What Are Cybercriminals Looking for in the Healthcare Sector?

Cyber-attacks on the healthcare sector are growing significantly. Why is this sector so attractive, what are cybercriminals looking for, and how do these attacks affect citizens? We attempt to answer these and other questions.

Less than a month ago we reported that cyberattacks on the healthcare sector increased by almost 5% in 2022. And the memory of the incident that paralysed the Hospital Clínic in Barcelona for days is still fresh in our minds.

It seems clear that healthcare has become a highly desirable sector for cybercriminals, who find it attractive for a number of reasons. “The healthcare sector is a coveted victim for cyberattackers for two main reasons. Firstly, because it stores large amounts of sensitive user and patient information in its systems, which can be exploited in many different ways,” explains Joaquín Gómez, Cybersecurity lead for Southern Europe at Infoblox.

Likewise, Pedro Viana, sales manager at Kaspersky Iberia, points out that “it offers a major attraction for cybercrime because the type of data handled is particularly sensitive and requires special protection from companies operating in this sector”.

He also clarifies that “medical data are not only valuable by themselves, but a leak could have very serious consequences both for the protection of patients’ privacy and for the healthcare institution affected”.

In line with this, Gómez stresses that cybercriminals also target this sector “because these are critical public services, sensitive to an attack that could compromise their business continuity”, which is why they are the target of many ransomware attacks.

In this sense, Viana emphasises that “it is especially important to keep the facilities running, since we are talking about human lives, so a ransomware attack literally puts in check a system that needs to work to schedule operations, patient appointments or treatments”.

In addition, Eutimio Fernández, country manager for the Iberian Peninsula at Vectra AI, points out that cybercriminals are focusing on this sector because of the strong position attackers hold in a ransomware negotiation, given the high cost organisations can face from “regulatory fines, lawsuits and costs of repair and data recovery”.

On the other hand, he points out that we are talking about “an environment where there are usually old and obsolete systems and a large number of devices connected to the network”, which facilitates the exploitation of vulnerabilities and increases the attack surface. “In particular, since the outbreak of the pandemic, the possibilities for attackers to access this information have increased the surface of exposure, due to the increase in remote devices connected by the rise of telemedicine,” adds Roberto Lara, SOC director of BeDisruptive.

Economic interest

The motive behind this type of attack, in practically all cases, is economic interest. “The technique involves stealing data in order to sell it later on the dark web, or to extort health centres by demanding a ransom in exchange for not publishing this confidential information. Because of the confidentiality of this data and the potential threat to people’s lives, cybercriminals hope that healthcare institutions will eventually agree to their demands to recover the information,” says Lara.

However, they do not always give in to blackmail, which often leads to problems. “In the recent case of Hospital Clínic, the hospital’s management did not give in to the ransom, and the RansomHouse group finally made the stolen data public, generating serious additional problems for the hospital and Catalan society,” says the BeDisruptive expert.

In addition, the Infoblox manager recalls that cybercriminals can not only get hold of clinical information in their attacks on healthcare centres, but can also obtain various personal data to carry out other types of scams. He also points out that in countries where healthcare is mainly private, they can also capture users’ financial data.

On the other hand, the SOC director of BeDisruptive points out that sometimes there are attacks driven by hacktivism, “with the aim of destabilising a country by attacking its critical infrastructures”.

Attacks on hospitals and the entire healthcare network

“Typically, their targets are large healthcare organisations, hospitals or public or private health services, where the attackers are guaranteed to find assets that they can then monetise,” explains the Infoblox manager.

But cybercriminals are a threat to the entire healthcare network. “Any healthcare institution or organisation that contains huge amounts of private data, which, in the event of theft, would have a significant impact, is potentially a target for cyber criminals,” says Lara. Other healthcare institutions, pharmacies, healthcare suppliers and the like are therefore also threatened.

In addition, Viana points out that this year is expected to see an increase in advanced persistent threat (APT) attacks against organisations and smart devices (OT/IoT) in sectors such as pharmaceuticals and medical equipment manufacturers.

As for the origin of the attacks, it is not easy to determine. “There is no clear origin,” says the head of BeDisruptive. Similarly, the Vectra AI country manager points out that “these attacks come from different groups of cybercriminals from various countries”. He adds, however, that “some groups specialising in attacks on healthcare systems have been detected”.

On the other hand, it seems that the war in Ukraine has not had a particular impact on the increase in this type of attack. “During 2022 we have seen a lot of cyber threat activity related to the war in Ukraine, but these were opportunistic threats, such as phishing attempts or scams. And the targets were mostly individuals. In fact, it seems that threats that use the war as a lure have started to decline, while those related to the healthcare sector are on the rise,” says Gómez.

Ransomware, the main threat

As we have seen, ransomware is the tool of choice for cybercriminals to attack the healthcare sector, but it is not the only one. “We have found that attempts to gain unauthorised access to networks and IT systems through hacking, with the aim of exfiltrating data, are the most common and worrying. In the US alone, hacking/data exfiltration attacks have affected more than 43 million patient records in 2022,” details the Infoblox spokesperson.

“As defence systems become more sophisticated, so do the strategies of cybercriminals, so we are already seeing cases of extortion through ransomware operations that affect not only the organisation in question, but also the individuals whose data has been stolen, taking advantage of a growing range of malware, phishing and social engineering techniques available to cybercriminals,” he adds.

In addition, Lara highlights the proliferation of Ransomware-as-a-Service, “which is a model in which ransomware developers create software and affiliates launch such attacks, despite having no technical skills of their own, as they rely on the know-how of the operators, thus initiating a ransomware campaign against the victim”. He specifies that “after each attack, the developers keep part of the profit as a form of payment for having created the ransomware”.

On the other hand, the head of BeDisruptive indicates that “attacks on the supply chain, which seek to access the networks of healthcare systems through their suppliers, are also among the most frequently seen, as this sector is highly dependent on external suppliers to provide them with all kinds of services,” says Fernández.

How does it affect the citizens?

Attacks on the healthcare system affect all of us, not just the organisations that suffer directly. “Although most of them are aimed at damaging companies, both in terms of the interruption of their services and their reputation, the truth is that users are not unaware of the consequences of this type of attack,” acknowledges the head of Kaspersky.

“It is clear that if cybercriminals manage to block the appointment request system, users will be affected because they will not be able to schedule doctor’s appointments, for example. But beyond interruptions in the communication processes with their health centre, it is clear that, if a hospital has to stop its activity, citizens may suffer much more serious situations related to operations that cannot be performed or treatments for illnesses that have to be interrupted. When we are talking about human lives, we are obviously in a very sensitive scenario. Beyond the occasional discomfort of users, we are facing potentially very critical situations,” he warns.

For example, Lara notes that the ransomware attack suffered by Hospital Clínic “led to the cancellation or transfer to other entities of more than 4,000 outpatient analyses, more than 300 interventions and more than 11,000 outpatient visits”.

In addition, Gómez emphasises the consequences of double or triple extortion ransomware attacks. “In cases of data exfiltration, the most harmed is the user whose sensitive data has been exposed. As a result, they can fall victim to all kinds of scams, from the usual ones, using the financial information in the records, to ransom demands to prevent them from being resold on the black market. In the end, the goal is always the same: valuable confidential information is sought for identity theft, financial fraud and extortion. Medical records can fetch a high price on the dark web if they include sensitive information such as date of birth, credit card details, social security number, etc.,” he says.

Plenty of room for improvement

The SOC director of BeDisruptive states that “the level of cybersecurity awareness has increased considerably in recent years”. However, he believes that “there is still a lot of work to be done, especially in public centres, where there are old legacy systems that have not been sufficiently updated in terms of cybersecurity”. He also believes that “there is still a lack of awareness of the seriousness of cyber attacks and of the good cybersecurity practices that should be carried out by all members of staff”.

Fernández also highlights “the lack of staff specialised in cybersecurity or specific investment in cyberprotection”, as well as “the type of devices they have connected to their network, which in many cases are obsolete devices or systems such as surveillance cameras, medical systems, etc., which make them difficult to secure”.

In this regard, he notes that “an INCIBE report in 2020 pointed out that the Spanish healthcare sector is one of the most vulnerable to cyber attacks; and that 30% of cyber attacks in Spain are directed at the healthcare sector”. He also notes that the study pointed out that “many healthcare organisations have outdated security systems and do not have business continuity plans in the event of an attack”.

In any case, the Cybersecurity lead for Southern Europe at Infoblox affirms that the Spanish healthcare sector is in line with neighbouring countries in terms of its preparedness for possible attacks. “In the market reports we have carried out, there are parameters in which companies and public organisations – we must not forget that many healthcare organisations in Spain depend on public administrations – including healthcare organisations, are slightly ahead of other countries, and in others, slightly behind. In general, they are at a similar level of protection to an American hospital. This does not mean that they are immune to attack, as we have unfortunately seen recently,” he says.

How can security be improved?

The head of Vectra AI points out that “it is important for healthcare organisations to invest more in cyber security and take appropriate measures to protect themselves against potential cyber attacks”. “This can include implementing network security solutions, educating staff about risks and logical security, as well as conducting attack simulations and penetration tests to identify vulnerabilities and strengthen their security systems,” he says.

Viana points out that “in the case of the healthcare sector, it is especially critical to have a security infrastructure that includes all types of devices that work in the hospital centre and that allows us to anticipate situations and have a global vision of security”. In this way, he stresses that “we must reduce the attack surface, protect all entry points and have a solution focused on prevention and early detection”.

Gómez insists on the need for a more sophisticated security strategy. “This means, above all, strengthening the organisation’s security stack by orchestrating all security systems and solutions so that they talk to each other, improving visibility over the entire infrastructure and automating responses. Often, the security strategy will be not so much to prevent the attack, which is not always possible, but to minimise its duration, to minimise the damage,” he specifies.

He further states that “security through DNS-based threat intelligence can add vital, predictive defences to help protect healthcare organisations against threat actor activity”. “This protection can include malware prevention and mitigation, identification of similar high-risk domains, detection of suspicious domains, phishing and data exfiltration attacks,” he says.
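As an added illustration (not code from the article or from any of the vendors quoted), the script below sketches the two DNS-layer checks Gómez refers to: matching query logs against a threat-intelligence feed of known-bad domains, and flagging domains that receive many unique, long, high-entropy subdomains, the usual footprint of data leaving a network over DNS. The log lines, domain names, blocklist and thresholds are all constructed for this example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (client IP, queried name); not real traffic.
SAMPLE_LOG = """\
10.0.5.12 portal.example-hospital.test
10.0.5.12 updates.vendor.test
10.0.5.31 4d8f1a9c3e7b2f60a1b2.c3d4e5f6a7b8.exfil-demo.test
10.0.5.31 9a7e2c4b1d0f8e6a5c3b.b2a1c0d9e8f7.exfil-demo.test
10.0.5.31 0f3e5d7c9b1a2e4c6a8d.f1e2d3c4b5a6.exfil-demo.test
10.0.5.31 7c1b3d5f9e2a4c6e8b0d.a9b8c7d6e5f4.exfil-demo.test
10.0.5.44 login.known-bad.test
"""

# Constructed stand-in for a DNS threat-intelligence feed of known-bad domains.
BLOCKLIST = {"known-bad.test"}

def registered_domain(name):
    """Simplification: take the last two labels as the registrable domain."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def shannon_entropy(s):
    """Bits per character; encoded payload chunks score far higher than words."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def analyse(log_text, min_unique=3, min_label_len=16, min_entropy=3.0):
    """Return {domain: reason} for feed matches and tunnel-like query patterns."""
    stats = defaultdict(lambda: {"subs": set(), "lens": [], "ents": []})
    findings = {}
    for line in log_text.splitlines():
        _client, name = line.split()
        dom = registered_domain(name)
        if dom in BLOCKLIST:
            findings[dom] = "threat-intel match"
            continue
        prefix = name[: -len(dom) - 1]  # everything below the registered domain
        if not prefix:
            continue
        first = prefix.split(".")[0]  # leftmost label carries the payload in tunnels
        s = stats[dom]
        s["subs"].add(prefix)
        s["lens"].append(len(first))
        s["ents"].append(shannon_entropy(first))
    for dom, s in stats.items():
        n = len(s["subs"])
        avg_len = sum(s["lens"]) / len(s["lens"])
        avg_ent = sum(s["ents"]) / len(s["ents"])
        if n >= min_unique and avg_len >= min_label_len and avg_ent >= min_entropy:
            findings[dom] = f"possible DNS exfiltration: {n} unique high-entropy subdomains"
    return findings
```

The thresholds are deliberately loose for the sample; in production they are tuned per resolver against a baseline of normal query volume so that CDNs and legitimate dynamic hostnames do not trip the rule.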

As for Lara, he states that “it is necessary for the healthcare sector to commit to the implementation of Zero Trust policies, to promote awareness and training among all employees, regardless of their department, and to commit to proactive threat detection measures that help to reduce risks to track and predict any attack that could put the systems of a hospital or any other indispensable agent in this industry at risk”.

In line with this, he stresses that “a good SOC service, with 24×7 monitoring and response to prevent, detect and respond to any risk that threatens the systems, is going to be fundamental”.

In addition, he stresses that “investments in monitoring endpoints and multiple layers of security for suspicious behaviour, as well as logging their activities and events, should be prioritised in order to detect threats and execute”. Finally, he believes that “regular intrusion testing and technical audits of networks, applications and devices, as well as infrastructure analysis to ensure greater security, should be a priority”.