Key Takeaways:
- Attackers are using AI tools to develop more sophisticated phishing emails that can fool people into clicking on malicious links.
- Unpatched vulnerabilities in software used by vendors and third-party providers are a major source of risk for hospitals and health systems.
- Over 80% of attacks reported to the federal government originate from entities other than hospitals and health systems, highlighting the risk from third-party vendors.
- Hospital CEOs and boards are focusing more on cybersecurity and the risks from vendors, and there is greater sharing of intelligence from federal authorities about threats.
- Cybersecurity is an ongoing process that requires continuous effort and improvement to protect against evolving threats.
Introduction to the Threats
Attackers are becoming increasingly sophisticated in their methods, using AI tools to develop more polished "phishing" emails that can entice people to click on links they shouldn’t, allowing hackers into systems. According to Scott Gee, deputy national advisor for cybersecurity and risk, the emails from attackers are less likely to include stilted language and numerous typos, making them more convincing and increasing the risk of successful attacks. This highlights the need for hospitals and health systems to be vigilant and proactive in their cybersecurity efforts.
The Role of Social Engineering
Attackers are also using social engineering to deceive the "help desk" of information technology departments, with some hackers posing as company leaders and persuading the help desk to give them access to the organization. This tactic relies on the helpful nature of help desk staff, who may not be able to confirm the true identity of the person they are assisting. As Gee notes, "They call to impersonate the CEO and know everything about the CEO. And the help desk being helpful, resets their password and enrolls their new multi-factor authentication device." This highlights the need for robust identity verification before a help desk resets credentials or enrolls a new authentication device.
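A detection rule for the help-desk scenario described above, added here as an illustration and not taken from the article or any vendor product: it scans constructed identity audit events and flags a watchlisted account whose password reset is followed by enrollment of a new MFA device within a short window. The event field names, the watchlist and the one-hour window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of help-desk / identity-provider audit events (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:02:10", "user": "ceo", "action": "password_reset", "actor": "helpdesk-01"},
    {"ts": "2024-05-01T09:04:45", "user": "ceo", "action": "mfa_device_enrolled", "actor": "helpdesk-01"},
    {"ts": "2024-05-01T10:15:00", "user": "jdoe", "action": "password_reset", "actor": "helpdesk-02"},
    {"ts": "2024-05-02T14:00:00", "user": "cfo", "action": "password_reset", "actor": "helpdesk-03"},
    {"ts": "2024-05-02T19:30:00", "user": "cfo", "action": "mfa_device_enrolled", "actor": "helpdesk-03"},
]

# Assumed watchlist of high-value accounts that warrant out-of-band verification.
PRIVILEGED = {"ceo", "cfo", "ciso"}
WINDOW = timedelta(hours=1)


def find_suspicious_resets(events, watchlist=PRIVILEGED, window=WINDOW):
    """Return (user, reset_ts, enroll_ts) for each watchlisted account whose
    password reset was followed by a new MFA enrollment within `window`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["action"]))
    hits = []
    for user, evs in by_user.items():
        if user not in watchlist:
            continue
        evs.sort()
        resets = [ts for ts, act in evs if act == "password_reset"]
        enrolls = [ts for ts, act in evs if act == "mfa_device_enrolled"]
        # Reset immediately followed by a new device is the help-desk takeover pattern.
        for r in resets:
            for m in enrolls:
                if r <= m <= r + window:
                    hits.append((user, r.isoformat(), m.isoformat()))
    return hits


if __name__ == "__main__":
    for user, reset_ts, enroll_ts in find_suspicious_resets(SAMPLE_EVENTS):
        print(f"ALERT: {user} reset at {reset_ts}, new MFA device at {enroll_ts}")
```

In the sample, only the "ceo" account is flagged; "jdoe" is not on the watchlist and the "cfo" events fall outside the window.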
Unpatched Vulnerabilities
Health systems are being infiltrated through a persistent problem: attackers finding software vulnerabilities that haven’t been repaired. Unpatched vulnerabilities continue to be a major issue, with attackers routinely learning of these weaknesses almost as soon as they are disclosed and trying to exploit them. As Riggi notes, "Unpatched vulnerabilities continue to be the perennial issue." This highlights the need for hospitals and health systems to prioritize patching and updating their software to prevent attacks.
Risks from Vendors
Most of the unpatched vulnerabilities are coming from software used by vendors and third-party providers that hospitals are dealing with on a regular basis. As Riggi notes, "That unpatched software is not software that the hospitals wrote, it’s external software that we are constantly trying to keep up and patch." This highlights the need for hospitals and health systems to carefully assess the cybersecurity risks associated with their vendors and third-party providers. The Change Healthcare cyberattack offers a chilling example of the risk to hospitals from vendors and business partners, with nearly all hospitals affected by the attack.
The Importance of Preparation
With so many hospitals being affected by cyberattacks, even those aimed at third parties, Riggi says health systems are paying more attention to the risk of disruptions from breaches. Hospital CEOs and boards are focusing more on cybersecurity and on the risks from vendors. However, as Riggi notes, "The question, we always say, is not if you will be attacked, but how prepared are you?" This highlights the need for hospitals and health systems to have solid plans in place to maintain operations when breaches occur.
The Ongoing Pursuit of Cybersecurity
Cybersecurity is not a one-time achievement, but an ongoing process that requires continuous effort and improvement to protect against evolving threats. As Riggi notes, "Cybersecurity is not an end state. Cybersecurity is a process. It is ongoing. It’s iterative. You have to keep doing it, and it’s absolutely critical for hospitals and the healthcare sector to understand that and do their best to themselves and their patients and their communities." This highlights the need for hospitals and health systems to prioritize cybersecurity and make it an ongoing part of their operations. By doing so, they can reduce the risk of successful attacks and protect their patients and communities.