May 31, 2023 By Jonathan Reed 4 min read

On April 17, 2023, The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of its Hospital Cyber Resiliency Initiative Landscape Analysis. This landmark analysis reports on domestic hospitals’ current state of cybersecurity preparedness.

The scope of the HHS study was limited to activities that protect access to patient care and safety and reduce the negative impact of cyber threats on clinical operations. Breaches of sensitive data were considered only if the breach had a direct impact on patient care and safety.

To compile the Hospital Cyber Resiliency Landscape Analysis, data was curated from multiple sources, such as the U.S. government, cybersecurity vendors, open-source intelligence, CrowdStrike, Verizon, CISA, FBI, NSA, Health Sector Cybersecurity Coordination Center and Health-Information Sharing and Analysis Center (Health-ISAC) threat reports. The investigators also consulted with 20 geographically and demographically diverse hospitals.

The report paints a picture of the challenges hospitals face in today’s cyber landscape — as well as how they can adapt.

Ransomware leverages DDoS

The HHS states that ransomware continues to be the biggest threat to the healthcare sector. The report also stressed the effect ransomware can have on services that directly impact patient care and safety — such as attacks that compromise the availability of patient care tools.

Of particular interest, the HHS notes that adversaries may elevate ransomware attacks when victims do not meet their demands. For example, attackers sometimes launch DDoS attacks against the target organization. Actors may also make ransom demands from others affected by the release of sensitive information (patients, hospital affiliates, etc.). Criminals might even leverage both DDoS and collateral ransom attacks simultaneously.

In fact, in March 2023, Microsoft documented a sharp rise in DDoS attacks against the healthcare sector using Azure. The attack rate had grown from up to 20 attacks per day in November 2022 to up to 60 per day in February 2023 (a 300% increase).

Critical security features and processes

Many healthcare entities are adopting more robust security practices. However, the depth and consistency of these practices may be inadequate, according to the HHS report. Some examples include:

  • Multi-factor authentication (MFA): Only 84% of VPNs and 88% of email systems are MFA-protected. The lack of full MFA adoption can leave critical assets open to successful compromises.
  • Training and outreach: Data suggests there may be considerable variability in hospital cyber training. Some hospitals indicated that scenario-based training (where results are shared in near real-time) is an effective way to improve cyber hygiene, as is training targeting high-risk groups (such as executives).
  • Hospital-at-home: In-home care uses medical devices in patients’ homes to facilitate clinical care. Hospitals face challenges such as device protection, standardization issues, vendor lock-in and scaling services while maintaining asset security.

More key observations

Other key observations made by the HHS report include:

  • Hospitals report success in implementing email protections. Over 99% of hospitals surveyed reported having basic anti-spam and anti-phishing capabilities. Also, 92% of hospitals use URL detection, and 86% leverage automated responses to malicious email removal. Still, these methods may not definitively thwart newer social engineering and phishing attacks.
  • Supply chain risk is pervasive in hospitals. Only 49% of hospitals state they have adequate coverage in managing supply chain risk. Nearly every participating hospital considered supply chain risk management as a top priority to address. Many hospitals already require CISO approval before making acquisition requests.
  • Attackers do not typically exploit medical devices. Threat intelligence and breach data suggest medical devices are not a prominent attack vector against hospital operations — yet. However, device vulnerabilities can allow advanced forms of attacks to spread across the organization.
  • Significant variation in cybersecurity resiliency. Primary sources of resilience investment variation include third-party risk management, medical device security, asset management, participation in Information Sharing and Analysis Centers (ISACs) and the use of governance, risk and compliance systems. Many hospitals expressed a need for more benchmarking data and consumable, actionable intelligence information.
  • The use of antiquated hardware, systems and software. The HHS states that 96% of hospitals say they use end-of-life operating systems or software with known vulnerabilities. Antiquated technologies limit hospitals’ abilities to harden (e.g., patch) and secure their systems.
  • Rising cybersecurity insurance premiums. Sharp increases in cyber insurance costs have caused some hospitals to forgo insurance or self-insure to reduce risk. Coverage exclusions for non-compliance with security standards have reduced coverage as well. These exclusions tend to be more challenging for small and rural hospitals.

High-priority cybersecurity for hospitals

The HHS report identified the following Health Industry Cybersecurity Practices as being of the highest risk and priority:

  • Endpoint protection systems: An endpoint is any device connected to the network. As per the HHS, “EDR tools are critical for identifying initial exploitation attempts and follow-on lateral movement or malicious use of built-in system utilities that may occur as part of an attacker’s kill-chain pattern.”
  • Identity and access management: IAM ensures that only authorized individuals have access to sensitive resources and that user actions are properly monitored and audited. Despite claims of IAM deployment, the HHS “continues to see a majority of successful attacks against hospitals where a single credential stolen from a phishing attack was the key vector used.”
  • Network management: Self-assessment data on IT asset management referenced 91% of participating organizations monitoring devices on their networks. However, only 52.6% have an inventory of personal devices on the network. The HHS states this disparity suggests coverage gaps in network monitoring controls.
  • Vulnerability management: The low percentage of hospitals using advanced forms of vulnerability testing, like Red Team, Purple Team and Tabletop exercises to uncover flaws, is a major concern. As per the report, higher forms of assessment testing are necessary to detect advanced attacks such as ransomware.
  • Security operations center and incident response: Data suggests that the vast majority of hospitals participate in DHS/CISA’s threat indicator sharing programs. However, hospital security personnel also said threat-sharing programs are cumbersome and offer largely duplicative information with little to no unique value per feed.

The HHS Hospital Cyber Resiliency Initiative Landscape Analysis is required reading for anyone on the front lines of healthcare cybersecurity. The report contains a wealth of information and insight that can help guide hospital-based security professionals.

More from News

Poland spending $760 million on cybersecurity after attack

3 min read - Visitors to the Polish Press Agency (PAP) website on May 31 at 2 p.m. Polish time were met with an unusual message. Instead of the typical daily news, the state-run newspaper had supposedly published a story announcing that a partial mobilization, which means calling up specific people to serve in the armed forces, was ordered by Polish Prime Minister Donald Tusk beginning on July 1, 2024. Deputy Prime Minister Krzysztof Gawkowski refuted the claim on X (formerly Twitter). His post…

New ransomware over browser threat targets uploaded files

3 min read - We all have a mental checklist of things not to do while online: click on unknown links, use public networks and randomly download files sent over email. In the past, most ransomware was deployed on your network or computer when you downloaded a file that contained malware. But now it’s time to add a new item to our high-risk activity checklist: use caution when uploading files. What is ransomware over browsers? Researchers at Florida International University worked with Google to…

Exploring the 2024 Worldwide Managed Detection and Response Vendor Assessment

3 min read - Research firm IDC recently released its 2024 Worldwide Managed Detection and Response Vendor Assessment, which both highlights leaders in the market and examines the evolution of MDR as a critical component of IT security infrastructure. Here are the key takeaways. The current state of MDR According to the assessment, “the MDR market has evolved extensively over the past couple of years. This should be seen as a positive movement as MDR providers have had to evolve to meet the growing…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today