Healthcare Archives

Resources that cover platform features and industry news pertaining to the healthcare industry.

Cybersecurity for Healthcare: 2024 Threat Insights

April 18, 2024/in Blog Post/by Ellen Loughlin

The recent ransomware attack on UnitedHealth’s Change Healthcare subsidiary highlighted the attractiveness of the data-rich U.S. healthcare industry to cybercriminals and the severe impact on patients and doctors. Total expenses from the attack are expected to surpass $1 billion, including a $22 million ransomware payment. With cybercriminals leveraging sophisticated techniques to infiltrate systems, encrypt data, and extract sensitive information, the healthcare sector faces significant challenges in safeguarding patient records and maintaining operational efficiency.

This industry spotlight highlights significant trends and developments in the threats, vulnerabilities, and cyberattacks faced by the healthcare industry in the U.S observed from January to March 2024 by Adlumin’s Threat Research Team. 

Industry Spotlight: The Healthcare Industry

Top Threat: Ransomware

Last year, the FBI’s Internet Crime Complaint Center released its latest report on Internet crimes and identified the healthcare and public health sectors as the most victimized by ransomware^[1]. In fact, the healthcare sector had over 33% more reported victims than the second leading sector, critical manufacturing; 82% more than government facilities, and well more than double the number reported by the financial service sector. While waiting for the latest data reflecting 2023 cases, it’s almost certain that the healthcare sector will continue to see more ransomware attacks.

Ransomware gangs which operate under affiliate models often capture vital data, impose hefty ransoms for data retrieval, and significantly hinder patient care operations. The ransomware affiliate model resembles legitimate affiliate programs – hackers code the malware, while affiliates distribute it through Ransomware-as-a-Service (RaaS), then share the ransom profits. There may also be shared infrastructure for payout and money laundering operations. Combined, this lowers the barrier to entry for attackers and increases attack volume, fueling the overall threat.

Adlumin has observed wide adoption of a tactic known as double extortion in healthcare sector attacks. In double extortion operations, attackers encrypt sensitive and critical data as part of traditional ransomware operations, and exfiltrate or steal sensitive data. Ransomware actors then threaten public release of the data, meant to force payment of hefty ransoms even if defenders can recover encrypted data and systems from backups or other sources.

Adlumin has also observed ransomware operators increasingly threaten to report victims to regulatory authorities such as the SEC, resulting in almost certain fines if applicable under a host of old and new laws and regulations. Additionally, in uncovering Play ransomware. operations, Adlumin uncovered that ransomware attackers threaten to notify organization’s partners and customers as part ransom messages, a tactic meant to coerce payment. These factors can be especially important for those in the healthcare sector as HIPAA (Health Insurance Portability and Accountability Act) can impose fines for data breaches involving protected health information (PHI). The four categories used for the penalty structure are:^[2]

Tier	Description	Fines per Violation*
Tier 1	A violation that the covered entity was unaware of and could not have realistically avoided, had a reasonable amount of care been taken to abide by HIPAA Rules.	$137 to $68,928
Tier 2	A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (but falling short of willful neglect of HIPAA Rules).	$1,379 to $68,928
Tier 3	A violation suffered as a direct result of “willful neglect” of HIPAA Rules, in cases where an attempt has been made to correct the violation.	$13,785 to $68,928
Tier 4	A violation of HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation within 30 days.	$68,928 to $2,067,813

*Yearly cap of $2,067,813

Ransomware operators are also beginning to forgo encryption entirely, favoring data exfiltration and extortion operations. Both types have seen usage of Living-Off-the-Land (LOTL) techniques.

LOTL attacks are a stealthy tactic where attackers exploit legitimate tools already present on a system, like PowerShell, the command prompt, or native binaries like certutil, to carry out malicious activities. These “Living Off the Land Binaries” (LOLBins) blend in with normal system operations, making them more difficult to detect and allows attackers to steal data, move laterally within a network, or gain persistence without relying on easily identifiable malware.

Healthcare Top Threats

AlphV/BlackCat

On December 19, 2023, the FBI announced disruption of RaaS operations carried out by AlphV (also known as “BlackCat”). The FBI seized several websites created by the group and gained visibility into the BlackCat ransomware group’s computer network as part of the investigation^[3]. Additionally, authorities offered victims access to an FBI-developed decryption tool allowing for recovery of encrypted data.

