By Jenny Wu | Senior Incident Response Consultant at Nettitude
The move to the cloud and to remote working has changed the way networks are connected. Security focus is shifting away from defending a traditional perimeter and towards protecting the assets themselves, wherever they sit. Traditional anti-virus can no longer keep up with newer attacks and vulnerabilities, so compromises occur more frequently. Healthcare organisations, which are frequently targeted, therefore need additional protection in the form of Endpoint Detection and Response (EDR) tooling.
What Problems Is the Healthcare Industry Facing?
The healthcare industry is frequently targeted by attacks and suffers a higher ratio of compromises than other industries. In fact, the healthcare sector accounted for 45% of all cyber-attacks in 2019, compared to the second most targeted sector (finance and banking) at 12%. This is largely down to budgets that were already stretched thin before security was added to the list, which makes healthcare a high-value, low-effort target for attackers.
[The average cost of a data breach, by industry]
A recent study indicated that at least 88% of healthcare providers named a lack of budget as a major obstacle to acquiring the resources needed to protect their organisations adequately. In the same study, 35% of providers said they spent less than 1% of their budget on IT. This translates directly into being unable to obtain the tooling and staff needed to respond to attacks, or to give vulnerabilities and risks the attention they require.
That means less budget for tooling and less budget for skilled talent, and what little is available is usually spent fixing issues that have been open for years, such as upgrading outdated software and keeping legacy systems running.
As a result, providers have to make do with what they have in-house, running occasional security awareness training. But even the most technically savvy person will fall victim to a well-crafted attack under the right conditions. Where the human element fails, technology needs to be there to back it up.
Moreover, attacks are growing more sophisticated, outpacing both in-house security training and traditional defences such as anti-virus. Attackers increasingly leverage programmes already native to the endpoint (PowerShell, scripting hosts, administrative utilities), a technique often called living off the land, which sidesteps blocklists of known-bad executables. Ransomware and polymorphic malware variants change their file hashes constantly, outpacing anti-virus signature updates. And even if a user notices that an attack is under way, there is usually little they can do to stop it. For healthcare providers, where every moment counts and lives are at stake, these attacks are a major disruption, and one that can be mitigated.
Endpoint Detection and Response as a Solution
Again, where the human element fails, technology should be there to back it up. Moving from anti-virus alone to endpoint detection and response (EDR) tooling should be the next step providers look at taking.
EDR is often marketed as next-generation anti-virus. The essential difference is that traditional anti-virus relies on signatures of known malware, while EDR focuses on what processes actually do. The simplest signature is a file hash, a fingerprint computed from the file's bytes: anti-virus products receive regular updates of new malware hashes and variants, but changing a single byte of a file produces an entirely different hash. With polymorphic malware (malware that rewrites its own form and therefore its signature) and attacks that use only native tooling, more and more attacks escape the notice of anti-virus.
EDR delivers immediate results and buys organisations time as they expand their security stack and advance their security strategy. It detects suspicious behaviour rather than known files: for example, many files being encrypted or renamed in quick succession by an unauthorised programme, or a Microsoft Word macro spawning a process that reaches out to an external IP address. Depending on how the organisation configures it, EDR can block these actions outright or record them for investigation. This lets clinical staff get on with their work while IT and security personnel gather the data they need to understand and fix the underlying issues.
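The contrast described above, a hash blocklist that misses a one-byte variant versus behavioural rules that flag mass file renaming and an Office child process talking to an external address, as an added example. This is illustrative code written for this article, not any vendor's EDR logic; the malware "samples", the telemetry events, the process names and the thresholds are all constructed, and 203.0.113.45 is a documentation address standing in for an internet host.

```python
import hashlib
import ipaddress
from collections import defaultdict

# --- Signature (hash) detection, the traditional anti-virus model -----------
# Constructed stand-ins for a malware sample and a polymorphic variant: same
# behaviour, one padding byte changed, so the SHA-256 fingerprint differs.
ORIGINAL_SAMPLE = b"ENCRYPT_ALL_DOCS;PAD=\x00"
VARIANT_SAMPLE = b"ENCRYPT_ALL_DOCS;PAD=\x01"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# The blocklist only knows the sample the vendor has already seen.
HASH_BLOCKLIST = {sha256_hex(ORIGINAL_SAMPLE)}

def signature_hit(sample: bytes) -> bool:
    """Flag a file only if its hash is already on the blocklist."""
    return sha256_hex(sample) in HASH_BLOCKLIST

# --- Behavioural (EDR-style) detection --------------------------------------
# Constructed endpoint telemetry: (seconds, process, event_type, detail).
EVENTS = [
    (0, "explorer.exe", "file_rename", r"C:\Users\jwu\draft.docx -> C:\Users\jwu\final.docx"),
    (1, "WINWORD.EXE", "process_start", "powershell.exe"),
    (2, "powershell.exe", "net_connect", "203.0.113.45:443"),   # constructed external host
    (3, "svchost.exe", "net_connect", "10.20.30.40:445"),       # constructed internal file server
    (5, "updater.exe", "file_rename", r"C:\Share\patient001.pdf -> C:\Share\patient001.pdf.locked"),
    (5, "updater.exe", "file_rename", r"C:\Share\patient002.pdf -> C:\Share\patient002.pdf.locked"),
    (6, "updater.exe", "file_rename", r"C:\Share\patient003.pdf -> C:\Share\patient003.pdf.locked"),
    (6, "updater.exe", "file_rename", r"C:\Share\patient004.pdf -> C:\Share\patient004.pdf.locked"),
    (7, "updater.exe", "file_rename", r"C:\Share\patient005.pdf -> C:\Share\patient005.pdf.locked"),
]

OFFICE_PROCESSES = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
MASS_RENAME_THRESHOLD = 5   # extension-changing renames by one process ...
MASS_RENAME_WINDOW = 10     # ... within this many seconds (assumed tuning values)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _extension_changed(detail: str) -> bool:
    """True when a rename 'src -> dst' swaps the file extension (e.g. .pdf -> .locked)."""
    src, _, dst = detail.partition(" -> ")
    return src.rsplit(".", 1)[-1].lower() != dst.rsplit(".", 1)[-1].lower()

def _is_external(endpoint: str) -> bool:
    """True when 'host:port' is outside the organisation's private ranges."""
    host = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
    return not any(host in net for net in INTERNAL_NETS)

def behavioural_alerts(events, threshold=MASS_RENAME_THRESHOLD, window=MASS_RENAME_WINDOW):
    """Return (rule, process) alerts based on what processes do, never on file hashes."""
    alerts = []
    rename_times = defaultdict(list)   # process -> timestamps of extension-changing renames
    office_children = set()            # processes spawned by an Office application
    for ts, proc, kind, detail in sorted(events):
        if kind == "file_rename" and _extension_changed(detail):
            # sliding window: keep only renames within `window` seconds of this one
            rename_times[proc] = [t for t in rename_times[proc] if ts - t <= window] + [ts]
            if len(rename_times[proc]) >= threshold:
                alerts.append(("mass_rename", proc))
                rename_times[proc] = []    # one alert per burst
        elif kind == "process_start" and proc in OFFICE_PROCESSES:
            office_children.add(detail.lower())
        elif kind == "net_connect" and proc.lower() in office_children and _is_external(detail):
            alerts.append(("office_child_external_connection", proc))
    return alerts

if __name__ == "__main__":
    print("original sample blocked:", signature_hit(ORIGINAL_SAMPLE))  # True
    print("variant sample blocked: ", signature_hit(VARIANT_SAMPLE))   # False: new hash
    for rule, proc in behavioural_alerts(EVENTS):
        print(f"ALERT {rule}: {proc}")
```

The hash check fails the moment the attacker flips one byte, whereas the behavioural rules fire on the encryption burst and the Word-to-PowerShell-to-internet chain regardless of which binary is doing it. The threshold and window values are the part a real deployment has to tune: set them too low and legitimate batch jobs (a backup agent renaming files, say) will page the on-call analyst; too high and a fast-moving ransomware run finishes before the rule trips.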
Healthcare providers and first responders should be able to do their work with as few interruptions as possible, least of all from malware. Configured appropriately, EDR is minimally intrusive to clinical users and can stop an attack before it takes hold. One caveat: detection without response is not protection. If EDR is run in audit-only mode, its alerts still need someone to act on them, so the tooling has to be matched with the people and processes to follow up.
Are we at a Make or Break Point with the Healthcare Industry?
Implementing EDR not only helps keep the organisation safe, it also helps keep it compliant. The HIPAA Security Rule (45 CFR 164.308(a)(5)(ii)(B), protection from malicious software) requires covered entities to guard against, detect and report malicious software. In practice this has usually meant deploying anti-malware or anti-virus, but on its own that is no longer effective enough. Breaches cost organisations in the United States an average of $8.6 million, and that figure is only expected to rise in the coming years.
Compliance is the floor for security controls, not the ceiling. Anti-virus may satisfy the requirement on paper, but defending against real-life attacks can be a matter of life and death. Security experts are wary of their worst fear being realised: an attack that one day takes lives directly.
In September 2020, a patient in Germany was initially reported to have died as a result of a ransomware attack on a hospital; later investigation indicated that the patient's condition was already grave and that the attack was not directly responsible. While that case may have been a false alarm, it shows how close the industry already is to that outcome.
What’s Next for the Healthcare Industry?
The healthcare industry faces a series of security challenges. Being the most targeted industry while working with insufficient budgets makes for a potentially deadly combination. For those who can, upgrading to endpoint detection and response (EDR) tooling is an intelligent and strategic next step for advancing their security posture.