Critical OT and IoT devices are prime targets for cybercriminals, while the typically urgent focus on patient care draws attention away from cybersecurity

The rise of IoT devices in the healthcare sector has helped patients and doctors alike, notably by monitoring patients’ state of health in real time. However, it has also driven a rise in security issues such as compromise of data and clinical operations, ransomware and phishing attacks in the healthcare industry.

According to the ExtraHop 2022 Cyber Confidence Index: Asia Pacific report, half of the cybersecurity incidents in the region happen because organizations have an outdated security posture. A weak posture can obstruct operations and patient care, which can increase patient mortality rates if patients are not given timely treatment.

IoT-related attacks have been seen since 2014, but they were initially considered low-impact events, as little or no critical data was stored on the devices themselves. What was once a low-impact device to leverage is now a critical element in sustaining service continuity and consistent treatment and care for patients.

CybersecAsia discussed some of these findings with Chris Thomas, Senior Security Advisor, APJ, at ExtraHop.

What risks do IoT devices in healthcare present?

Chris Thomas: As the internet of things (IoT) in healthcare continues to grow, having a strong security plan in place is fundamental to safeguarding patient information as well as patient safety. With patient outcomes the focal point of healthcare provision, mitigating the risk of security or data breaches is critical.

Because of this patient focus, compared to other industries, healthcare providers must be wary that a failure to adopt more secure technologies and more comprehensive cybersecurity practices could be disastrous.

The growth of digitalization and the increased sophistication of threat actors’ modus operandi have delivered a situation where giving and receiving care is at heightened risk of being targeted. In recent years, the rise in cyberattacks on healthcare organizations has been well documented. Waiting idly will greatly hamper providers’ ability to secure their data — including sensitive information — before it is too late.

The good news is that Asia Pacific’s healthcare cybersecurity market is expected to have the fastest CAGR of 23.47%, according to The Brainy Insights. This will ensure Electronic Health Records (EHRs), wireless medical devices, and telemedicine do not compromise patient confidentiality and other valuable assets in the hands of providers.


What comprises an updated cybersecurity posture?

Chris Thomas: An updated cybersecurity posture ultimately boils down to knowing which users to trust. The answer lies with ‘zero trust’, which essentially allows access where necessary, while protecting the assets most valued by the organization.

Unfortunately, cyberthreats can be impossible to identify if your strategy relies on deploying agents on every endpoint. Amid the increasingly common deployment of devices in healthcare, zero trust allows providers to secure their networks beyond the perimeter’s north-south communications. Without visibility inside your network, you will not see unusual activity, which invariably means you will not be able to stop a threat.

But getting there requires an approach that enables end-to-end network visibility and eliminates the silos that hinder collaboration between IT teams.

This is where network detection and response (NDR) platforms can add real value, enabling organizations to adopt a zero-trust model faster and at lower risk.

Are threat actors selective when targeting victims in APJ healthcare sectors? Do they first study hospital weaknesses and susceptibility to attacks, and ability to pay off ransomware demands? Or is everyone unsafe at any moment?

Chris Thomas: Unfortunately, attackers have gotten more sophisticated with time and are shown to be increasingly adept at breaching the first layer of perimeter defences.

Shoring up weaknesses is the difference — especially as, once inside, attackers can move laterally through the network and attempt to escalate privileges. It is during this gap, after the initial compromise and before the attacker gets escalated privileges, that security teams have the greatest potential to stop the attack.

Monitoring east-west traffic inside the network to look for anomalous activity and other indicators of compromise is crucial to stopping the loss of assets and sensitive data.

Perimeter-based defences alone are not enough. NDR solutions can provide quick wins for security teams by overcoming the shortcomings of endpoint detection and response by passively capturing network communications. NDR applies advanced techniques, including behavioral analytics and machine learning, to identify both known and unknown attack patterns.

This data can also be used to perform a real-time investigation into post-compromise activity and to forensically investigate incidents. While not all NDR solutions decrypt network traffic, the most advanced solutions provide secure decryption capability to help identify threats hiding within encrypted traffic.

What is the connection between an organization’s network and its capacity to repel cyber attacks? How long does it take for that healthcare network to have a good defense against attacks?

Chris Thomas: Too often what happens between an intrusion and a full-on breach is missed or overlooked. Taking actions that can alert your team to the intrusion enables you to stop attackers in their tracks before they inflict the most damage by stealing (exfiltrating) and/or destroying sensitive data.

While attackers are innovating to get in, they’re also innovating inside, hiding their tracks through encryption and erasing logs. The challenge for healthcare providers is going beyond tactics focused on the beginning and end. Focusing on the network empowers incident response with the ability to interrupt intruders before they do real damage.

NDR is designed to monitor the network traffic patterns and protocols that attackers leverage during the midgame. For instance, NDR excels where traditional controls fall short. These range from improved detection of internal reconnaissance to spotting lateral movement techniques that lead to the compromise of domain controllers and data services.

NDR can also spot exploits even if they occur over encrypted protocols, isolate intruders even in noisy DNS traffic, and identify data staging for exfiltration and encryption activity.
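To make the midgame detections described above concrete, here is an added, constructed illustration of the kind of east-west traffic analysis an NDR platform performs. This is editorial example code, not ExtraHop's product or anything from the interview: it runs a few simple detectors over flow records built inline (internal reconnaissance sweeps, admin-protocol lateral movement from a workstation, staging-then-exfiltration, and high-entropy DNS labels). The address ranges, port list, thresholds, flow records and query names are all assumptions chosen for the demonstration and would need tuning to a real network.

```python
import math
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions (not from the article): a flat 10.0.0.0/8 internal range,
# workstations on 10.1.0.0/16, the admin protocols below, and the thresholds
# used in each detector. Tune all of these to the real environment.
INTERNAL = ip_network("10.0.0.0/8")
WORKSTATIONS = ip_network("10.1.0.0/16")
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}  # SSH, RPC, SMB, RDP, WinRM


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


# Constructed flow records (src, dst, dst_port, bytes_sent), not real captures.
FLOWS = []
# Stage 1 - internal reconnaissance: one workstation sweeps a /24 on SMB with
# tiny (handshake-sized) flows.
FLOWS += [("10.1.5.20", f"10.2.0.{i}", 445, 200) for i in range(1, 41)]
# Stage 2 - lateral movement: the same host opens real SMB/RDP/WinRM sessions
# to six different servers.
FLOWS += [("10.1.5.20", f"10.3.0.{i}", p, 50_000)
          for i, p in zip(range(1, 7), [445, 3389, 5985, 445, 445, 3389])]
# Stage 3 - staging and exfiltration: five file servers push data to one host,
# which then sends 300 MB to an external address over HTTPS.
FLOWS += [(f"10.4.0.{i}", "10.3.0.9", 445, 60_000_000) for i in range(1, 6)]
FLOWS += [("10.3.0.9", "203.0.113.7", 443, 300_000_000)]
# Benign background: a user browsing an external site.
FLOWS += [("10.1.7.3", "198.51.100.10", 443, 120_000)]


def internal_recon(flows, min_targets=20, max_bytes=1_000):
    """Hosts that touch many distinct internal (dst, port) pairs with flows
    too small to carry a real session: the shape of a host/port sweep."""
    targets = defaultdict(set)
    for src, dst, port, nbytes in flows:
        if is_internal(src) and is_internal(dst) and nbytes <= max_bytes:
            targets[src].add((dst, port))
    return {src for src, t in targets.items() if len(t) >= min_targets}


def lateral_movement(flows, min_hosts=5, min_bytes=10_000):
    """Workstations holding substantive admin-protocol sessions with many
    servers; the byte floor separates this from the recon sweep above."""
    hosts = defaultdict(set)
    for src, dst, port, nbytes in flows:
        if (ip_address(src) in WORKSTATIONS and is_internal(dst)
                and port in ADMIN_PORTS and nbytes >= min_bytes):
            hosts[src].add(dst)
    return {src for src, h in hosts.items() if len(h) >= min_hosts}


def data_staging(flows, min_sources=3, min_in=100_000_000, min_out=100_000_000):
    """Internal host that aggregates a large volume from several peers and then
    sends a large volume outside: the staging-then-exfiltration pattern."""
    inbound = defaultdict(lambda: [set(), 0])   # dst -> [sources, bytes in]
    outbound = defaultdict(int)                 # src -> bytes to external
    for src, dst, _port, nbytes in flows:
        if not is_internal(src):
            continue
        if is_internal(dst):
            inbound[dst][0].add(src)
            inbound[dst][1] += nbytes
        else:
            outbound[src] += nbytes
    return {h for h, (srcs, total) in inbound.items()
            if len(srcs) >= min_sources and total >= min_in
            and outbound.get(h, 0) >= min_out}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score near
    log2(16) for hex or log2(36) for base36, dictionary words much lower."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed DNS query names; the hex labels mimic an encoded tunnel payload.
QUERIES = [
    "www.example-hospital.org",
    "api.ehr-vendor.example",
    "3f9a1c7e2b8d4e6f0a5b9c1d2e3f4a5b.tunnel.example",
    "6b2e9d4f1a8c3e7b5d0f2a9c4e1b8d3f.tunnel.example",
]


def suspicious_dns(queries, min_label_len=24, min_entropy=3.5):
    """Parent domains receiving long, high-entropy leftmost labels, a common
    shape of DNS tunnelling or exfiltration hiding in ordinary lookup noise."""
    hits = set()
    for name in queries:
        label, _, parent = name.partition(".")
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            hits.add(parent)
    return hits


if __name__ == "__main__":
    print("internal recon  :", internal_recon(FLOWS))
    print("lateral movement:", lateral_movement(FLOWS))
    print("data staging    :", data_staging(FLOWS))
    print("dns tunnelling  :", suspicious_dns(QUERIES))
```

The point of the byte thresholds is the one made in the answer: the same host shows up first as a scanner (many tiny flows) and then as a lateral mover (fewer, larger admin-protocol sessions), and it is that window, before the staging host starts pushing data out, where a network-level detection is most useful. A production NDR would work from parsed protocol metadata rather than raw byte counts, but the decision logic is the same shape.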

Why are holiday seasons prime time for cyber-attacks in the healthcare sector?

Chris Thomas: Organizations — including in the healthcare sector — tend to be overburdened during holiday seasons. Cyberattacks invariably are the last thing on most people’s minds, but attackers notice that vulnerabilities increase with less network supervision during the holidays.

While different attackers use different techniques, social engineering, phishing and ransomware are the most frequently used. Organizations can better understand how these schemes work and avoid falling victim to them if they have solid, year-round cybersecurity training.

This should be paired with ensuring security tools are up to date and can account for the busy season, through fully automated responses that make the organization’s security toolset more effective at stopping threats before they make off with valuable company assets.