Hospitals, pharmacies, care centers and other healthcare organizations are prime targets for malicious cyber-criminals. There are a few reasons for this: healthcare organizations deal with huge amounts of personal and private data, which can be hugely valuable for criminal groups. Healthcare organizations often cannot afford to invest in the latest and greatest security technologies, making them an easy target for every type of cybercrime from gift-card scams to sophisticated ransomware.
Exacerbating these issues, the healthcare industry has been under immense pressure over the past two years, dealing with unprecedented challenges during the course of a worldwide pandemic. The Coronavirus Disease 2019 (COVID-19) pandemic has resulted in widespread disruption to the healthcare industry. Alongside complex issues relating to ensuring sufficient healthcare capacity and resourcing, healthcare organizations and universities also faced heightened cyber-security threats in the midst of the pandemic. Cybercriminals, individual actors, and malicious nation-state-backed groups have cynically exploited the COVID-19 pandemic.
In 2021, there were a number of major healthcare-related data breaches, with over 40 million patient records compromised in the USA. This led to several warnings from the FBI about the risk of cyber-crime to the healthcare sector. In the wake of Russia’s invasion of Ukraine, the FBI has released further warnings of Russian hacks on US healthcare organizations. Healthcare-related data breaches affected over 22.6 million total patients in 2021, with the single largest data breach reported affecting more than 3 million individuals.
The healthcare industry in India has faced more than 1.9 million cyberattacks in 2022, as per data published by the cybersecurity think tank CyberPeace Foundation and Autobot Infosec Private Ltd. The attacks came from a total of 41,181 unique IP addresses, which were traced back to Vietnam, Pakistan, and China. Recently, India’s top government-run hospital, the All India Institute of Medical Sciences (AIIMS), New Delhi, was hit by a massive cyberattack, forcing it to shut down many of its servers and switch to manual operations.
Cyberattacks on healthcare have grown across the world as more hospitals and healthcare services providers are moving their operations and databases online. According to cybersecurity firm Check Point Research, healthcare suffered the highest number of ransomware attacks globally during the September quarter of 2022. Ransomware attacks against healthcare companies are increasing, leaving the data of hospitals and other care facilities vulnerable to hackers’ demands.
Two-thirds (66%) of healthcare organizations were hit by ransomware attacks last year, up from 34% in 2020, according to a new report from cybersecurity firm Sophos. The near-doubling of cyber-incidents demonstrates how attackers have become “considerably more capable at executing the most significant attacks at scale.”
Cyber threats to the Health Sector
The healthcare industry has transformed rapidly in the last decade. Today, technology is an integral part of every healthcare aspect – be it drug discovery, research & development, digital promotions, or supply chain management. As healthcare becomes increasingly digital through electronic health records (EHR) adoption and telemedicine applications, the information systems the data runs on are becoming more vulnerable to cyber-attacks. Connectivity is also important as it improves health care and increases the ability of health care providers to treat patients. However, the risk of potential cybersecurity threats increases as more medical devices use software and are connected to the Internet, hospital networks, and other medical devices. Further complicating cybersecurity is the mobile device/application component, which also introduces several vulnerabilities.
Advancements in technology have offered healthcare an opportunity to save lives and operate efficiently. This technology has also created vulnerabilities to threats that infiltrate, steal, or hijack networks of confidential data and systems. Nation-states have used these opportunities to gather intelligence using software espionage tools and customized malware in social engineering attacks to steal intellectual property or gain competitive advantage. For instance, the second-largest healthcare insurance provider in the United States was affected by a foreign government attack in this way in 2014. Cyberterrorists, meanwhile, launch disruptive or destructive cyberattacks to cause physical destruction of property and loss of life and to spread terror. Hacktivists are internet activists who attack cyber assets to draw attention to their political causes and tend to choose highly visible or high-profile targets.
For example, the use of telemedicine technology is expected to grow by over 18 percent annually through 2020. Physicians are increasingly adopting telemedicine and telehealth services that rely on the transfer of data from one location to another, whether through interactive video consultations, store-and-forward technology or remote patient monitoring. Unfortunately, this data can be stolen or even manipulated during transmission by cybercriminals looking to harm patient outcomes. To protect consumers and their own businesses, telemedicine providers should provide services via applications that use end-to-end encryption and other security technologies to prevent information theft or tampering.
Because healthcare organizations are so heavily dependent on access to data — such as patient records — to maintain their operations, they are a frequent target for ransomware attacks. Even a short delay in access to records can result in negative outcomes for patients.
According to the report, these organizations saw a significant increase in malware or bot attacks, with socially engineered threats and DDoS steadily growing, as well. According to the research, the increase in attacks involves a range of attack vectors, including ransomware, botnets, remote code execution and DDoS attacks.
Ransomware showed the largest increase and poses the most significant malware threat to healthcare organisations when compared to other industry sectors. The primary ransomware variant used in attacks is Ryuk, followed by Sodinokibi. The report found the most disturbing ransom attack is one that seeks to take advantage of people who are dealing with health issues. Many ailments are treated with cloud-based monitoring services, IoT-embedded devices and self or automated administration of prescription medicines. Physicians were most concerned that future attacks could interrupt their clinical practices, compromise the security of patient records, or affect patient safety.
Covid-19 forced millions to work from home and fueled anxieties about the virus, presenting a tempting target for cyber criminals. Since the outbreak began, various healthcare providers and academic institutions across the world have been targeted in a variety of complex and coordinated cyber-attacks. The NCSC, a division of GCHQ, Britain’s signals intelligence agency, said that since March 2020 it had taken down 15,354 campaigns using coronavirus to lure people into clicking links which could have led to phishing and malware. Many of the 22,000 malicious web addresses it tackled hosted scams playing on Covid-19 fears, like pretending to sell personal protection equipment. This includes a desire to steal intellectual property such as data relating to COVID-19 vaccine development, modelling and experimental therapeutics.
Omer Dembinsky, manager of data intelligence at Check Point, says cyberattacks on the global healthcare sector are “simply getting out of control”. “This is because targeting hospitals equates to fast money for cyber criminals. These criminals view hospitals as being more willing to meet their demands and actually pay ransoms,” he says. “Hospitals are completely overwhelmed with rises in coronavirus patients and recent vaccine programmes – so any interruption in hospital operations would be catastrophic.” “This past year, a number of hospital networks across the globe were successfully hit with ransomware attacks, making cyber criminals hungry for more,” says Dembinsky.
“Furthermore, the usage of Ryuk ransomware emphasises the trend of having more targeted and tailored ransomware attacks rather than using a massive spam campaign, which allows the attackers to make sure they hit the most critical parts of the organisation and have a higher chance of getting their ransom paid.”
Improved ransomware outcomes
Almost all (99%) of healthcare organizations subject to ransomware attacks in 2021 got “some encrypted data back” compared with only 93% in 2020. Within this group, 72% were able to restore encrypted data from backup files; 61% also reported that they “paid the ransom to restore data”; and 33% used other means to restore data. These numbers show that “many healthcare organizations use multiple restoration approaches to maximize speed and efficacy” to restore data and operations. More than half of healthcare organizations (52%) reported using multiple restoration methods, according to Sophos.
Interestingly, 14% of healthcare organizations reported using “three methods in parallel” to restore their data, which was the highest rate across all sectors and double the global average.
Healthcare has been transformed with the adoption of electronic health records (EHRs). Compared to paper, the digital documents yielded huge gains in efficiency and the quality of patient care. The greater access to patient data helps doctors to provide high-quality patient care more efficiently. This leads to tremendous amounts of patient data that hospitals and health organizations are not equipped to protect. Healthcare data is extremely desirable as it contains a wealth of personal information, including Social Security Numbers, addresses, credit card numbers, and birthdays.
The personal data hackers can obtain from breaching a healthcare institution can be utilized to open new credit cards, create government documents, and empty out bank accounts. Two other scenarios are even more damaging: using details that are specific to a terminal illness or lifelong disease and long-term identity theft. Cyber criminals can leverage sensitive healthcare information, such as sexually transmitted diseases or terminal illnesses, to coerce victims into doing what they want.
“When sensitive patient information is breached, it poses significantly longer-term risks compared to other sectors – sometimes indefinitely,” Frank Dickson, program vice president for security products research at IDC, said in a press release. “Healthcare data is especially attractive to hackers because it’s far more valuable than other kinds of data that can be accessed and exploited. When healthcare data is stolen, damage cannot be fully mitigated. A credit card can be cancelled or a bank account can be closed, but private patient data circulates endlessly which opens opportunities for various types of fraud to occur again and again from a single breach.”
Therefore, they become easy targets for hackers to launch ransomware attacks, under which a busy hospital suddenly cannot use any of its electronic medical records or other computerized systems. As the victim of a ransomware attack, the hospital will not regain access without paying those who locked down the records — if at all.
The worst cyberattack in Singapore’s history, which involved the theft of medical information linked to the prime minister as well as 1.5m patients, was executed by a state-sponsored espionage group called Whitefly, according to Symantec. The March 2019 report said that in the 12 months to mid-2018 Whitefly launched attacks against a number of organisations mostly based in Singapore, including multinational corporations with operations in the city state. Symantec also found that tools used by Whitefly in Singapore had been deployed against defence, telecoms and energy entities in south-east Asia and Russia as well as a UK-based hospitality company. “It now appears that the SingHealth breach was not a one-off attack and was instead part of a wider pattern of attacks against organisations in the region,” the report said. In 2019, data breaches cost the healthcare industry $4 billion, with organizations paying out $423 per breached patient record. This number doesn’t even factor in the costs tied to potential HIPAA fines and productivity loss.
In a cyber attack in December 2020, data on the Pfizer/BioNTech COVID-19 vaccine was stolen and released online illegally. Organisations spend millions of dollars to discover a new drug to manage a rare disorder, and the whole of the drug data, trial data and patient data can be compromised. This can severely derail the whole drug discovery process and end up jeopardising the future of the organisation.
Another category of possible attackers is the insider threat. Insider threats may be borne out of negligence, like opening a phishing email by mistake. According to a recent report on hacking of healthcare providers, insider threats, such as staffers falling for phishing attacks, play a leading role in healthcare breaches overall. The report from Protenus indicated that 41% of data breaches in 2017 were tied to insider errors or wrongdoing. A 2014 report by Forrester Research stated that lost or stolen mobile devices were implicated in 39% of healthcare security breaches.
Denial of service attacks may affect patient safety
These cyber threats don’t just mean financial losses for the patients. They could mean the loss of a human life. Hackers may use malware for device reprogramming, which alters device function. Malware attacks can shut down healthcare devices and equipment, including pacemakers, insulin pumps, and light scopes, and even add tumors to MRI scans.
At another hospital, hackers find a way to connect to the software that controls IV pumps, changing their settings so they no longer deliver the correct doses of medication. “There were several reports of UK hospitals unable to administer X-rays. The computer equipment attached to the X-ray machines was compromised and attacked by ransomware and rendered inoperable for some period of time.” Patients could be harmed or even die. Many people — both patients and health-care workers — could be inconvenienced by systems going down.
Supply Chain Vulnerability
Entry points that threat actors can use to compromise the hospital supply chain range from manufacturers to distribution centers and transportation companies, from third-party contractors to developers of software and mobile apps hospitals use, from past to non-core services staff.
“Supply chain threats arise as a result of outsourcing suppliers, and the lack of verifiable physical and cybersecurity practices in place at the suppliers,” Sterling OEM, Trend Micro pointed out. “Suppliers do not always vet personnel properly, especially companies that have access to patient data, hospital IT systems, or healthcare facilities. Vendors do not always vet their products and software for cybersecurity risk and may be outsourcing resources as well.”
Education is key for procurement personnel to know that the supplier has been vetted, so that gray-market equipment does not make its way into a hospital or medical facility. Speaking as a reseller, Sterling Sr. VP Jeff Moore states in a recent article published by MeriTalk, “The bottom line is that facilities need comprehensive assessments of their suppliers to understand the total risk. Training procurement staff and buyers to look beyond the Bill of Materials (BOM) and the part number is essential.”
As healthcare organizations grow, they increase in complexity. Without a secure supply chain, healthcare facilities may face more uncertainty. At the end of the day, healthcare facilities need to know their resellers and have a detailed Supply Chain Risk Management (SCRM) plan in place so customers can be assured of secure product procurement.
Health Sector Vulnerability
The current pandemic situation in the EU and worldwide provides a fertile breeding ground for various campaigns. In no particular order, the following conditions are being exploited, making the sector even more vulnerable: high demand for certain goods like protective masks, disinfectants and household products; decreased mobility and border closures; increasing reliance on teleworking, often with little previous experience and planning; and increased fear, uncertainty and doubt in the general population.
Experts say there are a number of reasons for the increased risk — and challenges, some unique to health care, in mitigating it. Health organizations often lack the infrastructure to identify and track threats, the capacity to analyze and translate the threat data they receive into actionable information, and the capability to act on that information. There are security vulnerabilities in off-the-shelf software due to poorly designed software security features. “Health care has an open, sharing culture — as is appropriate to support its primary mission — but this culture also complicates the issues of security and privacy,” said the June 2017 Report on Improving Cybersecurity in the Health Care Industry, produced by the Health Care Industry Cybersecurity Task Force of the U.S. Department of Health and Human Services.
The Public Accounts Committee (PAC) said the health service had taken insufficient action to protect itself from hacking almost a year since the most devastating attack in its history. The National Audit Office said a cyber-attack which crippled a third of NHS hospitals in May 2017 could have easily been prevented. NHS officials warned that future attacks could be “more sophisticated and malicious” than that which led to the cancellation of 20,000 NHS operations and appointments.
But the report reveals hospitals could have acted far sooner, with officials warned repeatedly about the WannaCry virus before the attack, with ‘critical alerts’ sent out in March and April. The virus spread via email, locking staff out of their computers and demanding £230 to release the files on each employee account. Hospital staff reported seeing computers go down ‘one by one’ as the attack took hold. Doctors and nurses were locked out, meaning they had to rely on pen and paper, and crucial equipment such as MRI machines were also disabled by the attack.
The average healthcare organization spent $1.4 million to recover from a cyberattack, according to a recent report from Radware. The number is slightly lower than other industries, which spent $1.67 million. For the Radware 2018-2019 Global Application and Network Security Report, researchers surveyed 790 IT executives and found a 50 percent growth in organizations estimating the cost of a cyberattack to be greater than $1 million. In fact, those executives are increasingly shifting away from lower estimates. About 54 percent of respondents said revenue-killing operational and productivity loss was the greatest impact of a cyberattack, while 43 percent pointed to negative customer experience. Another 37 percent said they saw reputation loss after a cyberattack.
Cyber security recommendations
There are a number of steps healthcare organizations should take to prevent data breaches. Experts recommend healthcare organizations implement strong email security solutions; this can help to prevent the delivery of phishing attacks and business email compromises. Strong endpoint security can prevent virus and malware attacks, and organizations should also ensure strong web security is in place.
ENISA can provide some advice to support the sector, taking into account the situational evolution and most common incidents since the beginning of the pandemic.
- Share the information with healthcare staff in the organisation, build awareness of the ongoing situation and, in the case of infection, ask staff to disconnect from the network to contain the spread. Raise awareness internally in healthcare organisations and hospitals by launching campaigns even during the time of crisis (i.e. to inform hospital staff not to open suspicious emails).
- In case of systems compromise, freeze any activity in the system. Disconnect the infected machines from others and from any external drive or medical device. Go offline from the network. Immediately contact the national CSIRT.
- Ensure business continuity through effective backup and restore procedures. Business continuity plans should be established whenever the failure of a system may disrupt the hospital’s core services, and the role of the supplier in such cases must be well-defined.
- In case of impact to medical devices, incident response should be coordinated with the device manufacturer. Collaborate with vendors for incident response in case of medical devices or clinical information systems.
- One preparedness measure is network segmentation. With network segmentation network traffic can be isolated and / or filtered to limit and / or prevent access between network zones.
Security awareness training can also be an important tool to help improve awareness around security issues and how to limit the risk of cyber-attacks in a healthcare setting.
Many experts are also recommending healthcare organizations implement Zero Trust Network Architecture. This is an important step to help limit the risk of supply chain and vendor attacks affecting healthcare organizations.
Cybersecurity Risk management
Because cybersecurity threats cannot be completely eliminated, manufacturers, hospitals, and facilities have to work to manage them to protect patient safety. At a macro-level, organizations may leverage the NIST Cybersecurity Framework (i.e., identify, protect, detect, respond, and recover) as a tool to help understand, manage, and communicate their cybersecurity risk. Hospitals can review their security policies to uncover any vulnerabilities before an attack happens.
It is critical for stakeholders to develop a shared understanding of the risks posed by cybersecurity vulnerabilities and threats to medical devices and the IT networks to which these devices connect. This requires improved information sharing of industry threats, risks, and mitigations.
Additionally, the rise and sophistication of ransomware attacks that hold IT systems and patient-critical devices hostage continues to grow, as evidenced by hospital ransomware attacks of 2016. Manufacturers should work towards increasing the security and resilience of medical devices and health IT. Timely security software updates and patches should be provided to medical devices and networks, and should address related vulnerabilities in older medical device models (legacy devices). Users should follow best practices for installing and testing the updates.
The Report on Improving Cybersecurity recommends establishing a Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures. It is important to have good backups, so that even when cyber attacks happen you’re able to recover.
By performing risk assessments on a regular basis, you will have enough information to implement the right security measures. The risk assessments of healthcare entities shall ensure that they are compliant with HIPAA (Health Insurance Portability and Accountability Act) requirements in terms of technical, physical and administrative processes. It is a necessity for any healthcare entity to meet the HIPAA standards and, by performing regular security assessments, ensure that the PHI (Protected Health Information) of patients is secure.
Ransomware attacks don’t start with ransomware. Ryuk and other types of ransomware exploits usually start with an initial infection with a trojan. Often this trojan infection occurs days or weeks before the ransomware attack starts, so security professionals should look out for Trickbot, Emotet, Dridex and Cobalt Strike infections within their networks and remove them using threat hunting solutions – as these can all open the door for Ryuk.
Raise your guard on weekends and holidays – most ransomware attacks over the past year have taken place over the weekends and during holidays, when IT and security staff are less likely to be working.
Use anti-ransomware solutions – although ransomware attacks are sophisticated, anti-ransomware solutions with a remediation feature are effective tools which enable organisations to revert back to normal operations in just a few minutes if an infection takes place.
Curb Access to Patients’ Data
In March 2018, Verizon found that healthcare is the industry with the highest recorded internal breaches, which form 58% of the overall tracked cyber attacks in healthcare. Hackers seek to reach patients’ data so that they can exploit it for monetary benefit. One of the ways to reduce this risk is to establish controlled access to the patient database. A regular audit of access will help you understand who has accessed the data and when.
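As an added illustration (not part of the original article), the sketch below shows what such an access audit can look like: it answers "who accessed this record and when" and flags accounts with repeated off-hours access, unusually broad access, or off-hours exports. The log format, user names, working hours and thresholds are all assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): timestamp, user, patient record, action.
SAMPLE_LOG = """\
2022-11-14T09:12:00,dr_rao,P1001,view
2022-11-14T09:40:00,dr_rao,P1002,view
2022-11-14T10:05:00,nurse_lee,P1001,update
2022-11-15T14:30:00,nurse_lee,P1003,view
2022-11-19T02:14:00,billing_k,P1001,view
2022-11-19T02:15:00,billing_k,P1002,view
2022-11-19T02:16:00,billing_k,P1003,export
2022-11-19T02:17:00,billing_k,P1004,export
2022-11-20T23:50:00,dr_rao,P1002,view
"""

WORK_START, WORK_END = 7, 19  # assumed staffed hours: 07:00 to 18:59, Monday to Friday


def parse_log(text):
    """Yield (datetime, user, patient_id, action); malformed rows are skipped."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue
        try:
            ts = datetime.fromisoformat(row[0])
        except ValueError:
            continue
        yield ts, row[1], row[2], row[3]


def is_off_hours(ts):
    """True on Saturday/Sunday or outside the assumed staffed hours."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def accesses_for_patient(text, patient_id):
    """Who touched one patient's record, and when."""
    return [(ts.isoformat(), user, action)
            for ts, user, pid, action in parse_log(text) if pid == patient_id]


def audit(text, max_patients=3, max_off_hours=1):
    """Summarise access per user and flag patterns worth a manual review."""
    stats = defaultdict(lambda: {"patients": set(), "off_hours": 0, "exports": 0})
    for ts, user, pid, action in parse_log(text):
        entry = stats[user]
        entry["patients"].add(pid)
        if is_off_hours(ts):
            entry["off_hours"] += 1
            if action == "export":
                entry["exports"] += 1
    report = {}
    for user, entry in stats.items():
        flags = []
        if entry["off_hours"] > max_off_hours:
            flags.append("off_hours")          # repeated night or weekend access
        if len(entry["patients"]) > max_patients:
            flags.append("bulk_access")        # more distinct records than expected
        if entry["exports"]:
            flags.append("off_hours_export")   # data leaving the system off-hours
        report[user] = {"patients": len(entry["patients"]),
                        "off_hours": entry["off_hours"],
                        "flags": flags}
    return report


if __name__ == "__main__":
    for user, summary in audit(SAMPLE_LOG).items():
        print(user, summary)
```

A flag here is a prompt for review, not proof of misuse; clinicians on night shift will legitimately produce off-hours entries, which is why the thresholds are parameters.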
Authentication and Password management
Strong measures to authenticate providers and users are critical to the establishment of the trust relationship in the delivery of health care. Instead of relying on only password authentication, this may require promoting the use of multi-factor authentication, and leveraging biometrics.
Passwords are the direct key for hackers to gain access to personal data. Using the same passwords or easily guessed passwords may put your data at risk. The convenience of having one password will lead to the catastrophic threat of data loss. The three steps that an organization should follow when it comes to password management are – restrict access to main accounts; change passwords regularly; and use multi-factor authentication to access secure data.
Multi-factor authentication (MFA) is a method of computer access control in which a user is granted access only after successfully presenting several separate pieces of evidence to an authentication mechanism – typically at least two of the following categories: knowledge (something they know), possession (something they have), and inherence (something they are).
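The following added example (not from the original article) combines two of these categories: a password as the knowledge factor and a time-based one-time code (TOTP, RFC 6238) as the possession factor, with access granted only when both succeed and a used code rejected on replay. The user record, password and in-memory store are constructed for the example; the TOTP secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import os
import struct
import time

STEP = 30               # TOTP time step in seconds (RFC 6238 default)
PBKDF2_ROUNDS = 200_000 # assumed work factor for this example


def hash_password(password, salt):
    """Knowledge factor: salted, slow password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def totp(secret, at, digits=6):
    """Possession factor: RFC 6238 code for the time step containing `at`."""
    counter = int(at // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def enroll(password, totp_secret):
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret, "last_counter": -1}


# Constructed user store for the example; a real system keeps this in a database.
USERS = {"nurse_lee": enroll("correct horse battery staple", b"12345678901234567890")}


def verify_login(user, password, code, now=None, window=1):
    """Grant access only if BOTH factors verify; a used code cannot be replayed."""
    record = USERS.get(user)
    if record is None:
        return False
    now = time.time() if now is None else now
    pw_ok = hmac.compare_digest(hash_password(password, record["salt"]),
                                record["pw_hash"])
    current = int(now // STEP)
    matched = None
    # Accept adjacent time steps to tolerate clock drift on the user's device.
    for counter in range(current - window, current + window + 1):
        expected = totp(record["totp_secret"], counter * STEP)
        if (counter > record["last_counter"]
                and hmac.compare_digest(expected.encode(), code.encode())):
            matched = counter
    if pw_ok and matched is not None:
        record["last_counter"] = matched          # burn the code after success
        return True
    return False


if __name__ == "__main__":
    code = totp(b"12345678901234567890", 59)
    print("code at t=59:", code)
    print("both factors:", verify_login("nurse_lee", "correct horse battery staple", code, now=59))
    print("replayed code:", verify_login("nurse_lee", "correct horse battery staple", code, now=59))
```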
Cybersecurity Awareness and Training
Increase health care industry readiness through improved cybersecurity awareness and education. “Securing digital assets can no longer be delegated solely to the IT department,” they continued. “Rather, security planning needs to be infused into new product and service offerings, security, development plans and new business initiatives.”
Every sector faces challenges in meeting its need to recruit and retain qualified cybersecurity professionals. It is necessary to develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities. Healthcare organizations must thoroughly educate their current and future employees on all HIPAA rules and regulations that include patient privacy. Additionally, they should establish a culture of security and remind employees to be on the lookout for unattended medical devices and/or paper documents. Hospitals should have a legal team in place in the event a breach does occur to deal with the investigation, patient lawsuits, and civil rights and HIPAA fines.
Henry Ford Health System was breached during October 2017 due to the improper care of healthcare records by the employees. The hacker stole the data of 18,470 patients, which included patient names, dates of birth, medical record numbers, health insurer, and other medical conditions. It has been observed that the weakest cybersecurity link in healthcare is the user. Therefore, the staff should be trained on all the latest security protocols at regular intervals. A little ignorance on the part of any member of staff could result in a hefty ransom.