Five steps to navigating Clop-dominated risks in Healthcare
In cybersecurity, the Healthcare and Public Health (HPH) sector faces an ever-evolving array of threats. The notorious Clop ransomware group has recently made headlines, targeting organizations with sophisticated attacks. These incidents underscore the need for robust cybersecurity measures, particularly in application asset management and user access management.
The Clop threat: A wake-up call for healthcare security
Clop, a Russian-speaking group linked to the infamous TA505 and FIN11, has aggressively targeted the HPH sector. Known for leveraging vulnerabilities in systems like MOVEit and GoAnywhere MFT, Clop has demonstrated the ease with which attackers can exploit weaknesses in digital infrastructure. These attacks, mainly exploiting the GoAnywhere MFT zero-day vulnerability (CVE-2023-0669), which was added to CISA’s Known Exploited Vulnerabilities Catalog, highlight the urgent need for healthcare organizations to reassess their cybersecurity strategies.
CISA’s guidance: A roadmap for enhanced security
The Cybersecurity & Infrastructure Security Agency (CISA) provides a blueprint for addressing these emerging threats. Central to their recommendations is the importance of comprehensive asset management, especially in applications. Healthcare organizations are advised to maintain a detailed inventory of all applications, assess their security posture, and ensure they are updated with the latest security patches.
Access management is another critical area. The rise in sophisticated attacks like those by Clop emphasizes the importance of robust access control mechanisms. This includes implementing phishing-resistant authentication methods, such as FIDO2, strict access controls, and regular audits to ensure that only authorized individuals can access sensitive data.
The risk of nonstandard applications
Against the backdrop of these threats, nonstandard applications present a unique challenge. These applications often rely on traditional password-based authentication and lack integration with identity providers (Azure AD, Okta, SailPoint, etc.). Besides not supporting SSO, these applications also lack support for lifecycle management, i.e., joiners, movers, and leavers. What is normally automated through your identity provider now becomes a slog of manual and error-prone work for your IT team. This disconnect makes nonstandard applications vulnerable targets for threat actors like Clop.
Applications that fall into this category have many names (nonstandard, decentralized, disconnected, or unmanageable applications). No matter what you call them, they are a considerable risk for the HPH sector. Research from the Ponemon Institute found that 63% of organizations experienced an incident caused by nonstandard applications.
Empowering the healthcare sector
By aligning with CISA's guidance and understanding the tactics of groups like Clop, healthcare organizations can better prepare themselves against these threats.
Healthcare organizations should consider the following steps:
- Conduct comprehensive application asset inventories
Regularly update and review the list of all applications and devices used by the organization. This includes on-premises, cloud, IT, and OT. Web proxies have traditionally been used to block access to undesirable sites, but with the advent of SaaS, these tools have been incapable of preventing the spread of Shadow IT. HPH organizations need to investigate mechanisms that intercept new subscriptions when they are being created, not after. We just might have such a solution here at Cerby.
- Implement robust access controls for all applications
Utilize advanced authentication methods (FIDO2) and ensure regular audits of access permissions. That is a lot to pack into one short sentence. Still, as noted above, nonstandard applications disconnected from your identity plane are both a risk and a source of productivity loss. Ponemon Institute researchers found that manual work in nonstandard applications, involving an average of 8 staff members in provisioning and deprovisioning, costs $648,000 annually, diverting significant resources from more productive tasks (like reducing cyber risk).
- Stay informed on emerging threats
Keep abreast of the latest cybersecurity developments and advisories from agencies like CISA and H-ISAC. If your company is not involved with H-ISAC, consider making it a priority in 2024.
- Continuously educate and train staff
Regular training sessions on cybersecurity best practices can significantly reduce the risk of social engineering attacks. While this seems a no-brainer, most non-security staff struggle with basics like strong passwords and 2FA. Platforms that automate these critical yet tedious steps will be a future pathway to reducing business email compromise.
- Develop a cybersecurity roadmap and risk register
Create a clear and concise plan that outlines the organization's cybersecurity strategy, risk register, and response plan. While some organizations have risk registers, progress often breaks down when translating risk to the board. Risk registers should be considered the account that holds all known risks. Cybersecurity practitioners then own framing these risks and the investments required to buy them down until they are acceptable to the business.
Navigating the complex cybersecurity landscape, especially in healthcare, demands a strategic focus on access management. Organizations must adopt proactive, vigilant approaches, aligning with best practices in access control as recommended by agencies like CISA. In an era where threats like Clop are prevalent, prioritizing robust access management for all applications, not just those connected to your identity provider, is both necessary and a cornerstone of maintaining a resilient and secure healthcare data environment.
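As an added illustration of the first two steps (not part of the original article and not Cerby's code), the following sketch reconciles an application inventory against the identity provider roster. It flags accounts in nonstandard applications that belong to leavers, have no known owner, or do not use phishing-resistant authentication. All application names, user names, and field names are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class App:
    name: str
    sso: bool            # federated to the identity provider
    provisioning: bool   # joiner/mover/leaver lifecycle is automated
    accounts: dict = field(default_factory=dict)  # local login -> auth method

# Constructed sample data (hypothetical names, not from the article).
IDP_ROSTER = {"akim": "active", "bsantos": "active", "cwright": "terminated"}
PHISHING_RESISTANT = {"fido2"}

INVENTORY = [
    App("ehr-portal", sso=True, provisioning=True),
    App("lab-vendor-portal", sso=False, provisioning=False,
        accounts={"akim": "password", "cwright": "password",
                  "shared-lab": "password"}),
    App("file-transfer", sso=False, provisioning=False,
        accounts={"bsantos": "fido2"}),
]

def audit(inventory, roster):
    """Return (app, login, finding) tuples for nonstandard applications."""
    findings = []
    for app in inventory:
        if app.sso and app.provisioning:
            continue  # lifecycle and authentication are handled by the IdP
        for login, method in sorted(app.accounts.items()):
            status = roster.get(login)
            if status is None:
                # Local account with no matching identity, e.g. a shared login.
                findings.append((app.name, login, "unowned-account"))
            elif status != "active":
                # The person left, but manual deprovisioning never happened.
                findings.append((app.name, login, "leaver-still-provisioned"))
            if method not in PHISHING_RESISTANT:
                findings.append((app.name, login, "not-phishing-resistant"))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY, IDP_ROSTER):
        print(*finding, sep="\t")
```

Run on a schedule against real exports, the output of a check like this feeds directly into the risk register described in the last step.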
For more insights, contact us and follow us on social at @CerbyHQ.