How to Address Healthcare’s Cybercrime Problem


The healthcare industry remains a prime target for cybercrime, with many prominent organizations falling victim to serious attacks.

In February 2024, Change Healthcare was infiltrated by cybercriminals who obtained the sensitive health data of potentially hundreds of millions of people. A few months later, an intruder hacked into the electronic health record system of Ascension, stealing the personally identifiable information (PII) of an undisclosed number of patients.

These two incidents were very expensive and caused disruptions in various essential services. Change Healthcare, for example, has stated the incident will cost them more than $2.3bn so far in 2024.

Both attacks also featured some of the most common cybercrime tactics, including phishing and ransomware. To protect themselves from a similar fate, healthcare organizations would be wise to know what kinds of attacks to look out for and why they continue to be effective.


Primary Attacks Targeting Healthcare 

Phishing 

Phishing is the practice of sending seemingly harmless emails containing malicious links. To incentivize the recipient into clicking, the attacker may pretend to be a reputable company in the healthcare industry or reference a widely known medical issue or event.

When the recipient clicks on the link, they are usually directed to a decoy web page designed to look like a familiar login screen. Once the recipient enters their credentials, the attacker can use this information to gain access to the healthcare organization's systems.

Phishing was the most commonly reported cybercrime of 2023, partially because attackers are now sending messages via text or SMS, which is known as “smishing.” Sometimes, clicking on a link in a phishing message can result in the installation of malicious software, which brings us to our second cyber threat.

Ransomware 

Ransomware is a form of malicious software, or malware, that encrypts data, rendering it inaccessible until the attacked party pays a ransom. Once the recipient clicks on a link or enters their credentials into a decoy login screen, the attacker can potentially gain access to the organization’s systems, including their electronic health record system.

Healthcare organizations are easy targets for ransomware due to the critical need to continue providing their services. Even large and well-protected organizations like Change Healthcare and Ascension might have no choice but to pay hefty ransoms.

Proofpoint found that 69% of organizations experienced a successful ransomware attack in 2023, and such attacks are considered a major threat to healthcare organizations.

Some hackers have even created their own variations of ransomware called ransomware-as-a-service (RaaS), which allows computer neophytes to “license” the criminal toolkit and launch their own attacks. As RaaS becomes increasingly available, healthcare organizations will see an increase in attacks.

Human Error 

One of the threats that cuts across all these techniques is human error. In the corporate environment, human error often stems from insufficient employee awareness.

Employees may inadvertently expose their credentials or sensitive data amid the chaos and rapid pace of healthcare settings. For instance, an employee could unwittingly send an email to the wrong recipient or misplace a device containing medical records.

The real culprit here is the lack of adequate cybersecurity training for staff members. Without comprehensive training programs, employees are ill-equipped to recognize cybercrime and handle sensitive data.

DDoS 

Another common attack vector is the distributed denial of service (DDoS). In a DDoS attack, the attacker sends a flood of fake connection requests to a targeted server, overwhelming it and forcing it offline. The goal is often to keep the server offline until the organization pays a ransom.

While a DDoS attack doesn’t involve any data theft, the organization’s website becomes unavailable, and it can have major operational impacts, much like a ransomware attack. DDoS is also particularly effective if it’s used against a critical web-based tool for a hospital, in which just an hour of interrupted service could seriously compromise treatment for patients.

IoT Vulnerabilities 

The proliferation of the Internet of Things (IoT) and connected medical devices in healthcare has created additional opportunities for attackers. Smart medical devices like wearable heart monitors collect, exchange, and analyze sensitive health data.

These devices are often designed by technology vendors outside of the healthcare industry, which may not carry the same security protocols as devices made by clinical vendors.

Moreover, many smart medical devices are designed to feed information via the internet into larger health systems. These interconnections make the device a potential access point to an entire healthcare network. As smart wearables become more popular, healthcare organizations inadvertently create more accessible pathways to sensitive data.

How to Prevent Attacks on Healthcare 

Implementing Basic Protocols

The healthcare industry can significantly reduce its vulnerability to cyber-attacks by implementing basic cybersecurity practices, like regular software updates, using multi-factor authentication (MFA) and backing up systems reliably.

Patching vulnerable systems is a must – and doing so on a timely basis is paramount. Organizations tend to work with multiple software suppliers for different functions, such as billing or telehealth.

Since each piece of software can be a potential entry point for hackers, organizations should make sure to download and activate any updates or patches for their software as soon as they become available. To help prioritize where to patch first, I’d suggest using CISA’s “Known Exploited Vulnerabilities Catalog” which lists all the vulnerabilities that are actively being exploited by malicious actors.
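As an added illustration (not code from the article or from CISA), the sketch below cross-references vulnerability scanner findings against a catalog in the layout of CISA's KEV JSON feed and orders the patch queue. The asset names, CVE placeholders and sample entries are constructed; a real run would load the catalog JSON published by CISA instead of `KEV_SAMPLE`.

```python
import json
from datetime import date

# Constructed sample using the field names of CISA's KEV JSON feed.
# The CVE IDs are placeholders, not real vulnerabilities.
KEV_SAMPLE = json.loads("""
{"catalogVersion": "constructed-sample", "vulnerabilities": [
  {"cveID": "CVE-0000-0001", "product": "Billing Portal",
   "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "product": "EHR Database",
   "dueDate": "2024-02-15", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "product": "Telehealth Gateway",
   "dueDate": "2024-04-10", "knownRansomwareCampaignUse": "Known"}
]}
""")

# Constructed scanner output: (asset, CVE) pairs from a hypothetical inventory.
FINDINGS = [
    ("ehr-db-01", "CVE-0000-0002"),
    ("billing-web-01", "CVE-0000-0001"),
    ("telehealth-gw-01", "CVE-0000-0003"),
    ("ehr-db-01", "CVE-0000-0009"),  # not listed in the catalog
]

def prioritize(findings, kev, today):
    """Split findings into a KEV-driven patch queue and a routine backlog."""
    index = {v["cveID"]: v for v in kev["vulnerabilities"]}
    queue, backlog = [], []
    for asset, cve in findings:
        entry = index.get(cve)
        if entry is None:
            backlog.append((asset, cve))  # no known exploitation: normal cycle
            continue
        # dueDate is the remediation deadline CISA sets for US federal
        # agencies; it is used here only as an urgency signal.
        due = date.fromisoformat(entry["dueDate"])
        queue.append({
            "asset": asset, "cve": cve, "due": due, "overdue": due < today,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    # Ransomware-linked entries first, then the earliest due date.
    queue.sort(key=lambda r: (not r["ransomware"], r["due"]))
    return queue, backlog

if __name__ == "__main__":
    patch_queue, routine = prioritize(FINDINGS, KEV_SAMPLE, date(2024, 4, 1))
    for row in patch_queue:
        flag = "OVERDUE" if row["overdue"] else "due " + row["due"].isoformat()
        print(row["asset"], row["cve"], "ransomware" if row["ransomware"] else "-", flag)
    print("routine backlog:", routine)
```

Findings that do not appear in the catalog are not dropped; they fall back to the organization's normal patch cycle.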

Organizations can also prevent attackers from gaining access to login information by implementing MFA, in which users can only gain access to a resource after clearing two identification hurdles. While a seasoned hacker may be able to gain access to a password, the second form of authentication is often a code that the user receives on their mobile phone, something hackers would have a much harder time gaining access to.

Lastly, creating backups of sensitive data allows organizations to quickly restore critical systems in the event that they are held hostage by an attacker. Instead of having to pay a ransom to retrieve the data, the organization could immediately access the backup system and minimize delays in services.

Sharing Threat Intelligence

The need for healthcare organizations to share information about cyber-attacks with each other has never been more critical. In an industry in which attackers continually target sensitive data, collaboration can greatly enhance the cybersecurity defenses of the industry as a whole.

By sharing cyber incident information with the community, the victim not only helps protect the global healthcare sector but can also learn from others who have had similar experiences, gaining a better understanding of how to recover from the attack and benefiting from their lessons learned.

Yes, it’s embarrassing for companies to reveal they’ve suffered a cyber-attack, but this is exactly the kind of timid response cybercriminals are counting on. Publicizing the tactics of cybercriminals, on the other hand, makes it harder for these bad actors to succeed with the same methods.

Building a Collaborative Culture 

Creating a more collaborative culture is essential to combating cyber threats across the healthcare sector. Rather than operating under the mentality of “everyone for themselves,” organizations should implement robust cybersecurity measures alongside one another.

Under this more open culture, organizations can share their cybercrime experiences and empower their peers. By working together, healthcare organizations can build stronger defenses to effectively safeguard sensitive data.
