Healthcare facilities prime target for ransomware attacks

Healthcare facilities were likely the main target of ransomware attacks in 2020, as Unit 42, the threat research arm of security firm Palo Alto Networks, found and published in a threat report. Cybercriminals are believed to have targeted these facilities more heavily because healthcare providers were under tremendous pressure due to the influx of COVID-19 patients. Palo Alto Networks has therefore compiled ten approaches for better protection in this area.


Palo Alto Networks' Unit 42 has created and published the 2021 Ransomware Threat Report, which sheds some more light on the issue. According to the report, healthcare was the industry most affected by ransomware in 2020. The report noted that ransomware operators likely targeted this sector because they knew healthcare facilities were under tremendous pressure due to the influx of COVID-19 patients. The calculus behind it: the facilities could not afford to be locked out of their systems, so they would likely be willing to pay a ransom. In May 2021, the FBI issued a warning that the Conti ransomware group, which recently crippled the Irish healthcare system, had also attacked at least 16 healthcare and first-responder networks in the U.S. the year before. Research firm Comparitech tracked more than 92 separate ransomware attacks on U.S. healthcare in 2020 – a 60 percent increase from the previous year. More than 600 clinics, hospitals and facilities were affected, including more than 18 million patient records. The estimated cost of these attacks was nearly $21 billion.

Conclusions from Palo Alto Networks

Palo Alto Networks has concluded that cybercriminals are targeting healthcare facilities based on several factors:

  • The value of the data controlled and maintained by the facilities – Because many attackers are motivated primarily by monetary gain, they target those with valuable financial and/or data assets that can be converted into cash. Healthcare facilities collect a variety of information about their patients, including complete contact information, Social Security numbers, payment card data, sensitive health data, and health insurance information. Many healthcare providers also conduct research, adding to this vast pool of extremely valuable data. Overall, this provides criminals with opportunities for data theft, fraudulent insider activity, and criminal schemes such as insurance fraud.
  • The perceived security posture of the facility – Healthcare facilities include small and large companies, from equipment manufacturers to technology suppliers to HDOs, and each has a unique commitment to security. Therefore, it is important not to make generalizations. However, criminals may very well do just that. Healthcare is often seen as a sector that lacks highly skilled IT professionals and security experts. The less secure a sector appears to be, the more attacks are likely to be perpetrated against it.
  • The actual security posture of the facility – Attackers will naturally be more successful if defenses have vulnerabilities. Given the increasing complexity of the IT landscape, many facilities struggle to close every gap. Today's hackers are adept at looking for every open port, unprotected cloud misconfiguration and other vulnerability. The incidents in which Unit 42 is called in to help correlate with one or more open vulnerabilities.
  • Critical ongoing operations – Certain tactics rely on the facility needing to keep its systems up and running to maintain core operations. Clinics cannot afford interruptions in patient care. Outages (system-wide, partial, or local) are unacceptable, which can result in systems, such as a network switch, going for years without patching, rebooting or proper maintenance. If the hospital does not have an incident response plan in place to restore operations from backups, it is more likely to pay the attackers. Even if the organization has an IR plan and backups, some still pay the ransom because the backup systems may also be affected, or because the amount of data and the number of systems to be restored exceed the capacity of the backup systems. Attackers could succeed in locking down a single critical system that has not been backed up at all, or not recently or properly. The organization could then find itself in the position of having to pay for the decryption key, regardless of the overall quality of its backup solution.

Why are some tactics more commonly used against healthcare?

Looking at the above threats to healthcare and what they say about the defenses of these facilities and the attackers targeting them, Palo Alto Networks concludes the following: First, ransomware relies on the facility's need to keep its core systems up and running. Applications such as EMR and PACS are especially important because they are used around the clock to access patient records that contain vital information about diseases, medications, etc. A lack of access to these applications compromises patient care. The healthcare sector is not the only area where continuous operations are essential.

Ransomware is also widely used in other sectors that require continuous operations. Attackers are motivated by the prospect of financial fraud. They typically exploit the billing process, take over email accounts and pose as legitimate executives or employees to authorize payments and then divert funds to their own accounts. Healthcare facilities frequently send and receive invoices for expensive medical services, solutions and technologies.

Cybercriminals see this as an opportunity to steal potentially significant amounts of money from facilities and patients alike. Finally, the inadvertent disclosure of sensitive data stored in a cloud database or internet application exposed to the internet can (and does) affect any industry. Healthcare facilities are increasingly turning to cloud computing and third-party solutions to keep pace with business needs and medical innovations. Although these solutions and vendors appear to be outsourced, they require careful application of security controls and monitoring on the enterprise side. Cortex Xpanse typically finds that customers have at least 30 percent more assets than they realize. As complexity increases, so does the attack surface. Because healthcare is a coveted target, these opportunities are likely to be discovered and exploited if not identified and addressed.


What can healthcare facilities do to protect themselves?

There are many best practices to protect against these threats. These include using advanced, high-performance products such as next-generation firewalls (NGFW) with machine learning and extended detection and response (XDR) platforms. In addition to establishing proper backups and IR processes, ten recommendations for protecting against a range of threats are listed below:

  1. Deploy a zero-trust architecture to protect the organization's data, assets and employees.
  2. Implement multi-factor authentication (MFA) for all devices and accounts with Internet access.
  3. Inventory devices and software.
  4. Secure the configurations of hardware devices and software.
  5. Perform continuous vulnerability management.
  6. Restrict the use of administrator accounts.
  7. Encrypt laptops and mobile devices.
  8. Maintain and monitor audit trails.
  9. Educate users on the dangers of phishing and social engineering.
  10. Maintain backups separately and/or offline.


Some industries are more vulnerable to targeted attacks than others, and the more often attackers are successful, the more frequent the attacks will be. Part of the attack strategy of cybercriminals is to use tactics that are most likely to be financially rewarding and successful. For this reason, healthcare bears the brunt of ransomware and business email compromise (BEC) attacks, as well as attacks related to unwanted data disclosure. Ransomware, in particular, is the biggest threat to healthcare facilities. Ransomware operators are now using a double extortion tactic, combining data exfiltration with data encryption. In doing so, they aim to force payment from facilities that may have adequate backup and IR processes in place for rapid recovery. It is therefore important that clinics pay attention to their end-to-end security requirements. In times of healthcare crises such as the COVID-19 pandemic, this is proving to be increasingly urgent.
