How the military-derived “cyber kill chain” model can help health systems fight cybercrime



As cybercrime continues to plague the healthcare industry, a model that focuses on identifying and blocking each step of a cyberattack could help providers stay one step ahead of the hackers.

The need for effective cybersecurity protocols in health systems is more pressing than ever. In the first six months of 2021, data breaches jumped by 27% to 343 compared with the same period last year, according to a recent report. Many providers have already been the victim of a ransomware attack this year, including large and well-resourced ones like Trinity Health and UPMC.

The answer to healthcare’s cybersecurity woes may lie in models adopted from other industries, like the “cyber kill chain” model, said Steve Winterfeld, the advisory chief information security officer at Akamai Technologies, a cybersecurity firm.

The model was developed by defense contractor Lockheed Martin as a military operations framework. Using the model, the military can outline all the steps of a potential attack and then work out strategies to stop it at each step. The same model can be used to detail the steps involved in a healthcare ransomware attack, enabling organizations to defend themselves at each point, Winterfeld said in a phone interview.

“The reason we call it a kill chain is you can stop [the hackers] when they are conducting reconnaissance, you can stop them at the attack, you stop them when they are establishing command and control [over your systems],” he said. “That old saying that the defender has to get it right every time and the attacker has to get it right only once isn’t true if you use this methodology. [The attackers] now have to get it right multiple times to be successful.”

Once they have outlined the steps of a cyberattack, health systems can consider implementing a combination of defense strategies. For example, they can eliminate system vulnerabilities through patching, curb malicious attachments sent via email through filtering and prevent access to infected websites through a secure web gateway, Winterfeld said.

The model helps health systems adopt a programmatic, rather than a reactive, stance to cybersecurity.

“It gives you a way to look from the start to the end of what could happen to you and evaluate [your response] at each phase,” Winterfeld said. “Rather than a point solution, you are asking yourself [how to ensure] prevention-detection-response throughout the lifecycle of an attack.”

But while the “cyber kill chain” model can help health systems figure out what needs to be done, that doesn’t mean they necessarily have the wherewithal to do it. Implementing this model requires significant financial and human resources, said Mike Kijewski, CEO of cybersecurity company MedCrypt, in an email.

These requirements come at a time when most hospitals are facing a severe money crunch, made worse by Covid-19.

“J.P. Morgan reported that they spend $660 million a year on cybersecurity, or about 0.5% of their entire revenue,” Kijewski added. “Hospitals need to be able to spend the same proportion of their budget on cybersecurity, but few have the resources available to do it.”

Yet strained resources notwithstanding, hospitals face a choice: Refrain from adding technology that is expensive but helps to prevent an attack, or risk the expense and reputational damage of experiencing one.

And as cybercrime worsens, models like “cyber kill chain” may help them put up an effective defense against the various bad actors looking to infiltrate their systems.
