Attackers are getting more polished in their approach. Crane Hassold of Abnormal Security talked with Chief Healthcare Executive about the evolving threats and what health systems should be doing.
The cybersecurity landscape continues to evolve, making it more challenging for healthcare organizations to protect themselves and their patients.
Hundreds of healthcare data breaches were reported in 2022, affecting millions of Americans. Experts warn that for most health systems, cyberattacks are almost inevitable.
Attacks are becoming more polished, and are increasingly targeting organizations by impersonating vendors and other third parties, said Crane Hassold, the director of threat intelligence at Abnormal Security, a cybersecurity firm.
It’s part of the growing threat of business email compromise, in which bad actors send messages that appear to come from a legitimate or trusted source. Attackers will mimic a vendor and could send an invoice seeking payment to a different address. Hassold said there’s been a “big pivot” to third-party impersonators, as opposed to actors pretending to be CEOs or other company executives.
“We've just seen an absolute boom in those this year,” Hassold said. “And when you look at why that is, you know, I think it's pretty clear that, that cybercriminals have identified third parties as a soft target that they can use to, you know, launch follow up second stage attacks with.”
Hassold spoke with Chief Healthcare Executive about evolving cybersecurity threats, how attackers are targeting human behavior, and what healthcare leaders can do to better protect themselves.
‘More sophisticated attacks’
Healthcare organizations have seen business email compromise for years, but attackers are taking different approaches. They’re moving away from pretending to be CEOs and asking unsuspecting employees to purchase a bunch of gift cards.
“Now we have sort of these much more sophisticated attacks that are leveraging third party impersonations that sort of go against the grain of what we've taught people to be looking out for,” Hassold said.
Hospitals are especially vulnerable to attackers posing as vendors or other third parties. Health systems can have hundreds of vendors supplying various goods and services.
And bad actors know some vendors may not have the resources to employ robust cybersecurity defenses, Hassold said.
“They’re a little bit of an easier target,” he said.
Cybercriminals will sit in the mailbox of a vendor and collect intelligence, Hassold said. They will learn who the vendor’s customers are, when payments are due, and they’ll gain an understanding of normal communication patterns. Then they’ll steal real invoices and ask the organization to pay them, albeit to a different address.
These communications from attackers are much more convincing than the suspicious emails of years past, which would be rife with incorrect spellings and grammatical errors.
“The question goes from, who would actually fall for one of these, because all those red flags are usually there, to who wouldn't fall for one of them? Because they are much more realistic looking than some of the other sort of traditional BEC attacks, because they're using all of that real world intelligence they've been collecting for days, weeks or months,” Hassold said.
Third-party impersonation attacks pose a difficult challenge for healthcare organizations, because the organization “has absolutely no chance of stopping the initial malicious email that started the whole chain, because it's happening at a completely separate organization.”
Many of these emails from attackers don’t have attachments or links, Hassold said. Those that do contain links may use “very dynamic” ones, he said, with a different URL in each email that is sent.
Organizations need to employ strong cybersecurity defenses to detect such threats.
“The biggest thing is, regardless of the organization, making sure that its defenses are in place that are equipped to detect today's attacks, that are very different than what we saw, like, 10 years ago,” Hassold said.
Healthcare organizations must have a good understanding of their third-party ecosystem, and all the suppliers and vendors they are using. Hospitals also need to ensure that their vendors are deploying a certain level of defense against cyberattacks.
“The larger that ecosystem is, the higher the chance of one of those suppliers getting compromised, and trying to exploit you as an organization,” Hassold said.
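The pattern this section describes (a real invoice arriving from a vendor's own, compromised mailbox, with only the payment details changed, or from a lookalike domain, and often with no link or attachment for a filter to catch) is easiest to counter in accounts payable rather than in the mail gateway. The check below is an added example written for this article, not code from Chief Healthcare Executive or Abnormal Security: it compares each incoming invoice against a vendor master record of the sender domain and the bank account previously verified out of band. The vendor names, domains, account numbers and sample emails are constructed placeholders, and the edit-distance threshold used to call a domain a lookalike is an assumption.

```python
"""Added example (not from the article or Abnormal Security): flag vendor
invoices whose sender domain or remit-to account differs from the vendor
master.  All vendors, domains and account numbers are constructed."""
from dataclasses import dataclass

# Constructed vendor master: the domain each vendor has always written from and
# the bank account verified out of band (for example by a phone call to a
# number already on file, not one printed on the invoice).
VENDOR_MASTER = {
    "Acme Medical Supply": {"domain": "acmemedsupply.example", "account": "1111-2222"},
    "Northside Linen Services": {"domain": "northsidelinen.example", "account": "3333-4444"},
}

# Assumption: a sender domain within this many edits of the real one is a lookalike.
LOOKALIKE_MAX_EDITS = 2


@dataclass
class InvoiceEmail:
    vendor: str            # vendor name the invoice claims to be from
    sender: str            # From: address of the email
    remit_to_account: str  # bank account printed on the invoice


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used only to tell lookalike from unrelated domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_invoice(email: InvoiceEmail) -> list[str]:
    """Return a list of reasons to hold the invoice; an empty list means it matches the record."""
    record = VENDOR_MASTER.get(email.vendor)
    if record is None:
        return ["unknown vendor: verify before paying"]
    flags = []
    sender_domain = email.sender.rsplit("@", 1)[-1].lower()
    if sender_domain != record["domain"]:
        if edit_distance(sender_domain, record["domain"]) <= LOOKALIKE_MAX_EDITS:
            flags.append(f"lookalike sender domain {sender_domain} (expected {record['domain']})")
        else:
            flags.append(f"sender domain {sender_domain} not on file for vendor")
    # A compromised vendor mailbox passes the domain check, so the payment
    # detail comparison is the only signal in that case.
    if email.remit_to_account != record["account"]:
        flags.append("remit-to account differs from verified account: confirm out of band")
    return flags


# Constructed sample invoices covering the cases the article describes.
SAMPLE_EMAILS = {
    "legit": InvoiceEmail("Acme Medical Supply", "ap@acmemedsupply.example", "1111-2222"),
    # Real mailbox, real domain, only the bank account changed.
    "compromised": InvoiceEmail("Acme Medical Supply", "ap@acmemedsupply.example", "9999-0000"),
    # Lookalike domain (capital I in place of the l) plus a changed account.
    "lookalike": InvoiceEmail("Acme Medical Supply", "ap@acmemedsuppIy.example", "9999-0000"),
    # Correct account but sent from an unrelated domain.
    "unrelated": InvoiceEmail("Northside Linen Services", "billing@freemail.example", "3333-4444"),
    "unknown": InvoiceEmail("Brand New Vendor LLC", "ap@newvendor.example", "5555-6666"),
}


def run_samples() -> dict[str, list[str]]:
    """Review every constructed sample and return the flags keyed by sample name."""
    return {name: review_invoice(email) for name, email in SAMPLE_EMAILS.items()}


if __name__ == "__main__":
    for name, flags in run_samples().items():
        print(f"{name:12s} -> {flags or 'OK'}")
```

The point of the sample set is the "compromised" case: the sender address and domain are exactly what the record expects, so only the changed remit-to account trips the check, which is why the verification has to happen against a bank detail confirmed through a channel the attacker does not control rather than against anything in the email itself.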
Targeting behavior
These attacks aren’t succeeding because of the high-tech skills of cybercriminals, Hassold said.
“I think one of the biggest misconceptions of cyberattacks today is that they're these technically sophisticated things, when, for the most part, almost every cyberattack relies on manipulating human behavior and social engineering,” he said.
In a sense, attackers are appealing to human behavior just as other con artists have done for hundreds of years.
People generally want to help, and want to please others.
“At the end of the day, the reason social engineering works is because it's preying on the core components of who we are as human beings. You know, our initial instinct when we look at an email or we are communicating with someone is to trust what we see in front of us until we have something that tells us that we shouldn't,” Hassold said.
Business email compromise attacks are “relatively simplistic,” he said. They also don’t require enormous amounts of effort.
“From the attacker’s perspective, the return on investment, the ROI, is so much higher in a BEC attack than other types of cyber attacks,” Hassold said.
What health systems can do
Healthcare leaders play a critical role in improving cybersecurity. Analysts stress that hospital executives must make cybersecurity an organization-wide priority.
“In any industry out there, in order to be able to get to the best point of defenses that you could possibly have, you have to have buy-in across the board,” Hassold said. “You have to have executives that understand what the actual impact of different types of cybersecurity incidents could be not just on data, not just direct financial losses, but on things like your brand and your reputation.”
Cyberattacks have proven to be costly to health systems. The average healthcare breach now costs more than $10 million, according to a report from IBM Security.
Beyond the financial costs, cyberattacks pose serious risks to patient care, an area that some cybersecurity experts say is worthy of greater attention. Cyberattacks have led some health systems to delay appointments and procedures. When CommonSpirit Health was hit with a ransomware attack last fall, some patient appointments had to be postponed.
Hospitals are facing more ransomware attacks, cybersecurity experts say. Attackers are also increasingly going after private health information, which they are threatening to disclose unless a ransom is paid.
“The fact that they're stealing data now, especially when it comes to health records, that makes defending against and protecting against that initial attack so much more important,” Hassold said. “Because it's not just about data access. It's about data security at the end of the day.”
Health systems should employ cybersecurity awareness training, so employees understand the risks that attacks can pose to their hospitals and their patients.
But Hassold said training “is in no way, shape, or form, a silver bullet.”
“Security awareness training is helpful to show that exposure, but if an organization is relying on that to defend themselves, then they're going to be in for a big wake up call at some point,” Hassold said.
Health systems and hospitals must commit the time and resources to protect their organizations, employees and patients, he said.
“The threat landscape is constantly evolving, and understanding the risks that are out there and what's on the horizon is just so important,” Hassold said. “Because then you can start building up your defenses proactively, instead of always having to play catch up.”
“The biggest thing is just making sure that you have the right defenses in place to defend against today's modern cyber threats, which are much more focused on social engineering than on malicious attachments and malicious links and things like that.”