The HHS’ Health Sector Cybersecurity Coordination Center has released a new report – Health Sector Cybersecurity: 2021 – Retrospective and 2022 Look Ahead – that provides a retrospective look at healthcare cybersecurity over the past 3 decades, detailing some of the major cyberattacks to hit the healthcare industry starting with the first-ever ransomware attack in 1989.
That incident saw biologist Joseph Popp distribute 20,000 floppy disks at the World Health Organization AIDS conference in Stockholm. When used, the disks installed malicious code that tracked reboots. After 90 reboots, a ransom note was displayed that claimed the software lease had expired and a payment of $189 was required to regain access to the system.
The report shows how adversaries stepped up their attacks on the healthcare industry from 2014 through 2017. In 2014, Boston Children’s Hospital suffered a major distributed denial-of-service (DDoS) attack; in 2015, a massive cyberattack on Anthem Inc. resulted in unauthorized access to the records of 80 million health plan subscribers; in 2016, Hollywood Presbyterian Medical Center paid an unheard-of ransom of $17,000 following a ransomware attack; and in 2017, the WannaCry exploits affected more than 200,000 systems.
In 2019, ransomware started to be extensively used in attacks on healthcare organizations, with the Ryuk ransomware gang one of the most prolific operators. One of the gang’s attacks was conducted on a managed service provider and affected around 400 dental offices. Attacks continued, and more actors started using ransomware to extort businesses, with the attacks reaching epidemic proportions in 2020. In 2020, cybercriminals took advantage of the COVID-19 pandemic and used COVID-19 lures in their phishing attacks, which continued throughout 2021. McAfee observed an average of 375 COVID-themed threats every minute in 2020.
2020 saw massive cyberattacks reported by SolarWinds, Accellion, CaptureRX, Scripps Health, and Universal Healthcare Services, with Emsisoft reporting $18.6 billion had been paid globally in ransoms to ransomware gangs, although it was estimated that the actual total was most likely closer to $75 billion.
The prolific Maze ransomware gang shut down its operation in 2020, but threats came from many other cyber actors including REvil, Avaddon, and BlackMatter. 2021 saw a massive ransomware attack on the Health Service Executive in Ireland by the Conti ransomware gang. The attack impacted 54 public hospitals and others that depended on HSE infrastructure and it took 4 months to bring all systems back online.
The report makes it clear that cyberattacks targeting healthcare organizations are nothing new. The industry has been targeted for many years and will continue to be targeted for years to come. HC3 recommends that healthcare organizations continue to take steps to improve their defenses against the most common threats such as ransomware, malware, and phishing. Security teams should provide ongoing security awareness training for employees, run phishing simulation exercises to test the effectiveness of training, implement gateway/mail server filtering, blacklisting and whitelisting, and operationalize indicators of compromise.
It is also important to lock down remote access technologies, which are frequently abused to gain access to systems. Virtual Private Networks and technologies leveraging the Remote Desktop Protocol should be operationally minimized, services should be turned off if they are not used, and logs of activity should be maintained and regularly reviewed.
Vulnerability management is essential and needs to be systematic, comprehensive, and repeatable, and there must be mechanisms of enforcement. It is important to maintain situational awareness of applicable vendor updates and alerts and to develop repeatable testing, patching, and update deployment procedures.
It is important for healthcare organizations to understand the value of what the organization has to offer an adversary. That includes protected health information, which carries a high price on the black market, and intellectual property, which is often sought by foreign countries. Once assets have been identified, steps must be taken to ensure that those assets are protected.
In addition to implementing safeguards to protect against attacks, it is important to understand that there will still be a high probability of compromise, to prepare for an attack, and to plan and test the response in advance to ensure that the business can continue to operate.
It is also recommended that healthcare organizations consider relatively new ways of thinking about defense, bearing in mind that adversaries are now thinking in terms of maximizing the number of victims and are targeting managed service providers and the supply chain. Healthcare organizations need to think about how they can prevent and mitigate attacks on third parties.
HC3 says situational awareness will continue to be more and more important in 2022 and beyond. There will be new threats, the tactics, techniques, and procedures of threat actors will evolve, and there will be new vulnerabilities. It is important to keep up-to-date with new threats and vulnerabilities and how they can be corrected and mitigated.
It is vital to maintain trusted defense measures and to defend against distributed attacks and other avenues of compromise. HC3 has provided several resources in the report that healthcare organizations can use to develop their defenses and block current and new attack methods.