Libby Bevin

As the cybersecurity threat landscape evolves, attack vectors are becoming more sophisticated and widespread. Cybercriminals are also constantly improving their tradecraft. To guard against these sophisticated and malicious adversaries, you must actively seek out and mitigate cyber threats before they can cause too much damage.

This is where threat intelligence comes in.

Threat intelligence – also known as cyber threat intelligence, or “CTI” – is real-time, contextual data that can help you understand an adversary’s motives, targets, and attack behaviors. CTI helps you to create an up-to-date picture of your threat landscape, which then allows you to make more informed decisions about threat response and mitigation strategies.

Threat intelligence is not the same as threat analysis. In fact, threat analysis is only one part of the threat intelligence lifecycle. To succeed in today’s security landscape, you must gather, process, and analyze threat information to get true value out of it.

Threat intelligence should be a crucial element in your enterprise cybersecurity program. This article will show you why.

What Is Cyber Threat Intelligence?

Research firm Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

CTI provides crucial insights into Indicators of Compromise (IoCs), Indicators of Attack (IoAs) and attackers’ Tactics, Techniques, and Procedures (TTPs). These insights enable organizations to focus their detection and mitigation efforts in the right areas.

Threat intelligence helps security teams better understand adversaries’ decision-making process. Those teams can then implement robust security controls and measures to protect the organization from criminals armed with sophisticated attack weapons.

The Importance of Cyber Threat Intelligence

Raw threat data provides a good starting point to evaluate threats, but it isn’t terribly useful to create a full, current picture of your threat landscape. These various dots must be connected in a structured way to prepare and plan for future attacks. And to do so, security teams must understand the context and relevancy of each piece of threat data. That’s why they need cyber threat intelligence.

Threat data is basic, raw, and unstructured without relevant context or structure. CTI is contextual and structured information. It includes threat indicators, supporting evidence, and practical recommendations to guide actions that reduce the risk to the business.

CTI is more than collecting, gathering, processing, or filtering threat data. A TI feed involves the automation of all these processes. It also involves human analysis and requires expertise to:

• Evaluate the data for accuracy, relevancy, and timeliness
• Contextualize the data based on the organization or industry
• Tell a meaningful, usable, and actionable story of the enterprise threat landscape
• Provide direction and focus for threat detection and mitigation activities
• Enable more informed, data-backed security decisions

CTI should be part of your organization’s cybersecurity program because it can improve your threat detection and incident response capabilities. Ultimately, it can help the organization evolve from a reactive to a proactive stance in fighting threats and threat actors.

Who Benefits from Cyber Threat Intelligence?

Any organization can leverage CTI to strengthen multiple security functions.

Threat intelligence feeds integrate with existing security solutions to improve alert quality and reduce the need to manually investigate alerts. With CTI, security teams can automatically triage, filter, and respond to alerts. Since CTI provides actionable insights and detailed context, it becomes easier to prioritize the most important threats and vulnerabilities that may result in a cyberattack or data breach.

Security Operations Centers (SOCs), also known as a cybersecurity operations team, use CTI to prioritize threat mitigation and incident response based on risk and impact.

CTI also enables all these entities to identify, analyze, and respond to threats:

• Vulnerability management team
• Computer security incident response team (CSIRT)
• Fraud prevention team
• Risk analysis team

Timely and contextual TI also helps the board, the CISO, and other C-Suite leaders to understand and assess the risk landscape, explore options to address threats, and develop an actionable security roadmap to keep threat actors out of the enterprise IT ecosystem.

The Cyber Threat Intelligence Process

The CTI process transforms raw threat data into finished CTI that supports threat response and mitigation and guides security decision-making. It consists of six ongoing and inter-related steps:

Step 1. Gather requirements

During this first phase, you will determine the organization’s attack surface and TI needs; that information, in turn, will help to determine the CTI program’s methodology and goals. The goals should align with the organization’s core values and the needs of the stakeholders. (That is, the people who will consume and benefit from the finished TI.)

