On April 17, 2023, The U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of its Hospital Cyber Resiliency Initiative Landscape Analysis. This landmark analysis reports on domestic hospitals’ current state of cybersecurity preparedness.

The scope of the HHS study was limited to activities that protect access to patient care and safety and reduce the negative impact of cyber threats on clinical operations. Breaches of sensitive data were considered only if the breach had a direct impact on patient care and safety.

To compile the Hospital Cyber Resiliency Landscape Analysis, data was curated from multiple sources, such as the U.S. government, cybersecurity vendors, open-source intelligence, CrowdStrike, Verizon, CISA, FBI, NSA, Health Sector Cybersecurity Coordination Center and Health-Information Sharing and Analysis Center (Health-ISAC) threat reports. The investigators also consulted with 20 geographically and demographically diverse hospitals.

The report paints a picture of the challenges hospitals face in today’s cyber landscape — as well as how they can adapt.

Ransomware leverages DDoS

The HHS states that ransomware continues to be the biggest threat to the healthcare sector. The report also stressed the effect ransomware can have on services that directly impact patient care and safety — such as attacks that compromise the availability of patient care tools.

Of particular interest, the HHS notes that adversaries may elevate ransomware attacks when victims do not meet their demands. For example, attackers sometimes launch DDoS attacks against the target organization. Actors may also make ransom demands from others affected by the release of sensitive information (patients, hospital affiliates, etc.). Criminals might even leverage both DDoS and collateral ransom attacks simultaneously.

In fact, in March 2023, Microsoft documented a sharp rise in DDoS attacks against the healthcare sector using Azure. The attack rate had grown from up to 20 attacks per day in November 2022 to up to 60 per day in February 2023 (a 300% increase).

Critical security features and processes

Many healthcare entities are adopting more robust security practices. However, the depth and consistency of these practices may be inadequate, according to the HHS report. Some examples include:

• Multi-factor authentication (MFA): Only 84% of VPNs and 88% of email systems are MFA-protected. The lack of full MFA adoption can leave critical assets open to successful compromises.
• Training and outreach: Data suggests there may be considerable variability in hospital cyber training. Some hospitals indicated that scenario-based training (where results are shared in near real-time) is an effective way to improve cyber hygiene, as is training targeting high-risk groups (such as executives).
• Hospital-at-home: In-home care uses medical devices in patients’ homes to facilitate clinical care. Hospitals face challenges such as device protection, standardization issues, vendor lock-in and scaling services while maintaining asset security.

More key observations

Other key observations made by the HHS report include:

• Hospitals report success in implementing email protections. Over 99% of hospitals surveyed reported having basic anti-spam and anti-phishing capabilities. Also, 92% of hospitals use URL detection, and 86% leverage automated responses to malicious email removal. Still, these methods may not definitively thwart newer social engineering and phishing attacks.
• Supply chain risk is pervasive in hospitals. Only 49% of hospitals state they have adequate coverage in managing supply chain risk. Nearly every participating hospital considered supply chain risk management as a top priority to address. Many hospitals already require CISO approval before making acquisition requests.
• Attackers do not typically exploit medical devices. Threat intelligence and breach data suggest medical devices are not a prominent attack vector against hospital operations — yet. However, device vulnerabilities can allow advanced forms of attacks to spread across the organization.
• Significant variation in cybersecurity resiliency. Primary sources of resilience investment variation include third-party risk management, medical device security, asset management, participation in Information Sharing and Analysis Centers (ISACs) and the use of governance, risk and compliance systems. Many hospitals expressed a need for more benchmarking data and consumable, actionable intelligence information.
• The use of antiquated hardware, systems and software. The HHS states that 96% of hospitals say they use end-of-life operating systems or software with known vulnerabilities. Antiquated technologies limit hospitals’ abilities to harden (e.g., patch) and secure their systems.
• Rising cybersecurity insurance premiums. Sharp increases in cyber insurance costs have caused some hospitals to forgo insurance or self-insure to reduce risk. Coverage exclusions for non-compliance with security standards have reduced coverage as well. These exclusions tend to be more challenging for small and rural hospitals.

High-priority cybersecurity for hospitals

The HHS report identified the following Health Industry Cybersecurity Practices as being of the highest risk and priority:

• Endpoint protection systems: An endpoint is any device connected to the network. As per the HHS, “EDR tools are critical for identifying initial exploitation attempts and follow-on lateral movement or malicious use of built-in system utilities that may occur as part of an attacker’s kill-chain pattern.”
• Identity and access management: IAM ensures that only authorized individuals have access to sensitive resources and that user actions are properly monitored and audited. Despite claims of IAM deployment, the HHS “continues to see a majority of successful attacks against hospitals where a single credential stolen from a phishing attack was the key vector used.”
• Network management: Self-assessment data on IT asset management referenced 91% of participating organizations monitoring devices on their networks. However, only 52.6% have an inventory of personal devices on the network. The HHS states this disparity suggests coverage gaps in network monitoring controls.
• Vulnerability management: The low percentage of hospitals using advanced forms of vulnerability testing, like Red Team, Purple Team and Tabletop exercises to uncover flaws, is a major concern. As per the report, higher forms of assessment testing are necessary to detect advanced attacks such as ransomware.
• Security operations center and incident response: Data suggests that the vast majority of hospitals participate in DHS/CISA’s threat indicator sharing programs. However, hospital security personnel also said threat-sharing programs are cumbersome and offer largely duplicative information with little to no unique value per feed.

The HHS Hospital Cyber Resiliency Initiative Landscape Analysis is required reading for anyone on the front lines of healthcare cybersecurity. The report contains a wealth of information and insight that can help guide hospital-based security professionals.