Ransomware and phishing are still the biggest concerns in terms of cybersecurity for healthcare providers based on Health-ISAC’s Current and Emerging Healthcare Cyber Threat Landscape report for February 2023. The joint report by Booz Allen Hamilton Cyber Threat Intelligence (CTI) and Health-ISAC reveals the major threats to the healthcare industry. It is based on a November 2022 survey participated by executives from Health-ISAC, the Health Sector Coordinating Council, and CHIME.
Biggest Cybersecurity Threat in Healthcare
Survey responders ranked the biggest concerns in cybersecurity for their companies in 2022 as well as for the remainder of 2023. The top concern for 2022 and 2023 was ransomware, while phishing and spear phishing are next. Included in the top 5 are third-party/partner breaches, data security breaches, and social engineering. Social engineering now ranked 5th replacing insider threat that was listed in the last published report.
It is expected that ransomware will still be the biggest threat in years to come. Although the authorities are doing more to stop ransomware groups and are taking threat actors to court, the profit from doing attacks is much more than the costs. As long as attacks are profitable, they will continue. Although cybercriminal groups are now diversifying their income streams because fewer victims are paying the ransom. It is likely that phishing will also continue to threaten the industry because of its low capital and its high rate of success in acquiring preliminary access to healthcare systems.
A significant concern in hospitals is medical device cybersecurity considering the increase in the number of devices used. Medical devices usually have several vulnerabilities and operate on obsolete operating systems and allow hackers easy access to healthcare systems. Healthcare companies with more connected medical devices encounter more cyberattacks. Healthcare companies must boost their medical device security by conducting regular risk assessments, applying patches and updates promptly, and identifying devices with weak or default credentials and updating them.
The report also mentioned threats associated with geopolitical activity like the Russia-Ukraine war, which resulted in more cyberattacks connected to Ukraine. Aside from attacks on the Ukraine government, Russian threat actors have been attacking companies that are known supporters of Ukraine, doing business in Ukraine, and even those that stopped operations in Russia. Chinese hackers have been launching attacks in order for the Communist Party of China (CPC) to acquire intellectual property in line with Chin’s 5-Year Plan, while North Korean hackers have been attacking U.S. healthcare firms for financial gain and for espionage.
Upcoming Threats to the Healthcare Industry
The report takes note of two appearing risks that are likely to cause problems in the healthcare sector in 2023 and beyond. These are product abuse and synthetic accounts. Threat actors can easily target Internet-facing products like web login pages and APIs by using compromised credentials. These credentials captured through malware, phishing, and data breaches are being utilized to acquire access to healthcare systems for ransomware attacks and obtain patient data for financial gain.
For many years, several industries are having problems with synthetic accounts. There is currently increasing evidence that synthetic accounts are utilized for healthcare fraud. Many synthetic accounts have been made using PII available on dark web forums. These accounts are utilized for fraudulently getting loans, making big purchases, paying for medical billing, etc. Cybercriminals are using bogus medical companies, or other business accounts to charge insurance companies and government agencies for fraudulent services.
To prepare for these attacks, it is necessary to properly align system controls, application, authentication, and risk layers to keep organizational information safe and lower the risk of credential stuffing, carding attacks, account takeovers, and synthetic account creation.
The TLP: Green report and the TLP: White summary are available for download by Health-ISAC members on this link.
FDA Cybersecurity Requirements for Medical Devices Now in Effect
Keeping medical devices cyber secure is a big challenge in the healthcare industry. Medical devices usually have unpatched vulnerabilities, use obsolete software, and do not have proper security features. Hence, they are a weak point in security that malicious actors can exploit to acquire access to healthcare systems and sensitive patient information.
As per the FBI, over 50% of medical devices that hospitals use have critical vulnerabilities that need to be addressed. Malicious actors can potentially exploit more than 6 vulnerabilities in medical devices, on average. Over 40% of medical devices have reached their end-of-life and do not have upgrades or security patches.
There are steps being undertaken to enhance medical devices’ cybersecurity. Device makers will soon need to integrate cybersecurity measures in devices and develop and impose a plan to address vulnerabilities all through the devices’ lifecycle, otherwise, the device will not be approved by the U.S. Food and Drug Administration (FDA).
The Consolidated Appropriations Act of 2023 started taking effect on March 29, 2023. This bill is a medical device cybersecurity requirement of the $1.7 trillion omnibus spending bill. Before medical devices will be authorized, it is now required by the FDA to submit data about the cybersecurity measures that have been applied to the medical devices. Section 3305 of the Omnibus bill (aka Ensuring Cybersecurity of Medical Devices) revised the Federal Food, Drug, and Cosmetic Act (FD&C Act) by including section 524B (Ensuring Cybersecurity of Devices). This amendment took effect 90 days after December 29, 2022 when the Act was approved. This means premarket submissions filed with the FDA after March 29, 2023 require the inclusion of data about the implemented cybersecurity of the medical devices.
According to a guidance document for the FDA staff, there is no intention to give refuse to accept (RTA) decisions for premarket submissions that do not include the necessary data on cybersecurity until after October 1, 2023. This will give medical device sponsors enough time to be ready with the required data; nevertheless, after that date, the FDA won’t accept applications and submissions without the needed cybersecurity elements. Meanwhile, the FDA will help applicants repair any problems in their documentation.
The sponsor of an application or submission should confirm that it is in compliance with the four core cybersecurity requirements:
- A plan to track, identify, and address postmarket cybersecurity vulnerabilities and exploits, which include disclosure of coordinated vulnerability and associated processes.
- Processes and procedures that make sure that devices are cyber secure, including getting updates and patches immediately when the devices are on the market to take care of known unacceptable vulnerabilities and critical vulnerabilities that can result in uncontrolled risks.
- A software bill of materials, which include commercial, open-source, and off-the-shelf software parts.
- Compliance with other prerequisites that may be included through regulation to show reasonable guarantees that devices and associated parts are cyber secure.
The FDA will partner with the Cybersecurity and Infrastructure Security Agency (CISA) to include updates to its guidance on cybersecurity for medical devices in two years. Its online resources will also be updated in 6 months and then yearly with information on how healthcare companies and device manufacturers can find and address vulnerabilities. The FDA will also work with other government institutions to bolster the security of medical devices.
