Endpoint Detection & Response (EDR) , Endpoint Protection Platforms (EPP) , Endpoint Security
How Overreliance on EDR Is Failing Healthcare Providers
Healthcare Providers Must Revisit Endpoint Security to Mitigate CyberthreatsRansomware attacks have far-reaching consequences on healthcare organizations, extending well beyond financial losses. A University of Minnesota School of Public Health study found that hospital volume dropped by 17% to 26% during the first week of an attack. Between 2016 and 2021, disruptions from ransomware attacks resulted in an estimated 42 to 67 deaths of Medicare patients.
Healthcare providers handle sensitive information of millions of people, and that makes them a target. They swim in an ocean of rules and regulations, and their compliance is constantly scrutinized.
It's easy to forget - at least until your next physical - that chasing compliance and protecting patients' data are not the top priorities of healthcare providers. These organizations often hold something more precious than our records: They care for our health. Simply put - they keep us alive.
How is it then that these organizations - the ones we turn to in the darkest moments of our lives, the praised first responders when pandemics hit - are featured in cybersecurity news seemingly every other day? And usually not with a success story.
The answer lies in the calculated decision-making of cybercriminals.
Healthcare Cyber Breaches: A Growing Concern
Healthcare is a prime target for ransomware attacks because of the life-or-death stakes, access to sensitive data, operational disruptions and potential regulatory fallout, making providers more inclined to pay ransoms.
Healthcare organizations were the target of more than 21% of attacks in 2023-2024, up from 18% in the previous year, according to research by Barracuda Networks. High-profile attacks on organizations including Change Healthcare, Ascension and MediSecure highlight the sector's vulnerability, where data is often exfiltrated before being encrypted, exacerbating the risks.
It's Time to Revisit Our Approach to Healthcare Cybersecurity
A decade ago, a hospital made headlines for being hit by ransomware. In response, the hospital head said he could not justify investment in cybersecurity because "unlike a new CT scanner," cybersecurity doesn't affect patient outcomes. This didn't age well. The healthcare industry is now acutely aware that cybersecurity is essential for both patient safety and the continuity of care.
Many organizations continue to rely solely on endpoint detection and response, or EDR, solutions to meet regulatory standards. But compliant has never been a synonym for secure. EDR solutions are designed to detect specific threats, but their scope is limited, making them vulnerable to sophisticated attacks that bypass traditional defenses.
As is often the case, the devil is in the details. Stolen credentials are sold on the dark web, users run as admins, legitimate tools are used to steal cookies and hijack the web sessions, weak multifactor authentication is used and servers sit unprotected because their attack surface is small.
George Kurtz, CEO of CrowdStrike, perhaps said it best in response to a senator's question during congressional hearings in 2021 on the SolarWinds breach: "… Once you have admin access on a particular system, if you are shutting it down, you can do pretty much whatever you want on it."
EDRs Lack Foundational Controls
Let's consider a few inherent EDR shortcomings that stem from the solution's focus, threat model and operational model:
- EDR is not user-aware. It does not have a way of authenticating the user and relies on the operating system. Whoever has the password is the right kind of user for EDR.
- EDR does not differentiate between an administrator and a regular user. There are several published techniques of tampering with EDR without tripping the wire using elevated access, such as removing EDR hooks.
- EDR focuses on malicious files and behaviors. A "legitimate" user leveraging legitimate tools will likely never draw attention.
- Credential theft from the operating system, third-party software and browser credential stores is protected from a malware perspective, while access to LSASS dumps, NTLM hashes, PuTTY files, cookies and web session data is not universally blocked.
- Users typing passwords is business as usual for EDR. Keyloggers will likely be found and terminated, but more sophisticated attacks, including phishing, can leak passwords.
- If attackers successfully bypassed EDR once, without proper infrastructure and system hardening, they can return for a second ransom payment.
- Many out-of-the-box detections in EDR systems often need to be disabled or excluded in a production environment false because of false positives caused by in-house-developed applications and accepted user behaviors that can be difficult to differentiate from an attacker's tactics.
- Comprehensive 360-degree identity security, application control and isolation, strong continuous MFA, credential theft protection, role-based least privilege, local administrator account security and other critical foundational endpoint security technologies are not part of EDR solutions.
Preventing Cyberattacks: The Ultimate Defense Strategy
Healthcare organizations often lack the necessary preventative, identity-centric component in their endpoint security strategies. By incorporating endpoint identity security into their systems, healthcare organizations can unprivilege the attacker, reduce the endpoint's attack surface, prevent administrator and regular user credential compromise and enable an end-to-end passwordless user experience on endpoints. This approach enables a more secure user experience from login to browsing, minimizing the risk of breaches.
Healthcare Cannot Afford to Put All Its Eggs in an EDR Basket
In a defense-in-depth cybersecurity approach, EDR, while useful, should never be the only line of defense. The industry must adopt a holistic security strategy that includes endpoint identity security as a foundational control. By doing so, healthcare organizations can better protect their networks, safeguard patient data and ensure the continuity of critical services.
For a deeper dive into this subject, check out our e-book, "Why EDR Isn't Enough to Stop Cyberattacks."