Last year, Crypsis, a Palo Alto Networks Company, released our 2020 Incident Response and Data Breach Report, which analyzed data from over 1,000 incident response and digital forensic investigations we led the previous year.
It wasn’t surprising to us to discover that healthcare was the sector most affected by security incidents. These organizations experienced the highest rate of ransomware (22 percent of all our 2019 ransomware cases) and the second-highest rate of business email compromise (BEC). Healthcare companies also suffered a relatively high number of inadvertent data disclosure incidents (the accidental exposure of data due to improper security controls).
Fast forward to the present: healthcare continues to be heavily targeted. In October, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Department of Health and Human Services (HHS) released a joint cybersecurity alert regarding an increased and imminent cybersecurity threat to the U.S. healthcare system. According to a recent Palo Alto Networks Unit 42 blog, threat operators have displayed a heightened interest in targeting the healthcare and the public health sector, potentially disrupting healthcare services and operations. The research team observed the use of Trickbot malware, a well-known modular trojan, which can lead to stolen information, network reconnaissance, and the installation of other malicious files, including Ryuk ransomware.
Healthcare is designated as one of the 16 critical infrastructure sectors by CISA because of its criticality to our national health and our dependence on it in the face of national crises, whether natural catastrophes or pandemics like COVID-19. Its security defenses are therefore equally important to ensuring continuity of operations. In this blog, we will review the reasons healthcare organizations are targeted more than other sectors, the primary threats posed to their operations, and the best practices they can deploy to better defend against these attacks.
Why Are Healthcare Organizations Hacker “Favorites”?
Our data suggests that threat actors have evolved beyond the mass-distributed phishing tactics of former years (the “spray and pray” approach) to become more targeted in selecting their victims so that they can increase their efficiency and monetary rewards. We have concluded that threat actors target organizations based on several factors:
- The value of the data they control and maintain. Since many threat actors are motivated largely by monetary rewards, they target organizations that hold valuable financial and/or data assets that can be converted to funds. Healthcare organizations gather a very broad span of information on their patients, including full contact information, Social Security numbers, payment card data, sensitive health information, and healthcare insurance information, making such targeted attacks a good opportunity for data theft, fraudulent insider acts, and criminal schemes such as insurance fraud.
- The perceived security posture of the organization. Healthcare organizations range from small to large and span device manufacturers, technology suppliers, and healthcare delivery organizations (HDOs), and each has its own dedication to security. So, it’s important not to apply generalizations. However, threat actors may well do just that. Healthcare is often perceived as lean on cash and on highly skilled IT/security staff, and thus on commensurate security defenses. The less secure a sector appears to be, the more attacks it will likely receive.
- The actual security posture of the organization. Attackers are naturally going to be more successful if there are gaps in the defensive armor. With the growing complexity of the IT landscape, many healthcare organizations (and, indeed, organizations of all types) are struggling to close every gap. Today’s threat actors are highly skilled at scanning for any open port, exposed cloud bucket, or other vulnerability, and the incidents we are called in to assist with correlate with one or more vulnerabilities left open.
- Criticality of ongoing operations. We know that certain tactics rely on the organization’s need to keep systems up and running in order to keep core operations functional. Healthcare organizations cannot afford discontinuity in patient care; system-wide outages or inaccessibility of the data needed to provide care are unacceptable. If the organization does not have a solid incident response plan to restore operations from backups, it may feel more compelled to pay attackers. Regardless of the overall quality of the backup solution, if attackers are able to lock up just one important system that hasn’t been recently or properly backed up, the organization may find itself having to consider paying for the decryption key.
Threat Tactics: Why Are Some Tactics Used More Frequently on Healthcare Organizations?
Let’s assess what the healthcare-targeted threats cited earlier suggest about these organizations’ defensive posture and the threat actors who target them.
First, ransomware relies on an organization’s need to keep core systems up and running; serving patients continuously is essential, and we believe it is for this reason that ransomware attacks against healthcare organizations increased during the COVID-19 pandemic. Healthcare is hardly the only sector with a continuous-operations imperative, and ransomware is also waged heavily against other sectors that share it. Financial services was the second-most affected sector, as large firms can lose millions of dollars per hour of downtime, making them a target of choice.
In 2019, attacks against healthcare organizations accounted for 15 percent of all Crypsis BEC investigations. Threat actors here are motivated by financial fraud. They typically exploit the invoicing process, taking over email accounts and posing as a legitimate executive or staff member to authorize payments, diverting funds to their own accounts. Healthcare organizations frequently send and receive invoices for expensive medical services, solutions, and technology. Cybercriminals see healthcare organizations as an opportunity to potentially steal significant monetary assets from organizations and patients alike.
Finally, the inadvertent disclosure of data, such as accidentally exposing sensitive data stored in an internet-facing cloud database or internet application, can (and does) affect any industry. Healthcare organizations have increasingly embraced cloud computing and third-party-provided solutions to manage IT complexity. Despite seeming to be outsourced, these solutions and providers require diligent application of organization-side security controls and monitoring. As complexity increases, so, too, does the attack surface. Threat actors are continuously scanning for any opportunity to make a move, and because healthcare is a desirable target, these opportunities are likely to be discovered and exploited eventually if not found and addressed.
What Can Healthcare Organizations Do to Protect Themselves?
There are many best practices to secure against these threat tactics, including employing advanced, capable products, such as next-generation firewalls with machine learning and advanced endpoint detection and response solutions.
For a complete list of proactive security techniques, we recommend reading our 2020 Incident Response and Data Breach Report’s detailed Prevention Pro Tips. For a quick view, below are the Crypsis Top Ten recommendations to defend against a range of threats:
- Implement multi-factor authentication (MFA) for all internet-accessible devices and accounts
- Inventory devices and software
- Use secure configurations for hardware devices and software
- Perform continuous vulnerability management
- Limit the use of administrative accounts
- Encrypt laptops and mobile devices
- Maintain and monitor audit logs
- Implement email and web browser protections
- Educate users against the dangers of phishing and social engineering
- Keep backups segregated and/or offline
Securing Healthcare: Understanding the Risks and Threats
Some sectors receive more targeted attacks than others, and the more attacks a sector receives, the more likely some of them will succeed. Part of threat actors’ targeting strategy is to use the tactics most likely to succeed and earn financial rewards, and for that reason healthcare is bearing much of the brunt of ransomware, business email compromise, and inadvertent-disclosure-related attacks. Ensuring that healthcare organizations are attentive to their end-to-end security needs is not only essential, it is increasingly imperative during times of health crisis, such as the one presented today by COVID-19.