May 31, 2023 By Jonathan Reed 4 min read

On April 17, 2023, The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of its Hospital Cyber Resiliency Initiative Landscape Analysis. This landmark analysis reports on domestic hospitals’ current state of cybersecurity preparedness.

The scope of the HHS study was limited to activities that protect access to patient care and safety and reduce the negative impact of cyber threats on clinical operations. Breaches of sensitive data were considered only if the breach had a direct impact on patient care and safety.

To compile the Hospital Cyber Resiliency Landscape Analysis, data was curated from multiple sources, such as the U.S. government, cybersecurity vendors, open-source intelligence, CrowdStrike, Verizon, CISA, FBI, NSA, Health Sector Cybersecurity Coordination Center and Health-Information Sharing and Analysis Center (Health-ISAC) threat reports. The investigators also consulted with 20 geographically and demographically diverse hospitals.

The report paints a picture of the challenges hospitals face in today’s cyber landscape — as well as how they can adapt.

Ransomware leverages DDoS

The HHS states that ransomware continues to be the biggest threat to the healthcare sector. The report also stressed the effect ransomware can have on services that directly impact patient care and safety — such as attacks that compromise the availability of patient care tools.

Of particular interest, the HHS notes that adversaries may elevate ransomware attacks when victims do not meet their demands. For example, attackers sometimes launch DDoS attacks against the target organization. Actors may also make ransom demands from others affected by the release of sensitive information (patients, hospital affiliates, etc.). Criminals might even leverage both DDoS and collateral ransom attacks simultaneously.

In fact, in March 2023, Microsoft documented a sharp rise in DDoS attacks against the healthcare sector using Azure. The attack rate had grown from up to 20 attacks per day in November 2022 to up to 60 per day in February 2023 (a 300% increase).

Critical security features and processes

Many healthcare entities are adopting more robust security practices. However, the depth and consistency of these practices may be inadequate, according to the HHS report. Some examples include:

  • Multi-factor authentication (MFA): Only 84% of VPNs and 88% of email systems are MFA-protected. The lack of full MFA adoption can leave critical assets open to successful compromises.
  • Training and outreach: Data suggests there may be considerable variability in hospital cyber training. Some hospitals indicated that scenario-based training (where results are shared in near real-time) is an effective way to improve cyber hygiene, as is training targeting high-risk groups (such as executives).
  • Hospital-at-home: In-home care uses medical devices in patients’ homes to facilitate clinical care. Hospitals face challenges such as device protection, standardization issues, vendor lock-in and scaling services while maintaining asset security.

More key observations

Other key observations made by the HHS report include:

  • Hospitals report success in implementing email protections. Over 99% of hospitals surveyed reported having basic anti-spam and anti-phishing capabilities. Also, 92% of hospitals use URL detection, and 86% leverage automated responses to malicious email removal. Still, these methods may not definitively thwart newer social engineering and phishing attacks.
  • Supply chain risk is pervasive in hospitals. Only 49% of hospitals state they have adequate coverage in managing supply chain risk. Nearly every participating hospital considered supply chain risk management as a top priority to address. Many hospitals already require CISO approval before making acquisition requests.
  • Attackers do not typically exploit medical devices. Threat intelligence and breach data suggest medical devices are not a prominent attack vector against hospital operations — yet. However, device vulnerabilities can allow advanced forms of attacks to spread across the organization.
  • Significant variation in cybersecurity resiliency. Primary sources of resilience investment variation include third-party risk management, medical device security, asset management, participation in Information Sharing and Analysis Centers (ISACs) and the use of governance, risk and compliance systems. Many hospitals expressed a need for more benchmarking data and consumable, actionable intelligence information.
  • The use of antiquated hardware, systems and software. The HHS states that 96% of hospitals say they use end-of-life operating systems or software with known vulnerabilities. Antiquated technologies limit hospitals’ abilities to harden (e.g., patch) and secure their systems.
  • Rising cybersecurity insurance premiums. Sharp increases in cyber insurance costs have caused some hospitals to forgo insurance or self-insure to reduce risk. Coverage exclusions for non-compliance with security standards have reduced coverage as well. These exclusions tend to be more challenging for small and rural hospitals.

High-priority cybersecurity for hospitals

The HHS report identified the following Health Industry Cybersecurity Practices as being of the highest risk and priority:

  • Endpoint protection systems: An endpoint is any device connected to the network. As per the HHS, “EDR tools are critical for identifying initial exploitation attempts and follow-on lateral movement or malicious use of built-in system utilities that may occur as part of an attacker’s kill-chain pattern.”
  • Identity and access management: IAM ensures that only authorized individuals have access to sensitive resources and that user actions are properly monitored and audited. Despite claims of IAM deployment, the HHS “continues to see a majority of successful attacks against hospitals where a single credential stolen from a phishing attack was the key vector used.”
  • Network management: Self-assessment data on IT asset management referenced 91% of participating organizations monitoring devices on their networks. However, only 52.6% have an inventory of personal devices on the network. The HHS states this disparity suggests coverage gaps in network monitoring controls.
  • Vulnerability management: The low percentage of hospitals using advanced forms of vulnerability testing, like Red Team, Purple Team and Tabletop exercises to uncover flaws, is a major concern. As per the report, higher forms of assessment testing are necessary to detect advanced attacks such as ransomware.
  • Security operations center and incident response: Data suggests that the vast majority of hospitals participate in DHS/CISA’s threat indicator sharing programs. However, hospital security personnel also said threat-sharing programs are cumbersome and offer largely duplicative information with little to no unique value per feed.

The HHS Hospital Cyber Resiliency Initiative Landscape Analysis is required reading for anyone on the front lines of healthcare cybersecurity. The report contains a wealth of information and insight that can help guide hospital-based security professionals.

More from News

Research finds 56% increase in active ransomware groups

4 min read - Any good news is welcomed when evaluating cyber crime trends year-over-year. Over the last two years, IBM’s Threat Index Reports have provided some minor reprieve in this area by showing a gradual decline in the prevalence of ransomware attacks — now accounting for only 17% of all cybersecurity incidents compared to 21% in 2021. Unfortunately, it’s too early to know if this trendline will continue. A recent report released by Searchlight Cyber shows that there has been a 56% increase in…

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

CISA and FBI release secure by design alert on cross-site scripting 

3 min read - CISA and the FBI are increasingly focusing on proactive cybersecurity and cyber resilience measures. Conjointly, the agencies recently released a new Secure by Design alert aimed at eliminating cross-site Scripting (XSS) vulnerabilities, which have long been exploited to compromise both data and user trust. Cross-site scripting vulnerabilities occur when a web application improperly handles user input, allowing attackers to inject malicious scripts into web pages that are then executed by unsuspecting users. These vulnerabilities are dangerous because they don't attack…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today