A review of recent Kroll incident response cases consistently shows that healthcare is one of the most frequently targeted sectors. This mirrors the experience of national cybersecurity agencies, several of which issued warnings during 2022 that ransomware gangs and nation-state actors are now aggressively targeting healthcare institutions.
As a sector, healthcare is particularly attractive to threat actors for several reasons, including the volume of confidential data it holds, particularly protected health information (PHI), and the critical consequences of disrupting clinical and business services.
In Q2 2022, Kroll observed a 90% increase in the number of healthcare organizations targeted compared with Q1 2022. Ransomware helped fuel this uptick, at a time when services were still under pressure recovering from the strain of COVID-19. Ransomware is always disruptive, but in healthcare the loss of business continuity can end up putting lives at risk.
Kroll has observed email compromise (36%) as the most common threat incident type impacting the healthcare sector, followed by ransomware (31%) and unauthorized access (28%).
Email compromise attacks, such as business email compromise (BEC) schemes, typically aim to trick an unsuspecting user into approving a fraudulent transaction, and they are common. Ransomware attacks pose a more severe risk: a successful attack can cut off access to patient charts or other data required for essential patient care. In addition, the majority of ransomware attacks in 2022 used a double extortion tactic, in which actors exfiltrate data before encrypting the network and then threaten to leak the stolen data as leverage during negotiations.
In terms of how threat actors gain an initial foothold, phishing is the most common initial access method, followed by account takeover using legitimate credentials (21%) and External Remote Services (21%).
The following case study begins with a phishing email and ends with the publication of sensitive data, highlighting the critical impact of such attacks.
In this instance, an employee at a healthcare organization received a spoofed email from an outside contact purporting to contain a data file that a team member had previously requested. Unknown to the user, opening the attached document installed Qakbot malware on their system. Once inside the network, the threat actors used that remote access to deploy Cobalt Strike, which helped them move through the environment, collecting credentials and network folders along the way. Over approximately 15 days, the actors stole nearly 20 GB of data before encrypting the network with ransomware.
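The exfiltration phase of this case study, roughly 20 GB leaving the network over about 15 days, is the stage of the chain where a detection team has the longest window to intervene. The following is an added example, not Kroll's tooling and not data from the incident: it baselines each workstation's daily outbound volume from proxy logs and flags any day that exceeds both the host's own historical median by a large factor and an absolute byte floor, naming the destination that received most of the traffic. The log line format, hostnames, domains, byte counts and thresholds are all constructed for illustration.

```python
"""Flag hosts whose daily outbound volume spikes above their own baseline.

Added example (not Kroll's tooling or the case-study data). The log format,
hostnames, domains and byte counts below are constructed for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import date

MB = 1024 * 1024

# Constructed proxy-log format: ISO timestamp, source host, destination, bytes sent.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+\s+host=(?P<host>\S+)\s+dst=(?P<dst>\S+)\s+bytes_out=(?P<bytes>\d+)$"
)


def parse_log(lines):
    """Return (date, host, dst, bytes_out) tuples; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append((date.fromisoformat(m["ts"]), m["host"], m["dst"], int(m["bytes"])))
    return records


def daily_totals(records):
    """Return host -> {day -> bytes_out} and host -> {day -> {dst -> bytes}} for attribution."""
    totals = defaultdict(lambda: defaultdict(int))
    by_dst = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for day, host, dst, nbytes in records:
        totals[host][day] += nbytes
        by_dst[host][day][dst] += nbytes
    return totals, by_dst


def flag_exfiltration(records, factor=5.0, floor_bytes=200 * MB, min_history=3):
    """Flag (host, day) pairs whose outbound bytes exceed `factor` x the median of that
    host's earlier days AND an absolute floor, so a quiet host going from 1 KB to 10 KB
    does not alert. Each alert names the destination that received the most bytes."""
    totals, by_dst = daily_totals(records)
    alerts = []
    for host, per_day in totals.items():
        days = sorted(per_day)
        for i, day in enumerate(days):
            history = [per_day[d] for d in days[:i]]
            if len(history) < min_history:
                continue  # not enough baseline yet for this host
            baseline = statistics.median(history)
            sent = per_day[day]
            if sent >= floor_bytes and sent > factor * baseline:
                top_dst, top_bytes = max(by_dst[host][day].items(), key=lambda kv: kv[1])
                alerts.append({
                    "host": host, "day": day.isoformat(), "bytes_out": sent,
                    "baseline": baseline, "top_dst": top_dst, "top_dst_bytes": top_bytes,
                })
    return alerts


def _constructed_log():
    """Seven quiet days for two workstations, then one day where WS-0042 pushes
    ~2.5 GB to an unfamiliar host in a few large sessions (constructed, not real traffic)."""
    lines = []
    for d in range(1, 8):
        lines.append(f"2022-05-{d:02d}T09:12:00Z host=WS-0042 dst=ehr.internal.example bytes_out={30 * MB}")
        lines.append(f"2022-05-{d:02d}T14:40:00Z host=WS-0042 dst=mail.example.com bytes_out={20 * MB}")
        lines.append(f"2022-05-{d:02d}T11:05:00Z host=WS-0017 dst=ehr.internal.example bytes_out={45 * MB}")
    lines += [
        f"2022-05-08T02:13:11Z host=WS-0042 dst=ehr.internal.example bytes_out={30 * MB}",
        f"2022-05-08T02:40:52Z host=WS-0042 dst=cdn-sync.example.net bytes_out={1200 * MB}",
        f"2022-05-08T03:55:19Z host=WS-0042 dst=cdn-sync.example.net bytes_out={1300 * MB}",
        f"2022-05-08T10:00:00Z host=WS-0017 dst=ehr.internal.example bytes_out={46 * MB}",
        "malformed line that the parser should skip",
    ]
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for a in flag_exfiltration(parse_log(SAMPLE_LOG)):
        print(f"{a['day']} {a['host']}: {a['bytes_out'] // MB} MB out "
              f"(baseline {a['baseline'] // MB} MB/day), mostly to {a['top_dst']}")
```

The median baseline tolerates a few noisy days in the history, and the absolute floor keeps low-traffic hosts from alerting on trivial changes. With these constructed thresholds, 20 GB over 15 days (about 1.3 GB per day) would clear a 200 MB floor against a 50 MB baseline, but an actor who trickles data out more slowly would not; in practice this per-day check is paired with a cumulative per-destination volume check over a longer window.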
Derek Rieck, Associate Managing Director in the Cyber Risk practice at Kroll, comments, “More than ever, healthcare is a highly attractive target to ransomware groups, as the disruption of critical networks impacting life-saving services may encourage organizations to pay ransom demands. This is intensified by the double extortion tactic, where threatening to publish confidential information, such as protected health information (PHI), can further intimidate victims.”
Healthcare organizations can take six fundamental security steps to immediately add layers of protection from ransomware:
In the event of a ransomware attack, healthcare organizations should already have a response plan in place that includes the following six steps:
As these findings highlight, every healthcare organization can be a target for ransomware. With Kroll's help, they can build smarter defenses, close gaps, remediate vulnerabilities, better safeguard sensitive data and respond to and recover from an attack more quickly. Kroll has developed a Ransomware Preparedness Assessment to help your organization understand its unique vulnerabilities and identify ways to avoid or mitigate ransomware harm. Call us today to learn more.