Share this article on:
The healthcare industry is under attack. More data breaches are being reported than ever before, but what is the motivation behind these attacks? Why are hackers targeting the healthcare industry? A new report from FireEye provides some answers.
For the report, FireEye researchers studied recent healthcare cyberattacks and identified the tactics being used, the actions of the hackers post-compromise, and what the ultimate goals of the attacks were.
The researchers were able to classify attacks into two groups: Those concerned with theft of data and disruptive/destructive threats.
Many attacks are focused on obtaining patient data although research data can also be extremely valuable. Cyberattacks concerned with obtaining research information have a low, but noteworthy impact risk to healthcare organizations. These attacks are most commonly associated with nation-state threat actors.
Cybercriminal gangs and nation-state sponsored hacking groups are investing time and resources into targeting specific healthcare organizations that store treasure troves of data. That could be a business associate serving many healthcare organizations or a large healthcare system.
Healthcare providers are susceptible to cyberattacks as many continue to use outdated and unsupported software and operating systems. Many cyberattacks are opportunistic and occur because healthcare providers have failed to address easily exploitable holes in their security defenses. However, it is now increasingly common for healthcare organizations to be targeted based on the amount of data they store.
Disruptive and destructive threats continue to be a major problem in the healthcare industry. Cybercriminals and nation-state threat actors are conducting attacks that aim to disrupt the continuity of operations. These threats include ransomware and wiper malware.
Cyber crime activity is financially motivated and poses a high-frequency, high-impact threat to healthcare organizations. Personally identifiable information (PII) and protected health information (PHI) are commonly sought and the information can be used for many different malicious purposes, including financial fraud, medical identity theft, identify theft, and for crafting convincing phishing messages. The information is commonly bought and sold on darknet marketplaces and that activity is unlikely to stop.
Attacks are also being conducted to gain access to healthcare networks. Access is then sold to cybercriminal groups, nation state groups, and other threat actors. “In Feb. 6, 2019, on a popular Russian-language forum, “Jendely” advertised access to a U.S.-based medical institution. According to the advertisement, the actor obtained the domain administrator’s access to the network consisting of 3,000 hosts. The access is being auctioned for$9,000–$20,000 USD,” wrote the researchers.
FireEye researchers also observed attacks involving malware distribution, cryptomining, and other extortion attempts.
Nation state threats and cyber espionage is moderately frequent in healthcare but can have a major impact. Several APT groups have been observed conducting attacks on healthcare providers, including those linked to China, Russia, Vietnam. Hacktivism is rare in healthcare and may only have a negligible effect.
FireEye warns that there has been a concerted effort by Chinese APT groups to gain access to medical research data. China is moving toward universal health coverage in 2020 and is concerned about increasing cancer and mortality rates and the cost of providing national healthcare. Medical research can be used to advance drug research in China, lower costs, and could even result in drugs being developed and released in China ahead of companies in the United States that conducted the research.
The report (PDF) can be downloaded here.