
DNS Threat Intelligence for Healthcare Networks

The 2023 IDC Threat Report shows 87% of healthcare orgs suffer DNS attacks costing $995K. DNS threat intelligence lets healthcare move to proactive defense. Learn how smart DNS security enhances ransomware detection, data protection, service uptime, and zero trust.

March 11, 2024 | Written by: Surinder Paul

Healthcare institutions are increasingly targeted by cyberattacks such as DDoS and ransomware, which cause life-threatening impact as well as severe breach damage costs. Because DNS ensures seamless connectivity to important systems and services, enabling timely access to critical information, it is a top target and attack vector for cybercriminals. It’s therefore no surprise that the IDC 2023 Global DNS Threat Report emphasizes that specialized DNS Security, incorporating DNS Threat Intelligence, is mandatory for proactive network security.

Enlarged threat landscape: NIS 2 Directive enforced for Healthcare

To enhance cost-efficiency and quality of their services, healthcare organizations worldwide have turned to digital solutions. Electronic Patient Records (EPR) have brought new opportunities, but healthcare providers now have to manage a sprawling supply chain of hardware and software vendors. Multi-cloud apps, connected devices, remote access, and AI usage for clinical decisions have accentuated IT management complexity. Combined with a lack of investment in cybersecurity maturity, this has left healthcare networks extremely vulnerable.

Cyberattacks and breaches hinder hospitals from delivering timely care, and often require healthcare facilities to pay substantial ransoms for retrieving stolen data and restoring IT systems. One of the most devastating attacks involved the use of a phishing email by the Conti Ransomware Gang to compromise the Irish Health Service Executive (HSE). With 80% of data in the system being encrypted, the national diagnostic imaging platform became inaccessible and radiotherapy services paused. And the loss of access to patient details, appointments, and medical records resulted in postponement of 50% of acute outpatient appointments and clinical interventions.

The level of danger has driven the WHO and law enforcement agencies to issue warnings in 2024 about the threat of cyberattacks to the healthcare sector. To address the growing digital risk, it’s important that healthcare enhances its level of readiness to defend itself and its digital assets against cyberattacks. Unsurprisingly, the NIS 2 directive features healthcare as an essential entity.

DNS attacks are top of mind: DNS threat intelligence is vital

Healthcare has now become one of the most targeted industries for cyberattacks such as DDoS, phishing, data theft and ransomware, often using DNS as an attack target or vector. According to the IDC Threat Report, 87% of healthcare organizations were victims of DNS attacks, suffering an average of 7.1 attacks each, at a cost of $995K per attack (up from $906K in 2022 and $862K in 2021).

Top DNS Attack Types Suffered by Healthcare

Impacts of DNS Attacks on Healthcare Organizations
  • Cloud service downtime 50%
  • In-house app downtime 59% (highest across all industries)
  • Data theft 21%
  • Brand damage 36%

The IDC report found each DNS attack takes an alarming 5 hrs 47 mins to mitigate. Considering the importance of stable networks for patient care, the countermeasures being used to mitigate DNS attacks are worrying, as they disrupt services like patient monitoring, diagnostic imaging, and medication dispensing systems, potentially causing harm or loss of life: 52% shut down the DNS, 37% disabled the affected apps, and 28% shut down part of their network infrastructure.

The findings in the threat survey led to IDC Security Research Manager Romain Fouchereau stating:

“The impact caused by DNS attacks is real and ever-increasing, so the time to act is NOW! Consolidating DNS threat intelligence and observability across the security ecosystem enables proactive defense, reduces cyberthreats, and enhances protection.”

The following sections take a deeper look at some of the impacts of DNS attacks on Healthcare, and how purpose-built DNS Security for Healthcare helps protect networks.

Ransomware: Protect using DNS Filtering

Today’s healthcare institutions are being targeted by well-equipped and well-funded professionals. These cybercriminals routinely launch ransomware attacks against critical infrastructures like hospitals, clinics, and medical research laboratories, creating a direct threat to public health and safety. According to the US Department of Health and Human Services, in 2023 there were more than 630 ransomware incidents impacting healthcare worldwide. The top ransomware groups identified were LockBit, Cl0p, ALPHV, and BianLian. Notable ransomware incidents against healthcare have included Petya, WannaCry, GandCrab, Locky, and Ryuk. As an example, a ransomware attack on a large hospital network resulted in over USD $100 million in damages, with multiple sites and half a million patients being impacted: stolen patient data, payroll disruption, delays in patient care, ambulances diverted, EHR downtime.

With modern ransomware actors often leveraging Ransomware-as-a-Service (RaaS), and critical Internet of Medical Things (IoMT) devices being potential targets in ransomware attacks, urgent steps are required to prevent significant downtime costs and damage. EfficientIP DNS Security helps considerably, with the IDC report showing 53% of healthcare organizations already use DNS security for ransomware and malware protection. Unusual traffic patterns can be identified via DNS traffic analysis, unveiling zero-day malicious domains which are being used by ransomware for data exfiltration. In addition, our DNS Filtering blocks access to known malicious domains, stopping ransomware from communicating with its C2 servers, and prevents ransomware initiation by inhibiting access to known phishing sites.

Data Theft: Detect early via DNS traffic analysis to meet regulatory compliance

Dozens of data breaches have been reported within the last few months alone. Norton Healthcare in Kentucky confirmed threat actors gained unauthorized access to personal information affecting 2.5 million patients and employees. In Asia, the Indian Council of Medical Research stated that 81.5 million Indian citizens may have had their Covid test and other health data exposed in a huge data breach by a threat actor going by the name of “pwn0001”.

In an attempt to strengthen protection of sensitive patient data, healthcare regulations are becoming more and more strict. Trying to comply with HIPAA, HITECH, HICP, NIST, NIS 2, GDPR, and PDPA has become a daunting challenge for healthcare providers, accentuated by device proliferation, network complexity, and the increasing use of patient data for AI and ML processing.

Regulations require any entity involved in a patient’s care to protect medical data. This includes securing access to information stored in EPRs. DNS security is a specialized layer of defense which complements security systems to strengthen protection of sensitive patient data. The IDC threat survey found that 59% of healthcare respondents consider that DNS security helps prevent data exfiltration by detecting improper DNS flow and blocking related traffic. With EfficientIP DNS Guardian, access to patient data can be automatically protected by analyzing DNS traffic to detect DNS tunneling or C&C.
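As an added illustration of the DNS traffic analysis described above (not code from the original article, and not EfficientIP's product logic), this example flags client/zone pairs whose queries carry many unique, long, high-entropy subdomains, a common signature of DNS tunneling. The log format, the thresholds, the sample names and the rule that the last two labels form the zone are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample: "<client-ip> <qname>" per line; not real traffic.
SAMPLE_LOG = """\
10.20.1.15 ehr.hospital.example
10.20.1.15 pacs.hospital.example
10.20.1.15 a1.telemetry.example
10.20.1.15 a2.telemetry.example
10.20.1.15 a3.telemetry.example
10.20.1.15 a4.telemetry.example
10.20.7.44 k7qz3mxw5hvb2ntr6ydg4pcj.sync-cdn.example
10.20.7.44 w2jf6rnq4ktzx7bd3yhm5cvg.sync-cdn.example
10.20.7.44 p5xd2gwk7mzr3bqj6tny4hfc.sync-cdn.example
10.20.7.44 h3vn6cyt2qkx5rwb7jdm4zgp.sync-cdn.example
10.20.7.44 t6bm4jzq3wfy7kxc2rhd5npv.sync-cdn.example
"""

# Assumed thresholds for illustration; tune against your own baseline.
MIN_UNIQUE, MIN_AVG_LEN, MIN_AVG_ENTROPY = 4, 20, 3.5

def shannon_entropy(s):
    """Bits per character of s."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def find_tunnel_suspects(log_text):
    """Return {(client, zone): (unique, avg_len, avg_entropy)} for suspect pairs."""
    subs = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, qname = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain part that could carry data
        # Assumption: the last two labels are the zone (no public-suffix lookup).
        zone = ".".join(labels[-2:])
        subs[(client, zone)].add("".join(labels[:-2]))
    suspects = {}
    for key, names in subs.items():
        avg_len = sum(map(len, names)) / len(names)
        avg_ent = sum(map(shannon_entropy, names)) / len(names)
        # All three signals must agree: many short unique names alone is not enough.
        if len(names) >= MIN_UNIQUE and avg_len >= MIN_AVG_LEN and avg_ent >= MIN_AVG_ENTROPY:
            suspects[key] = (len(names), avg_len, round(avg_ent, 2))
    return suspects

print(find_tunnel_suspects(SAMPLE_LOG))
```

The telemetry zone in the sample has four unique subdomains but is not flagged, because its names are short; requiring volume, length and entropy together keeps ordinary chatty services out of the alert queue.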

Connected devices: DNS Security enables Zero Trust to secure IoT

Hospitals today deliver patient care using telemedicine apps, robotic equipment, and connected machines such as MRI and heart rate monitors. Juniper Research forecasts that by 2026 hospitals worldwide will deploy 7.4 million IoMT devices, with each hospital running 3,850 devices on average. IoT has revolutionized healthcare but at the same time opened it to cybersecurity risks. Any device which becomes infected with malware can be used to orchestrate ransomware, exfiltrate patient data, or quickly spread infection on the network. Healthcare cybersecurity provider Cynerio reported that 56% of hospitals have had their IoT/IoMT devices attacked in the past two years, and 88% of data breaches involved IoT devices.

Cybercriminals using IoT devices as entry points to IT infrastructure often leverage DNS as an attack vector. DNS Security should therefore be a “no brainer”, but surprisingly only 45% of healthcare IT personnel view DNS as being of high importance for protecting IoT devices – well below the average across all verticals of 54%.

EfficientIP DNS Security allows you to make DNS an early point of detection in order to automatically secure all devices and safeguard patient data. Botnet activity, for example, can be combated by intelligently controlling which apps or infrastructure components each IoT device is allowed to access, helping accelerate Zero Trust strategies. Zero Trust lets healthcare organizations take advantage of the many benefits of connected clinical devices without exposing them to cyberthreats and ransomware. With 75% of institutions planning, piloting or running Zero Trust today, 89% consider DNS filtering valuable for controlling IoT device access via allow & deny lists. By blocking lateral movement of threats, DNS naturally becomes your first line of defense.
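The per-device allow and deny lists described above can be pictured with the following added example (not from the original article or any EfficientIP product). It evaluates a DNS query against a device-class policy with default deny, deny-over-allow precedence, and zone matching on label boundaries; the device classes, IP addresses and zone names are hypothetical.

```python
# Constructed policy: device class -> allowed / denied DNS zones (hypothetical names).
POLICY = {
    "infusion-pump": {"allow": ["pump-vendor.example", "ntp.hospital.example"],
                      "deny": ["telemetry.pump-vendor.example"]},
    "mri-scanner": {"allow": ["pacs.hospital.example"], "deny": []},
}
# Constructed inventory mapping client IPs to device classes.
DEVICES = {"10.20.7.44": "infusion-pump", "10.20.8.10": "mri-scanner"}

def in_zone(qname, zone):
    """True if qname equals zone or is a subdomain of it (label-boundary match)."""
    q = qname.lower().rstrip(".")
    z = zone.lower().rstrip(".")
    # A plain endswith(z) would wrongly accept "evilpump-vendor.example".
    return q == z or q.endswith("." + z)

def decide(client_ip, qname):
    """Return (verdict, reason); unknown devices and unlisted names are blocked."""
    device_class = DEVICES.get(client_ip)
    if device_class is None:
        return ("block", "unknown device")
    rules = POLICY[device_class]
    if any(in_zone(qname, z) for z in rules["deny"]):
        return ("block", "deny list")  # deny wins over a broader allow entry
    if any(in_zone(qname, z) for z in rules["allow"]):
        return ("allow", "allow list")
    return ("block", "not on allow list")  # default deny

for query in [("10.20.7.44", "fw.pump-vendor.example"),
              ("10.20.7.44", "x.telemetry.pump-vendor.example"),
              ("10.20.7.44", "evilpump-vendor.example")]:
    print(query, decide(*query))
```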

DNS Threat Intelligence Enables Proactive Network Security

But it’s important to understand that the protection provided by the security mechanisms described above is further maximized when combined with DNS-centric intelligence. When it comes to cybersecurity defense, threat intelligence is now confirmed as a vital element. Over half of the healthcare organizations surveyed by IDC consider it a vital component of their defense strategy. 85% of malware uses DNS to develop its attack, so any effective security strategy relies on specialized DNS Threat Intelligence. One in four healthcare institutions already make use of DNS data for their threat intelligence, with this number expected to rise rapidly in the next two years. As highlighted in the IDC report, key to having effective DNS threat intelligence is a quality DNS threat feed.

Implementing and offering DNS threat intelligence raises IT teams to a proactive level of defense, to better protect against phishing and malware. EfficientIP, as a leader in DNS security, provides a cloud-based DNS intelligence portal benefitting from our high-quality DNS threat intelligence feed which leverages a massive volume of DNS intelligence data. Valuable security event information and contextual data can be automatically shared with multiple vendor platforms such as NAC, SIEM, or SOAR tools to simplify and accelerate remediation for SOCs. As a complement, our DNS observability product brings insightful DNS analytics to facilitate troubleshooting and investigation.

Key DNS Security takeaways from the IDC Threat Report

DNS services are imperative for keeping doctors, patients, and devices connected to the Internet and cloud services/apps. The EfficientIP DNS Security solution helps protect healthcare devices, users and apps against data theft, ransomware and other damaging attacks such as DDoS which cause downtime of critical apps and services.

Three key takeaways from the IDC Report are:

  1. Move to proactive defense by using DNS threat intelligence feeds
  2. Strengthen your security posture with DNS Observability
  3. Accelerate threat remediation by integrating DNS data into your network security ecosystem
