In 2023, the healthcare sector was hit with more formidable and complex challenges than ever before. We saw it splashed across media outlets far too often: Highly sophisticated, relentless cyber-attacks on healthcare organizations (HCOs).
But have you noticed that the undertone of this news commentary is often one of helplessness?
At ClearDATA, we don’t buy into that narrative. We believe healthcare defenders like you can approach the risk of cyber attacks with a different mindset – once you have the right intel to stand proactive and ready.
While increases in attack frequency, sophistication, and targeting scale are undeniable, together with our Managed Detection & Response (MDR) team, we advocate for meeting these threats proportionally, with a deep understanding of the specific threats to HCOs and their supply chains informing defensive posture choices and key strategies.
We’ve drawn these insights from over a decade of collaboration while defending numerous U.S. healthcare organizations. Just as advanced persistent threats (APTs) move fast and retain the flexibility to outpace defenders and achieve their goals, defenders must also work smarter and efficiently to navigate bureaucracy and maximize mitigation actions to respond appropriately to developing security events.
First, let’s take a look at the key 2023 threat trends we found in our reporting and then we’ll dive into how to address them.
2023 Key Trends
- Ransomware dominance: Although healthcare slid from the top targeted sector in volume, ransomware against healthcare organizations remained a costly, highly prioritized threat due to high tempo, high impact campaigns seen from APTs such as LockBit, BlackCat, CL0P, and newcomers like Rhysida.
- AI and LLM Impact: Several opportunities and threats presented themselves for both malicious actors and cybersecurity defenders as artificial intelligence (AI) and large language model (LLM) tools facilitated the acceleration of development, scripting, and other capabilities.
- Attack surface awareness: The average time for threat actors to exploit a new vulnerability has fallen to under 24 hours, emphasizing the need for intelligence-driven security operations and mitigation strategies.
- Identity and Vulnerability Management: 2023 attack data showed significant trends involving user identity compromise and IAM abuse, as well as exploitation of critical or zero-day vulnerabilities in public internet-facing resources, often through supply chain or third-party vendor components.
- FBI seizes Hive ransomware group resources, releases decryptor for victim recovery.
- CL0P zero-day campaigns – 2700+ victims, PII/PHI of ~84 million individuals
- AI competition and the release of internet-connected Google Bard assistant
- Unprecedented TTPs: BlackCat (and later LockBit) uses nude patient medical photos as ransom leverage.
- Rhysida ransomware group conducts a forty-day attack against a provider HCO (Q2), showcasing the effectiveness of the Ransomware-as-a-Service (Raas) model, as well as the worst-case scenario of medical operational disruptions.
- AI oversight concerns were addressed in the U.S. Senate by a subcommittee that proposed the implementation of new safety standards, regulations, and monitoring in a cybersecurity model similar to FDA regulations.
- Critical vulnerabilities, supply chains, and libraries – several emergent vulnerabilities, vendor gaps, and zero-days all upped the intensity and difficulty for healthcare cybersecurity responders attempting to prioritize resources and defensive response efforts.
Now that we have a clearer picture of cybersecurity trends…what can we do about them?
Often, defenders are resource-constrained and lack staffing or specialized expertise to deploy and manage comprehensive cybersecurity solutions at the necessary operational tempo. Between actor dwell times, which are documented as dropping below 24 hours in 2023, and the average organization’s resolution time of 4-5 days, there is more pressure than ever for efficient response from security teams to match the pace of today’s threat actors.
One action healthcare organizations can take is to expand their capabilities through partnerships with security providers capable of abstracting complex technical actions, such as incident response or threat intelligence that aren’t necessarily feasible to staff in-house. Whether it’s deploying and managing EDR agents, implementing attack surface monitoring to gain visibility into exposed resources, or building out a vulnerability management program, experienced strategic partnerships can accelerate the lift as HCOs bolster their security posture.
ClearDATA MDR’s multi-cloud security experience has helped our partners to reduce complexity, implement practical, effective security measures, and securely adopt cloud services. This experience has culminated in our 2023 Healthcare Threat Report, helping orient today’s healthcare cybersecurity leaders with a no-nonsense assessment of the U.S. healthcare cyber threat landscape.
In 2023, ClearDATA MDR’s team of security professionals:
- Responded to over 1,600 threat investigations throughout 2023, averaging well under 24 hours for resolution time. In terms of full-time employee (FTE) resources, this averages to a savings of 320 hours per customer—the equivalent of two full months of focused FTE effort.
- Hunted nearly 200 targeted threats on behalf of our customers. At a conservative 3 hours per hunt, this represents on average 9 hours per week of cybersecurity research focused specifically on elevated threats to the healthcare sector, which are then operationalized (as relevant) through ClearDATA MDR’s customer threat advisory products.
As the trends shown throughout 2023’s threat landscape continue to ripen in 2024, we hope that healthcare cybersecurity leaders find useful leverage from the data-driven insights of this report. By focusing on understanding adversaries, adopting intelligence-driven strategies, eliminating visibility gaps, and prioritizing defensive fundamentals, healthcare defenders can enhance their ability to safeguard patient data and critical workloads in the cloud.
Generative AI, though still evolving, has already shown that HCOs must adapt by executing a comprehensive strategy of security fundamentals or risk becoming “low-hanging fruit” for RaaS-distributed, AI-assisted cybercriminals seeking to cash in on lucrative PHI. Helplessness can easily develop into a conditioned response, with budgetary or staffing challenges as a perpetual focal point for blame, and fostering an at-risk environment for targeting by threat actors.
We believe that a direct, purposeful approach to address these threats preemptively can enable healthcare defenders to respond to challenges with the right tools, and most importantly, the right strategy for success, regardless of budget or headcount.
In the words of the Roman philosopher Seneca, “The important thing about a problem is not its solution, but the strength we gain in finding the solution.”