Understanding the Hospital Cyber Resiliency Landscape Analysis

by Hannah Grace Holladay / March 12th, 2024

The United States Healthcare and Public Health (HPH) sector is facing a dramatic increase in cyber-attacks that disrupt patient care and safety. Hospitals are facing directly targeted ransomware attacks that aim to disrupt clinical operations.

According to a new study (linked below) by the U.S. Department of Health and Human Services (HHS), 96% of small, medium, and large hospitals report that they are operating end-of-life operating systems or software with known vulnerabilities, including medical devices. Because critical security features and processes are adopted unevenly, and because the threat landscape keeps evolving, more and more hospitals are being exposed to cyber-attacks.

If this fear resonates with you, we understand how you feel. We know that providing quality and uninterrupted patient care is your number one priority. It’s overwhelming to keep up with adopting and implementing new security controls, especially with countless critical devices connected to your network whose compromise could disrupt patient care. Throw in today’s evolving threats and there’s even more to keep up with.

With so many things to keep track of, you need someone to tell you what to be concerned about and how to protect yourself against it before losing billions of dollars or even a life. That’s where threat-informed defense comes in: it gives you a clear game plan for gaining assurance.

To create this game plan, we need to know what we’re up against. On April 17, 2023, the U.S. Department of Health and Human Services (HHS) 405(d) Program announced the release of its Hospital Cyber Resiliency Initiative Landscape Analysis. This analysis reviewed the active threats that hospitals are currently facing and the cybersecurity capabilities of hospitals across the country. The report set out to identify the biggest threats to hospitals and patient care before identifying the controls and cyber practices that need to be in place to mitigate those threats.

This blog will explore the threats identified by the report, and another will dive into the best practices healthcare organizations need to have in place to protect their patients from these threats. Both will provide practical steps for strengthening your cyber defenses.

How Do Cyber Attacks Impact Healthcare Providers?

From small, independent practitioners to large, integrated health systems, cyber-attacks on healthcare records, IT systems, and medical devices have affected even the most protected systems. Cyber-attacks expose sensitive patient information and can lead to substantial financial costs to regain control of hospital systems and patient data.

According to the Landscape Analysis, “cyber incidents affecting hospitals and health systems lead to extended care disruptions caused by multi-week outages; patient diversion to other facilities; and strain on acute care provisioning and capacity, causing cancelled medical appointments, non-rendered services, and delayed medical procedures (particularly elective procedures).

More importantly, they put patients’ safety at risk and impact local and surrounding communities that depend on the availability of the local emergency department, radiology unit, or cancer center for life-saving care.”

When these cyber incidents impact operations, they impact the health and safety of the patients who trusted their healthcare providers. Patients deserve to trust their providers, and providers deserve to feel confident that they can provide the highest quality of care as well as keep patient data confidential.

The Top Five Threats Your Organization Needs to Know About

The Landscape Analysis reviewed active threats attacking hospitals and the cybersecurity capabilities of U.S. hospitals. Many types of threats were identified, but there are five your organization needs to know about to be truly prepared:

1. Ransomware Attacks

Ransomware is a type of malware designed to gain access to an organization’s or user’s data and deny access to that data until a ransom is paid. Attackers encrypt the data they have seized and require organizations to pay for the decryption key.

2. Cloud Exploitations by Threat Actors

Threat actors are targeting cloud infrastructure to gain access to sensitive data being transferred between organizations and their cloud providers. By deploying a variety of tools onto vulnerable servers, attackers can exploit this transfer of data for their own gain.

3. Phishing/Spear-Phishing Attacks

Phishing is any effort by an attacker to obtain sensitive information from an individual via email, social media, or even phone calls. By misleading employees into providing private information, malicious individuals can gain access to company systems, processes, or data. Basic phishing attacks are not personalized; instead, they are mass-generated in the hope that at least one individual will fall for the trap.

4. Software and Zero-Day Vulnerabilities

A zero-day vulnerability is a flaw in your device or system that is unknown to its developers, so no patch exists when attackers begin exploiting it. Because they’re unknown, zero-day vulnerabilities can be very difficult to detect and easy for attackers to exploit.

5. Distributed Denial of Service Attacks (DDoS)

A Denial of Service (DoS) attack attempts to flood your network or servers with so many requests that your server becomes unusable and your website goes down.

There are two types of DoS attacks: buffer overflow attacks and flood attacks. A buffer overflow attack exhausts CPU time, hard disk space, and memory. Flood attacks overwhelm the server’s capacity with traffic.

In a Distributed Denial of Service (DDoS) attack, the flooding traffic comes from multiple sources at once.

Discover Your Vulnerabilities Before an Attacker Does

These threats are intimidating and scary, but there is no better protection against them than discovering where your weaknesses are before an attacker does. The good news is that most of these attacks share similar attributes, and we know how the bad guys attack.

Healthcare providers can turn the tables on their adversaries and use the adversaries’ own characteristics and behaviors to validate and improve their defenses. Integrating threat-informed offensive security capabilities into your defenses allows your environment to be assessed through the eyes of your greatest adversaries.

Partnering with a team of experts to research, model, and execute attack tactics, techniques, and procedures (TTPs) allows you to adjust your existing defenses to prevent malicious efforts from affecting or damaging your data. We understand how overwhelming and hard it is to keep up, but we also know just what to do to help you get ahead of the mess and fortify your defenses.

The only way you can really be confident that your organization is prepared to face these threats is to undergo an attack simulation. When your organization chooses to participate in a penetration test, you can see how the controls you’ve put in place stand up to the very real threats you’re facing, in a not-so-real simulation.

Here’s how it works:

  1. Make an attack plan
    • Partner with an expert to get a custom game plan on what you should test and how to execute your attack simulation. We begin with an initial workshop focused on understanding your threats and cyber capabilities. From there, we research your attack surface and the relevant TTPs to build a plan that aligns with your objectives.
  2. Test your security
    • Experience how your security defenses respond to a simulated cyber-attack by an advanced ethical hacker. Our penetration testers use their expertise and intuition to execute the TTPs, assess your attack surface, and discover any vulnerabilities in your security posture. This is normally done collaboratively with your defenders during the test, which allows real-time adjustments to defense and detection capabilities.
  3. Fortify your defenses
    • After testing, our professional writing team delivers a report that gives insight into our team’s findings and their recommendations for defense, detection, and response improvements. After your remediations, our team retests to confirm that you’ve fortified your attack surface against future attacks.

Fortify Your Defenses with Offensive Security at KirkpatrickPrice

The KirkpatrickPrice approach to attack simulation prepares your organization to defend against the threats you are most concerned about. Collaborative testing provides real-time feedback on both mitigation and detection capabilities, clarity on gaps in your defenses, and ultimately assurance that your organization is prepared to withstand an attack.

Threats never stop. Connect with one of our red team experts today so you can face them confidently.

About the Author

Hannah Grace Holladay

Hannah Grace Holladay is an experienced content marketer with degrees in both creative writing and public relations. She has earned her Certificate in Cybersecurity (CC) certification from (ISC)2 and has worked for KirkpatrickPrice since November 2019, starting first as a Professional Writer before moving to the marketing team as our Content Marketing Specialist. Her experience at KirkpatrickPrice and love for storytelling inspires her to create content that educates, empowers, and inspires the cybersecurity industry.