What Is an Advanced Persistent Threat (APT)?
by Chloe Bowen
The term advanced persistent threat, or APT, refers to a cyberattack that aims to compromise a system and steal data, or to maintain covert surveillance of that system, over an extended period of time.
Generally speaking, hackers have a specific goal in mind, with planned steps to breach a system and steal sensitive information for financial or political gain. Attackers often create APTs that hide under the radar for a prolonged period of time. Detection often occurs at an “advanced” stage within the attack, after a breach has been happening for months or even years.
Advanced persistent threats cause extensive privacy breaches
The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) defines an advanced persistent threat as “an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors including, for example, cyber, physical, and deception.”
It goes on to define the basis of most APT objectives as “establishing and extending footholds within the IT infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization, or positioning itself to carry out these objectives in the future.”
A system takeover from an advanced persistent threat can have destructive short- and long-term effects on a company. This is especially true for organizations that house sensitive data, such as Social Security numbers or credit card information.
For healthcare providers dealing with electronic protected health information (ePHI), an advanced persistent threat can be extremely troubling. Any compromise in the ePHI system, including unauthorized access or stolen medical records and sensitive patient information, can lead to a HIPAA violation.
Advanced persistent threats and zero day exploits
The U.S. Department of Health and Human Services (HHS) defines an advanced persistent threat as a “long-term cybersecurity attack that continuously attempts to find and exploit vulnerabilities in a target’s information systems,” and it emphasizes caution around zero day exploits. A zero day exploit takes over an organization’s systems through unknown vulnerabilities that are often found in hardware, software or firmware. Hackers perform background research prior to beginning their attack to find this kind of unsecured threat vector.
The combination of both the zero day exploit and an APT can cause irreversible damage to an organization’s most critical systems, attacking a multitude of interconnected networks throughout an organization in one fell swoop.
In 2017, the United Kingdom’s National Health Service was devastated by the WannaCry cyberattack, an advanced persistent threat that infected up to 70,000 different devices across a multitude of systems in 150 different countries, including the United States and Canada.
This attack forced the NHS to turn away patients for non-urgent care due to its inability to access patient records that had been breached.
Security measures for covered entities
Even if the information under attack was not directly stolen, you are required to contact HHS to report an advanced persistent threat right away, much in the same way you would notify them of a data breach.
According to HHS, the notification must include “the nature and extent of the health information involved,” along with details on whether the information was viewed or accessed, and mitigation plans to prevent such attacks in the future. From there it is determined whether or not the media needs to be involved in the notification process.
Whether or not your business has experienced an APT, it is imperative that you have a plan in place to mitigate the risk of attack, such as:
- Implementing and maintaining a risk management system that identifies various levels of vulnerabilities throughout your hardware and software
- Performing weekly system audits that identify and track changes or abnormalities
- Limiting employee access to ePHI
- Encrypting all ePHI and email containing sensitive patient information
- Establishing a security protocol training program to teach employees how to identify and report abnormal activity in your system
- Conducting periodic risk analyses
- Developing a disaster recovery plan
APTs remain a hot-button issue in healthcare
As the healthcare digital transformation continues, many companies are moving to electronic systems for both patient records and correspondence. Understanding cybersecurity risks and adding the right tools to your digital arsenal helps you protect ePHI.
Paubox’s convenient solution integrates with both Google Workplace and Microsoft 365 to protect your messages. You won’t have to think about which messages to secure because all emails are encrypted by default. The recipient reads the encrypted messages directly from their inbox, avoiding extra steps such as portal logins or passwords.