Protecting Healthcare from Cyberattacks - Who's Next?
Transcript of Protecting Healthcare from Cyberattacks - Who's Next?
Chris Montgomery, Solutions Architect, Proofpoint
Ryan Witt, Managing Director & Healthcare CISO, Proofpoint
DISCLAIMER: The views and opinions expressed in this presentation are solely those of the author/presenter and do not necessarily represent any policy or position of HIMSS.
#HIMSS21
Welcome
Ryan Witt, Managing Director & Healthcare CISO, Proofpoint, Inc.
Chris Montgomery, Solutions Architect, Proofpoint, Inc.
Healthcare Overview
The leader in protecting people from advanced threats and compliance risk
Magic Quadrant leadership across: Secure Email Gateway, Information Archiving, Security Awareness Training, Cloud Access Security Broker (Leader for 7 consecutive years; Leader for 6 consecutive years; Leader for 7 consecutive years; Leading Visionary)
Healthcare Advisory Board: Enhancing knowledge of HC security challenges
Trusted protection partner for health institutions:
• 70% of 10 largest health systems
• 60% of top 30 not for profits
• 80% of top 20 hospitals
• 50% of top 10 children’s hospitals
• 70% of the “Blues”
• 74% of HC accounts in F100
• 60% of twenty largest pharma orgs
Cybersecurity Current State
2020 Was All About People Being Attacked…
2020 Cybersecurity Survey
…And The Impact On Patient Safety…
2020 Cybersecurity Survey
…And the Initial Point of Compromise
2020 Cybersecurity Survey
89% via email
2021?? Same Story, Different Year
• 2021 Data Breach Investigation Report (DBIR)
• Significant pivot from network to people based attacks
Targeted Threat Landscape by Attack Type: 2020 – 2021
Spoiler Alert – it’s all about people being attacked
BEC: 51%
Everything else: 49%
It’s Not Just Ransomware…
Ransomware: 90% of successful attacks via email (Source: Coveware Q4’20 Ransomware Report)
BEC: Larger losses than all other threats combined (Source: FBI/IC3)
Data Breaches: 85% involve human element (Source: 2021 Verizon DBIR)
Top 3 enterprise risks are all people-centric
Supplier Fraud Accounts for Healthcare Largest Losses
(Chart: Supplier Fraud vs. Other BEC variants)
Source: Proofpoint/HIMSS: Addressing supply chain risk and patient safety, 2021
97% of monitored healthcare organizations have received a threat from a supplier domain via impersonation or BEC
Average healthcare organization received 200K emails from over 10K different domains
98% received an email-based threat
Modern Threat Landscape
More complex multi-stage threats
Malicious URLs from file shares in Q4 2019 (chart: SharePoint, OneDrive, Office Forms, All Others)
53.7% of malicious URLs from legitimate file shares from Microsoft
Attacker Innovation: RYUK Infection Chain
Source: Proofpoint threat data
98% of Proofpoint customers attacked by a supplier/vendor
59,809,708 malicious messages from Microsoft in 2020 from 2,510,154 compromised accounts
Microsoft still not stopping many threats, but enabling millions
Compromised accounts fuel the entire threat landscape
Changing nature of work creates perfect storm for insider risk
Source: Proofpoint research
31% increase in insider threat incidents
$11.45M average incident loss
Source: Ponemon Institute, 2020 Cost of Insider Threats Global Study
Work From Anywhere Accelerates Risks
Real World Healthcare Attack Examples
How COVID-19 Impacted Cybersecurity
• Initially, a significant portion of campaigns featured COVID themed lures
• Early-stage campaigns focused on stoking a strong emotional response – PPE, ventilators
• Mid-stage campaigns focused on tax rebates, government policy updates, work from home incentives
• Late-stage lures focused on delivery service, vaccines, etc.
Case Study – Pharma Life Science
• From TA505, known for large scale crimeware campaigns
• Favored malware – SDBot RAT and Get2 Downloader
• Targeted pharma market (78% of 250K message campaign)
• Focused on COVID-19 clinical researchers
Case Study – Health Insurers
• Lure – “Updating Our Privacy Policy Settings”
• Email spoofed to make it look like it comes from “Blue Cross Blue Shield Association”
• Link to a cloned portal purporting to be from Blue Cross Blue Shield of Michigan
• Goal – credential harvesting
Case Study – Targeted Credential Phishing (Provider)
© 2019 Proofpoint. All rights reserved
• Low volume, highly targeted
• Lure – Imposter email purporting to come from institution CEO re COVID travel restrictions
• Requested employees to download document from spoofed Microsoft website
• Once credentials provided, redirects to genuine WHO website to substantiate lure
• Goal – Credential Phishing
Case Study – Children’s Hospital
• Lure – “Get Your Economic Stimulus Payment”
• Use of Social Engineering – referenced “US CARES Act”
• Target – pediatric care institutions
• Goal – PII / PHI, presumably for identity theft
Who in Healthcare is Being Attacked
Getting to Know Healthcare’s Very Attacked People
Attacker’s View of 10 Hospital Health System
The Malware Elephant in the Room
The Plague of Ransomware
“But the fact remains, despite the best possible efforts, our nation’s health-care providers — and all organizations — remain vulnerable to threat actors.”
https://www.sandiegouniontribune.com/opinion/commentary/story/2021-06-10/opinion-scripps-ransomeware-attack-cybersecurity
How Does Ransomware Enter Healthcare
Clicks on Malicious Messages Represent Attacker Success
How Cyberattacks Become a Patient Safety Issue
Ransomware Explodes in Q2 2021
Who Are Ransomware Actors Targeting?
Spoiler Alert – it’s all about people being attacked
Attackers Focus on Release of Information Department
Spoiler Alert – it’s all about people being attacked
Ransomware Actors Feel the Heat
Recommendations
• Adopt a people-centric security posture
• Use data on who’s being attacked to influence security strategy
• Train users to spot and report malicious emails
• Deploy robust email security and ability to prevent exfiltration (DLP)
• Build strong business email compromise defense system
• Adopt Zero Trust to enable remote working
• Isolate risky websites, URLs, and “happy clickers”
• Secure O365 and other cloud apps
Thank you!
Ryan Witt, Managing Director & Healthcare CISO, Proofpoint, Inc.
Email: [email protected]
Twitter: @WittRZ
LinkedIn: https://www.linkedin.com/in/ryanzwitt/