At this point, you should also try to discover attackers’ TTPs and motivations. Also think about the actions required to strengthen enterprise defenses against existing and emerging threats.

Step 2. Collect raw data

After setting TI goals and objectives, start collecting data to satisfy those requirements. Seek out as many data sources as possible, both internal and external, including:

• Network traffic logs, event and application logs, firewall logs, DNS logs
• Security Information and Event Management (SIEM) platforms
• Records of past incident responses
• Open-source intelligence and publicly available intelligence sources, such as:
  • Social media
  • Forums
  • News reports
  • Blogs
  • Public block lists
  • Dark web

The collected data may consist of lists of IoCs such as bad IP addresses, malicious domain names, or file hashes. It may also contain vulnerability information such as personally identifiable information (PII) and raw code from paste sites.

Step 3. Process data

After collecting data, process and convert it into a format suitable for analysis by:

• Organizing data into spreadsheets
• Adding metadata tags to data points
• Decrypting encrypted files
• Filtering out false positives, false negatives, and redundant information

Depending on the size of the threat landscape, you may collect vast quantities of threat data. It’s impossible for human analysts manually to review and act on millions of log events and indicators every day. Simplify the effort by automating data collection and processing.

Automated solutions powered by machine learning (ML) and natural language processing (NLP) collect and process threat data from a wide range of data sources, enabling analysts to analyze and prioritize the most serious risks and protect the organization’s assets and sensitive information.

Step 4. Analyze data

Analyze the processed threat data to find potential security issues and fulfill the intelligence objectives and goals outlined in Step 1. Clarify the action items and recommendations for stakeholders.

Step 5. Disseminate information

The finished CTI must be presented in a format that stakeholders will understand. It should also be actionable and support the organization’s threat mitigation and incident response processes.

For example, executive decision-makers require strategic threat intelligence. This CTI presents a high-level, risk-based viewpoint that supports business decision-making.

But SOC analysts need tactical threat intelligence. It should contain detailed information about the threat actor’s TTPs and enable the analyst to identify IOCs or perform malware analysis.

Similarly, for threat hunters and incident response teams, the CTI must contain actionable information about a specific threat or upcoming attack. This type of intel is known as operational threat intelligence.

Step 6. Collect feedback

The threat intelligence process is not a one-time or linear effort. It’s an ongoing intelligence cycle. That’s why this last phase is important. During this step, stakeholders will review the finished TI and determine whether the intelligence satisfies their objectives. Ask for feedback and make the necessary adjustments for future TI operations.

What Does a Cyber Threat Intelligence Analyst Do?

A CTI analyst is a vital element of any threat intelligence program. These skilled professionals analyze CTI to identify security vulnerabilities and determine, assess, and counter the threat posed by threat actors. They also look for IOCs that may signify phishing attempts, malware or ransomware attacks, or attacks from external hosts.

CTI analysts perform penetration testing to identify vulnerable systems before adversaries can exploit them. They disseminate the collected and processed threat intel to stakeholders and recommend actions to mitigate potential threats. Their detailed reports enable decision-makers to prepare for security incidents that could harm the organization’s business continuity, financial stability, or reputation.

Analysts may work with security teams to develop and enforce security policies and standards. They may also monitor and audit security systems and deliver cybersecurity awareness training to employees.

Reciprocity ROAR Can Enhance Your Cyber Threat Intelligence

Make smarter, more informed security decisions with cyber threat intelligence and Reciprocity ROAR. This intuitive solution reveals security risk across your entire business. See where risks exist and where they are changing to improve risk management and monitoring.

Reciprocity ROAR offers a single source of truth, a pre-loaded content library, and built-in automation to help you stay ahead of ever-evolving security threats. Schedule a demo to know more about ROAR.

All organizations have a team of C-suite executives to set strategy and run the business. Typically that group looks quite similar from one organization to the next, with the chief executive officer, chief technology officer, and chief financial officer among the most important.

