What is it about healthcare?
Longtime readers of this blog might be experiencing a sense of déjà vu as we report, yet again, on warnings of elevated cyberattacks targeting the healthcare industry.
Throughout the spring of 2020, as COVID-19 was beginning to strain healthcare resources, there were multiple reports of high threat levels, particularly regarding ransomware, which we wrote about here and here. Rates of data breaches and intrusions ballooned along with ransomware through that year and in 2021, as we discussed here and here.
Which brings us to a recent threat brief from the U.S. Department of Health and Human Services Cybersecurity Coordination Center (HC3) about a rise in web application attack campaigns that target healthcare organizations.
Multiple contributing factors
Cybercriminals may be ethically and morally challenged, but they’re not stupid — they have good reasons to disproportionately target the healthcare industry, which really boil down to just two reasons:
- High-value data — The data available to be stolen from healthcare organizations includes private financial data about both staff and patients, along with personal medical data about patients, both of which can generate high financial return for those able to carry off a large breach.
- More vulnerabilities and attack surfaces — The healthcare industry has been slower than others to adopt new technologies and implement cloud-based digital transformation. This is partly due to reliance on large numbers of legacy medical devices running obsolete software, and, paradoxically, on the unusually high incentives to protect private data, especially medical data. While most organizations have now overcome initial resistance to migrate workloads to the cloud (due to perceived security issues), much of this transformation has occurred in a hurry, thanks to — you guessed it — the pandemic. The sudden need to implement remote-work solutions, full-featured patient portals, and advanced telehealth solutions has in some cases meant that security took second place to a concern for maintaining operations.
Minimizing application-threat risks
Despite the increased frequency and sophistication of application-layer and website threats, there are steps that IT professionals in the healthcare industry are increasingly using to combat those threats and dramatically reduce the risk of a costly and disruptive data breach.
At the top of the list is a shift, both conceptual and technical, away from using point solutions to address specific vulnerabilities or threat modalities, in favor of adopting a platform approach that integrates multiple features and capabilities to provide comprehensive protection.
For example, Barracuda Cloud Application Protection combines full web application firewall (WAF) functionality with a complete set of advanced security services and solutions that protect applications against multiple types of threats, whether they are deployed on-premises, in the cloud, or in a hybrid environment.
Whatever solution or platform you choose should have the following capabilities:
- Protection against the OWASP Top 10 list of application threats, including SQL injection, cross-site scripting, and more
- Advanced bot protection to combat the vast proliferation of highly sophisticated bots being used to launch attacks
- Comprehensive protection against all types of distributed denial-of-service (DDoS) attacks
- API protection to combat the new and rapidly spreading threat of API-based threats
- Integration with DevOps to ensure that newly developed and updated applications are secure prior to deployment
- The ability to continuously monitor security-policy compliance across your entire cloud deployment
Barracuda WAF-as-a-Service serves as a foundation for a complete web application and API protection (WAAP) platform, delivering many of the capabilities listed above. In addition — and arguably more important — it stands out from other WAF solutions by being incredibly simple to configure, deploy, and use. This makes it ideal for organizations with limited IT security budgets, personnel, and skill-sets.
Understand your risk levels
The first step for any individual organization is to gain a full understanding of where your greatest vulnerabilities lie, in order to see the scale of the risks you face and to prioritize efforts to mitigate risks.
Barracuda Vulnerability Manager is a free online scanner that anyone can use to identify their specific vulnerabilities. It generates a comprehensive report that includes specific recommendations for remediation. It takes about 2 minutes to set up. Honestly, you should use it right now.
As more healthcare organizations adopt advanced, effective protections against the latest generation of targeted threats, we may even see a day in the near future when we’re no longer publishing blog posts about that industry being a prime target for cyberattacks.