CYBERSECURITY FOR HEALTHCARE

The incidence of cyberattacks on healthcare organizations is consistently on the rise across the world. In some regions, the YoY increase is higher than 50%. It has been found that once attacked, a healthcare organization is at higher risk of being attacked again. The average cost of a cyberattack in the healthcare sector is also rising, and has reached $10.1 million.
ACID Technologies provides a cost-effective solution to help healthcare organizations protect themselves from cyberattacks. Through 24/7/365 dark web monitoring, as well as the continuous monitoring of a multitude of other sources, it detects attacks as early as in their planning stage, and provides the targeted organization with a real-time alert, continuing to add valuable information as it becomes available. The intended victim can thus respond and implement countermeasures to diminish the harmful effects of the attack, or even foil it altogether. It can thus potentially avoid disruption to its operation, heavy regulatory fines, and loss of reputation.
Is the healthcare sector a preferred target for cybercrime?
The healthcare sector is a prime target for cybercriminals and cyberterrorists, due to the huge amount of sensitive PII (personally identifiable information) that it stores, and the critical need for constant availability of updated patient data in order to provide uninterrupted medical care. Unavailable medical records and service disruptions not only directly impact a healthcare organization’s ability to fulfill its mission, but can also place lives at risk. Moreover, while passwords can be changed and credit cards can be reset, health data remains valid forever, and can be used for identity theft, insurance and healthcare fraud, and other malicious activities.
Aware of the vulnerability of this sector on the one hand, and of the potential for financial gain from attacks directed at it on the other, cybercriminals regard the healthcare sector as a particularly attractive target. The sector is lucrative to them because of the potential profit from selling stolen sensitive data on the dark web, and because healthcare organizations are more likely than those in other sectors to pay a ransom in order to retrieve their records and resume operation, avoid fines for regulatory violations, and protect their reputation.
In its report covering the period January to September 2024, Check Point Research revealed that the global weekly average number of attacks per organization in the healthcare industry reached 2,018, reflecting an increase of 32% as compared to the same period in 2023.
However, the largest increase, of 56%, was recorded in Europe, although the weekly number of attacks was lower: 1,686.
The APAC region was responsible for an almost equally high rate of increase – 54%, but incurred the highest number of weekly attacks per organization, averaging 4,556.
Check Point’s research for Latin America shows a 34% increase, with a weekly average of 2,703 attacks per organization.
The rate of increase in North America stood at 20%, with 1,607 weekly attacks.
Why is the healthcare sector so vulnerable to cyber attacks?
The vulnerability of the healthcare sector to cyber attacks results from a variety of causes:
Digitalization: Increased digitalization of healthcare systems is identified by Check Point Research as a major contributor, driven by expanding access to digital health records and telemedicine. Needless to say, to provide timely and accurate medical treatment, sensitive patient data must be readily accessible to healthcare professionals.
Internet of Medical Things (IoMT), networked devices: The growing reliance on IoMT and the use of interconnected devices in healthcare organizations significantly increases their vulnerability, as a successful attack on a single device can have broader and more damaging consequences. The security of IoMT systems is often poor; this helps cyber attackers exploit weak points in order to access and steal sensitive data.
Regulatory requirements: In some countries, these requirements are insufficient. Even healthcare organizations that fully comply with them remain exposed to cyber attacks.
Insufficient resources: Many organizations in the healthcare sector, particularly smaller hospitals, lack the funds necessary to invest in effective measures to reduce their risk of incurring cyber attacks, the average cost of which is now $10.1 million (Check Point Research report, Q2 2024). Most of their budget is dedicated to patient care, and due to their finite resources, investments in cybersecurity often take a back seat. This is despite the risk of facing ransom demands in the millions of dollars, which far exceed the cost of such measures. Furthermore, as cybercriminals continuously upgrade their methods of attack, the solutions must at a minimum keep up with them; this requires the investment of even more resources.
Are ransomware attacks common in the healthcare sector?
Ransomware attacks pose great danger to organizations operating in the healthcare sector, as demonstrated by their disastrous effects on hospitals worldwide. According to the FBI, healthcare and public health organizations were at the receiving end of the largest number of ransomware attacks in 2023. Check Point Research reveals that their number has increased by 264% in the last five years.
When cybercriminals encrypt the data in hospital systems and prevent medical teams from accessing it, they also prevent them from fulfilling their mission to provide the needed medical care, even to the extent of placing patients’ lives at risk. Without access to patient data, medical professionals have been forced to treat patients without up-to-date information, such as recent test and imaging results, and to revert to handwritten records. This not only slows down their work, but also reduces the quality of care they provide.
Ransomware as a service (RaaS), in which cybercriminal groups specializing in ransomware attacks provide tools to others who lack the skills to act on their own, increases the challenge of dealing with these increasingly sophisticated attacks.
The above-mentioned Check Point Research report addresses a particular ransomware group, RansomHub, which promised in an advertisement on the dark net that only 10% of the ransom received would go to the group providing the sophisticated tools, while the partners would keep 90%. This marketing approach highlights the fact that cybercrime operates like any other tech business. The report provides an example of a hacker advertising on an underground forum in the Russian language, who with his group asked for a commission of 20% on successful ransomware attacks. It adds: “This is an illustration of how RaaS cybercriminals recruit their partners and what the standard revenue distribution is. The interesting thing is that some forums have an arbitration and dispute resolution mechanism in cases where both parties disagree on payment or services delivered. This is essential as all communicating parties are criminals who communicate in an anonymous environment.”
The Check Point Research report also points to another aspect: “The problem is even bigger because many cybercriminals are working together. Some offer access to organizations they have previously breached, and others offer to rent their infrastructure for a fee. The dark net is full of advertisements offering ransomware-as-a-service (RaaS) so that even amateur cyber criminals who would otherwise not have the technical knowledge and experience for similarly serious attacks can threaten hospitals and other healthcare institutions.” Furthermore, the report states: “we’re seeing that if one attack occurs, another can follow relatively soon. Cybercriminals are counting on the fact that perhaps there will be a failure to recover properly, that there is still some chaos, or that there will be an underestimation because hospitals won’t expect to be targeted repeatedly.”
The heavy fines that the authorities can impose on hospitals found in breach of privacy regulations also play a role in their decision on whether to pay the ransom.
What are some examples of recent significant ransomware attacks?
Recent ransomware attacks in various countries around the world include:
- An attack in February 2024 targeting Change Healthcare cost the company an initial sum of $872 million. For a period of several weeks, healthcare staff in hospitals, pharmacies and other healthcare facilities throughout the USA were unable to receive payment for patient care. CBS News referred to this attack as “the biggest ever cybersecurity attack on the American healthcare system.” The CEO of UnitedHealth Group admitted that perhaps a third of all Americans were impacted in this attack. The Russian cybercriminal group using the names Blackcat and Alphv took responsibility for the cyberattack, and later, a different group, RansomHub, posted the data that it claimed had been stolen, which Change Healthcare said may have included “diagnoses, medicines, test results, images, care and treatment.” The company’s President and Chief Financial Officer John Rex said: “Of the $870 million, about $595 million were direct costs due to the clearinghouse platform restoration and other response efforts, including medical expenses directly relating to the temporary suspension of some care management activities.” The company later admitted to paying an additional $22 million ransom, adding that it expected the total cost of this cyber attack to amount to $2.3 billion or more.
- The May 2024 ransomware attack on Ascension, an American nonprofit network that includes 140 hospitals in 19 states, affected a large number of its hospitals. It forced Ascension to take critical IT systems offline and record patient information on paper, divert ambulances and close pharmacies. It took Ascension approximately six weeks to restore access to its electronic medical record system and resume routine operation.
- In Australia, the personal details of almost 13 million people – approximately half of the country’s population – were stolen in a ransomware attack in April 2024 targeting MediSecure, a prescription provider.
- In September 2024, in a ransomware attack affecting London hospitals, the data of nearly one million NHS patients were leaked online in an extortion attempt. The leaked data included personal information as well as highly sensitive medical information, for example on sexually transmitted infections and cancer.
- The critical software systems of OneBlood, a blood center serving hundreds of hospitals in the USA, were targeted in a ransomware attack in August 2024, which was attributed to Russian cybercriminals. One week after the attack was launched, the systems were still in the process of being restored.
What other types of cyber attacks are common in the healthcare industry?
Two other types of cyber attacks are often chosen by cybercriminals:
- Distributed Denial of Service (DDoS): DDoS attacks, in which the perpetrators overwhelm systems with traffic beyond their handling capacity, are increasingly used, at times combined with ransomware or theft of data.
- Phishing: Using stolen credentials or malware to gain entry into organizations’ systems is also a common type of attack in the healthcare industry. Due to the large number of users involved, cybercriminals find that it is relatively easy to trick some of them into sharing their credentials. This type of attack is also less costly to the criminals than attempting to penetrate the organizations’ cybersecurity measures.
What challenges do the healthcare organizations face when trying to enhance the level of their cybersecurity?
In their efforts to enhance the level of their cybersecurity, healthcare organizations face multiple challenges:
- Outdated legacy systems: Many healthcare organizations rely on legacy systems that have become outdated and increase their vulnerability to cyber attacks, as well as to legal risks and crashes. In terms of cybersecurity risks, they often contain unpatched vulnerabilities, which cybercriminals can easily exploit to carry out attacks. These organizations would be well advised to consider that the potential cost of breaches exceeds the cost of updating the systems and proceed to do so – the sooner the better.
- Multiple point products: Check Point, citing a survey conducted with Vanson Bourne, mentions poor visibility and gaps between the protections delivered by each product. As multiple vendors are involved, organizations must also deal with the complexity and the higher cost of managing relationships with them. While 87% of the respondents in this survey recognized the importance of consolidation, 54% reported that their organizations use more than 10 point-products. Consequently, it is more difficult for these organizations to detect potential attacks and implement measures to thwart them before being faced with the outcome of having their sensitive data stolen or rendered inaccessible in a ransomware attack.
- The impact of disconnected security architecture on cost: As the security architecture of many healthcare organizations is disconnected and inefficient, they often find themselves paying for overlapping, redundant security solutions, instead of investing the same amount of money in more advanced and effective ones.
What are some additional examples of significant healthcare data breaches?
- In February 2024, Cencora, a pharmaceutical solutions company which is #10 on the Fortune 500 list, suffered a cyber attack that exposed patients’ personally identifiable information (PII) and protected health information. Due to interconnectedness in the pharmaceutical industry, this single attack impacted almost a dozen partnering pharma firms, including, among others, Bayer, Novartis, Regeneron, AbbVie, GlaxoSmithKline, Incyte, Genentech, Sumitomo Pharma America, Acadia, Endo, and Dendreon.
- In August 2024, the IT systems of McLaren Health Care, a $6.6 billion health system in Michigan, USA, which includes 13 hospitals, HMOs, surgery and imaging centers, were breached in a cyber attack. As a result, 2.2 million patients’ sensitive personal and health information was compromised, including names, dates of birth, social security numbers and extensive medical information, such as billing, claims, diagnoses, prescription details, and Medicare and Medicaid information. The breach was detected only a month later. The Alphv ransomware group claimed responsibility. As a result of the attack, McLaren Health Care faces at least three class-action lawsuits.
- In June 2024, major London hospitals declared a “critical incident” following a ransomware attack on Synnovis, a private company which provides them with blood test analyses services. The operation of seven NHS hospitals was severely disrupted, forcing them to cancel more than 800 operations and reschedule 700 outpatient appointments. Because of the attack, the hospitals also issued an urgent call for blood transfusions.
- In May 2023, PharMerica, a pharmacy services provider with thousands of facilities, discovered a data breach involving nearly six million patients, following suspicious activity on its network and unauthorized third-party access. The patient details that were leaked included names, birth dates and social security numbers, as well as medication, health information and insurance details. The ransomware group Money Message posted the stolen data on the dark web, claiming to have obtained 4.7 terabytes of data from PharMerica and its parent company.
- In April 2024, in a cyber attack targeting Kaiser Permanente, the personal information of as many as 13.4 million Americans may have been sent to various external bodies, among them X, Google and Bing. This may have occurred when members and patients accessed its mobile applications or websites.
ACID Intelligence enhances the cybersecurity posture of healthcare organizations. Clusters of robots are deployed, advanced AI tools implemented, avatars injected and crawlers used to imitate regular user activity. Client-specific keywords in the relevant language(s) are set to immediately detect any hint of a planned attack appearing on the dark web and on a multitude of other sources. Once detected, a real-time alert is sent to the targeted organization, with all available information. With this precise information, the intended victim can respond to the threat and take action to reduce it, mitigate its potentially disastrous consequences, and possibly foil the attack altogether. Monitoring continues and updated information is provided as soon as it becomes available, to enable fine-tuning of the response.
With ACID’s cybersecurity solution and its continuous dark web monitoring, healthcare institutions can significantly reduce their risk of service disruption and continue their important lifesaving work, and also potentially avoid heavy regulatory fines and class-action lawsuits.
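As an added illustration of the keyword-alerting pattern described in the preceding paragraphs (example code written for this page, not ACID's product code): a small Python monitor that normalises incoming text so a client's keywords match regardless of case or script, opens one alert per client on the first hit, and appends later mentions to that alert as updates. The client name, forum names and posts are constructed sample data.

```python
import re
import unicodedata
from dataclasses import dataclass, field

def norm(text):
    # NFKC + casefold so "EXAMPLE" matches "example" and Cyrillic or accented
    # keywords compare correctly regardless of case.
    return unicodedata.normalize("NFKC", text).casefold()

@dataclass
class Alert:
    client: str
    first_seen: str
    evidence: list = field(default_factory=list)  # (time, source, keyword)

class KeywordMonitor:
    # One open alert per client, enriched as mentions arrive (hypothetical design).
    def __init__(self, client_keywords):
        # client_keywords: {"client": ["keyword in any language", ...]}
        self.patterns = {
            c: [re.compile(r"(?<!\w)" + re.escape(norm(k)) + r"(?!\w)")
                for k in kws]
            for c, kws in client_keywords.items()}
        self.alerts = {}  # client -> Alert

    def ingest(self, source, timestamp, text):
        # Feed one observed post; returns [(client, is_new_alert), ...].
        text = norm(text)
        hits = []
        for client, pats in self.patterns.items():
            m = next(filter(None, (p.search(text) for p in pats)), None)
            if m is None:
                continue
            alert = self.alerts.get(client)
            is_new = alert is None
            if is_new:
                alert = self.alerts[client] = Alert(client, timestamp)
            alert.evidence.append((timestamp, source, m.group(0)))
            hits.append((client, is_new))
        return hits

SAMPLE_POSTS = [  # constructed sample posts, not real observations
    ("forum-a", "2024-09-01T10:00", "Access to Example Regional Hospital network for sale"),
    ("forum-b", "2024-09-02T08:30", "Ищу партнёров, цель: EXAMPLE Regional Hospital"),
    ("forum-a", "2024-09-02T09:00", "Unrelated chatter about the weather"),
]
def run_demo():
    mon = KeywordMonitor({"Example Regional Hospital": ["Example Regional Hospital"]})
    return [mon.ingest(*post) for post in SAMPLE_POSTS], mon.alerts
```

The second post is matched although it is in Russian and uses different capitalisation, and it updates the existing alert instead of raising a second one; the word-boundary lookarounds keep a keyword such as "hospital" from firing on "hospitals".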