But do you also have a chief risk officer? Do you even need a “CRO”? What are the CRO’s responsibilities, anyway; and what is his or her role in enterprise risk management (ERM)?

This article will explore the scope of a chief risk officer’s duties, and how to determine whether your organization needs one on the executive team.

Why Risk Management is So Important

Modern-day organizations operate in a risky landscape. Any number of risks might jeopardize operations today or tomorrow. These risks could result in catastrophic damages and losses that could threaten the firm’s business continuity, competitiveness, and even existence.

To protect the organization, it’s crucial to identify and mitigate risks before they can cause damage. For this, an ERM program is vital. But such a program will not run by itself. A strong leader is required to implement the program, guide its long-term strategy, and give direction to day-to-day operations. This leader is the chief risk officer.

The CRO is a top-level executive in charge of identifying, analyzing, mitigating, and controlling risks that could damage the company. Many times the CRO is also tasked with assuring that the organization complies with government regulations such as Sarbanes-Oxley (SOX) or HIPAA, as well as internal standards and best practices.

The CRO’s role and responsibilities depend on the organization’s size, industry, risk landscape, and regulatory compliance commitments. That said, there are common traits for the CRO role across all organizations.

What Does a CRO Do

A chief risk officer (also sometimes known as a chief risk management officer) has two primary mandates: manage risk and manage compliance. The CRO is not necessarily expected to get involved in the detailed operation of these functions, but he or she is expected to oversee risk management and compliance and optimize the performance of those functions.

The CRO plays a key role in developing internal controls to minimize internal and external risk. As the most senior member of the organization’s risk management function, the CRO guides other risk personnel so they can effectively identify, analyze, and address the potential risks to the company.

The CRO also governs information security, cybersecurity, and compliance processes. He or she implements and monitors procedures to protect the company against fraud, safeguard its intellectual property, and reduce its risk exposure.

Often, CROs work with the risk team to track factors that may adversely impact the organization’s performance, financial stability, profitability, or compliance posture. In some companies, CROs also oversee internal audits to identify threats before those things result in adverse events such as cyberattacks, regulatory fines, or legal action.

CRO Roles and Responsibilities: Risk Management

Most organizations face many types of risks, such as:

• Operational risk
• Strategic risk
• Financial and credit risk
• Geopolitical risk
• Economic risk
• Environmental risk
• Competitive risk
• Regulatory and compliance risk

The CRO’s job is to look out for whichever of these risks that might affect the organization. He or she must work with their team to identify which of these risks are relevant to the company and its business units.

CROs must also implement procedures and workflows to assess, analyze, and prioritize these risks based on the risks’ likelihood of occurrence and potential impact. The company may also designate the CRO as the senior executive in charge of conducting risk assurance and due diligence before a merger, acquisition, or business deal.

The CRO must lead efforts to set and measure risk appetite and determine how much risk the organization is willing and able to tolerate. Further, once a risk has been identified, analyzed, and prioritized, it must be addressed using the right risk mitigation strategy: accept, avoid, transfer, or reduce the risk.

As part of the risk management team, the CRO sets the mitigation strategy for all identified risks and prepares a plan to manage them. The CRO also implements and supervises the day-to-day operational framework (policies, procedures, best practices) for risk identification and mitigation.

As part of their risk management obligations, CROs must regularly audit procedural issues that could increase the company’s threat exposure to any kind of risk. For example, if the company collects, handles, or stores sensitive data such as personally identifiable information (PII) or personal health information (PHI), the company and CRO must secure this data and protect its confidentiality, integrity, and availability.

The CRO must implement controls to prevent security lapses that may result in a cyber attack or data breach. If such a lapse does occur, the CRO must address the issue while minimizing losses. Equally important, he or she must implement measures to plug weaknesses and assure that the lapse doesn’t happen again.

