Cyber Attacks on Enterprise Healthcare Organizations Focusing on Operations

The following is a guest article by Pascal Geenens, Director of Threat Intelligence, Radware.

Enterprise healthcare environments faced some unique cybersecurity threats, according to Radware’s 2021 Q1 DDoS Attack Report, which provides an overview of cyberattack activity experienced by a cross section of Radware’s clients during the first quarter of the calendar year 2021. It offers a pertinent analysis of distributed denial of service (DDoS) attack activity by industry, attack vector, DDoS attacks on applications, and on-premise vs. cloud mitigation.

We know from prior research by Radware that healthcare providers are focused on ensuring their healthcare data is secure and their services and applications remain online. The two areas of greatest concern for them are safeguarding sensitive data and ensuring availability. The transition to public clouds, network-connected devices and the move towards online and application-based services mean more vulnerabilities and more data breaches. And when healthcare services and applications go down, healthcare providers report that productivity/operational loss, negative customer experience and intellectual property loss result.

The recent DDoS Attack report uncovered informative trends affecting all enterprises as well as those specifically in healthcare.

Healthcare trends:

While healthcare organizations are always at risk of cyberattacks, during the first part of Q1 2021 attackers primarily focused on biotechnology and pharmaceutical organizations. The number of attacks targeting hospitals increased during the second half of Q1 2021. While these attacks on hospitals were smaller in size on average than those experienced by other industries, they still threatened the integrity of operations.

In addition, while distributed denial of service (DDoS) attacks have traditionally impacted public assets, damaging an organization’s reputation through public exposure, healthcare is different. In healthcare, attacks on back-end infrastructure are occurring more frequently during weekday business hours, with little activity over weekends or holiday periods, impacting day-to-day operations such as employees’ connectivity to cloud-based applications or remote access for those still working from home.

This led Radware researchers to conclude that the pandemic played a large part in recent cybercriminal strategies. To cope with the pandemic, organizations, including healthcare enterprises, began relying on remote operations and teleworking. DDoS actors found new opportunities in targeting the internet connectivity of organizations and their branches to impact the organizations’ productivity. Because a branch link has limited bandwidth, attackers can achieve more impact with less traffic and disrupt a branch’s or an organization’s operations.

Attacks on healthcare occurred predominantly on weekdays, with much lower activity over the weekend.

Other Major Findings:

Among the major findings, compared to Q4 of 2020, the total attack volume in Q1 of 2021 increased by 31%, while the total number of attacks decreased by 2%. The largest recorded attack in Q1 of 2021 was 295Gbps, up from 260Gbps in Q4 of 2020. The total volume and total packets for March of 2021 were similar to levels witnessed in November 2020.

The period between December and February was characterized by larger volumes and higher amounts of packets, caused mainly by the intensity of the attacks from the second wave of the ransom DDoS campaign. This is reflective of the fact that by the end of 2020, extortionists started circling back to earlier victims who did not pay ransom in earlier attempts, reusing their attack research and increasing the pace of their campaign to benefit from the surging Bitcoin value.

The average attack size in Q1 of 2021 was down from over 315Mbps in December to levels just below 150Mbps. In March 2021, one in every 1,000 attacks was greater than 10Gbps compared to three per 1,000 attacks in December of 2020.

The report also emphasized the need for hybrid cloud protection. It found that on-premise detection and mitigation alone prevented 85% of cyberattacks. The other 15% required cloud protection. Because of the latency introduced by cloud protection, enterprises sometimes rely only on on-premise protection. The report suggests this is a mistake, because even though only 15% of attacks required cloud protection, those attacks represented 92% of attack volume and 84% of the packets. In hybrid deployments, the cloud handles the volumetric attacks while on-premise equipment typically handles low-and-slow and low-volume DoS attacks, as well as anomalies and intrusions.
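The hybrid split described above (a small share of attacks that exceed on-premise capacity carries most of the volume) can be reproduced on a set of mitigation records. The following is an added example, not code from the article or from Radware; the attack records are constructed sample data, and the 1 Gbps on-premise capacity threshold, the `AttackRecord` fields and the function names are assumptions made for illustration. It classifies each event as handled on-premise or diverted to cloud scrubbing, then reports the share of attacks, bytes and packets that the cloud tier absorbs, and the "attacks per 1,000 above a given rate" figure the report uses for attack-size distribution.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class AttackRecord:
    """One mitigated DDoS event. Constructed sample data, not Radware telemetry."""
    peak_bps: float       # peak bit rate observed during the event
    total_bytes: float    # bytes carried over the whole event
    total_packets: int    # packets carried over the whole event
    duration_s: float     # event duration in seconds


# Assumption: above this peak rate the on-premise appliance or ingress link
# saturates, so the event must be diverted to cloud scrubbing (volumetric).
# Everything below is handled on-premise (low-volume, low-and-slow, anomalies).
ONPREM_CAPACITY_BPS = 1e9


def needs_cloud(rec: AttackRecord, capacity_bps: float = ONPREM_CAPACITY_BPS) -> bool:
    """Hybrid routing decision: volumetric events go to the cloud tier."""
    return rec.peak_bps > capacity_bps


def hybrid_split(records: List[AttackRecord],
                 capacity_bps: float = ONPREM_CAPACITY_BPS) -> Dict[str, float]:
    """Share of attacks, bytes and packets absorbed by the cloud tier."""
    cloud = [r for r in records if needs_cloud(r, capacity_bps)]
    total_bytes = sum(r.total_bytes for r in records)
    total_packets = sum(r.total_packets for r in records)
    return {
        "cloud_attack_share": len(cloud) / len(records),
        "cloud_volume_share": sum(r.total_bytes for r in cloud) / total_bytes,
        "cloud_packet_share": sum(r.total_packets for r in cloud) / total_packets,
    }


def per_thousand_over(records: List[AttackRecord], threshold_bps: float) -> float:
    """Attack-size distribution metric: events per 1,000 whose peak exceeds threshold."""
    return 1000.0 * sum(1 for r in records if r.peak_bps > threshold_bps) / len(records)


def mean_peak_bps(records: List[AttackRecord]) -> float:
    """Average attack size by peak rate."""
    return sum(r.peak_bps for r in records) / len(records)


def _event(peak_bps: float, duration_s: float, packet_size: int) -> AttackRecord:
    # Build a constructed record whose byte count matches a flat rate for the duration.
    total_bytes = peak_bps / 8 * duration_s
    return AttackRecord(peak_bps, total_bytes, int(total_bytes // packet_size), duration_s)


# Constructed sample: 17 low-volume events (50 Mbps, small packets) that the
# on-premise tier handles, plus three volumetric events (5, 5 and 20 Gbps).
SAMPLE_RECORDS: List[AttackRecord] = (
    [_event(50e6, 600, 100) for _ in range(17)]
    + [_event(5e9, 600, 1250), _event(5e9, 600, 1250), _event(20e9, 600, 1250)]
)


if __name__ == "__main__":
    split = hybrid_split(SAMPLE_RECORDS)
    for k, v in split.items():
        print(f"{k}: {v:.1%}")
    print(f"attacks per 1,000 over 10 Gbps: {per_thousand_over(SAMPLE_RECORDS, 10e9):.0f}")
    print(f"mean peak: {mean_peak_bps(SAMPLE_RECORDS) / 1e6:.0f} Mbps")
```

Run on the constructed sample, only 15% of the events are diverted to the cloud tier, yet they account for over 97% of the bytes and roughly 74% of the packets, which is the same shape as the report's 15% / 92% / 84% finding. Tuning `ONPREM_CAPACITY_BPS` to the real appliance and upstream link capacity is the decision a hybrid deployment turns on: set it too high and volumetric events saturate the link before diversion happens; set it too low and low-volume events pay the cloud latency penalty unnecessarily.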

Conclusion

Healthcare and security teams have limited resources and numerous priorities. Although keeping patient data available and secure is critical, it is increasingly difficult due to the array of attack vectors and cybersecurity knowledge required to mitigate them. Lastly, several mergers of healthcare providers have introduced additional complexity in networks that can overwhelm security teams.

In addition, the pandemic created unprecedented change and uncertainty. Remote access and online services, such as streaming doctor/patient consultations and online form submissions, have seen exponential growth. Healthcare organizations have had to manage and secure large volumes of patient data and provide 24×7 access to critical applications to ensure a quality user experience and the ability to protect lives. As a result, healthcare remains one of the highest at-risk industries from cybercriminals.
