By Jessica Amado, Head of Cyber Research at Sepio Systems
Healthcare is one of the most targeted industries for cyberattacks. Specifically, healthcare delivery organizations (HDOs) are the top target for data breaches, accounting for 73% of all such incidents[1]. Ransomware is another type of attack the healthcare sector frequently falls victim to, impacting more than 30% of HDOs in the last year[2].
Cyberattacks on healthcare providers can have extremely severe consequences due to the nature of the industry’s operations. Further, the traditional healthcare environment is becoming increasingly complex and reliant on technology, providing more entry points into HDOs. Hence, as healthcare becomes more exposed, security measures need to be amplified, and Zero Trust (ZT) is often the solution.
The cyber vaccine
ZT is a security concept that eliminates the automatic trust given to internal users and devices. By recognizing that threats also exist within the infrastructure, ZT extends beyond traditional security perimeters. ZT assumes that nothing (be it people, devices, workloads or applications) is to be trusted by default. Access to resources is based on the principle of least privilege (PLP), meaning that only those whose role requires access to a resource will receive it. To make each access decision, ZT verifies the identity of the requesting asset.
Protection gets enhanced by microsegmentation; assets must request access to each segment, thus enabling granular policy application. Segmenting the network also limits the blast radius of an attack (should there be one) by preventing lateral movement.
A stronger immune system
ZT is beneficial for HDOs as it minimizes the risk of unauthorized network access. In doing so, the thousands of devices relied on by healthcare entities, including critical IoMT, are better protected. Microsegmentation prevents bad actors from taking over devices through lateral movement. Hence, should an attacker compromise a more accessible device, say a laptop or smartphone, ZT prevents the attacker from using that device as a pathway to more valuable assets. Microsegmentation is paramount to strengthening security because, currently, 99% of lateral device-to-device communication is unnecessary and so creates a needlessly large attack surface[3].
Highly valuable data – both Personally Identifiable Information (PII) and Protected Health Information (PHI) – is also less exposed to threat actors thanks to ZT. A bad actor can’t access substantial amounts of data because of PLP and microsegmentation. Should a data breach occur, the perpetrator would have limited access to data, thereby minimizing the damage caused.
However, ZT is a security concept; it relies on a holistic approach to cybersecurity. In other words, various technologies and policies work together to enforce ZT. Hence, ZT is dependent on the efficacy of the policies and technologies implemented by the enterprise. So, just how productive is ZT when policies and technologies are inadequate?
The variant Zero Trust can’t see coming
When segmenting the network, the enterprise must ensure that assets are grouped strategically, otherwise ZT is redundant. A report by CyberMDX revealed that 93% of network segments contained a mix of medical devices and non-medical devices[3]. So, despite segmentation being implemented, medical devices are still at high risk, which counteracts the purpose of ZT.
While improper segmentation could be due to a lack of security considerations, unidentified risks might also cause such an outcome. Gaps in asset visibility prevent enterprises from fully grasping the extent of their risk posture. As a result, assets do not get properly segmented, despite the enterprise thinking otherwise. IoMTs often operate using highly vulnerable Raspberry Pis, yet this risk gets missed due to the visibility blind spot. Hence, such devices are not appropriately separated and thus put other devices at risk.
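The two failure modes above (segments that mix medical and non-medical assets, and assets the visibility tooling could not classify at all) can be audited from an asset inventory. The following is an added example written for this article, not code from Sepio Systems or CyberMDX; the inventory records, segment names and device classes are constructed, and the `unknown` class stands in for the visibility blind spot the text describes.

```python
from collections import defaultdict

# Constructed sample inventory (not real HDO data): one record per asset
# observed on the network, with the segment it sits in and the device class
# the visibility tool assigned. "unknown" means the tool could not identify it.
INVENTORY = [
    {"id": "infusion-pump-01", "segment": "VLAN-MED", "class": "medical"},
    {"id": "mri-console", "segment": "VLAN-MED", "class": "medical"},
    {"id": "nurse-laptop-07", "segment": "VLAN-MED", "class": "non-medical"},
    {"id": "hr-monitor-12", "segment": "VLAN-ICU", "class": "medical"},
    {"id": "pi-gateway-03", "segment": "VLAN-ICU", "class": "unknown"},
    {"id": "reception-pc", "segment": "VLAN-OFFICE", "class": "non-medical"},
]


def audit_segments(inventory):
    """Return {segment: {"issues": [...], "suspect_assets": [...]}}.

    A segment is flagged "mixed" when medical and non-medical assets share it
    (the 93% finding), and "unclassified" when it holds assets whose class is
    unknown (the visibility gap). Only segments with at least one issue are
    returned; suspect_assets lists the non-medical and unknown assets that
    should be moved out or identified before the segment is trusted.
    """
    by_segment = defaultdict(list)
    for asset in inventory:
        by_segment[asset["segment"]].append(asset)

    findings = {}
    for segment, assets in sorted(by_segment.items()):
        classes = {a["class"] for a in assets}
        issues = []
        if {"medical", "non-medical"} <= classes:
            issues.append("mixed")
        if "unknown" in classes:
            issues.append("unclassified")
        if issues:
            suspects = [a["id"] for a in assets if a["class"] != "medical"]
            findings[segment] = {"issues": issues, "suspect_assets": suspects}
    return findings


def flagged_segment_ratio(inventory):
    """Fraction of segments with at least one finding (comparable to the 93%)."""
    total = len({a["segment"] for a in inventory})
    return len(audit_segments(inventory)) / total if total else 0.0


if __name__ == "__main__":
    for seg, f in audit_segments(INVENTORY).items():
        print(f"{seg}: {', '.join(f['issues'])} -> {f['suspect_assets']}")
    print(f"flagged segments: {flagged_segment_ratio(INVENTORY):.0%}")
```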
Visibility issues mean that ZT can be bypassed even when it is properly enforced. The technologies that ZT relies on fail to cover Layer 1, a gap exploited by hardware-based attacks. Rogue Devices – which operate on Layer 1 – take advantage of the gaps in asset visibility by spoofing legitimate devices. In doing so, ZT grants access to the requested resource because the device’s true identity is not recognized. By impersonating legitimate devices, Rogue Devices bypass the principles of PLP and microsegmentation and move laterally across the network. An attacker only needs to compromise one device to initiate their attack, and the accessibility of HDOs minimizes the challenge. The perpetrator can simply walk into a healthcare entity, swiftly attach a compromised USB device to one of the many endpoints and walk out – all without raising alarms.
Infected and undetected
The ability of bad actors to bypass ZT through a hardware-based attack is a significant threat to HDOs. PII and PHI are entirely exposed and subsequently sold on the dark web for identity fraud. Identity fraud using PHI is extremely difficult to mitigate as this information is ingrained within us and cannot be changed. Moreover, the identity thief can put the victim’s life at risk if they use the stolen identity to obtain prescription medication.
Bypassing ZT means attackers can gain access to, or control over, IoMTs through lateral movement. An attack on these cyber-physical systems threatens patient safety as IoMTs carry out critical tasks, such as heart-rate monitoring, IV infusion, MRI scanning, and more. Should IoMTs become inoperable due to a ransomware attack, life-saving treatment cannot be administered. The consequences of ransomware attacks on IoMTs are severe, even fatal.
Conclusion
In today’s technologically advanced world, an HDO’s cybersecurity capabilities directly impact patient care. Adopting a ZT approach will greatly enhance the security posture of these advanced, complex environments. However, the efficacy of ZT depends on asset visibility, and this is a major challenge. To ensure enterprises implement appropriate policies, and that the ZT architecture makes accurate access decisions, there must be complete asset visibility. You can’t protect yourself from something you don’t know exists, and just because you’re asymptomatic, it doesn’t mean you aren’t infected. HDOs know this better than anyone, and it’s time to apply the same concept to cybersecurity.
About The Author
Jessica Amado is Head of Cyber Research at Sepio Systems, where she researches and covers multiple aspects of hardware-related cyber threats. She is a Regent’s University London graduate with First Class Honours in Global Business Management with Leadership and Management and holds an IDC Master’s in Government with Specialization in Homeland Security and Counterterrorism.
[1] Fortified Health Security. 2021 Mid-Year Horizon Report. 2021.
[2] Sophos. The State of Ransomware in Healthcare 2021. 2021.
[3] CyberMDX. The Big Healthcare CIO Factbook. 2021.