May 31, 2023 By Jonathan Reed 4 min read

On April 17, 2023, The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of its Hospital Cyber Resiliency Initiative Landscape Analysis. This landmark analysis reports on domestic hospitals’ current state of cybersecurity preparedness.

The scope of the HHS study was limited to activities that protect access to patient care and safety and reduce the negative impact of cyber threats on clinical operations. Breaches of sensitive data were considered only if the breach had a direct impact on patient care and safety.

To compile the Hospital Cyber Resiliency Landscape Analysis, data was curated from multiple sources, such as the U.S. government, cybersecurity vendors, open-source intelligence, CrowdStrike, Verizon, CISA, FBI, NSA, Health Sector Cybersecurity Coordination Center and Health-Information Sharing and Analysis Center (Health-ISAC) threat reports. The investigators also consulted with 20 geographically and demographically diverse hospitals.

The report paints a picture of the challenges hospitals face in today’s cyber landscape — as well as how they can adapt.

Ransomware leverages DDoS

The HHS states that ransomware continues to be the biggest threat to the healthcare sector. The report also stressed the effect ransomware can have on services that directly impact patient care and safety — such as attacks that compromise the availability of patient care tools.

Of particular interest, the HHS notes that adversaries may elevate ransomware attacks when victims do not meet their demands. For example, attackers sometimes launch DDoS attacks against the target organization. Actors may also make ransom demands from others affected by the release of sensitive information (patients, hospital affiliates, etc.). Criminals might even leverage both DDoS and collateral ransom attacks simultaneously.

In fact, in March 2023, Microsoft documented a sharp rise in DDoS attacks against the healthcare sector using Azure. The attack rate had grown from up to 20 attacks per day in November 2022 to up to 60 per day in February 2023 (a 300% increase).

Critical security features and processes

Many healthcare entities are adopting more robust security practices. However, the depth and consistency of these practices may be inadequate, according to the HHS report. Some examples include:

  • Multi-factor authentication (MFA): Only 84% of VPNs and 88% of email systems are MFA-protected. The lack of full MFA adoption can leave critical assets open to successful compromises.
  • Training and outreach: Data suggests there may be considerable variability in hospital cyber training. Some hospitals indicated that scenario-based training (where results are shared in near real-time) is an effective way to improve cyber hygiene, as is training targeting high-risk groups (such as executives).
  • Hospital-at-home: In-home care uses medical devices in patients’ homes to facilitate clinical care. Hospitals face challenges such as device protection, standardization issues, vendor lock-in and scaling services while maintaining asset security.

More key observations

Other key observations made by the HHS report include:

  • Hospitals report success in implementing email protections. Over 99% of hospitals surveyed reported having basic anti-spam and anti-phishing capabilities. Also, 92% of hospitals use URL detection, and 86% leverage automated responses to malicious email removal. Still, these methods may not definitively thwart newer social engineering and phishing attacks.
  • Supply chain risk is pervasive in hospitals. Only 49% of hospitals state they have adequate coverage in managing supply chain risk. Nearly every participating hospital considered supply chain risk management as a top priority to address. Many hospitals already require CISO approval before making acquisition requests.
  • Attackers do not typically exploit medical devices. Threat intelligence and breach data suggest medical devices are not a prominent attack vector against hospital operations — yet. However, device vulnerabilities can allow advanced forms of attacks to spread across the organization.
  • Significant variation in cybersecurity resiliency. Primary sources of resilience investment variation include third-party risk management, medical device security, asset management, participation in Information Sharing and Analysis Centers (ISACs) and the use of governance, risk and compliance systems. Many hospitals expressed a need for more benchmarking data and consumable, actionable intelligence information.
  • The use of antiquated hardware, systems and software. The HHS states that 96% of hospitals say they use end-of-life operating systems or software with known vulnerabilities. Antiquated technologies limit hospitals’ abilities to harden (e.g., patch) and secure their systems.
  • Rising cybersecurity insurance premiums. Sharp increases in cyber insurance costs have caused some hospitals to forgo insurance or self-insure to reduce risk. Coverage exclusions for non-compliance with security standards have reduced coverage as well. These exclusions tend to be more challenging for small and rural hospitals.

High-priority cybersecurity for hospitals

The HHS report identified the following Health Industry Cybersecurity Practices as being of the highest risk and priority:

  • Endpoint protection systems: An endpoint is any device connected to the network. As per the HHS, “EDR tools are critical for identifying initial exploitation attempts and follow-on lateral movement or malicious use of built-in system utilities that may occur as part of an attacker’s kill-chain pattern.”
  • Identity and access management: IAM ensures that only authorized individuals have access to sensitive resources and that user actions are properly monitored and audited. Despite claims of IAM deployment, the HHS “continues to see a majority of successful attacks against hospitals where a single credential stolen from a phishing attack was the key vector used.”
  • Network management: Self-assessment data on IT asset management referenced 91% of participating organizations monitoring devices on their networks. However, only 52.6% have an inventory of personal devices on the network. The HHS states this disparity suggests coverage gaps in network monitoring controls.
  • Vulnerability management: The low percentage of hospitals using advanced forms of vulnerability testing, like Red Team, Purple Team and Tabletop exercises to uncover flaws, is a major concern. As per the report, higher forms of assessment testing are necessary to detect advanced attacks such as ransomware.
  • Security operations center and incident response: Data suggests that the vast majority of hospitals participate in DHS/CISA’s threat indicator sharing programs. However, hospital security personnel also said threat-sharing programs are cumbersome and offer largely duplicative information with little to no unique value per feed.

The HHS Hospital Cyber Resiliency Initiative Landscape Analysis is required reading for anyone on the front lines of healthcare cybersecurity. The report contains a wealth of information and insight that can help guide hospital-based security professionals.

More from News

What is the Open-Source Software Security Initiative (OS3I)?

3 min read - The Open-Source Software Security Initiative (OS3I) recently released Securing the Open-Source Software Ecosystem report, which details the members’ current priorities and recommended cybersecurity solutions. The accompanying fact sheet also provides the highlights of the report. The OS3I includes both federal departments and agencies working together to deliver policy solutions to secure and defend the ecosystem. The new initiative is part of the overall National Cybersecurity Strategy. After the Log4Shell vulnerability in 2021, the Biden-Harris administration committed to improving the security…

Europe’s Cyber Resilience Act: Redefining open source

3 min read - Amid an increasingly complex threat landscape, we find ourselves at a crossroads where law, technology and community converge. As such, cyber resilience is more crucial than ever. At its heart, cyber resilience means maintaining a robust security posture despite adverse cyber events and being able to anticipate, withstand, recover from and adapt to such incidents. While new data privacy and protection regulations like GDPR, HIPAA and CCPA are being introduced more frequently than ever, did you know that there is new…

Feds release urgent guidance for U.S. water sector

3 min read - The water and wastewater sector (WWS) faces cybersecurity challenges that leave it wide open to attacks. In response, the CISA, EPA and FBI recently released joint guidance to the sector, citing variable cyber maturity levels and potential cybersecurity solutions. The new Incident Response Guide (IRG) provides the water sector with information about the federal roles, resources and responsibilities for each stage of the cyber incident response lifecycle. Sector owners and operators can use this information to augment their incident response…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today