Top 5 Cyber Security Threats in Healthcare | Redscan

Healthcare, a perennial target for cyber attackers, is facing an unprecedented level of risk.

From email compromise to malware, the healthcare sector is impacted not only by familiar and persistent challenges but also by newly emerging security threats. Drawing on insights from the recent Kroll report, The State of Cyber Defense: Diagnosing Cyber Threats in Healthcare, this article outlines the key threats affecting organisations such as hospitals, health trusts, GP practices and other healthcare bodies.


Healthcare under attack

Long a popular target for threat actors, healthcare continues to be a prime focus. Kroll’s last two Data Breach Outlook reports clearly demonstrate the vulnerability of the sector. Not only does it hold sensitive data which may be at risk of poor handling, but threat actors with malicious intent may also be tempted to target and expose that data to cause disruption. Our State of Cyber Defense report revealed the following as the top cyber security threats in healthcare:

1. Email compromise
2. Ransomware
3. Insider threats
4. Unauthorised network access
5. Web compromise

We look at these threat types in more detail below.


1. Email compromise

Email compromise tops Kroll’s list of threats impacting the healthcare sector. Kroll defines an email compromise event as one in which email accounts are accessed maliciously by a third party, a phishing email or spam campaign is identified, or an organisation’s email is used or compromised in a fraud scheme (such as business email compromise). This type of phishing attack is becoming increasingly prevalent.

While it is a well-recognised security concern, email compromise is sometimes overlooked in the media in comparison with more headline-grabbing threats such as ransomware. Despite this, it remains a viable threat to organisations and was associated with more than $2.4 billion in total losses in 2021, according to the Internet Crime Complaint Center (IC3) annual report.


2. Ransomware

Ransomware and the healthcare industry have a long shared history. Ransomware attacks in healthcare commonly infect systems and files, making them inaccessible until the victim organisation pays a ransom. The impact of this on healthcare organisations is hugely disruptive because it means key systems and processes become slow or inoperable. Ransomware attacks also pose a direct threat to patient health, with studies showing that it has already led to deaths.

Perhaps the most notorious healthcare ransomware incident was the 2017 WannaCry attack, the largest ransomware attack ever, that infected a quarter of a million computers in more than 150 countries, including those within the NHS. The attack ended up costing the NHS £92m.

Despite the impact of WannaCry, stories about a hospital or other healthcare provider disrupted by a security incident are still all too common in the media. As Kroll has observed, even though ransomware is well-recognised as a means of attack in the industry, new strains are constantly being developed, and it remains a scourge on the industry. One particularly concerning shift is the rise of ransomware as a service (RaaS), which makes it much easier for even those with limited technical skills to use ransomware as a form of attack. RaaS gangs like the NoEscape ransomware group are already having an impact on the healthcare sector.


3. Insider threats

Insider threats are threats posed by individuals from within an organisation, such as current or former employees, contractors and partners. These individuals have the potential to misuse access to networks and assets to knowingly or unwittingly disclose, modify and delete sensitive information.

Information at risk of being compromised could include details about an organisation’s security practices, customer and employee data, login credentials and sensitive financial records. The nature of internal threats means that traditional preventative security measures are often ineffective against them. The impact on the healthcare sector, as for other sectors, can be fraud, data theft and system sabotage.


4. Unauthorised network access

Unauthorised network access is another key security issue for the healthcare sector. Unauthorised access involves threat actors gaining access to the data, networks, endpoints, applications or devices of an organisation without permission. This type of threat is closely tied to how user identity is authenticated: misconfigured or broken authentication is a key factor in such attacks.

Healthcare organisations must take action by ensuring that all authentication procedures are regularly checked and assessed. Other attack vectors for unauthorised network access include weak passwords or employees sharing passwords across services, a key risk in healthcare settings where many staff access different types of systems. This issue is also linked with social engineering attacks, mainly phishing, in which threat actors send emails purporting to be legitimate people or organisations, in order to gain credentials.

Compromised accounts can also be a cause of unauthorised network access, with actors searching for vulnerable systems, compromising them, and then leveraging them to reach more secure systems.


5. Web compromise

Web application compromises cover a range of attacks on web applications, depending on the nature of the target organisation and its vulnerabilities. Most types of attacks are undertaken to access personal information on payment websites. Types of attacks include the exploitation of zero-day vulnerabilities; cross-site scripting (XSS), a vulnerability that enables an attacker to inject client-side scripts into a webpage in order to access important information directly, impersonate the user, or trick the user into revealing important information; and SQL injection (SQLi), a method by which an attacker exploits vulnerabilities in the way a database executes search queries. Attackers leverage SQL injection to gain access to unauthorised information, modify or create new user permissions, or otherwise manipulate or destroy sensitive data.
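As an added illustration of the two web-compromise defects named above (this is example code, not from the Kroll report or the Redscan site): a toy patient-search function in its injectable form beside the parameterised fix, and an HTML renderer that reflects the search term unescaped beside the escaped fix. The table, column names and patient rows are constructed for the demo.

```python
"""Added example: SQL injection and reflected XSS defects beside their fixes.
The patients table and its rows are constructed sample data."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory table holding constructed sample patients."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER, surname TEXT, nhs_no TEXT)")
    conn.executemany(
        "INSERT INTO patients VALUES (?, ?, ?)",
        [(1, "Smith", "000-000-0001"),
         (2, "O'Brien", "000-000-0002"),
         (3, "Patel", "000-000-0003")],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, surname: str) -> list:
    """Defect: the search term is spliced into the SQL text, so the database
    executes whatever the caller typed as part of the query. Even a
    legitimate surname with an apostrophe breaks the statement."""
    sql = f"SELECT id, surname FROM patients WHERE surname = '{surname}'"
    return conn.execute(sql).fetchall()


def search_hardened(conn: sqlite3.Connection, surname: str) -> list:
    """Fix: a bound parameter is always treated as data, never as SQL,
    so quotes in the input cannot change the query's structure."""
    sql = "SELECT id, surname FROM patients WHERE surname = ?"
    return conn.execute(sql, (surname,)).fetchall()


def render_vulnerable(surname: str, rows: list) -> str:
    """Defect: the search term is echoed into HTML unescaped, so script
    markup supplied by a user would run in other users' browsers."""
    return f"<p>Results for {surname}: {len(rows)}</p>"


def render_hardened(surname: str, rows: list) -> str:
    """Fix: escape untrusted text before it is placed inside markup."""
    return f"<p>Results for {html.escape(surname)}: {len(rows)}</p>"
```

The parameterised version also handles surnames containing quotes correctly, which the string-built version cannot, so the fix removes a functional bug as well as the vulnerability.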

Other types of web compromise include denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, in which attackers overload a targeted server or its surrounding infrastructure with different types of traffic. Another form of web compromise is memory corruption, when a location in memory is unintentionally modified, creating a vulnerability that threat actors can potentially find and exploit.


How Kroll can help

Kroll has a proven track record of enabling healthcare organisations to protect against, detect and respond to cyberattacks. We provide penetration testing for web applications and cloud environments, cyber risk assessments and vCISO engagements.

We also provide 24×7 managed detection and response to nearly 100 healthcare organisations worldwide, monitoring close to 100,000 endpoints and terabytes of data across SIEM instances, and 300+ incident response engagements affecting healthcare organisations, including ransomware, business email compromise, IP theft, and insider threats, among others. Our expertise includes breach notification, call centre services and identity monitoring for a population of 4M+ impacted by breaches in healthcare.
