Rx for Resilience: Building Defenses Against Supply Chain Attacks in Healthcare


As threat actors' goals of securing as much ransom money and sowing as much discord as possible continue to grow, one of their preferred methods for accomplishing those goals is to target the supply chain.

Supply chain attacks enable bad actors to threaten multiple organizations with just one attack by exploiting third-party vendors, like software providers, who have access to their customers’ systems. The nature of the original attack on the third-party vendor can range from social engineering tactics like phishing to exploiting unpatched software vulnerabilities, but what makes them so effective is the trickle-down effect that comes later. When one vendor is compromised, everybody in their system is at risk, and attackers will often pursue industries that have long, entangled supply chains — like healthcare.  

Attacks on the supply chain pose an especially significant threat to our healthcare systems, with the potential to wreak havoc on our hospitals, pharmacies, doctor’s offices, and nursing homes. Arctic Wolf Labs found that the median ransomware demand in the healthcare industry last year was $450,000, but money isn’t the only thing at stake in these kinds of attacks. Bad actors holding medical data hostage and turning off medical equipment can directly threaten thousands of lives, and the longer the intrusion persists, the greater the risk. In a poll of 653 healthcare professionals conducted by the Ponemon Institute last October, two-thirds of respondents said that their organizations had experienced a supply-chain attack in the past two years, with 77% of that group reporting that the attack had disrupted patient care.  

Supply chain attacks are effective against their targets in their current form, and as organizations like hospitals and pharmacies rely more on software to manage patient data and operations, threat actors will only be more inclined to capitalize on their vendors’ weak security.  

A recent example occurred last year, when Swedish healthcare firm Ortivus, which serves as a provider for the United Kingdom’s National Health Service (NHS), suffered an attack on its systems that prevented several ambulances throughout the U.K. from accessing patient records. Those situations are untenable for victims and lead to faster payouts for attackers than they may find in other industries. But there are steps that organizations at risk can take to position themselves well against any potential supply chain attacks.

Because supply chain attacks escalate through third-party vendors, savvy security leaders should be acutely aware of the security posture of their software providers and of any other partner that an attacker could leverage against them. In practice, that means establishing a baseline set of cybersecurity standards and requiring your suppliers to follow them, like using multi-factor authentication (MFA), holding regular security trainings and implementing zero trust principles in their environment. An organization that validates these standards at least annually will be much more resilient against supply chain attacks than one that assumes its vendors are secure.

If data is compromised in a supply chain attack, though, the fallout can be minimized with proper data management, such as consistent backups, documentation, and an incident response plan that can be put into action at a moment’s notice. If a hospital, or any other organization, has an off-site cache of its data, it won’t have to acquiesce to ransom demands to unlock stolen data and can resume normal operations much faster than it otherwise could. In the world of healthcare, every second matters.


Dan Schiappa

Dan Schiappa is Arctic Wolf’s Chief Product Officer (CPO). In this role, Dan is responsible for driving innovation across product, engineering, alliances, and business development teams to help meet demand for security operations through Arctic Wolf’s growing customer base—especially in the enterprise sector. Before joining Arctic Wolf, Dan Schiappa was CPO with Sophos. Previously, Dan served as Senior Vice President and General Manager of the Identity and Data Protection Group at RSA, the Security Division of EMC. He has also held several GM positions at Microsoft Corporation, including Windows security, Microsoft Passport/Live ID, and Mobile Services. Prior to Microsoft, Dan was the CEO of Vingage Corporation.