Healthcare sector under attack

The activity concludes an unprecedented year of cybersecurity activity. Imperva data shows the healthcare industry experienced 187 million attacks per month, on average, or roughly 498 attacks per organization each month. That’s a 10% increase year-over-year, and it underscores the growing risk of web application vectors for healthcare organizations -- many of which are still struggling to manage the demands of the on-going global pandemic.

Throughout 2020, cybercriminals used an array of vectors to attack vulnerable healthcare organizations. Facilities operating in the United States, Brazil, United Kingdom and Canada were the top targets of these attacks.

In December, Imperva researchers saw four specific vectors increase significantly in volume of recorded attacks:

• Cross-site scripting (XSS) attacks increased 43% in December, and represents the largest number of overall attacks.
• SQL injections (SQLi) increased 44% and represents the second-largest volume of attacks.
• Protocol manipulation attacks increased at the greatest rate (76%) and represents the third-largest volume of overall attacks. 
• Remote Code Execution/Remote File Inclusion (RCE/RFI) attacks increased by 68% in December, but registered a smaller overall attack volume.

Impact is Still Unknown … For Now

While the volume of attacks increased in 2020, reports show that the number of breaches decreased. As someone who has worked in cybersecurity for more than 20 years, this makes no sense. My hypothesis is that many organizations likely don’t know the extent or impact of these attacks yet. The reason being: for most of the year, healthcare was focused on trying to enable remote work while managing the frontline logistics of a global pandemic. Thus, less time was spent on threat research, incident response and incident analysis.

In the New Year, I predict many breaches will come home to roost, a theory I outline in an Imperva webinar. There is also some early evidence to support this prediction. In the just the first three days of 2021, Imperva researchers saw a dramatic 43% increase in data leakage, the unauthorized transmission of data from within an organization to an external destination or recipient, which is often the result of a breach. 

As Healthcare IT Transforms, the Threat Landscape Expands

Over the past year, IT transformation across every industry was accelerated to meet the challenges brought on by the global pandemic. In healthcare, the digital agenda sped up at an astonishing pace. By some estimates, what would take 10 years to accomplish will now be done in three years. I’ve even heard of digital initiatives with a timeline of weeks or months! 

From expanding telehealth availability, to improving the patient experience through more digital channels, the healthcare industry adopted more cloud-based technologies and applications to achieve these goals. Based on my experience, many healthcare organizations rely on third-party applications anytime they can, instead of writing their own, for the convenience it offers, to reduce IT development risks and costs and to facilitate greater collaboration. While there are sometimes business advantages to third-party applications, the risks include: patching only on the vendor’s timeline, known exploits that are widely publicized and constant zero-day research on widely used third-party tools and APIs.

Reliance on JavaScript APIs and third-party applications creates a threat landscape of more complex, automated, and opportunistic cybersecurity risks that are increasingly challenging for all organizations to detect and stop. And while ransomware attacks commonly land healthcare organizations in the news, it’s only the vulnerable application front end to all healthcare data that experiences the variety and volume of daily attacks noted above.  

Defense At the Speed of Automated Attacks

While this latest threat intelligence paints a grim picture, there are actions healthcare organizations can take today to protect themselves. 

• Protect data -- and all paths to it. As the pace of digital transformation quickens, data resides in more places than ever before. Further, as healthcare organizations modernize their systems and power their services through APIs and applications, sensitive data has a far greater chance of exposure. Organizations need to invest in application and data security to offer multi-layered protection that allows legitimate traffic through and keeps bad actors out.  
• Move away from point solutions. With teams under-resourced, managing a growing stack of point solutions to address each unique risk is unrealistic. Instead, find a partner that can offer an integrated platform that provides protection against the leading attacks and optimizes web performance, helping the organization to operate more efficiently and securely.
• Don’t forget regulatory compliance. Most privacy and data security regulations today require healthcare providers and payers to demonstrate access controls and monitoring for all access to sensitive patient healthcare information.