17 steps to harden defenses against nation-state cyber attacks

A group representing healthcare security pros warns that hospitals and healthcare organizations could be top priority targets because of their relatively weak security.


Recent world events, such as the rising international tensions with Iran, are focusing more attention on the threat of nation-state sponsored cyberattacks against the nation’s information infrastructure. While U.S. government cyber defenses are believed to be strong, there’s growing concern that the nation’s healthcare system and individual provider organizations could fall prey to concerted attacks, according to recently published guidance from the Association for Executives in Healthcare Information Security.

The publication, prepared by the AEHIS Incident Response Committee, notes that “even a nation without great military might can possess the potential to unleash havoc” on IT infrastructure. “Even if not explicitly targeted, hospitals need to consider that their systems could still be impacted as collateral damage in a cyberattack scenario.”

The risks are great, according to a separate assessment by Caleb Barlow, CEO of cybersecurity firm CynergisTek, who expects Iranian cyberactors will initiate destructive “wiper” attacks to erase and disable key systems and cripple organizations on the US mainland. He predicts hospitals and healthcare organizations will be top priority targets because of their relatively weak security and the opportunity they present to generate significant cost and impact on the public.

To be prepared, hospitals must implement controls and plans to deal with state-sponsored cyberattacks, the AEHIS guidance urges, offering these 17 steps as essential in protecting healthcare organizations’ data assets.

Patching

If cyberattacks appear likely, ensuring that all connected systems are properly patched for known vulnerabilities is critical. “Particular attention should be placed on any public-facing systems and any systems that are used to connect to the internet or open email from third parties,” AEHIS notes. “For legacy systems that can no longer be patched, organizations may want to consider placing a firewall with IPS functionalities or, in the case of Web servers, a Web Application Firewall (WAF) in front of an asset as a means of providing a level of virtual patching.”

Disaster recovery and business continuity plans

All organizations should review and practice disaster recovery (DR) and business continuity (BC) plans to ensure that they can operate and maintain patient safety in the event of power loss, communications failures, or the loss of other critical infrastructure. “Backup systems should also be tested to ensure all data is being properly backed up and that restore functionality can be successfully achieved,” AEHIS suggests. “Ideally, staff should be cross trained in DR and BC planning in case a loss of mass transit, power grids or other element of critical infrastructure results in lack of availability of an employee.”

Geoblocking

Hospitals should establish a list of regions of the world that they consider hostile and implement geoblocks in their firewalls and WAFs against network traffic to and from them. Organizations also may want to consider implementing geoblocks in their spam filters. “While an attacker can bypass such blocks using a VPN or proxy, the presence of such geoblocks does require the attacker to put in a bit more effort and typically works to reduce the number of attacks an organization sees as a result,” AEHIS notes.

Security information and event management alerts

Organizations should make use of SIEM alerts as part of their log management and incident identification strategies, AEHIS’ publication suggests. “Organizations may want to customize their SIEM ruleset to include any network traffic or communication going to or coming from any nations they deem hostile.” External threat intelligence can also warn of IP addresses, URLs or other indicators of compromise and can be fed into a SIEM to enable faster delivery of alerts for any suspicious cyber activities.
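The geoblocking and SIEM steps above both come down to the same correlation: matching each log event against a blocked-region list and a threat-intelligence feed. The script below is an added illustration of that rule logic, not code from AEHIS; the log format, the GeoIP prefix mapping, the country codes and the indicators are all constructed placeholders.

```python
import ipaddress
import re

# Constructed geoblock list: placeholder country codes standing in for the
# regions an organization has decided to treat as hostile (assumption).
HOSTILE_COUNTRIES = {"XX", "YY"}
# Constructed threat-intel feed (documentation ranges and example names, not real IOCs).
IOC_IPS = {"203.0.113.45"}
IOC_DOMAINS = {"update-check.example"}
# Stand-in for a GeoIP database: prefix -> country code (constructed mapping).
GEOIP = {
    ipaddress.ip_network("203.0.113.0/24"): "XX",
    ipaddress.ip_network("198.51.100.0/24"): "YY",
}
# Constructed firewall log format; a real SIEM parser is tied to the vendor's format.
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+(?: host=(?P<host>\S+))?")


def country_of(ip: str):
    """Look the address up in the GeoIP stand-in; None for unknown or private space."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEOIP.items() if addr in net), None)


def evaluate(line: str) -> list:
    """Return the alert reasons a SIEM rule would raise for one log line."""
    m = LOG_RE.search(line)
    if not m:
        return []  # unparsable line: nothing to correlate (a real SIEM would count these)
    reasons = []
    for role in ("src", "dst"):
        ip = m.group(role)
        if ip in IOC_IPS:
            reasons.append(f"{role} {ip} matches threat-intel IOC")
        if country_of(ip) in HOSTILE_COUNTRIES:
            reasons.append(f"{role} {ip} geolocates to a blocked region")
    host = m.group("host")
    if host and host in IOC_DOMAINS:
        reasons.append(f"host {host} matches threat-intel IOC")
    return reasons


# Constructed sample traffic: an outbound hit on an IOC in a blocked region,
# an inbound RDP attempt from a blocked region, and one benign connection.
SAMPLE_LOGS = [
    "src=10.1.2.3 dst=203.0.113.45 dport=443 host=update-check.example",
    "src=198.51.100.7 dst=10.1.2.9 dport=3389",
    "src=10.1.2.3 dst=192.0.2.10 dport=443 host=portal.example",
]


def alerts(lines=SAMPLE_LOGS) -> dict:
    """Map line index -> reasons, for the lines that triggered at least one rule."""
    return {i: r for i, r in ((i, evaluate(l)) for i, l in enumerate(lines)) if r}
```

Because the threat-intel sets are plain lookups, refreshing the feed is a matter of replacing those sets; the GeoIP check is the part that needs a real database in production.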

Threat intelligence

Threat intelligence is crucial—it can help security executives take a more proactive stance in putting blocks or other controls in place before a threat hits an environment. “When used in conjunction with a SIEM and/or enterprise detection and response, (threat intelligence) can help you to better identify threats you may already be facing,” the AEHIS guidance states.

Network segmentation

Network segmentation can reduce the amount of damage from attacks such as ransomware. The more segmented a network is, the more difficult lateral movement is, resulting in a higher probability that the damage will be contained. “Ideally, network segmentation should be done to the point of zero trust, but at a minimum, segmenting off any connected medical devices or other systems deemed critical for patient safety is a must,” the AEHIS guidance notes. “Ideally, organizations should isolate medical devices in a manner that minimizes connectivity and ports for optimal protection.”

Audit publicly exposed assets and services

Healthcare organizations often don’t fully understand what assets are public facing. Security executives should identify public-facing assets and question whether there is a need to have external connectivity or any connectivity. “If the asset does not require external connectivity, such access should be restricted. For assets deemed critical to being public facing, the organization should ensure that they are fully patched and hardened and that no unnecessary services are permitted or exposed,” AEHIS recommends.

Continuous network discovery

Healthcare organizations typically have a difficult time maintaining accurate and comprehensive equipment inventories, so they should implement continuous network discovery tools that monitor for new or unauthorized devices being connected to the network and then profile those devices. Doing so enables security staff to promptly identify the type of device, the operating system, firmware levels and more. These tools also can correlate vulnerability intelligence to underscore known vulnerabilities and identify how to minimize them.

Incident response planning and testing

Organizations need to ensure that they have an up-to-date incident response plan and that the plan has been recently tested. Familiarity with the plan and its protocols will help maximize the efficiency and efficacy of the response, thus minimizing the impact of an incident. “Additionally, the IR plan should provide contingent modes of communication should there be interruptions to the services that the IR plan is dependent on,” the guidance suggests. The AEHIS IR Committee makes a variety of tabletop exercises available to hospitals and healthcare organizations.

Sandboxing

With the number of attack approaches rapidly increasing, it’s more important than ever for organizations to have a way to detect new malware. A sandbox enables security executives to execute office documents, executable files, files exchanged with external organizations and URLs to be tested for behaviors that are potentially malicious. For example, sandbox functionality can be incorporated into spam filters for execution of URLs and attachments, as well as firewalls for execution of transferred files.

Application white-listing

Having this capability prevents any process or executable file that is not explicitly approved from running in an organization. “Application whitelisting should be strongly considered for any system that is public facing as well as any system whose operation is deemed critical to patient safety,” AEHIS urges. It is “a highly effective means of keeping a system from falling victim to a cyber-attack. Combining application whitelisting with zero trust network segmentation principles is a highly recommended security architecture.”

DNS sinkholing

Healthcare organizations have a variety of medical, IoT and OT devices, and it’s typically not possible to run an endpoint security suite to protect them—so it’s not always possible to know the threats with which these devices have come into contact. DNS sinkholing provides a way to identify devices that may be trying to communicate with known malware or command and control domains. “Geoblocking can potentially be incorporated into a DNS Sinkhole, and a SIEM alert can easily be set up for any device that connects to the sinkhole,” the AEHIS guidance notes.
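To make the sinkholing step concrete, here is an added resolver model (not AEHIS's or any vendor's code) showing the three pieces the guidance combines: blocklisted domains answered with a sinkhole address, geoblocking folded in at the TLD level, and a per-device alert for anything that reached the sinkhole. The blocklist, TLD code, sinkhole address and upstream answers are constructed placeholders.

```python
from collections import defaultdict

SINKHOLE_IP = "192.0.2.1"  # constructed sinkhole address (TEST-NET-1)
# Constructed blocklist of malware / C2 domains (example names, not real indicators).
BLOCKLIST = {"c2.example", "bad-update.example"}
# Geoblocking folded into the sinkhole: country-code TLDs to refuse (placeholder code).
BLOCKED_TLDS = {"xx"}
# Stand-in for upstream recursion: what a normal lookup would return (constructed).
UPSTREAM = {"ehr.example": "10.20.0.5", "vendor.example": "198.51.100.20"}


def is_sinkholed(name: str) -> bool:
    """True for a blocklisted name, any subdomain of one, or a geoblocked ccTLD."""
    labels = name.split(".")
    if labels[-1] in BLOCKED_TLDS:
        return True
    # walk up the label tree so beacon.c2.example hits the c2.example entry
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def resolve(hits: dict, client_ip: str, name: str):
    """Answer as the sinkhole resolver would, recording which device asked for a bad name."""
    name = name.lower().rstrip(".")
    if is_sinkholed(name):
        hits[client_ip].append(name)
        return SINKHOLE_IP
    return UPSTREAM.get(name)  # None stands in for NXDOMAIN


def alerts(hits: dict) -> list:
    """One SIEM-style alert per device that reached the sinkhole."""
    return [{"device": c, "names": sorted(set(n)), "queries": len(n)}
            for c, n in sorted(hits.items())]


# Constructed query stream: a medical device beaconing to a C2 domain and a
# workstation looking up a name under a geoblocked TLD, among normal lookups.
QUERIES = [
    ("10.30.1.7", "ehr.example"),
    ("10.30.1.7", "c2.example"),
    ("10.30.1.7", "beacon.c2.example."),
    ("10.30.2.9", "vendor.example"),
    ("10.30.2.9", "mirror.evil.xx"),
]


def run(queries=QUERIES) -> list:
    hits = defaultdict(list)
    for client, name in queries:
        resolve(hits, client, name)
    return alerts(hits)
```

The alert keys off the device that asked, which is what makes the technique useful for medical and IoT devices that cannot run an endpoint agent; a firewall rule that logs any connection to SINKHOLE_IP gives a second, independent trigger.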

Two-factor authentication

Account credentials that enable access to an organization’s network are more widely available than commonly understood. In addition, persistent hackers can harvest credentials through phishing, social engineering, brute-force password gambits and other techniques, so eventually, someone in your organization will have their credentials compromised. “Two-factor authentication greatly mitigates this risk by ensuring that a compromised username and password pair does not guarantee an attacker access,” AEHIS says. “This security control is especially recommended for any form of administrative account or account used to remotely access systems.” In addition, all external access should use a secure virtual private network.

Local Administrator Password Solution

Local Administrator Password Solution (LAPS) is a utility created by Microsoft that enables the randomization of the password of the local administrator of each domain-joined machine. This can help prevent the lateral movement of attacks through an organization, mitigating many of the commonly used “pass the hash” techniques that are used by attackers to jump from a compromised machine to another system in the environment. Thus, LAPS can help mitigate the distribution of a threat in an environment.

Decoy assets

Certain technologies leave “bread crumbs” throughout an organization to entice attackers to go after decoy assets. They enable security executives to perform early breach detection, because these decoy assets would not be accessed in the course of legitimate business processes. Also, the attack methods used against decoy assets can help identify IOCs and other information that can be used to protect real assets.

Enterprise detection and response

This technology enables the recording and analysis of all events occurring on an endpoint computer system, helping security executives to uncover potentially suspicious activity and perform threat hunting. EDR also enables detailed incident investigation, and it thus enhances an organization’s ability to detect attacks that traditional signature-based defenses would probably miss.

Security education and awareness

All organizations should regularly perform phishing education and other forms of security awareness education. In addition, IT executives should perform some research and use their threat intelligence resources to identify common methods of attack used by the hostile nations that are threatening a cyberattack. Provider organizations then can offer crafted awareness campaigns that highlight these attack methodologies and what should be looked out for.

For more information

The AEHIS guidance can be found here.