In response BlackCat called for open season against the healthcare sector stating, “Because of their actions, we are introducing new rules, or rather, we are removing ALL rules except one, you cannot touch the CIS. You can now block hospitals, nuclear power plants, anything, anywhere.”^[4]

On February 27, 2024, CISA, the FBI, and the Department of Health and Human Services (HHS), released a joint advisory which addressed BlackCat’s operations and attacks against the healthcare sector. They noted that, “Since mid-December 2023, of the nearly 70 leaked victims, the healthcare sector has been the most victimized. This is likely in response to the AlphV / Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.”^[5]

In late February 2024, as part of attacks against the healthcare sector, insurance provider UnitedHealth found itself in the crosshairs of BlackCat operations, it was reported the attack “had a knock-on effect on players across the U.S. healthcare system, as disruptions triggered by the attack have impacted electronic pharmacy refills and insurance transactions.”^[6] In a quickly deleted post to its darknet hosted website, BlackCat stated that it stole millions of sensitive records.

BlackSuit Ransomware

In November 2023, the Health Sector Cybersecurity Coordination Center (HC3) at the U.S. Department of Health and Human Services (HHS), released a detailed analysis on BlackSuit, a new ransomware strain that poses a credible threat to the healthcare and public health (HPH) sector.

BlackSuit emerged in May 2023 and exhibits significant parallels to the Royal ransomware family, which succeeded the infamous Conti group linked to Russia. BlackSuit’s ties to these active threat actors suggest ongoing, aggressive targeting of the healthcare industry. HC3 outlined BlackSuit’s operations, including its use of double extortion tactics, specific technical details, and potential impact on healthcare services, alongside recommended defenses, and mitigation strategies.

As outlined in the HC3 report, BlackSuit’s impact could be significant, particularly if the group’s ties to the Royal and Conti ransomware families are confirmed. With its use of double extortion tactics, BlackSuit not only encrypts sensitive data on compromised healthcare networks but also threatens to leak stolen data unless a ransom is paid. This approach poses a dual threat: the immediate disruption of healthcare services due to inaccessible patient records and systems, and the long-term damage from the potential exposure of confidential patient data.

BlackSuit operates by encrypting sensitive data on compromised networks, employing a double extortion scheme that has so far targeted a limited number of victims across various sectors, including healthcare, in countries such as the U.S., Canada, Brazil, and the U.K. The analysis reveals BlackSuit’s operational techniques, encrypted file extensions, ransom demand methods, and its distribution via infected email attachments, torrent websites, malicious ads, and trojans.

Despite its limited use, the connections to Royal and Conti hint at a potentially significant threat landscape for the healthcare sector. Technical similarities with the Royal ransomware family, based on binary comparison tools, suggest BlackSuit could be a variant or affiliate of these larger, well-organized ransomware operations.

HHS emphasizes the importance of heightened security measures and preparedness within the healthcare industry to mitigate risks associated with ransomware attacks.

Recommendations to Eliminate Risks

To protect against evolving cyber threats in the healthcare sector, Adlumin recommends practicing good cyber hygiene by staying informed of the threat landscape, updating software regularly, implementing a Security Awareness Program, and deploying endpoint protection solutions.

Adlumin’s threat research team advises healthcare organizations to regularly update software, segment their networks, and plan for incident response. They also recommend implementing security monitoring, and anomaly detection tools. In addition, secure backups, encryption of sensitive data, and HIPAA compliance are crucial elements of a strong cybersecurity strategy.

With a deep understanding of the healthcare sector’s unique challenges and vulnerabilities, Adlumin stands as a reliable partner in strengthening cybersecurity posture and ensuring regulatory compliance. Partnering with Adlumin equips healthcare organizations with the necessary tools and expertise to combat ransomware and protect critical infrastructure effectively.

Stay tuned, Adlumin’s Threat Research team is releasing in-depth mitigation strategies for the healthcare sector.