Some other risk-related responsibilities that are part of the CRO job description include:

• Perform risk assessments (such as cybersecurity risk assessments), develop risk heat maps, and develop action plans to manage and mitigate risks
• Update existing policies and procedures to address new vulnerabilities and emerging risks
• Guide disaster recovery and business continuity planning efforts
• Create and disseminate risk analysis reports to different stakeholders, including board members and the C-Suite management team
• Establish a strong risk culture and a common “risk language” across the enterprise
• Incorporate risk management plans and priorities into the organization’s strategic vision and objectives
• Implement and manage the risk oversight function
• Develop budgets and plan resources for risk-related projects
• Guide enterprise-level decision-making based on the organization’s risk appetite and risk posture

CRO Roles and Responsibilities: Compliance Management

In addition to risk management and control, compliance management is also the CRO’s responsibility. Depending on its industry and other factors, the organization may have to comply with certain regulatory or legal requirements. These requirements could be at the international, federal, state, and local levels.

A CRO must identify and mitigate the company’s compliance risk – that is, the probability that the company might not meet its responsibilities under applicable laws and regulations. To mitigate this risk, the CRO must manage and optimize the organization’s compliance program, to assure consistent compliance with all regulatory requirements. Here’s where the CRO’s contributions are invaluable.

For example, healthcare organizations that collect and process health information must comply with the Health Insurance Portability and Accountability Act (HIPAA). Non-compliance can result in costly fines and even jail terms. The CRO assures that the organization has implemented the necessary procedures and controls to ensure continual compliance with HIPAA requirements.

Similarly, organizations that collect or process the personal information of European Union (EU) residents must comply with the data privacy requirements of the General Data Protection Regulation (GDPR). Like HIPAA, GDPR non-compliance can result in painful regulatory penalties and unwanted headlines in the news. It is the CRO’s responsibility to assure that these consequences don’t come to pass.

Why the CRO Position Is Vital

Every organization in every industry faces various threats and risks that could negatively impact its operations, financial stability, compliance posture, employees, and stakeholders. Some risks could even threaten the company’s existence.

The CRO implements and manages the risk management initiative to prevent, or at least mitigate, these risks. He or she does not manage all the risks directly; for example, the CRO is not responsible for the financial risks associated with a bank’s investment strategies. Rather, the CRO is responsible for assuring that a program exists for the bank to analyze its financial risks, and that bankers follow it to keep financial risks at a minimum.

Put more simply: executives in the operating business units still “own the risk,” while the CRO gives them the tools and procedures to manage those risks smartly.

A successful risk manager typically has a postgraduate or master’s degree, usually in business administration. He or she also brings years of experience, analytical skills, communication skills, and decision-making ability.

The CRO should also have a deep understanding of the business and its risk landscape. The combination of crucial skills and capabilities allows the CRO to identify, assess, and mitigate external and internal risks to the organization.

As risks evolve and become more complicated, every company needs a competent CRO for strategic planning and to set the long-term direction of its ERM program. They also need the CRO to implement and monitor the program’s short-term tactical implementation.

CROs also secure the resources, funds, and tools required to execute the company’s risk management and compliance management mission. They play a crucial role in guiding the firm’s risk communication workflows. They also drive org-wide commitment to risk mitigation and help promote proper risk-averse behaviors at every level of the enterprise.

Improve Risk Management with Reciprocity ZenRisk

Competent and experienced chief risk officers require the right risk management tools. An automated platform such as ZenRisk enables CROs to optimize their risk management framework. They also get greater visibility into the risk landscape to better manage risks and protect the organization from adverse consequences.

ZenRisk provides a holistic view of organizational risk and “operationalizes” enterprise risk management. From one centralized application, CROs and their teams get the advantage of risk heatmaps and dashboards to address many kinds of threats, vulnerabilities, and incidents.

They can even evaluate risks across systems and business divisions using customizable risk calculations, multivariable scoring, and standardized frameworks from SCF and NIST.

Schedule a demo to learn how ZenRisk can help your organization set up a successful risk program.

