Small and Medium Sized Practices Under Increased Pressure from Cyberattacks

2020 saw cyberattacks on healthcare organizations increase significantly. While large healthcare organizations are being targeted by Advanced Persistent Threat (APT) groups and ransomware gangs, there has also been a marked increase in attacks on small- to medium-sized healthcare organizations.

A cyberattack on a large healthcare organization could allow the hackers to steal large quantities of protected health information and ransomware attacks typically see ransom demands issued for millions of dollars. The rewards from these attacks are considerable, but large healthcare organizations tend to invest heavily in cybersecurity and often have their own IT security teams to protect and monitor their IT networks. Cyberattacks on these organizations require more skill and they can be difficult and time consuming.

Medium-sized healthcare organizations also store large amounts of sensitive data, yet their networks tend to be less well protected, which makes cyberattacks much easier and still highly profitable.

Cyberattacks on Small- and Medium-Sized Healthcare Organizations are Increasing

The CTI League recently published a report highlighting the work completed by its “Dark Team” on emerging threats to the healthcare industry. In the final Quarter of 2020, its researchers identified a sharp increase in cyberattacks on the healthcare sector. “From October to December the CTI League observed a dramatic uptick in focused attacks against healthcare entities, particularly small and medium sized hospitals and clinics, which impacted clinical workflows at hundreds of healthcare providers,” explained the researchers in the report.

Ransomware attacks on small to mid-sized healthcare organizations have been increasing, according to the ransomware response company Coveware. Coveware’s data for Q3, 2020 shows more than 70% of ransomware attacks were conducted on companies with fewer than 1,000 employees and 65.9% of ransomware attacks in Q4, 2020 were on small (30.2%) and medium (35.7%) sized companies. The Ryuk and Sodinokibi ransomware operations continue to target large enterprises; but there are many more smaller operations that target small- to medium-sized entities, including the Dharma, Snitch, and Netwalker ransomware operations.

Q4, 2020 Ransomware Attacks. Source: Coveware

Attacks on small-and medium-sized organizations tend to be easier to pull off, as access controls tend to be simpler and it is less common for 2-factor authentication to be implemented. These organizations also tend to have less robust backup systems, which makes data recovery without paying the ransom problematic. Oftentimes backups are performed, but they do not cover all systems, or the backups are not tested to make sure file recovery is possible. It is also common for cybersecurity best practices such as network segmentation not to be followed.

These organizations have less money available to devote to cybersecurity and often have a lack of skilled in-house cybersecurity professionals. It is also common for them not to view themselves as being targets for hackers. Medium sized healthcare organizations are undoubtedly a sweet spot – Attacks are easier as defenses are poorer, so less skill is required to breach defenses. That means they are attractive targets for the affiliates of many of the smaller ransomware operations. These organizations are also likely to have the funds available to pay reasonably high ransom demands.

How Can Small- and Medium Sized Healthcare Organizations Improve their Security Posture?

Preventing attacks with limited resources can be difficult, so it is important to concentrate on the main attack vectors. The initial aim is not to make it impossible for systems to be compromised. The initial aim should be to make small changes to improve defenses to make attacks harder.

Phishing is the most common attack vector so improving defenses against phishing emails will go a long way toward improving your security posture. An advanced email security solution will help to block more phishing emails for a relatively low cost. Employee security awareness training will help to make employees aware of cyber threats. The importance of training employees to identify phishing emails cannot be overstated. Strong passwords need to be set and 2-factor authentication should be implemented on all username-password systems, with a password manager like Bitwarden being essential to ensure complex passwords are used, passwords are not shared, and to prevent phishing.

RDP compromise is also a common attack vector. Start with changing default ports, locking out individuals after a set number of failed logins to block brute force tactics to guess weak passwords, and use whitelists to restrict access. Also ensure you apply patches and perform security updates promptly to correct known vulnerabilities. If it is not possible to apply patches, ensure those systems are not Internet facing and segment networks to hamper lateral movement and limit the harm caused if systems are breached.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.