According to the 2021 Unit 42 Ransomware Threat Report, the healthcare sector was the most targeted vertical for ransomware in 2020. The report noted that ransomware operators likely targeted the sector, knowing that healthcare organizations were under enormous pressure from an influx of COVID-19 patients. They could not afford to have their systems locked out and thereby would be likely to pay a ransom. In May 2021, the FBI issued an alert stating that the Conti ransomware group, which had recently taken down Ireland’s healthcare system, had also attacked at least 16 healthcare and first-responder networks in the U.S. the previous year.
The research firm, Comparitech, tracked more than 92 individual ransomware attacks in the U.S. healthcare sector in 2020 — a 60 percent increase over the previous year. This affected more than 600 clinics, hospitals and organizations, including more than 18 million patient records. Estimated costs of these attacks reached nearly $21 billion. We have concluded that threat actors target healthcare organizations based on several factors:
- The Value of the Data Organizations Control and Maintain — Since many threat actors are motivated largely by monetary rewards, they target organizations that have valuable financial and/or data assets that can be converted to funds. Healthcare organizations gather a very broad span of information on their patients, including full contact information, Social Security numbers, payment card data, sensitive health information and healthcare insurance information. Many healthcare delivery organizations (HDOs) also make research part of their operations, which adds to this vast pool of highly valuable data. In total, this provides threat actors with opportunities for data theft, fraudulent insider acts and criminal schemes, such as waging insurance fraud.
- The Perceived Security Posture of the Organization — Healthcare organizations include small and large organizations, spanning from device manufacturers to technology suppliers and HDOs, and each has a unique dedication to security. So, it’s important not to apply generalizations. However, threat actors may well do just that. Healthcare is often considered lean on highly skilled IT/security manpower. The less secure a sector appears to be, the more attacks it will likely receive.
- The Security Posture of the Organization — Attackers are naturally going to be more successful if there are vulnerabilities in the organization’s defensive armor. With the growing complexity in the IT landscape, many healthcare organizations (and other organizations) are struggling to close every gap. Today’s threat actors are highly skilled at scanning for any open port, exposed cloud misconfiguration or other vulnerability. And, the incidents for which we are called to assist correlate to one or more vulnerabilities left open.
- Criticality of Ongoing Operations — We know that certain tactics rely on the organization’s need to keep systems up and running in order to keep core operations functional. Healthcare organizations cannot afford discontinuity in patient care. Outages (system-wide, partial or localized) are unacceptable, which can force systems, such as a network switch, to go without patching/rebooting or proper maintenance for years. If the organization does not have an incident response (IR) plan to restore operations from backups, they may feel more compelled to pay attackers. And, even if the organization does have an IR plan and backups in place, some organizations still pay the ransom because backup systems may also get impacted or the volume of data and systems to restore is beyond what the backup systems are capable of handling in a reasonable amount of time. Regardless of the overall quality of the backup solution, if attackers are able to lock up just one important system that hasn’t been recently or properly backed up, organizations may find themselves in the position of having to consider paying for the decryption key.
Let’s assess the healthcare threats cited earlier and what they suggest about these organizations’ defensive postures and the threat actors who target them.
First, ransomware relies on an organization’s need to keep core systems up and running. Applications such as EMR and PACS are most critical as they are used 24/7 for the purposes of accessing patient records, which contain vital information around disease, medication, etc. Not having access to these applications inhibits the ability to provide patient care. The healthcare sector is hardly the only sector that has a continuous operations imperative. Ransomware is also waged heavily against other sectors that require continuous operations.
Threat actors are motivated by financial fraud. They typically exploit the invoicing process, take over email accounts and pose as a legitimate executive or staff member to authorize payments, then divert funds to their own accounts. Healthcare organizations frequently send and receive invoices for expensive medical services, solutions and technology. Cybercriminals see healthcare organizations as an opportunity to potentially steal significant monetary assets from organizations and patients alike.
Finally, the inadvertent disclosure of data, such as accidentally exposing sensitive data stored in an internet-facing cloud database or internet application, can (and does) affect any industry. Healthcare organizations have increasingly embraced cloud computing and third-party solutions to keep up with business demands and medical innovations. Despite seeming to be outsourced, these solutions and providers require diligent application of organization-side security controls and monitoring. Cortex Xpanse typically finds customers have at least 30% more assets than they realize. As complexity increases, so does the attack surface. Threat actors are continuously scanning for any opportunity to make a move, and because healthcare is a desirable target, these opportunities are likely to be discovered and exploited if not found and addressed.
There are many best practices to secure against these threat tactics, including employing advanced, capable products, such as Next-Generation Firewalls (NGFW) with machine learning and Extended Detection and Response (XDR) platforms.
Besides having proper backups and IR processes in place, below are our top 10 recommendations to defend against a range of threats:
- Deploy a Zero Trust architecture to secure your organization’s data, assets and people.
- Implement multi-factor authentication (MFA) for all internet-accessible devices and accounts.
- Keep an inventory of devices and software.
- Secure configurations for hardware devices and software.
- Perform continuous vulnerability management.
- Limit the use of administrative accounts.
- Encrypt laptops and mobile devices.
- Maintain and monitor audit logs.
- Educate users against the dangers of phishing and social engineering.
- Keep backups segregated and/or offline.
Some sectors receive more targeted attacks than others, and the more often threat actors are successful, the more often the attacks will occur. Part of threat actors’ targeting strategy is to use tactics that are most likely to earn financial rewards and be successful, and for that reason, healthcare is bearing much of the brunt of ransomware, business email compromise (BEC) and inadvertent disclosure-related attacks.
Ransomware, in particular, is the top threat for healthcare organizations, and ransomware operators now use double-extortion tactics: in addition to encrypting data, they exfiltrate it and threaten disclosure to force payment from organizations that have proper backup and IR processes in place to quickly recover.
Ensuring that healthcare organizations are attentive to their end-to-end security needs is not only essential, it is increasingly imperative during times of health crisis like the COVID-19 pandemic. Learn about our cyber incident response and protection for healthcare organizations.