Modern organizations operate in a challenging threat landscape. It’s impossible to eliminate all the threats that might affect their systems, data, or people, but organizations can minimize the possibility that these threats result in catastrophic damages.

This is where strong cybersecurity and robust cybersecurity governance come in. Cybersecurity and cybersecurity governance go hand in hand because both are required to address and mitigate cyber risks.

But what is cybersecurity governance? How does it differ from cybersecurity management? How can organizations set up an effective cybersecurity governance process?

Read on for the answers to all these questions.

What Is Cybersecurity Governance?

Research firm Gartner defines security governance (or cybersecurity governance) as a “process for overseeing the cybersecurity teams who are responsible for mitigating business risks”. Cybersecurity governance determines how organizations prevent, detect, and respond to cyber threats and cyberattacks. That’s why it is critical for proper risk and security management.

Effective cybersecurity governance focuses on risk management and security awareness to reduce the size of the risk landscape. It helps the organization to define its risk appetite and oversee risk mitigation activities. A strong governance program also creates an accountability framework and defines who is responsible for making the decisions that assure adequate risk mitigation.

A proper cybersecurity governance system will assure that the organization’s cybersecurity program aligns with its business objectives. Good governance will provide a strategic view of how enterprise security is controlled, and help the company achieve its cybersecurity and risk management goals.

The Importance of Cybersecurity Governance

Historically, cybersecurity was viewed as a technical or operational issue rather than an enterprise-wide concern. Most companies also manage cybersecurity risk simply by implementing standard cybersecurity frameworks. Their tendency to view cybersecurity as a back-office function, rather than to define a comprehensive cybersecurity approach, often results in inadequate responses to cyber threats.

Cyber governance provides a more pragmatic approach to govern cybersecurity risk that is aligned with enterprise risk, privacy requirements, and the law. It enables proper risk prioritization and informs security efforts based on business priorities and strategic goals.

When a robust governance process is in place, organizations can effectively mitigate identified risks, address threats, and meet their regulatory and compliance responsibilities. They also view cybersecurity as an enterprise risk management issue.

The C-suite can set the right strategy and “tone at the top” for the cybersecurity program. Doing this assures that everyone in the enterprise works towards the same goals: to protect the company’s assets within its risk management context and security strategy.

Moreover, cyber governance eliminates the need to adhere rigidly to an existing cybersecurity standard by the ISO or NIST. Instead, the organization can adapt these standards and set its own cybersecurity direction, based on the organization’s unique business context.

Good governance also supports a thoughtful, principles-based approach that allows for the:

• Regular testing and security updates of processes and infrastructure
• Quick recognition of cybersecurity incidents and fast incident response
• Flagging and analysis of newly identified risks
• Integration of risk and control activities
• Collection of high-quality assessment data for future security refinements
• Development of a future-focused cybersecurity awareness mindset

Cybersecurity Management vs. Cybersecurity Governance

“Cybersecurity governance” and “cybersecurity management” are often used interchangeably, even though the two are different ideas.

Cybersecurity management refers to the day-to-day “operationalized” approach to security. It is about defining, building, and strengthening security controls to protect the organization from cyberattacks.

Governance emphasizes strategic planning. It goes beyond building security controls to increasing accountability, determining who is authorized to make security decisions, and assuring that all cybersecurity activities support overall strategic goals.

Cybersecurity management is concerned with recommending security strategies and mitigating risks. It is about the implementation of cybersecurity controls, policy enforcement, short-term planning, and resource usage.

Governance provides an oversight and accountability framework to ensure that: 1) risks are adequately mitigated; 2) every part of the cybersecurity program has an owner; and 3) security strategies align with business objectives and compliance regulations. It is mainly about establishing accountability, strategic planning, resource allocation and optimization, policy enactment, and overseeing cybersecurity controls.

A 5-Step Process to Implement a Cybersecurity Governance Program

It’s important to implement the cybersecurity governance program thoughtfully. An effective program can help to decrease the organization’s risk, while a slipshod program can increase risk, result in a sub-par decision-making process, and reduce accountability.

