Ransomware and Data Destruction Attacks Dominate Healthcare Threat Landscape

A recent report from Carbon Black has revealed that 66% of healthcare organizations have experienced a ransomware attack in the past year and 45% experienced an attack in which data destruction was the main motivation.

The figures come from Carbon Black’s latest report: Healthcare Cyber Heists in 2019. Carbon Black sought input from 20 industry-leading CISOs and questioned them about the cyberattacks they had experienced in the past year, the tactics used in the attacks, and how the threat landscape is evolving.

Last year was a record-breaking year for healthcare data breaches and attacks are continuing at an unprecedented level. April 2019 was the worst ever month for healthcare data breaches with 46 major breaches (500+ records) reported to the HHS’ Office for Civil Rights.

“The potential, real-world effect cyberattacks can have on healthcare organizations and patients is substantial,” explained Rick McElroy, Carbon Black’s Head of Security Strategy and co-author of the report. “Cyber attackers have the ability to access, steal and sell patient information on the dark web. Beyond that, they have the ability to shut down a hospital’s access to critical systems and patient records, making effective patient care virtually impossible.”

83% of surveyed CISOs believe there has been an increase in cyberattacks over the past 12 months and 66% of CISOs think attacks have grown in sophistication in the past year.

Two thirds of surveyed organizations have had to deal with an attempted ransomware attack in the past 12 months. A variety of ransomware variants were used, although Kryptik/GenKryptik ransomware variants were the most common and were used in 74% of attacks.

Almost half of respondents experienced a data destruction attack. These attacks involved the destruction of data in an attempt to paralyze business operations. The attacks are commonly associated with nation-state sponsored hacking groups in Russia, China, and North Korea.

While there were many different methods used to attack healthcare organizations, one of the most common was the use of Excel spreadsheets containing macros that launch PowerShell to download malware.

One third of CISOs said they had experienced an ‘island hopping’ attack in the past year. This is where hackers compromise a third party and use it to attack the organization, for example via partner-provisioned Virtual Desktop Infrastructure access, VPNs, or private network links. One third of CISOs also said counter-incident response tactics were used by the hackers to prevent mitigation of a breach and to try to maintain persistent access.

CISOs were also asked about their biggest concerns. Compliance was the most commonly stated area of concern (33%), followed by budget restrictions (22%), loss of patient data (16%), and vulnerable devices (16%).

Compliance as the main concern is worrying. It suggests healthcare organizations believe that becoming compliant with HIPAA equates to robust cybersecurity when that is not the case. Compliance with HIPAA only means an organization has achieved a baseline level of security. Many healthcare organizations that were HIPAA-compliant have still experienced data breaches. It is important for compliance to be viewed as a starting point in an organization’s security program. Once HIPAA compliant, security programs must be developed further.

The report shows organizations have realized the importance of staff security awareness training, not just for compliance but for improving security posture. 84% of organizations provide staff security awareness training at least annually with 45% providing more frequent training sessions.

When asked to rate their security posture, most CISOs believed there was still considerable room for improvement. 74% gave their organization a B or less (25% B, 16% B-, 33% C).

While the majority of organizations that engage in threat hunting say that it has significantly improved their cybersecurity posture, only one third of respondents said they had a threat hunting team. Carbon Black notes that threat hunting is no longer reserved for the security elite. Threat hunting software is available to help businesses of all sizes gain better visibility and find and address threats before they result in a data breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.