How cybercriminals are targeting healthcare organizations [Q&A]
Researchers at digital risk protection company CybelAngel recently tracked bad actors targeting French hospitals by analyzing conversations on the dark web.
The company found that cybercriminals plan healthcare-related fraud, ransomware and other attacks by obtaining stolen credentials, leaked database files and other materials from specialized sources in the cybercrime underground.
We spoke to Camille Charaudeau, VP of strategy at CybelAngel, to find out more about the modus operandi of the attackers and what healthcare organizations can do to protect themselves.
BN: What sort of activity have you seen on the dark web involving the sale of healthcare data?
CC: We observed an increase in searches for, and the sale of, healthcare data on the dark web. When mounting an attack, threat actors generally look for healthcare data during the reconnaissance phase to target vulnerable individuals and/or organizations. Criminals were seen to specifically post on the dark web in search of open and unprotected databases, emails, passwords and medical data. This kind of activity is what consequently fuels an ongoing cycle of attacks and the illegal sale of sensitive datasets, something we have seen a rise in, with reports that as of November 2020 there had been a 45 percent spike in attacks, demonstrating the growing criminal interest in the sector.
As an example of what's available and current trends in activity, our analysts found sales from bad actors who had published a healthcare database of 50,000 employee email addresses, including passwords and phone numbers, for an unknown price in February 2021. In the same week, another actor unveiled a database of '500,000 French hospital records' including many similar fields such as victims' surname, first name, email address, telephone number and patient health data, including social security number, blood group and attending physician.
From these posts and general dark web activity, healthcare facilities are being increasingly targeted by cybercriminals, and this is only going to continue and worsen in the coming years.
BN: What techniques are cybercriminals using to access healthcare networks?
CC: Cybercriminals are like other felonious individuals, in that they often look for the easiest and fastest way to make the most money. In the case of hospital and other medical data, the path of least resistance often falls into the following two categories:
- Hackers aiding hackers: A threat actor will compromise a medical facility, stealing sensitive data, and will then collate this into large lists of open, exposed databases which are then monetized through their sale to other threat actors on dark web forums for further malicious activity.
- Exploiting Vulnerabilities: Security flaws are the weakest link in the chain of protection for medical data, and cybercriminals find some vulnerabilities incredibly easy to exploit. Common flaws include the misconfiguration of cloud networks, open databases, and poor privileged access controls which all invite unprecedented risks.
BN: How much impact can these attacks have on the healthcare organizations?
CC: Healthcare networks are complex yet delicate ecosystems, and attacks on these organizations can be devastating for all parties involved. Medical data is valuable for a host of reasons, including personally identifiable information (PII) used for future phishing attempts, and fraud and blackmail opportunities using medical diagnoses at the expense of the victims compromised.
However, the most serious attacks are those involving ransomware. The theft of sensitive details can be used by hackers for phishing attempts to access hospital accounts and systems, installing ransomware and at times crippling critical infrastructure as a direct result. Operational downtime for hospitals is quite literally a life-and-death incident. Compromised IT networks are so dangerous because they can affect booking systems, appointments, access to medical records and other lifesaving operations and functions that are vital to healthcare facilities running efficiently.
As with all things, ransomware has evolved and now looks to steal data before encrypting it, giving attackers more leverage over their victims. If organizations first refuse to pay a ransom request to decrypt their data, attackers then threaten to leak the stolen information, increasing the pressure on victims to fulfill the ransom. This trend highlights the need for reliable backups and effective restoration procedures in order for healthcare organizations to put themselves in a strong position to recover from a ransomware attack without having to pay as a last resort.
BN: What can be done to mitigate the risk?
CC: Employees must be the first line of defense. Ongoing training and assessments prevent your organization from falling foul of specially crafted phishing emails and malicious attachments. This can reduce the risk of ransomware threats which can encrypt and paralyze healthcare facilities.
Do the basics right. Patching, maintaining, and updating your software and antivirus applications has been shown repeatedly to stop even the most sophisticated of advanced persistent threats (APTs). Changing default passwords and enabling out-of-the-box security protocols is one of the easiest steps for healthcare facilities to protect their digital assets.
While a healthcare organization can implement disciplined processes and procedures to ensure their software is updated and patched, it's impossible to patch what they cannot see. Deploying an asset discovery and monitoring solution is paramount, as it gives enterprises visibility into their expanding attack surface that includes third-party cloud applications, connected storage devices, open databases, OT/IoT devices and, perhaps worst of all, shadow assets.
Once these assets are identified, their vulnerabilities can be assessed and continuously monitored to prevent ransomware payloads from penetrating network defenses. In addition, sealing off a few specific types of exposed data could have a meaningful effect by disrupting the supply chains that adversaries rely on to execute such attacks.
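The triage step the answer describes, turning a discovered asset list into prioritized exposures (internet-reachable databases with no authentication, services still on default credentials, and assets with no registered owner), as an added worked example. This is not CybelAngel's code or any scanner's output format: the inventory is constructed, its field names (`ip`, `port`, `service`, `auth_required`, `owner`, `default_creds`) are assumptions, and the well-known database ports are the engines' documented defaults.

```python
"""Triage a constructed external-asset inventory for the exposures named above:
databases reachable without authentication (worst when internet-facing),
services accepting default credentials, and unowned (shadow) assets.
Added example; field names and sample data are assumptions, not a real scanner's format."""
import ipaddress
import json

# Default listener ports of common database engines (documented defaults).
DB_PORTS = {
    27017: "MongoDB", 9200: "Elasticsearch", 6379: "Redis", 5984: "CouchDB",
    3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL",
}

# RFC 1918, loopback and link-local ranges count as internal. Everything else is
# treated as externally reachable so that the documentation ranges used in the
# constructed sample exercise the internet-facing path.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample export, one JSON object per discovered service (assumed schema).
SAMPLE_INVENTORY = """
{"ip": "203.0.113.10", "port": 27017, "service": "mongodb", "auth_required": false, "owner": "radiology", "default_creds": false}
{"ip": "203.0.113.11", "port": 443, "service": "https", "auth_required": true, "owner": "patient-portal", "default_creds": false}
{"ip": "10.20.30.40", "port": 5432, "service": "postgres", "auth_required": false, "owner": "lab", "default_creds": false}
{"ip": "198.51.100.7", "port": 9200, "service": "elasticsearch", "auth_required": false, "owner": null, "default_creds": false}
{"ip": "198.51.100.9", "port": 22, "service": "ssh", "auth_required": true, "owner": null, "default_creds": true}
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_inventory(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records):
    """Return findings sorted by severity (3 critical, 2 high, 1 medium), then by asset."""
    findings = []
    for r in records:
        external = not is_internal(r["ip"])
        engine = DB_PORTS.get(r["port"])
        reasons, severity = [], 0
        if engine and not r["auth_required"]:
            if external:
                reasons.append(f"{engine} reachable from the internet without authentication")
                severity = max(severity, 3)
            else:
                reasons.append(f"{engine} on the internal network without authentication")
                severity = max(severity, 2)
        if r.get("default_creds"):
            reasons.append("service accepts default credentials")
            severity = max(severity, 3 if external else 2)
        if r.get("owner") is None:
            reasons.append("no registered owner (shadow asset)")
            severity = max(severity, 1)
        if reasons:
            findings.append({"asset": f"{r['ip']}:{r['port']}",
                             "severity": severity, "reasons": reasons})
    findings.sort(key=lambda f: (-f["severity"], f["asset"]))
    return findings


if __name__ == "__main__":
    for f in triage(parse_inventory(SAMPLE_INVENTORY)):
        print(f["severity"], f["asset"], "; ".join(f["reasons"]))
```

Run against the constructed sample, the unauthenticated Elasticsearch and MongoDB listeners on external addresses and the SSH host on default credentials come out as critical, the unauthenticated internal PostgreSQL instance as high, and the shadow-asset reason is attached to the two hosts with no owner so that someone is assigned before the finding is closed.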