Here is a five-step process that can help organizations to establish and optimize their cybersecurity governance programs:

Step 1. Get top-level and enterprise-wide commitment

Successful cybersecurity governance needs both a strong tone from the top and an enterprise-wide lens. To this end, senior leaders should be committed to governance, including the chief information security officer (CISO), CEO, and board members. They should assure that the governance plan:

• Fits strategic goals
• Is aligned with enterprise risk management
• Is fully documented and available across the organization

They should also communicate clearly, to the entire workforce, that attention to cybersecurity is important.

Step 2. Assess the current state

Before setting up a program, first understand what that program is meant to do or improve; perform a cybersecurity risk assessment to determine and prioritize security gaps, threats, and vulnerabilities. Based on this assessment, create a roadmap to close the gaps and adopt a “security by design” approach to strengthen security controls.

Step 3. Define policies and goals

The best place to start creating the roadmap is to define the risk management goals upfront. During this step, the organization should also:

• Clarify the acceptable level of risk and how this level will be maintained
• Establish KPIs to measure the success of the governance program
• Communicate the policies and goals to relevant stakeholders

Step 4. Standardize your processes and workflows

Standardized processes, workflows, and standard operating procedures can reduce the risk of errors or oversight. They can also help simplify cybersecurity and risk management by eliminating the need to monitor and protect a patchwork of different solutions or systems (devices, software, applications, and so forth).

Step 5. Enforce the plan and regularly measure governance performance

After setting the governance goals, standardizing enterprise processes, and getting enterprise-wide commitment, the board of directors or C-suite should designate someone to enforce and oversee the governance program.

The top brass should also measure and monitor the program’s performance using the KPIs and metrics identified earlier. Regular assessments are vital to measure what matters and create a plan to strengthen the organization’s security posture.

The organization’s security culture and hygiene also affect its cybersecurity and cyber governance. That’s why it’s crucial to increase cybersecurity awareness with regular training at every level of the enterprise.

3 Major Challenges to Cyber Governance

Many organizations successfully define a cybersecurity approach to protect their intellectual property and information systems in an expanding threat landscape. They face multiple challenges, however, while implementing and enforcing cybersecurity governance.

Lack of cybersecurity strategy and goals

A long-term cybersecurity strategy is a high-level roadmap describing how the organization will maintain or improve its risk management approach. Without this strategy, it’s impossible to implement a strong enterprise-level policy to manage risk and protect the organization.

Most companies struggle to develop the strategy because they fail to:

• Understand how cybersecurity risk relates to business operations
• Identify cybersecurity needs
• Define the program’s scope and objectives
• Determine resource requirements
• Determine their risk appetite

Lack of standardized, repeatable processes

Standardized business processes assure a shared understanding and consistent management of risks throughout the enterprise. Without standardized processes, the cybersecurity governance program is likely to be ad-hoc and ineffective, leading to increased data breaches and cybercrime.

Lack of resources, enforcement, oversight, and accountability

Adequate resources are vital to set up a strong governance model and effective security program that align with the cybersecurity strategy and goals. A lack of resources is usually the result of talent shortages, funding unavailability, or poor resource planning.

Another common challenge is the lack of senior leadership support and a strong tone at the top. Both these shortcomings can result in risk management and governance failure. A failure to enforce governance and accountability across all personnel levels also affects the effectiveness and performance of the governance program.

It’s vital to understand and address these challenges to establish and maintain an effective cyber governance program.

Improve Cyber Governance with Reciprocity ROAR

Cybersecurity is not an easy endeavor, and neither is cybersecurity governance. As we have seen, organizations struggle with several challenges that affect their governance capabilities and performance.

Reciprocity ROAR enables enterprises to simplify and improve cyber governance. This all-in-one platform for risk management, compliance, audits, and governance provides a single, integrated experience across all these initiatives.

