As we have repeatedly seen, the healthcare industry is far from immune to cyber-attacks. From ransomware attacks that disrupt patient care and extort hospitals for payment, to phishing campaigns, the risks to patient data and the overall operation of healthcare organizations are significant. The sensitive nature of the data stored and processed by hospitals and other healthcare organizations, including patient medical records and personal information makes these organizations a particularly attractive target for attackers. In addition to the financial impact of these attacks, they can disrupt medical care and put patient safety at risk. It is essential for healthcare organizations to prioritize cybersecurity and take steps to protect against these types of threats.
CYBERATTACKS ON HEALTHCARE ORGANIZATIONS ARE STILL SURGING
It is concerning that cyberattacks on healthcare organizations are still surging, despite many efforts to improve their cybersecurity measures.
In 2022 there were 25 incidents against healthcare providers that operate 290 hospitals.
Nearly every month, we hear about another major hospital or healthcare system falling victim to a ransomware attack or data breach. Attack groups like Hive, Daixin, and LockBit have all been known to focus on hospitals and healthcare organizations. One recent example is the ransomware attack and data breach at the Lake Charles Memorial Health System (LCMHS), which affected almost 270,000 patients. On October 21, 2022, LCMHS in Louisiana detected unusual activity on its computer network. An extensive investigation revealed that Hive group hackers had gained unauthorized access and stolen sensitive files containing patient information such as names, addresses, dates of birth, medical records, patient identification numbers, health insurance information, payment information, and limited clinical information.
THE DAIXIN CHRONICLES
In July 2022, the Daixin group targeted the Fitzgibbon Hospital in Missouri with a ransomware attack. The attackers demanded a ransom of $1.5 million, which the hospital initially negotiated down to $50,000 before ultimately refusing to pay. As a result, the attackers released 40 gigabytes of data online, including patient names, diagnostic and treatment information, health insurance information, and billing data. In September 2022, the same group launched a ransomware attack on OakBend Medical Center in Texas that knocked out its phone and email systems for weeks. In October, the hospital admitted that hackers had also downloaded data from the medical records of up to 500,000 individuals. The attack forced OakBend to limit communication with the outside world by taking its email and phone systems offline for several weeks.
Notable cyber attacks on health organizations in 2022
McKenzie Health System
Hospital Yuma Regional Medical Center
Kaiser Permanente
Baptist Medical Center
Fitzgibbon Hospital
Baton Rouge General Medical Center
NHS
The Centre Hospitalier Sud Francilien
Virginia Mason Franciscan Health (Part of CommonSpirit Health Incident)
CHI Health (Part of CommonSpirit Health Incident)
MercyOne Des Moines Medical Center (Part of CommonSpirit Health Incident)
OakBend Medical Center (Part of CommonSpirit Health Incident)
The Lake Charles Memorial Health System
THE AGE OF LOCKBIT RANSOMWARE
Last but certainly not least is the LockBit group. The ransomware attack on the Centre Hospitalier Sud Francilien in Corbeil-Essonnes, France, happened on August 30, 2022. This attack resulted in the temporary shutdown of many hospital systems and the rescheduling of patient appointments. The attackers demanded a ransom of $1 million, which the hospital ultimately refused to pay. This refusal led to the publication of nearly 12 gigabytes of patient and staff data, raising serious patient privacy concerns.
The attacks on healthcare organizations and hospitals show that cybercriminals can easily exploit existing vulnerabilities to carry out ransomware attacks or exfiltrate sensitive data. These vulnerabilities include outdated software or systems and a lack of proper security measures, as well as simple mistakes employees make, such as clicking on a malicious link in a phishing email.
REVIEW OF VULNERABILITIES EXPLOITED BY ATTACK GROUPS
CVE-2021-31207: Microsoft Exchange Server Security Feature Bypass Vulnerability
CVE-2021-34473: Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-34523: Microsoft Exchange Server Privilege Escalation Vulnerability
CVE-2022-3723: A zero-day vulnerability affecting Google Chrome which could allow adversaries to read sensitive information of other applications, access memory regions to crash other applications, or perform remote code execution.
CVE-2020-3153: A vulnerability affecting the installer component of Cisco AnyConnect Secure Mobility Client for Windows, which could allow an authenticated local adversary to copy malicious files to arbitrary locations with system-level privileges.
CVE-2021-39144: A remote code execution vulnerability in XStream, an open-source library used for converting objects into byte streams in a process known as serialisation.
CVE-2017-11882: A Microsoft vulnerability allowing an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka “Microsoft Office Memory Corruption Vulnerability”.
CVE-2016-0189: A Microsoft vulnerability allowing remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted website, aka “Scripting Engine Memory Corruption Vulnerability”.
(ibid): A Microsoft vulnerability allowing remote code execution due to the way objects are handled in memory, aka “Microsoft Office Memory Corruption Vulnerability”.
REDUCE YOUR RISK EXPOSURE NOW. ASK ME HOW
There are no magic tricks when it comes to protecting your organization from cyberattacks. The first thing to acknowledge is that, in most cases, the security solutions and technologies required to achieve effective defensibility are right under your nose. They are already part of the security infrastructure. Let’s look at some examples:
1. Validate your IPS (Endpoint & Network based) configuration
Ensure it is set to protect against the specific types of threats your organization is most likely to encounter or has encountered in the past. This includes common types of attacks such as SQL injection and cross-site scripting (XSS). In addition, consider setting your IPS to block all threats your organization hasn’t encountered for a while. This also includes protections carrying the high-performance tag. The performance impact of these actions is relatively (and surprisingly) low, as previously explained.
It’s also essential to validate that your IPS is updated with the latest security signatures or threat intelligence feeds. Additionally, following the same logic, proactive monitoring and automatic analysis of the IPS configuration can help identify misconfigurations or gaps in the security posture itself, at scale.
2. Monitor and block risky protocols
Monitor and block risky protocols such as RDP and SSH from being accessed from outside the network. RDP (Remote Desktop Protocol) and SSH (Secure Shell) are commonly used for remote access to systems; however, attackers can also use them to gain unauthorized access. Monitoring these protocols and blocking access to them from outside the network limits the opportunities for an attacker to get in, and so reduces the chance of a successful attack.
3. Automatically block indicators related to attacks you have already encountered
Indicators of compromise (IOCs) are signs of an attack or a compromised system. Examples include IP addresses, domain names, and file hashes associated with a specific attack. By automatically blocking indicators related to attacks you have encountered, you can prevent future similar attacks from being successful.
4. Protect against zero-day attacks
Protect against zero-day attacks by deploying a sandbox technology as part of your network security strategy and on your email cloud provider, and configure it to block malicious files when they are discovered. Running the sandbox in block mode stops malicious files from executing within the network or on devices. Email cloud providers are another entry point for malware or phishing campaigns, so it’s essential to enforce a sandbox solution on the email cloud provider to catch malicious files that arrive through email.
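Recommendations 2 and 3 above can be checked against your own firewall logs. The following is an added example (not code from the original post): it reads constructed sample log lines, flags inbound RDP/SSH connections from outside the internal ranges, matches source addresses against a constructed list of indicators retained from an earlier incident, and produces the list of addresses to feed into a blocklist. The log format, the internal network ranges and the IOC list are assumptions.

```python
import ipaddress

# Constructed sample firewall log lines (assumed format):
# timestamp action src_ip dst_ip dst_port protocol
SAMPLE_LOGS = [
    "2022-10-21T03:14:07Z ACCEPT 203.0.113.45 10.0.5.12 3389 tcp",
    "2022-10-21T03:14:09Z ACCEPT 10.0.8.3 10.0.5.12 3389 tcp",
    "2022-10-21T03:15:30Z ACCEPT 198.51.100.7 10.0.5.20 22 tcp",
    "2022-10-21T03:16:02Z ACCEPT 192.0.2.10 10.0.5.30 443 tcp",
    "2022-10-21T03:17:45Z ACCEPT 203.0.113.45 10.0.5.31 443 tcp",
]

# Constructed IOC list: source addresses recorded during a previous incident.
KNOWN_BAD_IPS = {"192.0.2.10"}

# Assumed internal address space (RFC 1918); adjust to your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Remote-access protocols that should not be reachable from outside.
RISKY_PORTS = {3389: "RDP", 22: "SSH"}


def is_external(ip: str) -> bool:
    """True when the address is not inside any configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def review_logs(lines, known_bad):
    """Return (src, dst, port, reasons) for every line that needs attention."""
    findings = []
    for line in lines:
        _ts, _action, src, dst, dport, _proto = line.split()
        dport = int(dport)
        reasons = []
        if dport in RISKY_PORTS and is_external(src):
            reasons.append(f"external {RISKY_PORTS[dport]} access")
        if src in known_bad:
            reasons.append("known IOC")
        if reasons:
            findings.append((src, dst, dport, reasons))
    return findings


def build_blocklist(findings):
    """Unique source addresses to push to the firewall/IPS block list."""
    return sorted({src for src, _dst, _port, _reasons in findings})


if __name__ == "__main__":
    for finding in review_logs(SAMPLE_LOGS, KNOWN_BAD_IPS):
        print(finding)
    print("blocklist:", build_blocklist(review_logs(SAMPLE_LOGS, KNOWN_BAD_IPS)))
```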
All these recommendations together can help you maximize your ability to protect against cyberattacks, address known vulnerabilities and potential threats, and make sure that you can detect malicious files before they can harm the organization.
Summary
The healthcare industry is not alone in facing these kinds of threats. Cyber-attacks are a concern for organizations in various industries, and the methods and tactics used by attackers are constantly evolving. It is up to each organization to stay vigilant and take steps to protect against these types of threats. This includes continuous monitoring and proactively identifying and mitigating vulnerabilities to improve the overall security posture and reduce the risk of a successful attack.
By recognizing that “nothing is new under the sun,” healthcare organizations can be better prepared to defend against cyber-attacks and protect the sensitive data of patients and hospitals. Only by taking a proactive approach to cybersecurity can we mitigate the risks of these attacks.