With increasing concerns for cybersecurity in the healthcare industry, analysis into the anatomy of cyberattacks will provide a fighting chance to counter them.
There are few industries where the cybersecurity stakes are higher than in the healthcare space, with medical organizations running the risk of life-threatening disruptions at the hands of malicious hackers. Beyond the more dire consequences, the sensitive nature of the data these organizations store (e.g. identity card numbers, blood types, patient history, etc.) means that patients could become the victims of impersonation, fraud, theft, and manipulation if their data were exposed through an insecure service provider.
Making matters worse, the healthcare industry is historically behind other sectors in terms of cybersecurity practices. With costly and high-profile cybersecurity incidents such as the recent SingHealth breach, which left nearly 1.5 million patient records compromised, including names, National Registration Identity Card (NRIC) numbers, address, gender, race and date of birth. Another such incident would be the HIV registry breach which exposed personal information of over 14,200 individuals, hackers have no intentions of shifting their sights away from healthcare organizations.
A recent study by Frost & Sullivan found that cyber-attacks can cost healthcare organizations in Asia Pacific a staggering US$1.745 trillion in economic loss. Further research suggests that cybercriminals interest in the sector is growing, with 83% of healthcare CISOs surveyed in a recent Carbon Black study reporting an increase in cyberattacks over the past year and the average healthcare endpoint seeing 8.2 attempted attacks per month.
It has never been more imperative to understand the threats these organizations are facing, their origins on the dark web, and the potential steps they can take to protect themselves, and most importantly, their patients.
Hackers Upping Their Game
Understanding the current state of cybersecurity means acknowledging that hackers have been steadily getting better at what they do. In fact, 66% of respondents to Carbon Black’s recent survey acknowledged that they saw increasingly sophisticated cyberattacks over the past year, with 33% reporting instances of both island-hopping and counter incident response. This is a concerning trend, as cybercriminals have become adept at leveraging vulnerabilities in third party networks, allowing them to get to their primary target while covering their tracks and actively resisting security teams along the way. Beyond this, hackers have also become more prone to breaching organizations with the specific intent of destroying data, with 45% of surveyed organizations reporting such attacks.
Dark Web Origins
Besides understanding the types of cyberattacks the healthcare industry is facing, analyzing the monetary incentives that motivate hackers is also important. Currently, healthcare provider data is some of the most highly valued information on the dark web, alongside Personal Health Information (PHI), forged prescriptions, and health insurance login information. Cybercriminals seek this data for its unique profitability, as obtaining these materials opens the door for several different forms of cybercrime.
Being aware of which types of data hackers’ value is a good starting place, but in order to truly understand what they’re after, let’s look at why they value it:
- Provider Data: Most often this data comes in the form of administrative paperwork that would aid a hacker in forging a legitimate doctor’s identity. Once this information is obtained, a hacker can then sell it on the dark web to buyers who then pose as the doctor and submit fraudulent Medicare or insurance claims, or even claims for expensive, high-end surgeries; pocketing the cash and leaving the victims to deal with the costs. This type of data regularly sells at $500 per listing.
- Health Insurance Login Information: A hacker will first compromise a web server or credential database and then sell the target information to a buyer at a relatively low price. Before the data becomes obsolete or outdated, the buyer will then quickly login and gain access to medical insurance information, possibly combining it with forged medical information to obtain services at the cost of the victim. Due to the high volume and turnover rate of this data, it often sells for as little as $3.25 on the dark web.
- Forged Prescription Labels: In these cases, the sellers are sent the necessary information for forging a prescription which they then share with their buyer. These forged documents can then be used to smuggle illicit drugs, as a trafficker can flash the prescription to justify their possession if questioned by authorities.
- Personal Health Information: PHI is some of the most highly valued information because it is permanent and personal. As such, it is often worth three times as much as Personal Identifiable Information (PII). In the worst cases, this information is collected by malicious nation-state actors who then use it to blackmail or extort individuals.
A Healthier Cybersecurity Posture
Knowing the types of attacks healthcare CISOs are seeing, as well as the motivations behind them, the road ahead may seem daunting for leaders looking to secure their networks. But by following a set of key best practices, the healthcare industry can significantly up-level its security posture and make things harder for cybercriminals.
- Increase endpoint visibility: As hackers become more sophisticated and adept in their methods, CISOs need to start viewing the attack surface as including anything and everything that is connected within their organization. Medical-record systems, networked medical devices, and payment processing systems, are all fair (or rather, unfair) game, so be sure that if something is online, it’s on your radar as a security risk.
- Establish protection from emerging attacks: Again, owing to the increased attack surface, organizations need to use every tool at their disposal to detect and shutdown attacks once they inevitably occur. From security tools, to streaming analytics, to training: leave no stone unturned.
- Run automated compliance and vulnerability assessments: With island hopping attacks as a constant risk, organizations need to regularly audit their network security and establish robust, quick-response procedures for remediation when gaps in the security infrastructure are identified.
- Work with healthcare-focused Managed Detection & Response providers (MDRs): One of the quickest and most efficient ways to improve organizational security posture is to turn to experts in the field. There are a few service providers that specialize in healthcare security, and their wisdom and insights can help bring an organization’s cybersecurity into the 21st century.
- Backup your data: With cyberattacks infiltrating networks for the main purpose of destroying data, one of the best ways an organization can protect itself is to make sure that data is stored off network for quick recovery in the event of a successful attack.
The Road to Recovery
Citing concerns around lack of budget, legacy systems, and an increasingly connected attack surface, the leaders of healthcare organizations have increasingly become more aware of the dangers they face. In fact, 84% of surveyed healthcare organizations train their employees on cybersecurity best practices at least once per year, and nearly half (45%) conduct training multiple times per year. However, with the majority of CISOs self-grading their security posture as a C, significant work remains to be done. By improving understanding of the threats these organizations face, and where these threats come from, as well as incorporating the key best practices outlined above, we are confident that leaders in the healthcare industry will be able to secure their networks and help build a safer world for everyone.
Rick McElroy, Head of Security Strategy for Carbon Black, has 20 years of information security experience educating and advising organizations on reducing their risk posture and tackling tough security challenges. He has held security positions with the U.S. Department of Defense, and in several industries including retail, insurance, entertainment, cloud computing, and higher education.
McElroy’s experience ranges from performing penetration testing to building and leading security programs. He is a Certified Information Systems Security Professional (CISSP), a Certified Information Security Manager (CSIM), and Certified in Risk and Information Systems Control (CRISC). As a United States Marine, McElroy’s work included physical security and counterterrorism services. His current role takes him all over the world working organizations to improve their security strategies and speaking on security and privacy.