With ROAR, security, risk, and compliance teams can see information security risk across the business. Greater visibility improves risk management and governance and helps mitigate business exposure.

Schedule a demo to try Reciprocity ROAR for yourself.

Healthcare organizations such as hospitals and clinics are vulnerable to all manner of cyberattacks, particularly phishing and business email compromise (BEC) scams, man-in-the-middle (MitM) attacks, and data breaches. Third-party risks and ransomware risks are also serious security problems in healthcare, especially in the post-COVID era.

The medical world had already noted such cyberattacks years ago. The COVID-19 pandemic only underlined those worries about cyber attacks. It has also forced organizations to consider how they can strengthen their cybersecurity controls.

Cyberattacks and breaches first surged in 2020. Then they hit an all-time high in 2021, when breaches exposed the protected health information (PHI) of 45 million people – a 32 percent jump from 2020. The average cost of such data breaches also rose to a record high of $9.4 million last year.

How can healthcare organizations respond to this difficult cybersecurity climate? This article will consider that question.

What Kind of Cyber Attacks Affect Healthcare Organizations?

In late 2020, the FBI, the Department of Health and Human Services (HHS), and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity update to healthcare providers. The update called the cybersecurity threat to healthcare “credible, ongoing, and persistent.”

Here are five of the most pressing cyber threats targeting healthcare organizations:

Ransomware

Roughly one-third of healthcare organizations were hit by ransomware in 2020. These attacks resulted in a slew of problems for hospitals all over the United States:

• IT outages that lasted for several days
• Exposure of patient information to hackers
• Forced replacements of computing systems
• Difficulties accessing information about appointments and surgeries
• Forced, pre-emptive email shutdowns

Ransomware attacks have hit hundreds of hospitals in recent years. A threat actor deploys ransomware on one or more healthcare computer systems; once the attacker gains entry to the system, the ransomware allows him or her to encrypt the target’s files and data. The attacker then demands payment from the organization in return for unlocking access to the encrypted data.

Ransomware attacks can prevent doctors and nurses from accessing patient electronic health records (EHRs). Medical devices such as monitors could stop working, so the staff won’t get the information and alerts that are essential for patient safety and care.

Phishing and Business Email Compromise

According to the HIPAA Journal, phishing attacks are “a greater threat to the healthcare industry than any other attack vector.” In such attacks, the attacker sends fake emails to employees that seem like they originated from a reputed sender.

The email instructs victims to click on a link to a web page where they will be asked to enter their login credentials or some other sensitive data. The message may also ask them to download an attachment infected with malware or ransomware.

The malware may create gateways for the hacker to enter the organization’s computer network and access PHI or other sensitive information. By accessing PHI, the attacker may be able to steal patient identities (which he or she then sells on the black market for profile) or commit insurance fraud.

Business Email Compromise (BEC) is a special type of phishing scam in which attackers spoof the email of a senior executive at the target, and then trick subordinate employees into transferring money to a fraudulent account. According to the Center for Internet Security (CIS), this scam has increased by 1,300 percent since 2015.

BEC attacks are often successful because attackers properly “mimic” a person of power and target only a few people (generally those who handle finances). Such emails can escape basic security strategies like email filtering and could result in the loss of money, PHI, or even prescription drugs.

Man-in-the-Middle (MitM) Attacks

In an MitM attack, an “eavesdropper” hijacks communications between two authorized parties and then alters or copies the in-transit data without the knowledge of either party. The attacker can also alter sensitive EHRs and PHI or insert ransomware into sensitive files.

MitM attacks often become possible because organizations employ a strategy intended to improve data security on their internet transactions. Their use of Secure Hypertext Transport Protocol (HTTPS) requires the installation of trusted certificates on client devices, making it harder to verify the certificate chain and leaving connections vulnerable to malicious MITM attacks.

Data Breaches

The healthcare sector experiences one of the highest incidences of data breaches. Major causes of breaches are credential-stealing malware, insiders who purposefully or accidentally disclose sensitive patient data, and lost computing devices.

