Artificial Intelligence & Machine Learning

Attacks on Healthcare Institutions Decline, But Impact High

A report on the status of cybersecurity in the healthcare industry indicates that cyberattacks are declining or remaining flat. Cyber attackers were still targeting medical services, hospitals and clinics, medical device manufacturers and pharmaceutical firms in Q2 2023.

See Also: Ransomware Demystified: Lessons to Secure your Organization

The report, produced by CYFIRMA Research and covering a 90-day period between May to July 2023, suggests that law enforcement's focus on actively pursuing breach cases involving protected health information is keeping some cybercriminals away from healthcare - except for Russia-based threat actors who are essentially untouchable.

The report tracked 13 campaigns in the healthcare industry, which is a relatively small number compared to other industries such as finance, manufacturing and high tech.

CYFIRMA researchers told ISMG that, based on their observations, APT actors (with one exception) are avoiding healthcare institutions and may be looking at more covert operations that could keep them out of the spotlight.

Suspected Threat Actors

The most active threat actors known to target the healthcare sector are MISSION2025, Russian bears and TA505.

According to a Blackberry blog post TA505, a financially motivated APT known to attack healthcare firms, has been active since 2014. TA505 is one of the largest, if not the largest, phishing and malspam distributors worldwide, estimated to have compromised more than 3,000 U.S.-based and 8,000 global organizations.

TA505 uses toolsets such as Clop ransomware, the FlawedAmmyy RAT, and banking Trojans such as Dridex.

Geographical Distribution

Nearly half of the targeted victims are from the European Union and the United Kingdom, followed by the U.S., Canada, Australia and New Zealand - countries that are collectively leading the world healthcare industry. Surprisingly, Africa and Central Asia had no observed victims during this period.

The report does not break down the data for individual countries in Southeast Asia and Europe because of the overlapping nature of monitoring telemetry, the CYFIRMA researchers said.

Top Attacked Technologies

Web application attacks: For the most part, APTs targeted vulnerabilities within web applications, focusing on remote access technology and weaknesses in operation systems.

CYFIRMA researchers pointed out that web applications are most vulnerable, second only to humans victims of social engineering attacks.

Phishing: Phishing attacks explicitly targeting or impersonating the healthcare industry are "very rare" compared to other sectors.

CYFIRMA’s said only 135 out of total 105,930 phishing attacks involved healthcare organizations.

Contrary to CYFIRMA's report, cyber intelligence firm Black Kite said phishing attacks were the most common type of cyberattacks in healthcare in 2022, making up 50.7% of the attacks. This was followed by malware (17.9%) and ransomware (14.3%).

Mass spam and phishing is almost exclusively financially motivated. PHI commands a premium on the dark web.

Explaining the low figure for phishing attacks, CYFIRMA said, "We are seeing the trend of fake courier and delivery emails asking for fees to complete the delivery or emails urging unsuspecting users to renew non-existent subscriptions. Healthcare is just not a good choice for global spray and pray to phish as it is highly localized."

According to CYFIRMA, the only healthcare impersonated organization observed is French Health Insurance , followed by a scattered generic phishing, including Italian Bank and Outlook application themed phishing against healthcare organizations from various origin countries.

In March 2022, French Health Insurance said unknown attackers infiltrated its patient services, accessing information of 510,000 policyholders.

Ransomware: CYFIRMA observed 144 verified ransomware victims from various healthcare sectors, out of the overall total of 1,382 incidents (all sectors), accounting for 10.4% of all ransomware victims during the same period.

The distribution of ransomware incidents was observed across multiple sub-sectors within healthcare. The sectors that experienced the highest impact were medical services (43%), pharmaceuticals (10%), medical devices (9%), manufacturing (8%) and healthcare IT systems (6%).

Broad targeting beyond the hardest hit sectors, such as medical education, IT systems and medical billing, implies an opportunistic approach within the healthcare sector.

With 106 known incidents, U.S. is by far the most affected by ransomware attacks in the healthcare industry. This affirms that the U.S. remains a prime target across industries, due to its economic significance and digital infrastructure.

Earlier this year, the Department of Health and Human Services, HHS, issued an alert to the healthcare sector, warning that the Clop ransomware group is targeting healthcare facilities. The threat actors send ransomware-infected medical files, posing as doctors or patients, to access critical documents. Medical industry sources say these attacks have a higher chance of success due to the COVID-19-related expansion of telehealth and virtual appointments.

"As these primarily Russian-speaking foreign ransomware gangs compete for victims to exploit in their own highly competitive criminal subculture, they are forced to evolve their attack techniques," said John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk.

Riggi said the Clop ransomware gang operates by infiltrating themselves into the normal clinical workflow between physicians and developing highly convincing phishing emails based on the public profiles of clinicians.

In the CYFIRMA report, the remaining known incidents with known victim countries are Canada (4 victims), India (4 victims) and France (3 victims). This correlates with a broad threat landscape across industries. India, renowned for its robust drug manufacturing industry and COVID-19 vaccine research, could potentially be victim to higher number of ransomware attacks on healthcare institutions.

According to Check Point Research, healthcare saw the highest number of attacks among all sectors in India, with an organization in India being attacked 1,866 times per week on average in 2022.

While CYFIRMA cites a decline in healthcare attacks, the 2023 Cost of a Data Breach Report says the cost of breaches remains high and healthcare continues to remain a top target for online criminal groups. These data breach costs are the highest of any industry and have increased for the 13th consecutive year.

Referring to a report by Critical Insight analyzing health data breach patterns so far in 2023, John Delano, a vice president at healthcare entity Christus Health said there is a "slight decline" in the number of breaches but the impact is higher.

"We continue to see the number of records that were breached go up. So, while we have less breaches, they are much bigger and major. To me that is a bigger problem," Delano told ISMG in a podcast.

CYFIRMA agreed the number could be much higher, and said it is only declaring reported incidents.

"There could certainly be more, but neither the victim companies nor the attacking gangs reported these breaches. Many victims choose not to report and we cannot verify, and therefore do not count them," the CYFIRMA researchers said.