How to Harden Defenses against Nation-State Cyber Attacks


The nation’s healthcare system and individual provider organizations may be at increased risk of cyber-attacks launched from countries that have tense relations with the United States, and cyber-security needs to be stepped up accordingly.

That’s the conclusion of the Association for Executives in Healthcare Information Security (AEHIS), which has issued a security checklist for healthcare. While the risk applies to almost all businesses and organizations, some experts warn that the healthcare industry faces a heightened risk.

Some have even predicted “wiper” attacks from Iran that could erase data and disable critical systems in an effort to severely harm US organizations. Healthcare organizations are seen as having weak security, and disrupting their networks and records could be costly and have a huge impact on the public.

“Healthcare systems in general are becoming increasingly dependent on information systems, and by extension, patient care is becoming increasingly dependent on fully functional Electronic Health Records (EHR), Picture Archiving and Communication Systems (PACS), and other systems …,” reads the report, prepared by the AEHIS Incident Response Committee. “It is imperative that hospitals consider implementing controls and plans to deal with the potential that hospitals may one day be faced with the threat of a state-sponsored cyber-attack … .”

The AEHIS report lists 17 steps to defend against nation-state cyber-attacks. We have briefly listed them below. Our team at Emerge IT can explain these further, do a full assessment of your network, and tell you how your organization stacks up against this list:

Patching and Vulnerability Scanning

Ensure that all connected systems are properly patched. Prioritize public-facing systems and any endpoints that connect to the Internet or are used to open email from third parties. Run routine vulnerability scans to confirm that no patches are being missed.

Verify Disaster Recovery and Business Continuity Plans

All organizations should exercise their disaster recovery and business continuity plans to ensure that they can remain operational and maintain patient safety in the event of a communication failure, power loss, or loss of other infrastructure.

Geoblocking

All hospitals should maintain a list of world regions that could be hostile and implement geoblocks, in their firewalls and web application firewalls (WAFs), against network traffic to and from those regions. Geoblocking cuts down on opportunistic scanning and noise, but a determined attacker can route through infrastructure in a non-blocked country, so it should be treated as one layer rather than a complete defense.

Security Information and Event Management (SIEM) Alerts

Organizations should make use of a SIEM in their log management and incident identification strategies. The SIEM ruleset can be customized to alert on any network traffic or communications going to or coming from a hostile region, including connections that the firewall allowed, which would indicate a gap in the geoblock.
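The two items above (a geoblock list and a SIEM rule that fires on traffic to or from those regions) can be illustrated with a small correlation script. This is an added example written for this article, not code from the AEHIS report or from Emerge IT. The CIDR-to-region table, the region codes "XA" and "XB", the internal address ranges and the firewall log lines are all constructed for illustration; a real deployment would use a licensed GeoIP database, the hospital's own block list, and the SIEM's native rule language.

```python
"""Geoblock/SIEM correlation over firewall logs (added example, constructed data)."""
import ipaddress
import re
from collections import Counter

# Constructed lookup table using documentation ranges (NOT real allocations).
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "XA"),
    (ipaddress.ip_network("198.51.100.0/24"), "XB"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]

# The hospital's own geoblock list (hypothetical region codes).
HOSTILE_REGIONS = {"XA", "XB"}

# Address space the organization treats as internal (assumed).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed firewall export: one key=value event per line.
SAMPLE_LOGS = """\
ts=2024-01-05T10:00:01Z action=allow src=10.20.30.5 dst=192.0.2.10 dport=443
ts=2024-01-05T10:00:02Z action=allow src=10.20.30.7 dst=203.0.113.45 dport=443
ts=2024-01-05T10:00:03Z action=deny src=198.51.100.8 dst=10.20.30.9 dport=3389
ts=2024-01-05T10:00:04Z action=allow src=10.20.30.7 dst=203.0.113.46 dport=8443
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict; empty dict for blank or unparsable lines."""
    return dict(_KV.findall(line))


def region_of(ip_str):
    """Map an address to INTERNAL, a region code from the table, or UNKNOWN."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in INTERNAL_NETS):
        return "INTERNAL"
    for net, region in GEOIP_TABLE:
        if ip in net:
            return region
    return "UNKNOWN"


def evaluate(log_text):
    """Apply the 'traffic to/from a hostile region' rule to every event.

    Returns a list of alert dicts. An *allowed* connection involving a blocked
    region is the serious case: the geoblock is missing or has been bypassed.
    A *denied* inbound probe is expected and is recorded at info severity.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        src_region, dst_region = region_of(ev["src"]), region_of(ev["dst"])
        if dst_region in HOSTILE_REGIONS:
            direction, internal, external, region = "outbound", ev["src"], ev["dst"], dst_region
        elif src_region in HOSTILE_REGIONS:
            direction, internal, external, region = "inbound", ev["dst"], ev["src"], src_region
        else:
            continue
        alerts.append({
            "ts": ev["ts"],
            "direction": direction,
            "internal_host": internal,
            "external_ip": external,
            "region": region,
            "severity": "high" if ev["action"] == "allow" else "info",
        })
    return alerts


def hosts_by_alert_count(alerts):
    """Counter of (internal host, direction) -> number of alerts, for triage."""
    return Counter((a["internal_host"], a["direction"]) for a in alerts)


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOGS):
        print(alert)
```

Running it flags the two allowed outbound connections from 10.20.30.7 as high severity and the denied inbound RDP probe as informational. The severity split is the point of pairing the SIEM rule with the geoblock: denied traffic confirms the block is working, while allowed traffic to a blocked region is what the analyst needs to see first.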

Threat Intelligence

Threat intelligence is critical and can help put blocks in place before an attack reaches the organization. It should be used in conjunction with SIEM and/or Endpoint Detection and Response (EDR) alerting.

Network Segmentation

Network segmentation won’t prevent a threat from reaching your network, but it confines the damage to the segment that is attacked and makes it harder for an intruder to move laterally to clinical systems elsewhere on the network.

Audit Publicly Exposed Assets and Services

Many hospitals don’t know which of their network assets are public-facing. Each of those assets needs to be identified, protected, and reviewed to determine whether it actually needs to be reachable from the Internet.

Continuous Network Discovery

Continuous network discovery tools let an organization monitor for unauthorized devices connecting to its network, and they also identify the type of device that connected.

Incident Response (IR) Planning and Testing

All hospitals, businesses and organizations need an up-to-date incident response plan and identified alternative methods of communicating in the event that normal channels are interrupted.

Sandboxing

A sandbox allows isolated execution of documents, files and URLs exchanged with external organizations. Sandboxes can detect malicious behavior and are a recommended addition to firewalls and spam filters.

Application Whitelisting

Application whitelisting (also called allowlisting) keeps any process that is not explicitly approved by your organization from running in your environment.

DNS Sinkholing

Healthcare environments run an array of IoT and OT devices that cannot be covered by an endpoint security suite. A DNS sinkhole answers queries for known malware or command-and-control domains with an address the organization controls, which both blocks the connection and identifies the device that tried to reach out.
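The sinkhole behavior described above, as an added example written for this article rather than code from the AEHIS report or Emerge IT: blocked names resolve to an internal sinkhole address instead of the real one, and every client that asks is recorded. The sinkhole address, the block list, the upstream answers and the query log are constructed for illustration; in production the block list comes from threat intelligence feeds and the sinkhole address is a real internal listener.

```python
"""DNS sinkhole resolver logic (added example, constructed data)."""
from collections import defaultdict

# Hypothetical internal address on which the sinkhole listener lives.
SINKHOLE_IP = "10.255.255.1"

# Constructed command-and-control apex domains from a threat-intel feed.
BLOCKLIST = {"evil-c2.example", "update-checker.example"}

# Constructed answers that a normal (non-sinkholing) resolver would return.
UPSTREAM = {
    "www.hospital-vendor.example": "192.0.2.20",
    "evil-c2.example": "203.0.113.66",
    "beacon.evil-c2.example": "203.0.113.67",
    "update-checker.example": "198.51.100.9",
}


def normalize(qname):
    """Lower-case and strip the trailing dot so lookups are case-insensitive."""
    return qname.lower().rstrip(".")


def is_sinkholed(qname):
    """True if the name or any parent domain is on the block list.

    Checking every suffix means 'beacon.evil-c2.example' is caught by the
    apex entry 'evil-c2.example', so malware that rotates subdomains is
    still contained.
    """
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


class SinkholeResolver:
    """Answers blocked names with SINKHOLE_IP and records who asked."""

    def __init__(self):
        self.hits = defaultdict(set)  # client IP -> names it tried to resolve

    def resolve(self, client_ip, qname):
        name = normalize(qname)
        if is_sinkholed(name):
            # The client never learns the real C2 address, and because an
            # IoT/OT device runs no agent, this record is the evidence that
            # it is compromised.
            self.hits[client_ip].add(name)
            return SINKHOLE_IP
        return UPSTREAM.get(name)

    def infected_clients(self):
        """Client IP -> sorted list of sinkholed names, for the IR team."""
        return {ip: sorted(names) for ip, names in self.hits.items()}


# Constructed query log: (client IP, queried name).
SAMPLE_QUERIES = [
    ("10.30.1.15", "www.hospital-vendor.example"),
    ("10.30.1.22", "beacon.evil-c2.example"),
    ("10.30.1.22", "EVIL-C2.example."),
    ("10.30.1.40", "update-checker.example"),
]


def replay(queries):
    """Run the queries through a fresh resolver; return answers and suspects."""
    resolver = SinkholeResolver()
    answers = [(ip, name, resolver.resolve(ip, name)) for ip, name in queries]
    return answers, resolver.infected_clients()


if __name__ == "__main__":
    answers, suspects = replay(SAMPLE_QUERIES)
    for row in answers:
        print(row)
    print("devices to isolate:", suspects)
```

The sinkhole only sees devices that use the organization's resolver, so the usual companion control is a firewall rule that blocks outbound DNS (port 53) from everything except the internal resolvers; a device that hard-codes an external DNS server would otherwise bypass the sinkhole entirely. A second firewall rule that alerts on any connection to the sinkhole address catches devices whose DNS query was logged elsewhere.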

Two-Factor Authentication

Two-factor authentication lessens risk by ensuring that a compromised username and password pair alone does not give an attacker access to your organization’s systems.

Local Administrator Password Solution (LAPS)

LAPS sets a unique, regularly rotated local administrator password on every machine. Because hosts no longer share one local administrator credential, a password or hash captured on one host cannot be reused to log in to others, which thwarts many pass-the-hash and lateral-movement techniques used by attackers.

Deception Technology

Deception technologies encourage an attacker to go after decoy assets. They distract an intruder and help with early breach detection, because decoy assets would not be touched in the legitimate course of business.

Endpoint Detection and Response (EDR)

EDR records and analyzes events on endpoint computer systems. It allows for detailed incident investigation and increases an organization’s ability to detect attacks in progress.

Security Education

All organizations should use threat intelligence to identify the common attack methods used by hostile nation-state actors, and run specific education campaigns throughout the organization based on those findings.

Emerge can help you prepare for a cyber-attack. Give us a call at 859-746-1030.