Hospital Resiliency
Landscape Analysis
Study Objectives
This report discusses the dramatic increases in cyber-attacks on the HPH Sector intended to disrupt the care continuum. The Landscape Analysis conducted a deeper investigative study into the methods that cyber adversaries are using to compromise US hospitals, disrupt operations and extort for financial gain. It then benchmarked these results against specific practices of the Health Industry Cybersecurity Practices (HICP) in order to outline the most meaningful protections against these specific threats.
The study’s two objectives were:
- To develop a clear understanding of the current cybersecurity capabilities and preparedness across participating U.S. hospitals, as well as their ability to combat cyber threats
- To share the analysis and findings with the HSCC CWG for consideration as one of several inputs for informing prioritized cybersecurity practices for U.S. hospitals, as well as other considerations the U.S. government might undertake to improve U.S. hospitals’ cybersecurity resiliency
Threats Identified
The Landscape Analysis included a review of active threats attacking hospitals and the cybersecurity capabilities of U.S. hospitals. Included within the Landscape Analysis are the results of investigations into:
- The tactics and techniques that threat actors use to compromise hospitals
- The current state of participating hospital cybersecurity resiliency (using the Health Industry Cybersecurity Practices (HICP) as a framework).
Summary:
Threat Analysis
The assessment, based on the data sources used, identified numerous cybersecurity threats to U.S. hospitals such as:
- Ransomware and Ransomware-as-a-Service (RaaS) attacks
- Cloud exploitation by threat actors, with data suggesting a 95% increase in cloud exploitation cases from 2021
- Phishing/Spear-Phishing attacks, specifically those attacks that overcome MFA through social engineering
- Software and zero-day vulnerabilities
- Distributed Denial of Service (DDoS) attacks
Threat Analysis – Key Take-aways
- Human Directed Attacks make up 71% of attacks
- Access Broker theft, used by the human-directed attacks, is up 112%
- Time to move off initial intrusion point is 1 hour 28 minutes (this is the lateral movement off the originally compromised host to another state to obfuscate)
Data Set | Demographic Background of Data |
---|---|
CHIME Data | |
Censinet/AHA/KLAS Study | |
2023 H-ISAC Threat Study | |
HC3 Threat Data | |
Verizon 2022 DBIR Report | |
Key Observations
The analysis from the two (2) quantitative studies combined with participating hospital conversations resulted in a series of 10 key observations:
- Directly targeted ransomware attacks aimed at disrupting clinical operations are an outsized and growing cyber threat to hospitals
- Variable adoption of critical security features and processes, coupled with a continually evolving threat landscape, can expose hospitals to more cyber-attacks
  - Adoption of MFA is taking place in over 90% of surveyed hospitals. Why not 100%?
  - 89% of the hospitals surveyed indicated that they were conducting regular vulnerability scanning at least on a quarterly basis
  - 86% of the hospitals surveyed responded that their users are informed and trained on performing their cybersecurity-related duties and responsibilities
- The delivery of in-home care, accelerated by COVID-19, is growing and expanding the cyber threat landscape
- Hospitals report measurable success in implementing email protections, which is a key attack vector
- Supply chain risk is pervasive for hospitals. Only 49% of hospitals state they have adequate coverage in managing supply chain risk
- Medical devices have not typically been exploited to disrupt clinical operations in hospitals
- There is significant variation in cybersecurity resiliency among hospitals
- The use of antiquated hardware, systems, and software by hospitals is concerning
  - 96% of small, medium, and large sized hospitals claim they were operating with end-of-life operating systems or software with known vulnerabilities, which is inclusive of medical devices.
- Cybersecurity insurance premiums continue to rise
  - On average, cybersecurity premiums increased by 46% in 2021. Five of fifty-six hospitals surveyed in 2022 experienced increases of more than 100%, whereas 32 experienced increases just below 35%.
- Securing cyber talent with requisite skills and experience is challenging
- Adopting HICP improves cyber resiliency
An interesting correlation that was uncovered during analysis was a strong connection between those who have adopted HICP and robust NIST CSF coverage. This indicates that organizations that focus on HICP Practices will gain value and benefit towards managing implementation of the NIST CSF cybersecurity framework.
NOTE: For the purposes of this study, the scope was narrowed to those activities that protect access to patient care and safety and reduce the negative impact of cyber threats on clinical operations. Breaches of sensitive data, although equally important, are not the focus of this study unless the breach has a direct impact on patient care and safety.
Correlation of HICP and NIST Coverage
Quantified Association of HICP Coverage
Landscape Analysis: HICP Practice Adoption
No Action Required - Significant Progress Made | Urgent Improvement Needed | Additional Research Required | Further Attention Required (Not Urgent) |
---|---|---|---|
 | | | |
The HICP Publications specifically address the above areas identified as “Urgent Improvement Needed”.
Technical Volumes 1 and 2 provide detailed information and guidance to assist your organization with your own review of your current state.
Industry Coverage of HICP
Based on the Censinet/AHA/KLAS Study 2023, on average, hospitals claim to have 72.05% of the HICP practices covered, with email protection having the highest coverage and medical device security the lowest.