Ransomware, including an increase in attacks from criminal groups linked to rogue states such as Russia and North Korea, will likely continue to dominate the medical security landscape as 2023 begins and the COVID-19 pandemic fades in the rearview mirror, cybersecurity experts say.
Additionally, the proliferation of Internet of Things (IoT) devices across healthcare is likely to lead to new breaches, and privacy and security concerns surrounding web trackers such as Meta Pixel, which have already been linked to breaches, will bring the code in organizations’ web pages and apps under scrutiny, experts say.
The threats we expect to see in 2023 have evolved from what was prevalent in previous years, said Michael Hamilton, co-founder and chief information security officer at security firm Critical Insight. “Threats will continue, primarily from criminal groups known to deliberately target the health sector,” Hamilton told RPP. “However, with three nation-states currently involved in cyber-theft and extortion, a shift in tactics by state-sponsored attackers could create a new emergency.”
For example, Hamilton said: “Disruption in the health sector also serves the strategic goals of these countries. I think nation-state actors will rise as a threat priority for the sector.”
Business email compromise will be the most important HIPAA security issue in 2023, Hamilton said, adding: “[It’s] not because of regulatory penalties, but because hospitals are struggling financially, and direct financial loss can be survival-threatening for smaller organizations. [Such incidents] make more money than ransomware and are tactically easier to execute.”
Threat Resilience: Poor
Ransomware activity declined in the third quarter of 2022, according to a report released in December by cybersecurity firm GuidePoint Security. According to the report, healthcare remained among the top three targeted industries and was most frequently attacked with LockBit ransomware.
However, Rebecca Herold, President of SIMBUS360.com and CEO of The Privacy Professor, told RPP that most Covered Entities (CEs) and nearly all Business Associates (BAs) still fail to defend against ransomware.
“Instead of building and using more secure code for our applications and systems, strongly encrypting all data in storage and in transit, establishing more effective backup and recovery procedures and practices, and providing employees with more frequent and effective education on how to uncover ransomware attempts and how to react when they slip through, most organizations instead choose to either take their chances that they won’t be targeted and do nothing, or take out cyber liability insurance and assume it covers everything, including the cost of a ransomware attack. They are usually wrong,” said Herold. “Wake up! All organizations are targets.”
Herold said ransomware will continue to spread until business leaders recognize the need to invest in strong and effective security measures. These include improving secure systems engineering and coding practices, encrypting all data in storage and in transit, enhancing backup and recovery practices and tools, and providing employees with the training and education needed to stop ransomware attacks before they succeed.
David Harlow, chief compliance and privacy officer at Insulet Corporation, says ransomware’s popularity among criminals stems from the fact that it is cheap and effective. “I don’t see a decline in ransomware attacks anytime soon, especially given how easy it is to mount ransomware as a service at scale. Packages are available and the barriers to entry are low or non-existent,” Harlow said. “This underscores the need to take appropriate measures.”
Challenges posed by pixels and IoT
CEs and BAs are also failing to defend against the threats inherent in IoT usage, Herold said, adding that IoT products are increasing the attack surface and threat vectors for most organizations.
“The number of IoT products has grown from 11.28 billion in 2021 to 13.1 billion in 2022,” she said. “This is the addition of billions of mostly insecure devices that can be used to create more pathways in and out of an organization’s networks, systems, applications, and databases. They can also be used as bots to launch [distributed denial of service] attacks, to spread other types of malware, and to monitor activity within the digital ecosystem in various ways. And most of the organizations involved are completely unaware of the activities that IoT products support and perform within their digital ecosystem.”
According to Herold, IoT products are ubiquitous within most organizations, and relevant business leaders are unaware of all the IoT devices connected to their networks.
Harlow agreed that IoT devices will be an increasing threat in 2023. “Laptops as part of the email threat vector could be a big growth area,” he said.
Still, Harlow said he sees “widespread misconceptions about web tracker configuration” as the top HIPAA security issue for 2023. Several CEs have reported large-scale breaches due to misconfigured web trackers such as Meta Pixel, and OCR issued guidance on web trackers in December.
Harlow said health care organizations need to identify any active web trackers on their systems. To mitigate that risk, “self-audits are needed, with external help where necessary,” he explained.
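One way to start the self-audit Harlow describes, as an added example that is not from the article or from any of the vendors quoted in it: a small Python scanner that flags third-party tracker tags in a page’s HTML (Meta Pixel’s loader script, its image beacon and its inline init call, plus Google Tag Manager as a second well-known host). The tracker host list, the inline signature list and the sample page are constructed assumptions; the pixel id in the sample is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumed watchlist of tracker hosts (well-known tag hostnames); extend it from
# your own vendor review. Keys are compared against script/img/iframe src hosts.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel loader (fbevents.js)",
    "www.facebook.com": "Meta Pixel image beacon (/tr)",
    "www.googletagmanager.com": "Google Tag Manager / gtag",
}
# Trackers bootstrapped by an inline snippet leave no src; match the call itself.
INLINE_SIGNATURES = [(re.compile(r"\bfbq\("), "Meta Pixel inline init (fbq)")]

class TrackerAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []        # unique (tag, url, reason) tuples
        self._in_script = False   # True while inside an inline <script> body
    def _add(self, finding):
        if finding not in self.findings:
            self.findings.append(finding)
    def handle_starttag(self, tag, attrs):
        self._in_script = tag == "script"
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            host = urlparse(src).netloc.lower()   # first-party paths give ""
            if host in TRACKER_HOSTS:
                self._add((tag, src, TRACKER_HOSTS[host]))
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            for pattern, reason in INLINE_SIGNATURES:
                if pattern.search(data):
                    self._add(("script-inline", "", reason))

def audit_html(html):
    """Return tracker findings for one page; an empty list means none detected."""
    auditor = TrackerAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# Constructed sample: a patient-portal-style page carrying a Meta Pixel tag
# (placeholder pixel id) plus first-party assets that must not be flagged.
SAMPLE_PAGE = """<html><head><script>fbq('init','0000000000');fbq('track','PageView');</script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script></head>
<body><noscript><img src="https://www.facebook.com/tr?id=0000000000&ev=PageView&noscript=1"/></noscript>
<script src="/static/app.js"></script><img src="/logo.png"/></body></html>"""
```

Run `audit_html` over each page template or crawled page; any finding on a page that handles patient data is a candidate for the vendor and HIPAA review Harlow and the OCR guidance call for.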
At the same time, he reminded organizations not to neglect the basics. “Sometimes things that aren’t on anyone’s radar are things that should be on everyone’s radar, so we don’t put them on the list,” Harlow said. “One recent example is patch management to protect against the zero-day exploits we know about.”
Christopher Strand, chief risk and compliance officer at Cybersixgill, an automated, real-time dark web threat intelligence provider, said he expects cybercriminals to continue to use phishing and other social engineering attacks in 2023. These are “primarily used to take over critical systems via spoofing third-party systems and data requests that allow access to healthcare systems,” Strand told RPP.
“The goal of both methods is to gain access and deploy ransomware or exfiltrate data after a successful illegitimate data request,” Strand said. “With the numerous proposed [HIPAA] changes, 2023 may see an increase or change in medical regulations regarding ‘rights to access’ and ownership of health data. Criminals have built or evolved many data request spoofing techniques and exploits, such as using pretexts to gain access to and exploit sensitive health care data.”
Bitcoin’s price plummeted in mid-2022, leading to a decline in traditional ransomware, but cybercriminals are simply changing their objectives, Strand said, “often turning to the cryptocurrency swap market and even targeting systems that have access to real dollars, such as payroll, where they can perform low-and-slow attacks to reap benefits over time. It may be a decline, but ransomware is still prevalent and still a frequent choice when targeting healthcare systems.”
The move to the cloud poses threats
Jon-Michael Smith, health IT futurist and head of healthcare and life sciences analytics at Qlik, said that perhaps the most important data security issue healthcare organizations will face in 2023 and beyond stems from the mass migration of data and protected health information to cloud-based applications.
“Cloud-based applications offer the scalability, flexibility, and real-time decision-making that healthcare organizations need for both operational and business decisions to support better patient care, but not without strong support. It’s more important than ever to work with our vendor partners to provide data governance and meet or exceed HIPAA compliance to protect our users,” Smith told RPP.
“One of the most important things healthcare organizations can do to maintain data security is to strategically control data access. These two things can go hand in hand,” Smith added. “Data security does not have to come at the expense of data accessibility. It is possible and important to do both at the same time.”
Meanwhile, the use of outdated or unsupported IT systems within healthcare remains common, Strand notes. “Because of the cost factor in procuring the many types of healthcare systems across the industry and the need to operate with little downtime, we have always been overly reliant on stretching the life of our systems as far as possible, leaving systems in production that are no longer supported or for which security patches are no longer available,” he said.
“This situation opens the door to numerous potential vulnerabilities for cybercriminals to act on, as exploits are often reused to deliver payloads, such as ransomware, that are then executed,” Strand said. “The most important security issue is that healthcare companies need to become more proactive, prioritizing the gaps in their systems and remaining vigilant against the predictable targeting that can occur due to the nature and condition of their systems.”
Strand adds:
Phishing, ransomware emails as usual
Harlow said he sees security in healthcare organizations much like the protective measures taken during the COVID-19 pandemic. “Penetration testing and multi-layered administrative, technical and physical safeguards are like vaccines, masks, isolation and hand washing in the Swiss cheese model of COVID protection. One element of the protection system is not enough. But if you layer them all on top of each other, you’re more likely to prevent compromise,” he said.
“Things are always changing, and there are always new threats, like old wine in new bottles,” Harlow said. “The subject lines of phishing and ransomware emails can change, and there are new types of attacks all the time, but the exploit link is still a simple ‘click me.’ Most of the time, campaigns change only superficially.”