Healthcare is an increasingly attractive target for cybercriminals

The rise in eCrime activity has been an ongoing issue for years. Ransomware-as-a-Service (RaaS) models have exacerbated the situation, as cybercriminals no longer necessarily need to have the technical know-how themselves to put their machinations into action, but can simply contract for ransomware services. A whole range of revenue and business models now exist in the RaaS sector. In the so-called ransomware affiliate model, ransomware operators receive a predetermined percentage of the successfully extorted ransom amount from affiliates. It’s a lucrative business model, especially considering that an increase in double extortion ransomware models continues to be on the rise. Here, attackers demand a ransom to decrypt the data, and an additional ransom not to share or sell it. Medical data in particular is an attractive commodity on the dark web. They often form the basis for further criminal machinations by cyber actors, for example in the area of identity theft, medical fraud or tax fraud. That’s because data managed by the healthcare system provides virtually everything an attacker needs to build a digital profile of a patient. The value of a data set, which typically includes date of birth, place of birth, social security number, address as well as e-mail address or, in some cases, credit card information, is estimated at up to $1,000.

Healthcare particularly at risk

To obtain the valuable data sets, the cybercriminals must first gain access to the victim organisation’s network. A common gateway for ransomware-affiliates, for example, is to exploit vulnerabilities or credentials. However, it is also not uncommon for attackers to use the services of access brokers who sell targeted network access to other cybercriminals, who then use RaaS toolkits, for example, to carry out ransomware attacks. According to the latest Global Threat Report, the popularity of access broker services increased in 2022, with more than 2,500 advertisements identified – a 112% increase compared to 2021. Once eCrime actors have gained access to a network, they don’t have much time: on average, it takes them just 1 hour and 24 minutes to move laterally from the point of origin. Attackers recognise that healthcare has limited budgets for IT and security. Add to that limited resources and the fact that each cyberattack impacts the efficiency and effectiveness of the healthcare system in delivering care to patients. When you look at this from an extortion standpoint, the willingness to pay healthcare organisations whose mission is to save lives is significantly higher compared to other sectors. Combine this with the limited budget for investment in personnel and technology, and you get what is known as a soft target. On the other hand, the fact that attackers are becoming more sophisticated and dangerous makes the healthcare sector even more vulnerable.

Healthcare organisations must therefore be able to reduce the number of attack vectors in their IT systems if they are to minimise the severity and frequency of cyberattacks. Healthcare IT systems are vulnerable to cybercrime, but there are measures that can be taken to protect them:

Protect workloads comprehensively

Endpoint and workload security, data and identity protection, and data storage are just a few of the critical aspects that must be considered to keep healthcare organisations safe from cyberattacks. Extended detection and response (XDR) is the next step toward threat-driven security prevention. XDR is a holistic approach that streamlines security data collection, analysis and workflows across an organisation’s security solution to provide better visibility into and unify response to hidden and sophisticated threats. XDR collects and correlates data from endpoints, cloud workloads, networks, and email, analyses and prioritises it, and delivers it to security teams in a normalised format from a centralised console.

Implement zero trust

According to the CrowdStrike Global Threat Report 2023, healthcare is among the top 10 sectors advertised by access brokers. In 2021, nearly 80 percent of cyberattacks use identity-based attacks to compromise legitimate credentials and use techniques such as lateral movement to evade quick detection. Therefore, a zero trust approach should also be implemented in the healthcare industry to prevent identity-based attacks in real time.

Proactive protection: Threat hunting & threat intelligence

Threat data helps healthcare organisations prepare a defence against the most likely attackers and enables threat hunters to spot the signs of an intrusion and remove the intruders from the network. Only then can IT security teams be properly and effectively deployed. In many cases, in addition to threat intelligence, it is recommended to employ an external, fully managed cybersecurity services team that can perform not only threat intelligence, but also incident response, threat hunting, endpoint recovery services and proactive monitoring to close security gaps.

Machine learning and artificial intelligence

Healthcare organisations must never forget that hackers are always evolving their attack techniques. Therefore, they must also continue to develop their protection. Modern attacks can no longer be successfully defended against with technologies that are now outdated. Signature-based antivirus software has long since ceased to be sufficient. Machine learning and classification techniques that can determine whether something is malicious based on behavior or other observable characteristics are now standard for any company’s defense.

Exercising the case of emergency

Tabletop exercises are an efficient way to train the right response in an emergency. After all, even the best security solution in the world is no use if organisations don’t know who to turn to in the event of danger, what needs to be done and who all is involved in the defense process. Regular drills can train all personnel and ensure that the right response is taken in a dangerous situation. In addition, these exercises can help IT, clinical, administrative, and security personnel also continue to identify and address cybersecurity and business continuity vulnerabilities.

The writer is executive healthcare strategist, CrowdStrike.

• Business