Safeguard Against Healthcare Cyberattacks With Defense In Depth

In 2024, the healthcare sector experienced significant cyberattacks, notably the Change Healthcare and Ascension cyber incidents. These attacks underscored the critical need for robust and layered security measures in healthcare and other industries. The recent breaches highlight how multifaceted and coordinated security strategies, combined with advanced identity orchestration, can protect organizations from complex cyber threats such as ransomware, fraud, and insider attacks.

In February 2024, Change Healthcare, a subsidiary of UnitedHealth Group, was hit by a ransomware attack that severely disrupted its operations. This attack, attributed to the BlackCat ransomware group, affected numerous medical practices and significantly hindered the company's ability to process patient claims and manage billing and pre-authorization services. The breach led to the payment of a $22 million ransom to prevent the leak of sensitive health information and is expected to cost the company over $1.6 billion in recovery efforts​​.

Just a few months later, Ascension Health, the largest nonprofit and Catholic health system in the United States, experienced a similar attack. The ransomware attack on Ascension disrupted clinical operations across its 142 hospitals, leading to emergency rooms being diverted, electronic medical records becoming inaccessible, and elective procedures being postponed. The attack, suspected to be the work of the Black Basta ransomware group, has raised significant concerns about patient safety and the integrity of healthcare services​.

Preventing future healthcare attacks such as those above is imperative. Layered security, also known as defense in depth, involves multiple security measures at various levels of an organization's IT infrastructure. This approach ensures that if one layer fails, additional layers provide backup protection. Key components of layered security include:

1. Perimeter Defense: Traditional firewalls and intrusion detection/prevention systems that guard the network's boundary.

2. Endpoint Security: Protecting individual devices through antivirus software, endpoint detection and response (EDR), and regular patching.

3. Network Security: Implementing secure network protocols, segmentation, and traffic monitoring to prevent lateral movement within the network.

4. Application Security: Ensuring applications are secure from development through deployment, including regular updates and vulnerability management.

5. Data Security: Encrypting sensitive data both at rest and in transit to protect against unauthorized access.

    

Identity and Access Management (IAM) plays a critical role in layered security by ensuring that only authorized users have access to sensitive systems and data. By incorporating robust governance, authentication, and authorization mechanisms, IAM helps prevent unauthorized access and minimizes the risk of security breaches. Enterprise-grade IAM platforms, like Ping Identity’s, are an essential component of a comprehensive defense in depth (DiD) strategy, enhancing the overall security posture of organizations. Here are five examples of how:

1. Access Management

   • Robust Authentication: Implementing multi-factor authentication (MFA) and continuous adaptive risk-based authentication are essential for verifying user identities and preventing unauthorized access.

   • Fine-Grained Authorization: Solutions like PingOne Authorize provide policy-based access controls (PBAC) that dynamically adapt to changing contexts and ensure only authorized users can access sensitive information​​.

      

2. Zero Trust Architecture

   • Continuous Verification: Adopting a Zero Trust model means never trusting by default, regardless of whether access requests originate from inside or outside the network. Continuous verification of user and device identities is crucial.

   • Microsegmentation: Segmenting networks to isolate and contain potential breaches reduces the attack surface and limits the lateral movement of threats within the network​​.

      

3. Advanced Threat Detection and Response

   • AI and Machine Learning: Leveraging AI-driven threat detection helps identify and respond to anomalies in real-time. AI can analyze vast datasets to detect patterns indicative of potential threats, allowing for proactive security measures​​.

   • Behavioral Analytics: User and Entity Behavior Analytics (UEBA) can monitor and analyze user activities to detect unusual behavior that may indicate a security threat.

      

4. Data Encryption

   • In-Transit and At-Rest Encryption: Ensuring that sensitive data is encrypted both during transmission and while stored helps protect against data breaches and unauthorized access.

   • Secure APIs: Implementing API security measures to ensure data integrity and confidentiality when data is accessed through APIs.

      

5. Comprehensive Monitoring and Incident Response

   • Continuous Monitoring: Implementing continuous monitoring solutions to detect and respond to threats in real-time. This includes network traffic analysis, endpoint monitoring, and anomaly detection.

   • Incident Response Plans: Developing and regularly updating incident response plans to ensure quick and effective action in the event of a breach. This includes coordination with external cybersecurity experts and law enforcement agencies.

As part of a defense in depth (DiD) strategy, advanced IAM platforms, such as the Ping Identity Platform, offer advanced identity orchestration capabilities. Identity orchestration is the automated coordination and management of cybersecurity tools, point solutions, and processes to streamline and enhance threat detection, response, and remediation efforts. Effective orchestration integrates various security measures to provide a unified defense mechanism.

• Automated Response: Orchestration tools can automate responses to certain types of threats, reducing the time to containment and mitigation.

• Centralized Management: A centralized orchestration platform, like Ping’s DaVinci, provides a holistic view of the security landscape, enabling better decision-making and quicker identification of vulnerabilities.

• Interoperability: Ensuring that all cybersecurity tools work seamlessly together enhances overall effectiveness and reduces gaps in the security posture.

   

Defense in depth (DiD) is a critical piece of a cybersecurity strategy, but to most effectively prevent breaches, fraud, and ransomware, healthcare organizations should also take the following actions: 

1. Implement MFA Everywhere: Ensure that MFA is enabled for all users, particularly for critical systems and administrative accounts. This adds an essential layer of security against credential theft.

2. Regular Security Audits: Conduct frequent audits of security policies and configurations to identify and rectify potential vulnerabilities before they can be exploited.

3. Employee Training: Educate employees about phishing, social engineering, and other common attack vectors to reduce the risk of human error leading to a breach.

4. Incident Response Planning: Develop and regularly update an incident response plan to quickly address and mitigate the impact of security incidents when they occur.

5. Utilize Advanced Threat Protection: Deploy solutions that provide real-time monitoring and analysis of security threats, enabling swift identification and response to suspicious activities.

    

The cyberattacks on Change Healthcare and Ascension Healthcare serve as stark reminders of the vulnerabilities within the healthcare sector. For CISOs, implementing a layered security strategy combined with advanced orchestration is not just an option but a necessity. By integrating robust IAM solutions, adopting a Zero Trust framework, leveraging AI-driven threat detection, and ensuring continuous monitoring and rapid incident response, healthcare organizations can significantly enhance their security posture and protect against the evolving landscape of cyber threats.

For more information, read our paper Improve and Secure Healthcare Delivery with Digital Identity.