Smaller hospitals are often how cyberattackers and nation states gain access to health system networks to steal IP, deploy ransomware or scour data to sell on the dark web, according to new research from cybersecurity firm CyCognito.
The firm’s latest research studied health systems with more than $1 billion in revenue and more than 19 hospitals.
Healthcare IT News interviewed Rob Gurzeev, CEO and founder of CyCognito, to discuss the results of his firm’s latest research, including why smaller hospitals are entry points for bad actors, how health systems are increasing risk by not paying their smaller entities enough attention, exactly how threat actors are using these points for entry, and how health systems can get a handle on extended attack surfaces.
Q. Your research found that smaller hospitals are often the entry point for bad actors to get in and steal intellectual property, issue ransomware or sell data on the dark web. Why is this?
A. Our research looked at subsidiary organizations such as the smaller hospitals, clinics, healthcare service providers and facilities that a larger health system may acquire, or, at times, divest, as they grow. Baker Tilley, one of the world’s largest accounting firms, reported that healthcare M&A activity was up 43% in the first half of 2021 versus the first half of 2020. With that increased M&A activity comes larger attack surfaces, along with more risk.
For example, a small healthcare organization being acquired might have around 5,000 digital assets on average. A very large organization might have 100,000 digital assets or more. Earlier research by CyCognito showed that about 7% of these smaller organization digital assets are at risk. That means around 350 at-risk assets are added to the parent’s attack surface when a smaller organization is acquired.
To find those 350 among a sea of digital assets, the parent organization needs to discover all of the assets, test them and take corrective action.
Many times, these entities continue to operate certain functions – such as cybersecurity – autonomously or at an arm’s length with respect to the parent organization for some period of time. When this is the case the smaller hospitals and facilities do the best they can with the resources they have but, generally speaking, have fewer resources and less-well-trained cybersecurity staff than larger organizations do.
Scarily, most of these organizations have digital connections into the critical systems, applications and data of the parent health systems.
Attackers are clever, opportunistic and resourceful, and they understand the dynamics of health systems and other large organizations very well. They know that as the IT ecosystems of these healthcare providers grow, the pieces that are under dotted-line or indirect control of the “headquarters” security team – and pieces that are effectively IT blind spots, such as cloud and SaaS applications provisioned outside of the control or view of IT staff – are the weakest and least protected of the organization.
Therefore, bad actors target those small hospitals and entities because they are the paths of least resistance back into the networks, applications and data of the larger health system.
Q. How are health systems increasing risk and exposure by not paying enough attention to their smaller entities?
A. “Attack surface” blind spots provide the biggest risk. These blind spots frequently include the digital surfaces associated with smaller hospitals, connected partners, cloud providers and other related entities.
These are the exact places where organizations get breached. Research firm ESG found that 67% of organizations have been attacked via an unknown or unmanaged asset, and 75% expect it to happen again.
Q. How are threat actors using these points for entry?
A. With ransomware and supply chain attacks becoming more prevalent over the last 18 months, the way attackers operate in this context has become clearer. Attackers look for an opening, and in the case of ransomware, one of the main attack vectors they use is unpatched or otherwise under-secured systems.
For example, ransomware attackers often target remote services like remote desktop protocol (RDP) to gain a foothold and extort money from their victims. CyCognito labs research found that the attack surface of a large organization typically harbors between two to 20 or more easily exploited remote access systems. This initial point of entry is called the “initial access” point, and it is critical to identify these as rapidly as possible, because they are so important to the bad guys.
Once initial access is gained, attackers often target patient personally identifiable information (PII). These records are worth as much as $250 per record, which is orders of magnitude more valuable than other PII like email credentials, phone numbers or even credit card numbers, because an individual can’t easily change their health history.
After data is stolen, the attacker can start making money. Most directly, they can sell the information they find.
Secondarily, they can ransom the information, usually to the healthcare provider directly for millions of dollars in bitcoin, and in some cases back to the patients themselves (as seen in the Vastaamo mental health breach of 2019).
A third path is to use ransomware to encrypt healthcare IT systems and ask for payment to decrypt them. This is again particularly impactful, because access to up-to-the-minute health information is critical to business and healthcare operations.
Q. How can health systems get a handle on the extended attack surface?
A. Best practices dictate that health systems discover all of their exposed digital assets, test them for security risks, and work with asset owners to quickly focus on, and remediate, the most critical risks. Those basic steps need to be performed on a continuous basis to effectively manage cyber risk in an extended attack surface.
Our research showed that cyber risks increase with the number of subsidiaries that are part of the organization. Therefore, including digital assets that are part of the attack surface of smaller hospitals and other owned providers is a critical part of that process.
The research also found that to make the attack surface management process as operationally efficient as possible, respondents favored dedicated attack surface management solutions over a variety of other solutions they had tried, viewing them as the most effective solution category for managing subsidiary risk.