The Dangers of Ineffective Threat Intelligence in Healthcare

Healthcare organizations are increasingly becoming targets for cyberattacks. The recent ransomware attacks on McLaren Health Care and Ascension are a stark reminder that these threats are not isolated incidents. In fact, the McLaren attack comes almost exactly a year after the same organization was attacked by the ransomware group BlackCat. This raises a crucial question – how can we ensure that cybersecurity measures are truly effective and extend beyond the fundamentals in order to stay ahead of bad actors?

Cyberattacks are not Lightning Strikes

It would be optimistic to assume that once an organization has been attacked, they won’t be targeted again. Sadly, in the eyes of attackers, this couldn’t be farther from the truth. According to Armis Labs, 37% of healthcare delivery organizations have suffered more than two attacks. If we consider that outages as a result of cyberattacks can take weeks, often months, to return to normal operations, multiple consecutive attacks can leave an already vulnerable sector incapacitated.

The McLaren Health Care case is a stark example of this. Experiencing two similar attacks a year apart underscores what is a fear for any organization – that despite best efforts, the standard approach to cybersecurity is just not enough. This recent attack presents a sobering reminder that cyber threats are always evolving. And our defenses must do the same.

Early warning threat intelligence can detect and neutralize malicious actions in your environment before they are exploited. Having robust visibility, protection, and alerts management in place can provide an effective threat forecast and a realistic picture of where to focus your efforts.

True Visibility of the Healthcare Device Ecosystem

Healthcare device ecosystems are some of the most complex in the world. The technology consists of enterprise assets, devices directly used for patient care, patient experience devices used to facilitate optimal care flow, and of course the supporting building management systems which provide essential underpinnings to safe, effective, and continuous care. True, effective asset inventory and visibility must include all of these asset types. Within healthcare environments, it’s imperative to understand the care delivery context of each asset and their importance to day-to-day clinical operations. Devices must be identified appropriately with any dependencies thoroughly mapped. Access to location information and identifying the appropriate asset owners can avoid lengthy manual efforts and expedite any remediation or preventive measures that are required.

The Complacency Trap

Having ineffective cybersecurity solutions, poor visibility, and static views of the threat landscape all contribute to a false sense of security. Cybersecurity cannot be reduced to a mere compliance checklist. When organizations fall into this trap, despite their best genuine efforts, they may become complacent, believing that their existing measures are sufficient.

This is a serious risk for any organization, particularly in healthcare where attacks have been steadily increasing throughout 2023 and 2024. A static cybersecurity policy might protect against yesterday’s threats but will fail miserably against today’s evolving methodologies. Effective cybersecurity solutions need to be dynamic, constantly adapting to the latest threats. Threat intelligence measures that detect anomalous behaviors or adapt to the attack landscape can make all the difference for transforming a cybersecurity approach to get ahead of attackers before it is too late.

Collaboration for More Effective Risk Reduction

It’s essential for healthcare organizations to endeavor toward a holistic approach to cybersecurity and break down internal operating silos to achieve this. Traditionally, IT departments and biomedical device specialists have had different priorities and areas of focus which require different information. The key to reducing risk, particularly in non-IT or enterprise assets is by embracing and collaborating with the appropriate asset owners in order to reduce risk. This can be a challenge when the technology infrastructure intended to resolve these issues directly obstruct collaboration by limiting access to information.

Cybersecurity should be a common goal within an organization. So the tools we use should follow suit. A single pane of glass across all teams can streamline and accelerate risk recommendations and reductions. By enabling real-time information sharing of critical risk, the time to mitigation can be drastically reduced.

The Need for Proactive Cybersecurity

Swift action in case of a breach is crucial. The longer it takes to identify and respond to a cyberattack, the more damage can be done. Traditional, reactive measures are no longer sufficient. Proactive approaches and methodologies are required to keep pace with the ever-changing threat landscape. In an industry that is constantly asked to do more with less, facing budget cuts and headcount concerns, a proactive model that anticipates and mitigates threats before they can cause harm is the best chance at avoiding massive disruption to patient care and expensive reactionary efforts to get systems back online.

Key Components of Proactive Cybersecurity in Healthcare:

1. Real-time Threat Detection: Utilize advanced AI and machine learning algorithms to detect and respond to detect threats in real-time
2. Continuous Monitoring: Implement solutions that offer 24/7 monitoring of network activity to identify unusual patterns and potential breaches
3. Regular Updates and Patches: Ensure all systems and software are regularly updated to protect against known vulnerabilities
4. Total Attack Surface Visibility: Maintain a dynamic inventory of all elements of your attack surface, including every asset type, third-party vendors, and supply chain risk
5. Contextual Risk Assessment: Evaluate and consider risk factors beyond vulnerabilities. Effective medical device ecosystem risk includes departmental context, clinical risk, behavioral context, device configuration risk, anomalous activity, and device and systems data
6. Prioritized Response: Deduplicate alerts to view a concise list of required actions, prioritize based on contextual, behavioral, and clinical risk, assign to the correct owner and expedite the resolution or mitigation process
7. Incident Response Plan: Develop and regularly update an incident response plan to ensure swift action in case of a breach
8. Collaboration and Information Sharing: Ensure all teams have access to the relevant information, breaking down silos to cut straight to the issue at hand without operational delays.

Are Standard Practices Enough?

When healthcare organizations experience recurring cyberattacks, it becomes evident that standard security practices are not enough. Threat actors are continually evolving their techniques, proving static defenses inadequate. A cybersecurity policy or platform that does not constantly adapt to the current threat landscape serves only to provide false comfort. Asset inventory and visibility are not threat prevention.

Healthcare professionals and IT specialists need to ask themselves the hard questions – are our current cybersecurity measures truly protecting us, or are we simply ticking boxes? Are we stuck in the visibility zone or are we actually protected? Are we able to quickly and adequately respond to potential threats, and are we able to detect and neutralize them before they get out of control?

The dangers of limited or siloed cybersecurity practices in healthcare are clear and present. It’s time to move beyond static, reactive measures and adopt a proactive, dynamic approach to cybersecurity. Even the best healthcare systems can be rendered ineffective without access to their technology services and can affect the health of thousands of patients. Let’s not wait for another attack to realize the importance of more modern, proactive cybersecurity.

For more on the components of best practice, proactive cybersecurity, continue reading here.