According to the Verizon Data Breach Report of 2021, financially motivated external actors were responsible for 61 percent of breaches in 2021. PHI is a highly valuable “prize” because one patient record can sell for as much as $363 on the black market. If the attacker can get his hands on large numbers of medical records, he stands to earn huge profits.

PHI is also attractive because criminals can use it to perpetrate frauds, file fake insurance claims, purchase or resell medical equipment, and obtain prescriptions for their own use or for resale on the black market.

The Impact of COVID-19 on Cyberattacks in Healthcare

When the pandemic first struck in 2020, the volume and intensity of cyberattacks on U.S. hospitals and their IT systems increased. Data breaches increased by 55 percent from 2019 levels, and more than 1 million people were affected in almost every month of the year. Moreover, the average cost of a healthcare breach was $7.13 million, the highest among all industries that year. The COVID-19 pandemic was primarily responsible for this surge in criminal activity.

Following the pandemic, more hospitals started setting up makeshift sites for virus and vaccine testing. Many also rolled out telemedicine systems and had to deal with an expanded remote workforce and COVID-positive patients swamping their wards.

The pandemic forced many organizations to reallocate resources and funds to virus response efforts, sometimes resulting in smaller cybersecurity budgets and teams to deal with ransomware threats or phishing scams. In addition to ignoring or delaying many routine security measures, that also led to fewer efforts to validate the security measures of third-party vendors.

Weaker cybersecurity allowed cyberattackers to renew their activities, and more threats started coming from ransomware gangs and financial scammers. Many state-backed hackers ramped up their efforts to steal vaccine-related research and other data from healthcare systems.

Improper records disposal, compromised remote technology, and device theft also led to an uptick in breaches and ransomware attacks. The risk of supply chain attacks also increased as more hospitals and medical centers used a patchwork of goods and systems from third parties.

How Hospitals Can Protect Themselves From Cyber Attacks

As cyberattackers become smarter, healthcare organizations must strengthen their protection of assets and data. For example, they must implement strong security controls to assure that sensitive information is only accessible on a need-to-know basis.

Healthcare organizations should also establish a risk management program to assess cyber risk and identify security gaps. One way to do this is by adopting standard frameworks such as the NIST Cybersecurity Framework.

Healthcare providers must maintain secure data backups to assure seamless access in case of a breach or ransomware attack. They must also encrypt in-transit and at-rest data to prevent misuse or compromise by unauthorized or malicious users.

Other crucial cybersecurity best practices for healthcare organizations are:

• Whitelisting of devices, users, and applications, plus blacklisting of unsafe websites
• Vendor due diligence for managing third-party risk
• Regular assessments of third-party risk and cyberdefenses
• Cybersecurity training on the proper usage, handling, and storage of PHI, identification of phishing emails, and prevention of ransomware attacks
• Multi-factor authentication (MFA) and other strong access controls to restrict access to authorized users
• Regular patching of all devices, operating systems, and software
• Incident response planning to effectively deal with a cyberattack

Improve Cybersecurity with ZenGRC

The COVID-19 pandemic has increased the risk of data breaches and serious cyberattacks against the healthcare sector. Hospitals and other organizations cannot afford to grow lax about their cyberdefenses. If anything, they need a way to boost these defenses.

A strong defense starts with improved visibility into the threat landscape. This is where a cutting-edge risk management platform such as ZenGRC can help. ZenGRC shows where risk is changing to help hospital cybersecurity teams stay ahead of ever-evolving threats.

ZenGRC operationalizes risk management across threats, vulnerabilities, and incidents from one centralized platform. It also simplifies risk calculations, evaluations, and communication for more robust enterprise risk management.

With ZenGRC, hospitals, clinics, and other healthcare providers can continuously monitor cyber threats and implement measures to mitigate business exposure.

Schedule a demo to see how ZenGRC can help you prevent healthcare hacking and set up a successful cybersecurity program.