The healthcare sector should be the last industry cyber criminals attack, but no exceptions are made when threat actors are looking to make money. Lately, the healthcare industry has seen an uptick in attacks, and five attack vectors are of major concern. From medical clinics to hospitals, there is no sign of attacks on healthcare slowing down. Let’s look at the five most common types of cyber threats in the healthcare industry.
When it comes to healthcare, ransomware is the most common attack vector for cyber criminals. It has become such an issue that the National Health Information Sharing and Analysis Center (NH-ISAC), the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Center for Internet Security (CIS) teamed up to host nationwide training on how to defend against ransomware.
Between July 1 and September 30, 2021, researchers counted 68 healthcare ransomware attacks globally. The United States accounted for 60 percent of those attacks, followed by France, Brazil, Thailand, Australia, and Italy. Medical clinics were the most frequently attacked sub-industry, and ten ransomware gangs were responsible for most of the activity.
Top 10 Global Ransomware Gangs for Q3 2021
Pysa
AstroLocker
DoppelPaymer
LockBit
Hive
Ragnarok
CLoP
Ryuk
Groove
Vice Society
While some ransomware gangs claim to steer clear of healthcare facilities, the Hive ransomware gang deliberately targets the industry. In September 2021 alone, the gang attacked four healthcare facilities in the United States. One of them, a medical center in Missouri, had patient information stolen from its servers; the gang then posted that information online, including names, medical information, and Social Security numbers. Hive was also responsible for a ransomware attack against Memorial Health that resulted in emergency room diversions and appointment cancellations.
Hive typically gains its initial foothold through phishing emails and then uses RDP to move from machine to machine inside the network. The Missouri breach did not disrupt patient care; other healthcare facilities, like Springhill Medical Center, were not as fortunate.
In 2019, Springhill Medical Center was hit by a ransomware attack that has since been linked to a baby’s death. The baby was born with the umbilical cord wrapped around his neck, depriving him of oxygen during delivery. A fetal heart-rate monitor normally alerts hospital staff to such life-threatening situations, but the alert never reached staff because the monitoring system had been knocked out by the ransomware attack. The delivering doctor stated that she would have performed a cesarean section had she been able to see the heart monitor’s readout, and that the situation was preventable. The baby was born with severe brain damage and died nine months later. In September 2021 the hospital was defending itself in a lawsuit related to the attack.
The Ryuk ransomware gang is suspected of being the culprit because of its track record of attacking medical facilities in 2019 and 2020. Its most prominent healthcare attack locked up Universal Health Services’ systems for days in September 2020, delaying lab results and forcing patients to be diverted to other hospitals. However, it is still not confirmed who was behind the Springhill attack, or whether the attackers could ever be charged with a ransomware-related homicide.
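The phish-then-RDP pattern attributed to Hive above leaves a recognisable trail in Windows Security logs: successful logons (Event ID 4624) with LogonType 10 (RemoteInteractive) chaining from one host to the next under the same account. The script below is an added example for this report, not Avertium tooling; the jump-host list, the host-to-IP mapping and the JSON event lines are all constructed for the illustration. It flags RDP logons from unexpected sources, hops whose source is a machine that was itself just reached over RDP, and one account fanning out to several hosts inside an hour.

```python
"""Flag RDP lateral movement in Windows Security logs.

Added example for this report, not Avertium's own tooling. It reads
Event ID 4624 records, keeps only LogonType 10 (RemoteInteractive, i.e. RDP)
and raises three kinds of finding:
  unexpected_source - RDP logon from an IP outside the assumed jump-host list
  chained_hop       - the source IP of an RDP logon is itself a host that
                      received an RDP logon for the same account moments earlier
  fanout            - one account RDPs into FANOUT_HOSTS or more distinct hosts
                      inside WINDOW
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)
FANOUT_HOSTS = 3
# Assumed environment data: where admins are expected to RDP from, and the
# source IP each monitored host presents when it opens an RDP session onward.
JUMP_HOSTS = {"10.10.1.5"}
HOST_IPS = {"WS-RAD01": "10.20.5.31", "WS-LAB02": "10.20.5.44",
            "SRV-EHR01": "10.20.9.10", "SRV-FILE01": "10.20.9.11"}

# Constructed sample events as JSON lines (not real telemetry): a phished
# workstation user hops over RDP across four hosts at 2 a.m., an admin works
# from the jump host, and a nurse logs on locally (LogonType 2, ignored).
SAMPLE_EVENTS = """\
{"time": "2021-09-14T02:11:05", "EventID": 4624, "LogonType": 10, "Computer": "WS-RAD01", "TargetUserName": "jsmith", "IpAddress": "10.20.5.17"}
{"time": "2021-09-14T02:14:40", "EventID": 4624, "LogonType": 10, "Computer": "WS-LAB02", "TargetUserName": "jsmith", "IpAddress": "10.20.5.31"}
{"time": "2021-09-14T02:19:12", "EventID": 4624, "LogonType": 10, "Computer": "SRV-EHR01", "TargetUserName": "jsmith", "IpAddress": "10.20.5.44"}
{"time": "2021-09-14T02:22:03", "EventID": 4624, "LogonType": 10, "Computer": "SRV-FILE01", "TargetUserName": "jsmith", "IpAddress": "10.20.5.44"}
{"time": "2021-09-14T09:00:00", "EventID": 4624, "LogonType": 10, "Computer": "SRV-EHR01", "TargetUserName": "admin.ops", "IpAddress": "10.10.1.5"}
{"time": "2021-09-14T09:03:00", "EventID": 4624, "LogonType": 2, "Computer": "WS-RAD01", "TargetUserName": "nurse1", "IpAddress": "-"}
{"time": "2021-09-14T14:30:00", "EventID": 4624, "LogonType": 10, "Computer": "SRV-EHR01", "TargetUserName": "admin.ops", "IpAddress": "10.10.1.5"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'time', oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def rdp_logons(events):
    """Successful logons (4624) of type 10 = RemoteInteractive (RDP)."""
    return [e for e in events if e.get("EventID") == 4624 and e.get("LogonType") == 10]


def detect(events):
    ip_to_host = {ip: host for host, ip in HOST_IPS.items()}
    history = defaultdict(list)       # account -> [(time, host)] of RDP logons seen
    fired = set()                     # accounts already reported for fan-out
    findings = []
    for e in rdp_logons(events):
        user, host, src, t = e["TargetUserName"], e["Computer"], e["IpAddress"], e["time"]
        if src not in JUMP_HOSTS:
            findings.append({"rule": "unexpected_source", "user": user, "host": host,
                             "src": src, "time": t})
        # Chain: did the machine we came from receive an RDP logon for this
        # account inside the window? That is the hop-to-hop pattern.
        via = ip_to_host.get(src)
        if via and any(h == via and t - ht <= WINDOW for ht, h in history[user]):
            findings.append({"rule": "chained_hop", "user": user, "host": host,
                             "via": via, "time": t})
        history[user].append((t, host))
        recent = {h for ht, h in history[user] if t - ht <= WINDOW}
        if len(recent) >= FANOUT_HOSTS and user not in fired:
            fired.add(user)
            findings.append({"rule": "fanout", "user": user, "hosts": sorted(recent), "time": t})
    return findings


def summarize(findings):
    """Count findings per rule."""
    return {r: sum(1 for f in findings if f["rule"] == r)
            for r in ("unexpected_source", "chained_hop", "fanout")}


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_EVENTS)):
        print(f)
```

On the sample data the admin's sessions from the jump host produce nothing, while the jsmith chain produces four unexpected-source findings, three chained hops and one fan-out alert. In production the host-to-IP mapping would come from DHCP or the asset inventory rather than a hard-coded dict, and the jump-host allowlist is the control that turns this from noise into a usable alert.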
The FBI calls business email compromise (BEC) the “Billion Dollar Scam”. In a BEC attack, the attacker uses spoofed or spear-phishing emails, or a compromised legitimate account, to persuade employees to transfer large sums of money to fraudulent accounts. Typically the attacker impersonates someone with authority in the medical facility, such as the CEO or a vice president, and researches how that person writes beforehand so that the message is convincing. Beyond spear-phishing, attackers also spoof websites or use malware to get into hospital networks and read the email threads about billing and invoices, which tells them which invoice to imitate and when to send it.
Image 1: Stages of Spear-Phishing Campaigns (Source: Avertium)
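The mechanics just described (an executive's name on an outside mailbox, a Reply-To that pulls the conversation away from the real account, a lookalike sender domain, and urgent wording about changed bank details) can each be checked mechanically before a message reaches accounts payable. The triage script below is an added example for this report, not Avertium tooling; the organization domain, the executive directory and the three raw messages are constructed for the illustration.

```python
"""Triage inbound mail for business email compromise (BEC) signals.

Added example for this report, not Avertium's own tooling. It parses raw
RFC 5322 messages with the standard library and flags the classic BEC
tells: an executive's display name on an outside address, a Reply-To that
diverts the thread elsewhere, a lookalike sender domain, a message that
claims to be internal but did not pass DMARC, and payment-redirection
wording. The organization domain and executive directory are assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "mercyhealth.example"                             # assumed
EXECUTIVES = {"dana whitfield": "CEO", "luis ortega": "CFO"}   # assumed directory
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}
PAYMENT_TERMS = re.compile(
    r"\b(wire|routing number|account number|urgent|gift card|"
    r"updated (bank|banking) (details|information))\b", re.I)


def normalize_domain(domain):
    """Fold common character tricks so that rnercyhealth reads as mercyhealth."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch near-miss domains such as mercy-health."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    if not domain or domain == ORG_DOMAIN:
        return False
    return normalize_domain(domain) == ORG_DOMAIN or edit_distance(domain, ORG_DOMAIN) <= 2


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_flags(raw_message):
    """Return the list of BEC indicators found in one raw message."""
    msg = message_from_string(raw_message)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    if " ".join(display.lower().split()) in EXECUTIVES and from_domain != ORG_DOMAIN:
        flags.append("exec_display_name_external")
    if is_lookalike(from_domain):
        flags.append("lookalike_domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        flags.append("reply_to_mismatch")
    if from_domain == ORG_DOMAIN and "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        flags.append("dmarc_not_pass")
    body = "" if msg.is_multipart() else msg.get_payload()
    if PAYMENT_TERMS.search(msg.get("Subject", "") + " " + body):
        flags.append("payment_redirection_language")
    return flags


# Constructed sample messages (not real mail).
LEGITIMATE = """\
From: Luis Ortega <luis.ortega@mercyhealth.example>
To: finance@mercyhealth.example
Subject: Q3 budget review
Authentication-Results: mx.mercyhealth.example; spf=pass; dkim=pass; dmarc=pass

Please send the updated slides by Friday.
"""

SPOOFED_CEO = """\
From: Dana Whitfield <dana.whitfield.ceo@gmail.com>
Reply-To: dwhitfield.office@outlook.example
To: accounts.payable@mercyhealth.example
Subject: Urgent wire needed today

I am stuck in a meeting. Please process this wire to the vendor's updated bank details attached.
"""

LOOKALIKE = """\
From: Accounts Receivable <ar@rnercyhealth.example>
To: accounts.payable@mercyhealth.example
Subject: Invoice 4471

Our routing number has changed; please update it before the next payment run.
"""

if __name__ == "__main__":
    for name, raw in (("legitimate", LEGITIMATE), ("spoofed_ceo", SPOOFED_CEO), ("lookalike", LOOKALIKE)):
        print(name, bec_flags(raw))
```

None of these checks is proof of fraud on its own: a real CFO does occasionally mail from a phone, and "urgent" appears in plenty of honest messages. The value is in the combination; two or more flags on one message should route it to a human and, for any payment change, trigger an out-of-band call-back to a known number before funds move.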
One of the most recent BEC incidents on record is a California hospital that was compromised between December 2020 and April 2021. It began when an employee clicked a malicious link in a work email, which gave the attacker a foothold from which further email accounts were compromised. The organization noticed suspicious activity in March 2021 and cut off access to the compromised email accounts.
Image 2: Stealing Credentials (Source: Avertium)
The attackers allegedly accessed and exfiltrated claims information, dates of birth, lab results, addresses, and other private patient information. The hospital notified patients of the breach in September 2021, and one patient sued the health system for breach of contract, negligence, and violation of California consumer privacy and medical confidentiality laws. The patient’s lawyer argued that the breach could have been prevented had the organization trained its employees to recognize and avoid phishing attacks.
Organizations are sometimes so focused on external threats that they forget to watch for threats inside their own walls. Insiders already have access to systems and networks, which puts them in the perfect position to compromise them, and they may also know about existing vulnerabilities or how the network is set up.
Some insiders are merely careless, for example losing a work device that holds sensitive information, while others are malicious and intentionally damage the organization. According to HealthITSecurity.com, the healthcare industry is not proactive about stopping insider data breaches. In a report published by Verizon, researchers found that healthcare was the only industry with more insider threats (56%) than external threats (43%).
In a case that ended with a 2011 sentencing, a night security guard at a Texas hospital built a botnet on the hospital’s network. He recorded himself moving from desk to desk with an Ophcrack CD and a USB flash drive carrying the bot malware, used his credentials to get into different areas of the building, and showed the viewers of his YouTube channel how he removed the hospital’s antivirus software so that the bot could be installed.
After installing the bot, he showed viewers how he accessed the infected machines remotely. The guard belonged to a hacking group that was using the botnet to attack other hacking groups, including Anonymous. It wasn’t until an analyst from McGrew Security noticed screenshots of the hospital’s HVAC system online that the FBI was notified and the guard was arrested.
Year after year, insider threats are named as the biggest risk to healthcare data. With remote work and telehealth becoming more common, healthcare organizations must be proactive about training employees in cyber security best practices and about vetting who they hire.
Unfortunately, data breaches are familiar territory for healthcare, which experiences more of them than any other sector. Breaches happen in several ways, the most common being credential-stealing malware, employee negligence, and insiders disclosing patient data.
Patient data is the most valuable data for attackers to steal, worth more than credit card numbers or Social Security numbers on their own. Credit card information sells for about $1 to $2 on the dark web, while a single patient record can sell for as much as $363. Because the data is worth more, cyber criminals have more incentive to attack medical databases. A further draw is the weak and outdated systems of healthcare organizations: the industry has been slow to update its cyber security technology, yet it often has substantial financial resources. Cyber criminals know this and assume money will be easy to collect.
Attackers also get in through IoT-based medical equipment and devices connected to centralized networks. In October 2021, Macquarie Health Corporation, based in New South Wales, had to take its servers offline to recover from a data breach. The group runs 12 hospitals across Australia and had over 6,700 legal documents containing patient information posted on the dark web.
In our previous threat report we discussed DDoS and how the Meris botnet is infecting systems on a global scale, primarily in the technology industry. DDoS attacks are popular against the healthcare industry as well. Cyber criminals use this technique to overwhelm networks, a serious problem for healthcare systems that need their network available to deliver patient care.
In 2014, Boston Children’s Hospital was attacked by the hacktivist group Anonymous, which launched a massive DDoS attack against the hospital in retaliation for its involvement in a child custody case. The attack disrupted the hospital’s network for two weeks and cost the hospital over $300,000 to mitigate. Beyond the hospital itself, the attack also knocked out internet access for Harvard University and its affiliated hospitals. DDoS attacks come in many forms, but a volumetric flood like this one is the most common way a healthcare entity is likely to be hit.
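A flood like the one described above shows up first in the web and reverse-proxy access logs, and the two questions a responder asks are whether one client is hammering the service and whether total volume has jumped far above normal. The script below is an added example for this report, not Avertium tooling; the thresholds, the addresses and the combined-format log lines are constructed for the illustration. It is written so that a distributed flood of single requests from many bots is caught by the volume check even though no individual bot crosses the per-address limit.

```python
"""Spot a request flood in web server access logs.

Added example for this report, not Avertium's own tooling. Requests from a
combined-format (Apache/nginx) access log are bucketed into fixed windows and
two checks run over them: single addresses above PER_IP_LIMIT, and windows
whose total volume exceeds SURGE_FACTOR times the median window, which is what
catches a distributed flood where no single bot is noisy. Thresholds, the log
lines and the addresses are constructed for the example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+')
WINDOW_SECONDS = 10
PER_IP_LIMIT = 20      # requests per window tolerated from one address
SURGE_FACTOR = 5       # window total vs. median window total


def build_sample_log():
    """Constructed traffic: three quiet windows, then a flood in the fourth."""
    lines = []

    def add(ip, hhmmss, path="/patient-portal/login"):
        lines.append(f'{ip} - - [14/Sep/2021:{hhmmss} +0000] "GET {path} HTTP/1.1" 200 512')

    for window in range(3):                      # baseline: 2 requests from each of 3 clinic IPs
        for ip in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):
            for k in range(2):
                add(ip, f"10:00:{window * 10 + k:02d}")
    for i in range(150):                         # distributed flood: one request from each of 150 bots
        add(f"198.51.100.{i + 1}", f"10:00:{30 + i % 10:02d}")
    for k in range(25):                          # plus one noisy client hammering the login page
        add("203.0.113.7", f"10:00:{30 + k % 10:02d}")
    return lines


def parse(line):
    """Return (ip, epoch_seconds) for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], int(ts.timestamp())


def bucket(lines):
    """window_start_epoch -> Counter(ip -> requests in that window)."""
    windows = defaultdict(Counter)
    for line in lines:
        parsed = parse(line)
        if parsed:
            ip, epoch = parsed
            windows[epoch - epoch % WINDOW_SECONDS][ip] += 1
    return windows


def detect(lines):
    windows = bucket(lines)
    totals = sorted(sum(c.values()) for c in windows.values())
    median = totals[len(totals) // 2] if totals else 0
    noisy_ips, surge_windows = set(), []
    for start, counter in sorted(windows.items()):
        noisy_ips.update(ip for ip, n in counter.items() if n > PER_IP_LIMIT)
        if median and sum(counter.values()) > SURGE_FACTOR * median:
            surge_windows.append(start)
    return {"baseline_median": median, "noisy_ips": sorted(noisy_ips), "surge_windows": surge_windows}


if __name__ == "__main__":
    print(detect(build_sample_log()))
```

On the constructed log the per-address rule only names 203.0.113.7, while the 150 bots with one request each are invisible to it; the surge rule is what exposes the fourth window as 175 requests against a baseline of 6. A real deployment would take the baseline from a longer history than three windows and would hand the flagged window to upstream rate limiting or the DDoS scrubbing provider rather than simply printing it.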
The healthcare industry is two to three times more likely to be targeted by cybercrime than any other industry. The cyber security firm Herjavec Group reports that healthcare accounts for 18% of the US gross domestic product (about $3.5 trillion) and expects that figure to soar over the next decade; it also predicts that global healthcare spending will climb from $8 trillion in 2013 to more than $18 trillion by 2040.
Most attackers won’t give a thought to patients or vulnerable people when they see an opportunity. As stated above, healthcare information is the most profitable information on the black market, but there are other reasons the industry is a constant target for cyber criminals.
Networked medical devices are an easy entry point for attackers. Because the devices change constantly and newer versions appear every year, those responsible for security and patient data have a hard time keeping up. The devices are designed for clinical purposes, not with security in mind. They may hold little data themselves, but their weak security makes them a convenient launch point for attacks on the servers that do store data.
Remote work and the inconvenience of security controls are additional reasons the healthcare industry is at risk. Medical professionals are often overworked and pressed for time, and may not treat security as a priority when their primary role is saving lives. Weak device authentication and the lack of time to devote to security are issues this sector must address; not wanting to disrupt convenient working practices in order to implement new controls may end up costing the industry far more than time.
Insider threat remediation alone is expensive, with the average annual cost for a healthcare organization around $10.81 million. DDoS, ransomware, BEC, and data breaches put the healthcare industry in devastating situations daily. That is why it is important to get ahead of the curve by protecting your organization proactively, instead of waiting to put out a massive fire. If you are a member of the healthcare sector and need to implement best practices, take a look at Avertium’s recommendations.
DDoS (Distributed Denial of Service) – exploits the capacity limits that apply to any network resource. A DDoS attack sends a flood of requests to the targeted resource from many compromised machines, trying to exceed its capacity so that it stops functioning properly.
IoT (Internet of Things) – computer hardware such as appliances, machines, and sensors that transmit data over the internet or other networks.
Ransomware – malicious software that infects a device and blocks access to data and files until a ransom is paid.
Botnet – a network of malware-infected computers that are remotely controlled by an attacker.
Spear-phishing – carefully crafted emails designed to get a specific victim to respond; the attacker researches the target beforehand to tailor the message to that person.
Ophcrack – a Windows password cracker, typically run from a bootable live CD.
HC3 Identifies Top 10 Ransomware Threat Actors in Q3 2021 for Healthcare (healthitsecurity.com)
Cl0p Ransomware Contact Domain IP Exposed - Pastebin.com - AlienVault - Open Threat Exchange
Hive Ransomware Continues to Attack Healthcare Providers (healthitsecurity.com)
Ragnarok ransomware IOCs - 16 October 2020 - AlienVault - Open Threat Exchange
Baby's Death Alleged to Be Linked to Ransomware | Threatpost
Ryuk Ransomware Now Targeting Webservers - AlienVault - Open Threat Exchange
IOCs DoppelPaymer - AlienVault - Open Threat Exchange
Ransomware: In the Healthcare Sector (cisecurity.org)
Cyberattacks have become vastly more sophisticated (biopharma-reporter.com)
Business Email Compromise — FBI
Insider Threats: In the Healthcare Sector (cisecurity.org)
Healthcare Industry Worst in Stopping Insider Data Breaches (healthitsecurity.com)
3 Ways Healthcare Orgs Can Work to Prevent Insider Security Threats (hitconsultant.net)
Security Guard installs Botnet on Hospital Network – CYBER ARMS – Computer Security (wordpress.com)
Data Breaches: In the Healthcare Sector (cisecurity.org)
Roundup: Health Care Data Breaches and Defenses in the News (securityintelligence.com)
California Hospital Sued Over Data Breach - Infosecurity Magazine (infosecurity-magazine.com)
DDoS Attacks: In the Healthcare Sector (cisecurity.org)
Healthcare Data Breaches & DDoS Attacks: A Rising Threat? | Verizon
9 Reasons Healthcare is the Biggest Target for Cyberattacks (swivelsecure.com)
PYSA Ransomware Gang adds Linux Support - AlienVault - Open Threat Exchange
Vice Society ransomware joins ongoing PrintNightmare attacks - AlienVault - Open Threat Exchange
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be used to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that the Client can use in its compliance efforts, the Client (not Avertium) is ultimately responsible for assessing and meeting its own compliance responsibilities. This report does not constitute a guarantee or assurance of the Client’s compliance with any law, regulation, or standard.