Cyber Threat Intelligence Series: A Lens on the Healthcare Sector

A review of recent Kroll incident response cases consistently proves that the healthcare industry is one of the most frequently targeted sectors. This observation mirrors what is experienced by national cybersecurity agencies as multiple warnings have been launched during 2022, highlighting how ransomware gangs and nation state actors are now aggressively targeting healthcare institutions.

As a sector, healthcare may be particularly attractive to threat actors for a number of reasons, such as the volume of confidential data, particularly protected health information that they hold, and the critical risks posed by the disruption of business services.

Healthcare Under Attack: An Overview

In Q2 2022, Kroll observed a 90% increase in the number of healthcare organizations targeted in comparison with Q1 2022. Ransomware helped to fuel this uptick against healthcare as a focus for attacks, at a time when services were undoubtedly under pressure, recovering from the duress caused by COVID-19. Though always disruptive, ransomware in the context of healthcare, with its disruption to business continuity, can end up putting lives at risk.

Types of Cyber Threats Affecting the Healthcare Sector

Kroll has observed email compromise (36%) as the most common threat incident type impacting the healthcare sector, followed by ransomware (31%) and unauthorized access (28%). 

Email compromise attacks, such as business email compromise schemes, are typically aimed at tricking an unsuspecting user into approving a fraudulent transaction and are common in occurrence. Ransomware attacks pose a more severe risk in that a successful ransomware attack could impact the ability to access patient charts or other data required for essential patient care. Likewise, the majority of ransomware attacks in 2022 implemented a double extortion tactic in which actors exfiltrate data prior to network encryption and then threaten to leak the stolen data as leverage during negotiations. 

In terms of the methods threat actors are using to gain footholds into systems, phishing is the most common approach for initial access, followed by account takeover using legitimate credentials (21%) and External Remote Services (21%).

How Healthcare Organizations Can Defend Against Ransomware

Healthcare organizations can take six fundamental security steps to immediately add layers of protection from ransomware:

• Institute least privilege policies for data/system access
• Delete unused email addresses
• Implement and enforce strong password policies
• Use multifactor authentication
• Create, update, segregate and protect viable backups
• Allowlist safe applications

In the event of a ransomware attack, healthcare organizations should already have a response plan in place that includes the following six steps:

• Isolate impacted systems from other computers and servers on the network and disconnect from both wired and wireless networks
• Identify the type of infection. This is sometimes stated in an attacker’s ransom communications but can also be determined from numerous open-source sites. Kroll can also help pinpoint the type of ransomware as well as any other malware and persistence mechanisms still present in the system.
• Report the incident to the appropriate local law enforcement agency
• Think before you pay, following the decision-making processes that should already be outlined in the company’s incident response plan. Victims should also contact their cyber insurance carrier to inquire about ransomware coverage.
• Retain log data. Timely action is often necessary to retain any potentially relevant event data for a subsequent investigation.
• Restore systems and ensure there are effective backup policies and protocols in place

As these findings highlight, every healthcare organization can be a target for ransomware. With Kroll’s help, they can build smarter defenses, close gaps, strengthen vulnerabilities, better safeguard sensitive data and more quickly respond and recover from an attack. Kroll has developed a Ransomware Preparedness Assessment to help your organization better understand your unique vulnerabilities and know ways to avoid or mitigate ransomware harm. Call us today to learn more.