VMware Carbon Black Explores the State of Healthcare Cybersecurity in 2020
Throughout 2020, the healthcare industry was on the frontline of the pandemic, providing medical care to patients suffering from COVID-19, but it also had to deal with increasing numbers of cyberattacks as cybercriminals stepped up their attacks on hospitals and health systems.
Recently, VMware Carbon Black conducted a retrospective review of the state of healthcare cybersecurity in 2020 that revealed the extent to which the healthcare industry was targeted by cybercriminals, how those attacks succeeded, and what healthcare organizations need to do to prevent cyberattacks in 2021.
VMware Carbon Black analyzed data from attacks on its healthcare customers in 2020 and found 239.4 million cyberattacks were attempted in 2020, which equates to an average of 816 attempted attacks per endpoint. That represents a 9,851% increase from 2019.
As it became clear that the outbreak in Wuhan was turning into a pandemic, cyberattacks on healthcare providers started to increase. Between January and February 2020, cyberattacks on healthcare customers increased by 51% and continued to increase throughout the year, peaking between September and October when there was an 87% month-over-month increase in attacks. The large spike in attacks in the fall was due to increased ransomware activity, with the Ryuk ransomware gang in particular stepping up attacks on the healthcare industry.
Attacks were conducted to gain access to healthcare data for identity theft and fraud, with the stolen data bought and sold on darknet marketplaces, but the biggest threat came from ransomware. “In 2020, we saw ransomware go mainstream. The wide-reaching impact of ransomware has been assisted largely by way of affiliate programs,” explained VMware Carbon Black. “With many ransomware groups offering ransomware-as-a-service (RaaS), making the deployment of ransomware easily accessible to millions of cybercriminals who previously didn’t have the tools to carry out these attacks.” The high potential rewards for conducting attacks have drawn many individuals into ransomware distribution who would otherwise not have been able to conduct these types of attacks. Cybercriminals are also recruiting insiders who can provide them with access to networks in exchange for large sums of money or a cut of any ransoms that are paid.
Double extortion tactics have also been extensively adopted by ransomware gangs to increase the likelihood of victims paying, if only to prevent the exposure of stolen data rather than for the keys to recover encrypted files. Much of the stolen data is being offered for sale on dark web sites, especially stolen protected health information and COVID-19 test result data.
In 2020, many threat actors joined forces, sharing resources and exchanging tactics, with access to systems being provided to other threat groups to conduct their own attacks. Collaboration between threat groups is increasing and threat actors are discovering new ways of gaining access to networks to deploy their malicious payloads.
The researchers have seen attacks increase throughout 2020 and there are no signs that the attacks will slow as 2021 progresses. In fact, it is possible that attacks will continue to increase.
VMware Carbon Black makes three recommendations for CISOs to ensure that they stay one step ahead of attackers. Most AV solutions only focus on the delivery stage. For much better protection, healthcare organizations should deploy next-generation antivirus solutions that protect against every stage of ransomware attacks, from delivery to propagation to encryption. Endpoint protection solutions should be chosen that can be rapidly scaled and deployed to protect new users, while maintaining data privacy, compliance, and security practices.
Lastly, healthcare CISOs need to be proactive and address vulnerabilities before they are exploited. That means IT tracking tools should be deployed that provide full visibility into devices that connect to the network. This will allow CISOs to track configuration drift and quickly remediate issues and ensure all devices are patched and protected.