With the rise in APT attacks against healthcare, resilience needs an architecture shift
The cyber threats against the healthcare sector are no longer typical. Though ransomware and data exfiltration remain prevalent, healthcare delivery organizations should be concerned about the rise in advanced persistent threat (APT) actors. Resilience is the solution.
APT cyberattacks occur when a threat actor penetrates the network and does not immediately deploy malware or another payload. As CHIME’s National Security Advisor Lisa Gallagher said during her ViVE session, “Another Mountain to Climb on the Path to Cyber Resilience,” these actors move evasively across the network, looking for vulnerabilities and mapping out a plan to execute a highly effective attack.
“We don’t know always something is in there,” said Gallagher, noting APTs are difficult to detect. “And that’s the scariest part for me.”
APT actors emerge from the shadows
Undetected threat actor presence is a common theme in breach reports to the Department of Health and Human Services (HHS), particularly via email, legacy servers, and phishing attacks. But when tied to ransomware or other disruptive attack methods, the risks are far more severe than the loss of patient data.
In November 2021, an Indiana health system reported that the ransomware gang Vice Society had gained access to its network six months before it was detected. The attackers used that time not only to steal troves of patient data and leak it online to try to strong-arm the provider into paying a ransom, but also to disable security protections well ahead of the ransomware attack.
The actors first gained access from a malicious IP address and spread undetected across the network for months. The August ransomware attack forced the health system into electronic health record (EHR) downtime procedures for several days, which included diverting ambulances to nearby hospitals.
The Change Healthcare cyberattack that occurred last year employed similar tactics: ransomware, data theft, and hiding in the network for at least four days before deploying the payload that crippled large swaths of the prescribing network and patient care across the country. The implications are still being uncovered.
Data published in JAMA Network Open in 2023 confirm the wider impact: “Hospitals adjacent to healthcare delivery organizations affected by ransomware attacks may see increases in patient census and may experience resource constraints affecting time-sensitive care for conditions such as acute stroke.” These findings suggest that targeted hospital cyberattacks may be associated with disruptions of health care delivery at other, nontargeted hospitals within a community and should be considered a regional disaster.
According to Gallagher, provider organizations should be concerned about the patient safety impacts incurred by APT and similar types of attacks and take a more proactive approach to improve their defenses.
Resilience in healthcare needs to include cyber instances because “attacks are going to happen,” she advised. The term “resonates with the executive suite and the board of directors because we need a resilient business. We need operational resilience.” That includes cyber resilience, she added.
However, provider organizations and their leadership are still trying to determine what that means practically. For Gallagher, it starts with reframing the conversation. Risk and how it’s managed is a common conversation in the healthcare space, but leaders must talk about how their actions are contributing to operational resilience.
That can mean making changes to the architecture of the network to create “penetration resistance,” Gallagher explained. The NIST SP 800-160 Vol. 2 guidance document (“Developing Cyber-Resilient Systems: A Systems Security Engineering Approach”) describes IT architecture-focused measures that help network defenders anticipate, detect, withstand, recover from, and adapt to an APT in the network before it launches its attack.
Gallagher noted that the NIST guidance advises evaluating the way the system is currently architected and making proactive changes that would help prevent and detect APTs.
“We want to keep the threat actor out … but there’s no way we’re going to prevent 100% … then we’re in the business of detecting an active presence,” she added.
What’s also important is the post-mortem: following the chain of the attack back to the access point, or vulnerability, in order to close that security gap and prevent a recurrence. This NIST-centered approach defines resilience as a systems engineering activity or sub-discipline for creating “survivable and trustworthy systems.”
“We can take this sort of abstract construct of cyber resilience and put some concrete definition around it to understand it as an engineering discipline, which will allow us to make proactive decisions and tweak the architecture,” said Gallagher.
Why resilience requires an architecture shift for APTs
By using the NIST SP 800-160 Vol. 2 guidance, provider IT and cyber architects can create a more tangible view of what cyber resilience means for the healthcare space, including measurable benchmarks and lists of actions to enact within their environment. Gallagher noted, “No more guessing, no more trying to figure out what the term means.”
“Not only can you implement these approaches, but you can observe how well they’re working,” she added. “You can measure how well they’re contributing to cyber resilience and operational resilience.”
Given the continued APT threats against healthcare, provider organizations can no longer wait to implement measures that allow them to maintain operations, treat patients, process payments, and keep emergency rooms open. That means learning lessons from past APT penetrations and attacks and taking action now to prepare their organization for the inevitable bad day.
Leveraging frameworks to build measurable resilience
Resources in healthcare may remain constrained, but by leveraging the tools within your organization and relying on free resources from NIST, MITRE, and even the HHS Cyber Performance Goals, cyber resilience becomes more tangible, and entities can better detect and recover from APT and similar attacks.