References:
[1] https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf
[2] https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
[3] https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant
[4] https://krebsonsecurity.com/2023/12/blackcat-ransomware-raises-ante-after-fbi-disruption/
[5] https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a
[6] https://www.reuters.com/technology/unitedhealth-confirms-blackcat-group-behind-recent-cyber-security-attack-2024-02-29/

Adlumin Helps a Healthcare Provider Defend Against 250,000 Daily Attacks

September 14, 2023/in Success Stories/by Shannon Flaherty

This paper highlights the cybersecurity challenges faced by Sky Lakes, a custodian of sensitive patient data vulnerable to cyberattacks due to limited resources. They lacked effective security tools to investigate external endpoints and needed to prevent another technology infrastructure loss after a ransomware attack. Sky Lakes sought a solution to meet regulatory requirements like HIPAA. The results reveal that Adlumin’s Security Operations Platform successfully defends against daily attacks, saving time and resources through tool consolidation into a user-friendly dashboard. Adlumin’s one-touch compliance and reporting also facilitated quick cybersecurity enhancements, ensuring comprehensive protection and valuable insights.

Your Command Center for Security Operations - Healthcare

August 1, 2022/in Datasheets/by Adlumin Staff

Adlumin provides essential cybersecurity solutions for healthcare organizations and Health Delivery Organizations (HDOs) to protect operations and patients from cyber threats.

With Adlumin, healthcare organizations can safeguard patient care, reduce healthcare costs, and ensure compliance with HIPAA and HITRUST standards. They can also defend against sophisticated criminals targeting clinical information systems and medical operations.

Stay ahead of evolving threats in the healthcare sector and maintain the integrity of patient records and medical devices.

Download this solution brief to learn more.

Modernizing Healthcare: Your Proactive Cyber Defense

July 19, 2022/in Blog Post Brittany Demendi/by Adlumin Staff

Modernizing Healthcare: Your Proactive Defense is a part of Adlumin’s Cyber Blog and industry-specific content series. For more information about how your organization can protect itself from cybercriminals, browse more from our knowledge-rich series here.

This past year cyberattacks have continuously stolen headlines as cybercriminals target large corporations. Specifically, the healthcare sector leads by industry with the most breaches. HIPPA Journal reported on IBM Security’s Data Breach Report stating that healthcare data breaches are the most expensive compared to any other sector averaging $9.42 million per incident. Healthcare providers are forced to cancel surgeries, outpatient procedures, and other critical patient care because of forced operation disruptions—emphasizing the severity of damage that these breaches cause. In fact, a study by Vanderbilt (2019) found an increase in negative patient outcomes (typically in time-sensitive treatments) following ransomware service outages.

When health records are exposed, patient privacy is at risk. Healthcare records are the most valuable data set on the dark web and, as such, are lucrative targets for criminals. Moreover, medical data breaches can lead to monumental penalties under HIPPA’s Privacy and Security Rules. The best proactive defense is to equip your frontline workers with the skills to recognize and report suspicious activity. A comprehensive and actionable cybersecurity framework requires a robust and tailored cybersecurity training program for all employees.

The Value of Healthcare Data

Healthcare data has a high black market value because it typically contains multiple pieces of sensitive (financial, insurance claims, etc.) information for one individual instead of one piece of information found in other industry breaches (like an email address). Due to the desirability of individuals’ profiles, there is a substantial monetary gain for cybercriminals. One report values stolen healthcare records at $250 compared to $5 for a stolen credit card.

What Makes the Healthcare Industry Vulnerable?

While lucrative records attract criminal activity, the data-sharing, transient nature of healthcare providers creates an additional opportunity for exploitation. Traditionally patient records reside in several clinical information systems, including electronic medical records (EMR) or healthcare records (EHR), and PACS, DICOM, or RIS systems in medical imagery, often operated on legacy systems.

HIoT/IoMT internet-connected devices such as patient telemetry, dosage metering, and other patient wearable devices have grown in adoption year over year. And the next phase of digital disruption is ushering in machine learning-assisted detection and even predictive roles in the evaluation of tumors, robot-assisted surgery is on the rise in remote communities, drug management and dispensaries are connected to CIS systems, and even non-medical systems like automated facilities management pose a threat.

