Protecting Healthcare from Cyberattacks - Who's Next?

Post on 11-May-2022


Transcript of Protecting Healthcare from Cyberattacks - Who's Next?

Protecting Healthcare from Cyberattacks - Who's Next?

Ryan Witt, Managing Director & Healthcare CISO, Proofpoint
Chris Montgomery, Solutions Architect, Proofpoint

DISCLAIMER: The views and opinions expressed in this presentation are solely those of the author/presenter and do not necessarily represent any policy or position of HIMSS.

#HIMSS21

Welcome

Ryan Witt, Managing Director & Healthcare CISO, Proofpoint, Inc.
Chris Montgomery, Solutions Architect, Proofpoint, Inc.

Healthcare Overview

The leader in protecting people from advanced threats and compliance risk

Magic Quadrant leadership across:

• Secure Email Gateway
• Information Archiving
• Security Awareness Training
• Cloud Access Security Broker

Rankings: Leader for 7 consecutive years; Leader for 6 consecutive years; Leader for 7 consecutive years; Leading Visionary

Healthcare Advisory Board: enhancing knowledge of HC security challenges

Trusted protection partner for health institutions:

• 70% of 10 largest health systems
• 60% of top 30 not-for-profits
• 80% of top 20 hospitals
• 50% of top 10 children's hospitals
• 70% of the "Blues"
• 74% of HC accounts in F100
• 60% of twenty largest pharma orgs

Cybersecurity Current State

2020 Was All About People Being Attacked…

Source: 2020 Cybersecurity Survey

…And The Impact On Patient Safety…

Source: 2020 Cybersecurity Survey

…And the Initial Point of Compromise

89% via email

Source: 2020 Cybersecurity Survey

2021?? Same Story, Different Year

• 2021 Data Breach Investigation Report (DBIR)
• Significant pivot from network to people-based attacks

Targeted Threat Landscape by Attack Type: 2020 – 2021

Spoiler Alert – it's all about people being attacked

BEC: 51%
Everything else: 49%

It's Not Just Ransomware…

• Ransomware: 90% of successful attacks via email
• BEC: Larger losses than all other threats combined
• Data Breaches: 85% involve human element

Top 3 enterprise risks are all people-centric

Sources: Coveware Q4'20 Ransomware Report; FBI/IC3; 2021 Verizon DBIR

Supplier Fraud Accounts for Healthcare's Largest Losses

Supplier Fraud vs. Other BEC variants

Source: Proofpoint/HIMSS: Addressing supply chain risk and patient safety, 2021

• 97% of monitored healthcare organizations have received a threat from a supplier domain via impersonation or BEC
• The average healthcare organization received 200K emails from over 10K different domains
• 98% received an email-based threat

Modern Threat Landscape

More complex multi-stage threats

Malicious URLs from file shares in Q4 2019: 53.7% of malicious URLs came from legitimate Microsoft file shares (SharePoint, OneDrive, Office Forms, All Others)

Attacker Innovation: RYUK Infection Chain

Source: Proofpoint threat data

• 98% of Proofpoint customers attacked by a supplier/vendor
• 59,809,708 malicious messages from Microsoft in 2020, from 2,510,154 compromised accounts
• Microsoft still not stopping many threats, but enabling millions
• Compromised accounts fuel the entire threat landscape

Work From Anywhere Accelerates Risks

Changing nature of work creates a perfect storm for insider risk

Source: Proofpoint research

• 31% increase in insider threat incidents
• $11.45M average incident loss

Source: Ponemon Institute, 2020 Cost of Insider Threats Global Study

Real World Healthcare Attack Examples

How COVID-19 Impacted Cybersecurity

• Initially, a significant portion of campaigns featured COVID-themed lures
• Early-stage campaigns focused on stoking a strong emotional response – PPE, ventilators
• Mid-stage campaigns focused on tax rebates, government policy updates, work from home incentives
• Late-stage lures focused on delivery services, vaccines, etc.

Case Study – Pharma Life Science

• From TA505, known for large-scale crimeware campaigns
• Favored malware – SDBot RAT and Get2 Downloader
• Targeted pharma market (78% of 250K message campaign)
• Focused on COVID-19 clinical researchers

Case Study – Health Insurers

• Lure – "Updating Our Privacy Policy Settings"
• Email spoofed to make it look like it comes from "Blue Cross Blue Shield Association"
• Link to a cloned portal purporting to be from Blue Cross Blue Shield of Michigan
• Goal – credential harvesting

Case Study – Targeted Credential Phishing (Provider)

© 2019 Proofpoint. All rights reserved

• Low volume, highly targeted
• Lure – Imposter email purporting to come from institution CEO re COVID travel restrictions
• Requested employees to download a document from a spoofed Microsoft website
• Once credentials were provided, redirects to the genuine WHO website to substantiate the lure
• Goal – Credential Phishing

Case Study – Children's Hospital

• Lure – "Get Your Economic Stimulus Payment"
• Use of Social Engineering – referenced "US CARES Act"
• Target – pediatric care institutions
• Goal – PII / PHI, presumably for identity theft

Who in Healthcare is Being Attacked

Getting to Know Healthcare's Very Attacked People

Attacker's View of a 10-Hospital Health System

The Malware Elephant in the Room

The Plague of Ransomware

"But the fact remains, despite the best possible efforts, our nation's health-care providers —and all organizations— remain vulnerable to threat actors."

https://www.sandiegouniontribune.com/opinion/commentary/story/2021-06-10/opinion-scripps-ransomeware-attack-cybersecurity

How Does Ransomware Enter Healthcare

Clicks on Malicious Messages Represent Attacker Success

How Cyberattacks Become a Patient Safety Issue

Ransomware Explodes in Q2 2021

Who Are Ransomware Actors Targeting?

Spoiler Alert – it's all about people being attacked

Attackers Focus on Release of Information Department

Spoiler Alert – it's all about people being attacked

Ransomware Actors Feel the Heat

Recommendations

• Adopt a people-centric security posture
• Use data on who's being attacked to influence security strategy
• Train users to spot and report malicious emails
• Deploy robust email security and the ability to prevent exfiltration (DLP)
• Build a strong business email compromise defense system
• Adopt Zero Trust to enable remote working
• Isolate risky websites, URLs, and "happy clickers"
• Secure O365 and other cloud apps

Thank you!

Ryan Witt, Managing Director & Healthcare CISO, Proofpoint, Inc.
rwitt@proofpoint.com
Twitter: @WittRZ
LinkedIn: https://www.linkedin.com/in/ryanzwitt/