The most vulnerable sector to cybersecurity attacks isn’t Wall Street, the military, or even Silicon Valley. It’s our healthcare system.
by: Marc Castejon
photo: Anna Katina
At 7:44 am (UTC) on May 17, 2017, a ransomware virus was released in Asia that spread to over 200,000 computers in 150 countries, shutting down thousands of healthcare systems and causing over a billion dollars in damage. All in less than 24 hours. Two years later, the number of fatalities still remains unknown. Today, this is known as the infamous WannaCry attack and has so far resulted in a grand total of zero arrests.
Since then, government agencies have been working overtime to harden the cybersecurity of their respective healthcare industries, but with little success. In the following year, over a third of all ransomware attacks targeted the healthcare industry, double that of the second most targeted – manufacturing.
Fast forward to 2020 and the COVID-19 pandemic has simply served to encourage cybercriminals in their attacks on healthcare facilities. In March alone, attacks against the World Health Organization have more than doubled. Hospitals in the Czech Republic have been forced to cease operations at the height of the virus’s spread. And the president of the European Commission, Ursula von der Leyen, has released a video statement warning of the unprecedented levels of online fraud and cybercrime that seek to profit off of the public’s panic.
“They follow us online and exploit our concerns about the coronavirus. Our fear becomes their business opportunity,” said von der Leyen. The sad reality is that the more desperate we are, the more likely it is that an attack will be successful. From a hacker’s perspective, our weakest moment is also our most vulnerable. While hospitals face enormous strains on their resources, the only way to effectively prevent attacks is by turning this challenge into an opportunity to further invest in cybersecurity protections and partnerships.
How to Respond
Far too often, we find that our clients limit the scope of penetration testing to the issues that they think they can successfully pass. While there may be a reason for this decision (e.g. there’s no point in taking a test you already know that you’ll fail), this approach can also breed a sense of complacency and false security. Instead, at Silent Breach, we encourage our clients to build their scope around the most realistic attack vector, rather than the most simplistic or tidy route. In these times, more than ever, it’s crucial to build our cybersecurity programs with the main objective of protecting against real-life threats, instead of mere compliance with company or industry policies.
Perhaps the best example of this reluctance to test against realistic, yet unsatisfying, scenarios can be found in regard to simulated social engineering campaigns. Time and again, Silent Breach data suggests that the weakest link of nearly every organization is its people. Using simple, yet effective techniques, Silent Breach ethical hackers have found that a layered attack — combining phishing, vishing, as well as targeted spearphishing attacks — can critically breach 90% of businesses within one week, all without writing a single line of code. The reality is that it’s far easier (and cheaper) to fool people than it is to fool a machine. By leaving this out of our own scope, we ensure that hackers will include it in theirs.
In other words, it’s precisely in the areas where we are the most vulnerable and at the moment when we are the most desperate that hackers will focus their attacks. With that in mind, we encourage every organization to think like their attackers, consider their weakest links, and turn that output into the scope of their next security tests, resource allocations, and training sessions. And remember: “That’s out of scope,” said no attacker ever.