Vulnerability 1: Outdated Legacy Systems

The leading causes of data breaches within the healthcare industry are outdated legacy systems and cybersecurity unawareness, which go hand in hand. While replacing legacy systems is the safest option and improves practitioner and patient experiences, it’s often impractical or out of budget. These legacy systems (often no longer supported by the vendor) leave organizations vulnerable to cyberattacks through easily accessed “back-door entry” into systems holding patient information and medical data. These legacy systems often lack third-party support. Finding the essential support to fix or address issues can be challenging when technology is outdated or cannot be updated without causing a domino effect disruption to other services.

Solution:

Healthcare organizations must prioritize and align with a Managed Detection and Response (MDR) platform. These platforms detect, anticipate, and prevent malicious threats across a healthcare organization’s network. Not only do they anticipate threats, but features such as a User Entity and Behavior Analytics (UEBA) within an MDR platform take data from individual users and entities such as servers, workstations, and endpoints and ingest it into the platform for baselining expected behavior. This allows for total network visibility when tracking behavioral patterns.

In addition, MDR platforms can offer Continuous Vulnerability Management (CVM) to close the gaps between security assessments and significantly reduce risk. This cloud-based service gives organizations immediate visibility globally into where their IT systems are vulnerable to the latest threats and how to protect against them.

Vulnerability 2: Cybersecurity Unawareness

Employees who use devices without adequate training on cybersecurity protocols immediately put your organization at risk for a data breach. Human error is deemed one of the top reasons for breaches as employees face increasing threats in their email inboxes, web browsers, and networks. Everyone who handles patient data needs to understand their responsibility and role in recognizing a cyberattack.

Solution:

Implementing a proactive defense program, typically with third-party providers, empowers employees with the proper skills to identify and report suspicious activity. A proactive defense program is fully managed security awareness testing and training designed to reduce the risk posed by cybercriminals. Training is vital within the healthcare sector to comply with set policies and industry regulations by the Health Insurance Portability and Accountability Act (HIPPA) of 1996. Conducting simulated phishing campaigns to employees can dramatically improve your cybersecurity posture.

Prioritizing Proactive Defense

Healthcare data breaches are destructive and impact patient outcomes. Implementing proper cybersecurity standards across your organization goes a long way to shutting down dangerous opportunities without sacrificing services. Ramping up your cybersecurity proactive defense program doesn’t have to be daunting and is usually outsourced to a third party for cost-effectiveness.

Modernizing healthcare systems improves communications between doctors and patients through protected and monitored smartphone apps, telehealth software, and texting. Additionally, it improves operations, resulting in better healthcare delivery, lower costs, and a more efficient workforce. By actively addressing your healthcare organization’s vulnerabilities, you can enhance the quality of care and advance in the industry. To succeed in this effort, you must create a cybersecurity culture to ensure that employees and staff members are an asset instead of a vulnerability.

How to Strengthen Healthcare Cybersecurity

July 15, 2022/in Blog Post/by Adlumin Staff

Cybersecurity and patient privacy go hand in hand within every healthcare organization. There is growing federal scrutiny, which is changing things for the healthcare industry. HealthTech takes a deep dive into how to strengthen your cybersecurity, the costs associated with cybersecurity, and tips to support your cybersecurity strategy.

“Recovering from a ransomware attack will cost a healthcare organization $1.85 million, on average, and take about a week to resolve, according to Sophos’ most recent report.
Healthcare organizations are also more likely than organizations in other sectors to pay the ransom, but when they do, they may not get back all their data. And just 78 percent of healthcare organizations have cyber insurance coverage, according to Sophos’ “The State of Ransomware in Healthcare 2022.”
As healthcare systems face the daunting proliferation of cyberthreats and vulnerabilities, the federal government has continued to keep a close watch on the sector. The landscape has drastically evolved since HIPAA was signed into law in 1996.
This spring, the U.S. Senate introduced the PATCH Act, a bipartisan bill targeting medical device security. In a statement of support for the legislation, the American Hospital Association wrote, “Cyber vulnerabilities in medical devices, often containing outdated legacy technology, have posed a significant cyber risk to hospitals.”
With increased government scrutiny and a volatile threat landscape, healthcare organizations may also experience insurers demanding to see stronger cybersecurity controls in place in response to major losses from cyber coverage during the pandemic. Purchasing cyber insurance without understanding the requirements or the extent of coverage needed could end up being more of a hindrance than a help.”

Read the full article here.