ReliaQuest is proud to announce the publication of our Health Care and Social Assistance (HSA) Sector Threat Landscape report, which provides a detailed overview of the evolving cyber threats that this industry faces. The HSA sector is an attractive target for cybercriminals due to its extensive use of internet-accessible applications, remote work infrastructure, and its storage of sensitive patient data.
In this blog post, we summarize the key themes of the report, including the top MITRE ATT&CK techniques used against this sector, the initial access techniques behind them, and our cyber threat forecast.
Top MITRE ATT&CK Techniques Targeting the Sector
Over the past year, the most common MITRE ATT&CK techniques observed in the HSA sector include:
- T1566.002 – Phishing: Spearphishing Link (51.55%)
- T1566.001 – Phishing: Spearphishing Attachment (26.75%)
- T1190 – Enterprise: Exploit Public-Facing Application (24.76%)
- T1566 – Phishing (18.09%)
- T1133 – Enterprise: External Remote Services (11.97%)
Initial Access Techniques
Attackers targeting the HSA sector primarily use spearphishing with links and attachments. Nearly 30% of incidents across all sectors began with spearphishing, and the HSA sector accounted for a disproportionate 13% of those attacks. HSA organizations are prime targets for spearphishing because of the fast-paced environment in hospitals and medical establishments, where staff have little time to scrutinize incoming messages.
Other prevalent techniques include the exploitation of public-facing applications and the abuse of external remote services. Many HSA organizations prioritize patient care over security, leading to outdated or unpatched applications, as well as legacy and end-of-life devices. These factors create easy entry points for threat actors, who exploit vulnerabilities such as unpatched software, misconfigurations, or weak authentication mechanisms to gain unauthorized access.
GreyMatter Insights
Reducing the mean time to contain (MTTC) incidents is critical for maintaining business continuity and minimizing the impact of cyber threats. The HSA sector faces unique challenges because of the critical nature of its data, strict regulatory requirements, and the potentially detrimental impact on patient health if services are disrupted by a cyber attack.
Our analysis found that:
- The average MTTC for HSA organizations using manual response strategies is approximately 2 hours and 34 minutes. This compares favorably with the 8 hours and 56 minutes recorded for organizations in other sectors that do not use automation.
- The HSA sector is more likely than other sectors to adopt automation, such as GreyMatter Automated Response Playbooks (ARPs), in its cybersecurity response efforts.
- Organizations using GreyMatter Automated Response Playbooks (ARPs) have reduced their MTTC to an average of just one minute for relevant alerts. ARPs have proven to significantly mitigate threats and minimize disruptions, allowing organizations to quickly contain threats and maintain operational continuity.
Cyber Threat Forecast for HSA Sector
Phishing and Social Engineering: The HSA sector is particularly vulnerable to phishing and social engineering attacks because of a lack of cybersecurity training, especially in publicly funded and understaffed organizations. This vulnerability is exacerbated during peak periods, such as the COVID-19 pandemic, when overworked teams may unintentionally neglect cybersecurity protocols. We expect an increase in AI-generated phishing emails and in voice- and video-based attacks. To counter these threats, HSA organizations should implement robust verification processes for sensitive requests, establish clear cybersecurity policies, and deploy advanced email filtering solutions.
Hacktivism: Hacktivist groups such as Killnet, Anonymous Sudan, and Noname057(16) have increased DDoS attacks on HSA organizations, especially since the start of the Russia-Ukraine war. To mitigate these threats, HSA organizations should ensure redundancy for critical systems, establish alternative communication channels, configure network equipment to prioritize traffic for health services, and monitor hacktivist channels for early warnings.
Infostealers: The rise in online health care data storage has led to an increase in infostealer-based attacks aimed at compromising credentials and stealing sensitive patient information. HSA organizations should adopt a Digital Risk Protection (DRP) strategy to monitor for exposed credentials, scan dark web sources, and limit session durations to reduce the risk of credential theft.
Key Takeaways
The HSA sector is at a critical juncture, confronting a myriad of sophisticated cyber threats that exploit its unique vulnerabilities. The prevalence of phishing and vulnerable remote services highlights the urgent need for advanced defensive measures. Many health care organizations, particularly those in publicly funded systems, lack robust cybersecurity training, leaving staff susceptible to phishing attacks. Additionally, the rise in AI capabilities allows threat actors to automate and streamline their operations, increasing the frequency and sophistication of phishing attacks.
The surge in infostealer-based attacks further complicates the threat landscape for HSA organizations, necessitating robust Digital Risk Protection (DRP) strategies and tailored defensive technologies. To effectively navigate these challenges, HSA organizations must invest in automation, AI-driven solutions, and proactive threat hunting to enhance their ability to swiftly detect and mitigate threats.