Wed, Dec 21, 2022
Cyber Threat Intelligence Series: A Lens on the Healthcare Sector
A review of recent Kroll incident response cases consistently shows that the healthcare industry is one of the most frequently targeted sectors. This observation mirrors the experience of national cybersecurity agencies, which issued multiple warnings during 2022 highlighting how ransomware gangs and nation-state actors are now aggressively targeting healthcare institutions.
As a sector, healthcare may be particularly attractive to threat actors for a number of reasons, such as the volume of confidential data it holds, particularly protected health information (PHI), and the critical risks posed by the disruption of its services.
Healthcare Under Attack: An Overview
In Q2 2022, Kroll observed a 90% increase in the number of healthcare organizations targeted in comparison with Q1 2022. Ransomware helped to fuel this uptick, at a time when services were undoubtedly under pressure, still recovering from the strain caused by COVID-19. Ransomware is always disruptive, but in a healthcare context, where it interrupts business continuity, it can end up putting lives at risk.
Types of Cyber Threats Affecting the Healthcare Sector
Kroll has observed email compromise (36%) as the most common threat incident type impacting the healthcare sector, followed by ransomware (31%) and unauthorized access (28%).
Email compromise attacks, such as business email compromise (BEC) schemes, are typically aimed at tricking an unsuspecting user into approving a fraudulent transaction, and they are common. Ransomware attacks pose a more severe risk, in that a successful ransomware attack could remove access to patient charts or other data required for essential patient care. Moreover, the majority of ransomware attacks in 2022 used a double extortion tactic, in which actors exfiltrate data prior to network encryption and then threaten to leak the stolen data as leverage during negotiations.
In terms of the methods threat actors use to gain a foothold in systems, phishing is the most common approach for initial access, followed by account takeover using legitimate credentials (21%) and external remote services (21%).
Kroll Case Study: From Phishing to Ransomware
The following case study begins with a phishing email and ends with the publication of sensitive data, highlighting the critical impact of such attacks.
In this instance, an employee at a healthcare organization received a spoofed email from an outside contact purporting to contain a data file that a team member had previously requested. Unknown to the user, the attached document introduced Qakbot malware onto their system. Once inside the network, the threat actors used their remote access to deploy a tool called Cobalt Strike, which helped them move throughout the environment, collecting data such as credentials and network folders along the way. Over a period of approximately 15 days, the actors stole nearly 20 GB of data before encrypting the network with ransomware.
Derek Rieck, Associate Managing Director in the Cyber Risk practice at Kroll, comments, “More than ever, healthcare is a highly attractive target to ransomware groups, as the disruption of critical networks impacting life-saving services may encourage organizations to pay ransom demands. This is intensified by the double extortion tactic, where threatening to publish confidential information, such as protected health information (PHI), can further intimidate victims.”
How Healthcare Organizations Can Defend Against Ransomware
Healthcare organizations can take six fundamental security steps to immediately add layers of protection from ransomware:
- Institute least privilege policies for data/system access
- Delete unused email addresses
- Implement and enforce strong password policies
- Use multifactor authentication
- Create, update, segregate and protect viable backups
- Allowlist safe applications
In the event of a ransomware attack, healthcare organizations should already have a response plan in place that includes the following six steps:
- Isolate impacted systems from other computers and servers on the network and disconnect from both wired and wireless networks
- Identify the type of infection. This is sometimes stated in an attacker’s ransom communications but can also be determined from numerous open-source sites. Kroll can also help pinpoint the type of ransomware as well as any other malware and persistence mechanisms still present in the system.
- Report the incident to the appropriate local law enforcement agency
- Think before you pay, following the decision-making processes that should already be outlined in the company’s incident response plan. Victims should also contact their cyber insurance carrier to inquire about ransomware coverage.
- Retain log data. Timely action is often necessary to retain any potentially relevant event data for a subsequent investigation.
- Restore systems and ensure there are effective backup policies and protocols in place
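The "retain log data" step above is the one most often lost to time: logs rotate, systems get rebuilt, and the evidence of the initial phishing email or the Cobalt Strike beaconing is gone before an investigator arrives. The following script is an added example, not Kroll's tooling, of what "timely action" can look like in practice: it copies log files into an evidence directory, makes the copies read-only, records a SHA-256 manifest, and can later re-verify the copies to show they were not altered. The set of log file suffixes, the manifest file name, and the sample log lines are constructed assumptions for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Assumed file types worth preserving; extend to match your own estate.
LOG_SUFFIXES = {".log", ".evtx", ".json"}
MANIFEST_NAME = "MANIFEST.json"  # assumed name for the integrity manifest


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(src_dir: Path, dest_dir: Path) -> dict:
    """Copy every log file under src_dir into dest_dir (directory tree kept),
    make each copy read-only, and write/return a manifest {relative_path: sha256}."""
    manifest = {}
    for path in sorted(src_dir.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in LOG_SUFFIXES:
            continue
        rel = path.relative_to(src_dir)
        target = dest_dir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)          # copy2 keeps timestamps (useful for timelines)
        os.chmod(target, 0o440)             # owner/group read-only: discourage accidental edits
        manifest[rel.as_posix()] = sha256_file(target)
    (dest_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_manifest(dest_dir: Path) -> list:
    """Re-hash the preserved copies; return the relative paths whose hash no longer matches."""
    manifest = json.loads((dest_dir / MANIFEST_NAME).read_text())
    return [rel for rel, digest in manifest.items()
            if sha256_file(dest_dir / rel) != digest]


def demo() -> tuple:
    """Constructed sample: two log files plus one non-log file, then simulated tampering.
    Returns (preserved paths, mismatches right after preservation, mismatches after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "logs"
        (src / "auth").mkdir(parents=True)
        (src / "auth" / "auth.log").write_text(
            "Jan 01 10:00:01 host sshd[1]: Accepted password for svc from 10.0.0.5\n")  # constructed
        (src / "app.log").write_text(
            "2022-12-20T09:15:00Z app INFO backup completed\n")                         # constructed
        (src / "notes.txt").write_text("not a log file\n")                               # ignored

        dest = Path(tmp) / "evidence"
        manifest = preserve_logs(src, dest)
        clean = verify_manifest(dest)           # expected: nothing changed yet

        tampered = dest / "app.log"             # simulate a later overwrite of one copy
        os.chmod(tampered, 0o640)
        tampered.write_text("")
        changed = verify_manifest(dest)         # expected: ["app.log"]
        return sorted(manifest), clean, changed


if __name__ == "__main__":
    print(demo())
```

In a real response the manifest (and ideally the evidence copies) should be stored off the affected host, and the same hashes should be recorded in the incident log so that a later investigation can demonstrate the preserved data is what was collected on the day.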
As these findings highlight, every healthcare organization can be a target for ransomware. With Kroll’s help, they can build smarter defenses, close gaps, strengthen vulnerabilities, better safeguard sensitive data and more quickly respond and recover from an attack. Kroll has developed a Ransomware Preparedness Assessment to help your organization better understand your unique vulnerabilities and know ways to avoid or mitigate ransomware harm. Call us today to learn more.