Defending healthcare cloud environments from cyberattacks
Cloud computing exploitation cases skyrocketed by 95% between 2021 and 2022 and cases involving adversaries targeting cloud environments have nearly tripled, increasing 288% year-over-year, according to CrowdStrike’s 2023 Cloud Risk Report.
With domestic and international cybercrime groups becoming increasingly active, it’s more important than ever for healthcare systems to defend their cloud environments from threats by understanding the latest attack vectors and identifying hidden vulnerabilities.
How can healthcare organizations stay one step ahead of cybercriminals and secure their cloud environments from potentially damaging attacks?
An increasingly threatening landscape for cloud environments
Cybercriminals have a nearly endless number of tricks up their sleeves, and they often work in groups to take advantage of each other’s resources and expertise. According to the 2022 Cloud Risk Report (The Rise of the Cloud-Conscious Adversary), top adversary networks active in 2022 and 2023 include Scattered Spider, Cozy Bear, Cosmic Wolf, and Labyrinth Chollima, many of whom have roots in foreign nations with sociopolitical incentives to attack US-based organizations.
These groups use a variety of tactics to gain access to cloud environments and then either ransom or steal sensitive data. One observed technique uses the Azure run command feature to execute a PowerShell script that installs a remote management tool, which is then used to obtain and modify user access privileges ahead of deploying ransomware. Some groups have subverted authentication with a single sign-on (SSO) provider, even with multifactor authentication (MFA) enabled, by stealing session cookies stored in Chrome browser profiles; others have used stolen credentials to interact with the cloud environment from the command line and change security settings.
Poor identity and credential management creates significant vulnerabilities
Nearly half (47%) of critical misconfigurations in the cloud are related to poor identity and entitlement practices, allowing adversaries to use valid accounts to gain initial access to systems, according to the 2023 CrowdStrike Cloud Risk Report.
As a result, more than 40% of cloud intrusions observed over the last year started with valid credentials, CrowdStrike found, and 67% of cloud security incidents involved identity and access management (IAM) roles with elevated privileges beyond what was required.
Threat actors who find their way into cloud systems can elevate privileges themselves, either by finding accounts with more access or by resetting existing credentials to provide the freedom they need to gain access to valuable data.
Healthcare organizations can combat this tactic by employing robust MFA technologies, placing limits on session lifetime before requiring a new login, and adopting technology that flags unusual sign-in activity on accounts with access to protected information.
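The three controls named above (MFA enforced on accounts that can reach protected data, a maximum session lifetime before re-authentication, and flagging of unfamiliar sign-in activity) can be checked mechanically against an identity provider's audit log. The script below is an added example, not code from the original article or from CrowdStrike; the audit records, the set of PHI-capable accounts, the 8-hour session limit and the "new country" heuristic are all constructed assumptions for illustration.

```python
"""Flag unusual sign-ins for accounts that can reach protected health
information (PHI). All records and policy values below are constructed
for this example; a real deployment would read the identity provider's
audit log and the organization's own session policy."""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_SESSION_AGE = timedelta(hours=8)      # assumed policy: re-authenticate after 8 hours
PHI_ACCOUNTS = {"nurse.a", "billing.b"}   # constructed: accounts with access to PHI

# Constructed audit records: (ISO timestamp, user, source country, MFA satisfied, event)
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:00", "nurse.a", "US", True, "login"),
    ("2024-03-01T08:05:00", "nurse.a", "US", True, "access"),
    ("2024-03-01T17:30:00", "nurse.a", "US", True, "access"),       # 9.5 h after login
    ("2024-03-01T09:00:00", "billing.b", "US", True, "login"),
    ("2024-03-01T09:20:00", "billing.b", "DE", True, "login"),      # unfamiliar country
    ("2024-03-01T10:00:00", "contractor.c", "US", False, "login"),  # no MFA, no PHI access
    ("2024-03-01T11:00:00", "billing.b", "US", False, "login"),     # PHI account without MFA
]


def find_anomalies(events, known_countries=None):
    """Return (user, reason) findings in chronological order.

    known_countries optionally seeds a per-user baseline of countries seen
    before this window; otherwise the baseline is learned from the window.
    """
    known = defaultdict(set)
    for user, countries in (known_countries or {}).items():
        known[user].update(countries)
    last_login = {}
    findings = []
    # ISO-8601 timestamps sort correctly as strings
    for ts, user, country, mfa, event in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if event == "login":
            if user in PHI_ACCOUNTS and not mfa:
                findings.append((user, "phi_login_without_mfa"))
            if known[user] and country not in known[user]:
                findings.append((user, f"login_from_new_country:{country}"))
            known[user].add(country)
            last_login[user] = when
        elif event == "access":
            start = last_login.get(user)
            if start is None:
                findings.append((user, "access_without_login"))
            elif when - start > MAX_SESSION_AGE:
                findings.append((user, "session_exceeds_max_age"))
    return findings


if __name__ == "__main__":
    for user, reason in find_anomalies(SAMPLE_EVENTS):
        print(f"{user}: {reason}")
```

The "new country" rule is deliberately simple; in practice the baseline would come from weeks of history rather than the same window, and the session check would be applied by the identity provider itself, with this kind of script used to verify that the policy is actually taking effect.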
Adjusting default settings to meet organizational needs
Default settings typically provide some degree of security but may not be optimally configured to meet the needs of every organization, especially in an industry as tightly regulated as healthcare. More than one-third (36%) of detected misconfigurations are related to insecure default settings that were not properly updated, CrowdStrike found, leaving organizations open to threats.
For example, databases or object caches that are made public without sufficient authentication and authorization controls can expose the entire database or cache to data theft, destruction, or tampering. And cloud applications or workloads that are created to support a short-term project, but are abandoned afterward, can leave sensitive data exposed to adversaries.
Organizations need to regularly review their default settings and take stock of legacy applications to be sure these factors do not contribute to vulnerabilities and potential data breach events.
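Both of the misconfiguration patterns described above (a public data store with no authentication, and a workload abandoned after a short-term project) can be found with a periodic review of the asset inventory. The script below is an added example, not code from the article or from CrowdStrike; the inventory records, the field names and the 90-day idle threshold are constructed assumptions, and a real run would pull the inventory from the cloud provider's asset API.

```python
"""Audit a cloud resource inventory for public data stores without
authentication and for idle (likely abandoned) resources. The inventory
and the idle threshold are constructed for this example."""
from datetime import date

ABANDONMENT_THRESHOLD_DAYS = 90   # assumed policy: no activity for 90 days counts as abandoned

# Constructed inventory records; "public" means reachable from the internet
INVENTORY = [
    {"name": "patient-db",    "kind": "database", "public": True,
     "auth_required": False, "last_activity": "2024-02-20", "tags": {}},
    {"name": "session-cache", "kind": "cache",    "public": True,
     "auth_required": True,  "last_activity": "2024-02-25", "tags": {}},
    {"name": "analytics-db",  "kind": "database", "public": False,
     "auth_required": True,  "last_activity": "2024-02-28", "tags": {}},
    {"name": "pilot-api",     "kind": "workload", "public": True,
     "auth_required": True,  "last_activity": "2023-10-01", "tags": {"project": "q3-pilot"}},
    {"name": "ehr-frontend",  "kind": "workload", "public": True,
     "auth_required": True,  "last_activity": "2024-02-29", "tags": {}},
]

DATA_STORE_KINDS = {"database", "cache"}


def audit(inventory, today, threshold_days=ABANDONMENT_THRESHOLD_DAYS):
    """Return (resource name, finding) pairs for each misconfiguration found."""
    findings = []
    for r in inventory:
        # Pattern 1: a data store exposed to the internet with no authentication
        if r["kind"] in DATA_STORE_KINDS and r["public"] and not r["auth_required"]:
            findings.append((r["name"], "public_datastore_without_auth"))
        # Pattern 2: a resource nobody has touched for longer than the threshold
        idle_days = (today - date.fromisoformat(r["last_activity"])).days
        if idle_days > threshold_days:
            findings.append((r["name"], f"idle_{idle_days}_days"))
    return findings


def summarize(findings):
    """Count findings by type so a review can prioritize the most common pattern."""
    counts = {}
    for _, finding in findings:
        key = "idle" if finding.startswith("idle_") else finding
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(INVENTORY, date(2024, 3, 1))
    for name, finding in results:
        print(f"{name}: {finding}")
    print(summarize(results))
```

An idle-resource finding is a prompt for an owner to confirm whether the resource is still needed, not proof that it is abandoned; the project tag in the sample record is the kind of metadata that makes that follow-up quick.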
Preparing for the future of cloud computing cyberattacks
Healthcare organizations and bad actors are in an ongoing arms race, and the pace isn’t likely to slow down any time soon. As organizations continue to develop more sophisticated cloud infrastructure to manage increasing data needs, they need to be vigilant about how growing complexity affects the challenge of maintaining optimal security.
Security leaders will need to pay particular attention to identity, credentialing, and access controls to eliminate the “easy” way in for adversaries. Only provide the minimum required permissions for the user to fulfil their job functions to avoid giving threat actors a springboard for lateral movement.
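One practical way to find the over-privileged roles the report describes (67% of incidents involved IAM roles with more privilege than required) is to compare what a role is granted with what it actually exercised over an observation window. The script below is an added example, not code from the article or from CrowdStrike; the role definition, the log format and the generic "service:Action" permission names are constructed assumptions and do not follow any particular provider's schema.

```python
"""Compare a role's granted permissions with the actions it actually used
in an access log window, and derive a tightened grant. The role, the log
and the permission naming scheme are constructed for this example."""
from collections import Counter

# Constructed role definition: role -> set of granted permissions
GRANTED = {
    "records-reader-role": {
        "storage:GetObject", "storage:ListBucket", "storage:DeleteObject",
        "iam:PassRole", "db:Query",
    },
}

# Constructed access log lines: "<timestamp> <role> <action> <result>"
ACCESS_LOG = """\
2024-03-01T08:01:00 records-reader-role storage:GetObject allow
2024-03-01T08:02:00 records-reader-role storage:ListBucket allow
2024-03-01T08:03:00 records-reader-role storage:GetObject allow
2024-03-01T08:04:00 records-reader-role db:Query allow
"""


def used_actions(log_text):
    """Map role -> Counter of actions that were exercised and allowed."""
    used = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, role, action, result = line.split()
        if result == "allow":
            used.setdefault(role, Counter())[action] += 1
    return used


def excess_permissions(granted, used):
    """Permissions granted to each role that were never used in the window."""
    return {role: sorted(perms - set(used.get(role, {})))
            for role, perms in granted.items()}


def tightened_policy(granted, used):
    """The least-privilege grant: only permissions that were actually used."""
    return {role: sorted(perms & set(used.get(role, {})))
            for role, perms in granted.items()}


if __name__ == "__main__":
    used = used_actions(ACCESS_LOG)
    print("unused:", excess_permissions(GRANTED, used))
    print("tightened:", tightened_policy(GRANTED, used))
```

The observation window has to be long enough to cover infrequent but legitimate tasks (month-end or quarterly jobs, for instance), otherwise the tightened grant will break them; the usual practice is to treat the unused list as a review queue and remove permissions in stages with the role owner's sign-off.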
Other top tips for preparing for the future of cybercrime include:
- Enhance visibility into security gaps to spot misconfigurations before they become an entry point for adversaries. Internal and external application security testing is key, and should ideally be conducted prior to deployment.
- Adopt real-time monitoring capabilities to identify suspicious behavior or unauthorized activity as quickly as possible. Ensure the most important metrics and events are adequately represented in the monitoring scope, and choose software that can handle the growing complexity of multi-cloud environments.
- Ensure timely patching to plug holes before they become problems. Regular security updates, as well as timely sunsetting of legacy applications, can significantly reduce the likelihood of a bad actor exploiting a known vulnerability. Special care should be taken to patch known remote code execution and SSRF vulnerabilities in public-facing applications running in the cloud.
By taking a proactive stance with cloud security, healthcare organizations can protect themselves from an increasingly dangerous cloud computing environment and do their best to avoid cyberattacks with potentially devastating impacts on patient care operations and organizational reputation.
To learn more about the cloud risk landscape and how to combat vulnerabilities, download CrowdStrike's 2023 Cloud Risk Report.
CrowdStrike (Nasdaq: CRWD), a global cybersecurity leader, has redefined modern security for healthcare organizations with the world’s most advanced cloud-native platform for protecting critical areas of risk — endpoints and cloud workloads, identity and data.
Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon® platform leverages real-time indicators of attack, threat intelligence, evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities.
Purpose-built in the cloud with a single lightweight-agent architecture, the Falcon platform delivers rapid and scalable deployment, superior protection and performance, reduced complexity and immediate time-to-value.
CrowdStrike: We stop breaches.