The healthcare and pharmaceutical industry has a complex and challenging cyber threat landscape. The current burden of the pandemic is further causing a priority shift away from security and towards usability and along with that comes multifarious danger. From sale of healthcare data in underground forums to ransomware, the industry needs to urgently improve their risk profile and security posture.
In August 2021, ransomware operators targeted the health department of the Italian region of Lazio and disabled its COVID-19 vaccination booking system, disrupting the scheduling of new vaccination appointments for days.
Since it contains the city of Rome and is one of Italy’s most densely populated areas, Lazio was an attractive target because of the strong desire among its people to get vaccinated and gain its Green Pass vaccine passport. Hackers likely believed that this would pressure the authorities to pay up the ransom to unlock the systems they had disabled through a cyberattack.
Such hacks won’t be the last ones mounted on a healthcare or pharmaceutical organisation during one of the worst crises to affect the world.
In June 2021 alone, an underground criminal forum monitored by IntSights, a Rapid7 company, put up a database of COVID-19 vaccination records of nearly 7.4 million Italians for sale. A forum user also claimed to have maintained access to the data source.
Any hopes that hackers would pause their attacks during the almost two years since the pandemic arrived were quickly squashed by a number of high-profile attacks that not only caused severe disruption but probably cost lives.
In 2020, more large healthcare data breaches were reported than in any other year. In addition, 2021 saw five consecutive months (March through July) when industry data breaches were reported at a rate of two or more per day.
As the Lazio attack showed, hackers have looked to exploit confusion and fear during the pandemic, estimating that healthcare organisations would be more willing to pay a ransom.
But while incidents of ransomware have sharply increased in the sector over time, it won’t be the only type of cyber threat to come their way.
The personal details in protected health information (PHI) are handy for criminal groups that wish to commit identity and insurance fraud.
Unfortunately, once data such as social security numbers and medical diagnoses are out in the open, they are “gifts that keep giving” – the data can be exploited repeatedly by criminals.
Criminals are not the only ones targeting healthcare and pharmaceutical organisations, to be sure. Hackers backed by nation states are out to steal personal data that could enhance their cyber espionage and intelligence activities as well.
In other words, healthcare and pharma face multiple cyber threats due to their unique threat profile.
A fair question one might ask is why sectors so heavily regulated in terms of security and data protection can still carry such a high risk profile.
One issue is that many of these regulatory requirements are not enough to protect against the latest threats, which are increasingly sophisticated and hard to guard against if one were to just follow the basic requirements.
It may be good to check all the boxes in terms of compliance, but often that may not be enough to defend against threats and scenarios that are constantly evolving beyond what the compliance standards first envisioned.
Healthcare organisations should view these standards as the bare minimum and seek to go above and beyond what they require.
Indeed, attackers usually look for weaknesses beyond these requirements, since the requirements themselves represent the minimum set of obstacles in their way.
Ironically, their highly regulated nature also sometimes plays into the hands of cyber attackers.
Since healthcare organisations often have to pay severe penalties to government regulators or to victims of a data breach, hackers look to this as a form of leverage when it comes to demanding a hefty ransom to unlock a system or avoid dumping the data they have stolen in public.
The modus operandi for ransomware gangs today is to threaten to disclose compromised data, in addition to encrypting it for ransom. They often follow through on these threats by posting files from victims on dark web pages where they are accessible to other criminals for their own malicious purposes.
Regulations, perhaps indirectly, also sometimes hamper the updating of medical devices, which makes them vulnerable and at risk of compromise.
For example, in the United States, the Food and Drug Administration (FDA) only requires medical device manufacturers to submit significant modifications to previously approved devices for approval. This, the regulator has indicated, does not include security updates.
Unfortunately, some manufacturers may be discouraged from issuing security updates, perhaps as part of “overcompliance.” This opens up vulnerabilities, especially with older or legacy devices that are no longer supported.
Many of these medical devices have long lifespans of a decade or more, allowing them to remain vulnerable for longer periods of time than conventional IT devices.
For cyber attackers, vulnerable medical devices can serve many roles, including being an always-open door into the networks of hospitals and other healthcare providers.
Finally, let’s not forget another unique challenge: the COVID-19 pandemic. With all hands on deck and lives to save, many healthcare organisations have lowered their tolerance for interruptions, downtime, or inconveniences in order to respond to urgent or time-sensitive clinical needs.
By emphasising expediency, however, there is a cost in terms of cybersecurity. Healthcare organisations may create more vulnerable attack surfaces.
Combined with the high value of certain types of healthcare data, these vulnerabilities make these organisations more attractive targets to threat actors.
There are a number of threats that healthcare organisations should be alert to, but the largest ones concern the ongoing pandemic.
For a start, the surge of COVID-19 patients at hospitals has strained their resources, impeding their ability to handle security threats.
For example, doctors and nurses at an overwhelmed COVID-19 ward may be more likely to open malicious attachments or links if they simply do not have time to scrutinise suspicious email messages.
The larger numbers of patients also mean steeper clinical requirements, which may, in some cases, have left the attack surfaces of many hospitals more vulnerable.
In the rush to set up ventilators and intensive care units (ICU), some may have added devices to their networks in ways that were even less secure than usual.
Since medical devices can increase the attack surface, an increase in ventilators on a hospital’s network to deal with an influx of COVID-19 patients can also give attackers more opportunities to compromise that network.
The COVID-19 pandemic has also altered the attack surface of the healthcare industry by creating new patient data sets for attackers to target, including COVID-19 vaccination records and test results.
The healthcare industry was already a desirable target because of the greater value and detail of its patient data.
If a COVID-19 vaccination or testing record only contains a name and a date of birth, it is still useful to fraudsters, as dates of birth are a key ingredient in identity theft.
The advent of “vaccine passports” and other ways of verifying COVID-19 vaccination or testing status also brings new opportunities to cyber attackers.
In addition, pressure to show proof of vaccination is creating a black market for compromised or fraudulent digital vaccination or testing records that can be used fraudulently to access public places and services where such proof is required.
IntSights threat intelligence shows there is a market in both the United States and in Europe for the production of fraudulent digital COVID-19 testing and vaccination documents.
In many cases, these documents are being produced with the help of insiders so that they appear legitimate upon verification. The malicious insiders have legitimate access to systems at COVID-19 testing and vaccination providers that generate genuine test results or record vaccination status.
Since the documents are genuine, they pass digital checks. These insiders may even manually enter unvaccinated people into the vaccination registry so that they appear legitimate and can receive otherwise genuine vaccination records.
Healthcare organisations need to be aware that access to compromised healthcare networks is up for sale on underground forums.
This black market for compromised network access has been here before the pandemic but has grown dramatically with the opportunities now presented by the pandemic and remote work.
Though this affects all industries, healthcare organisations are among the most common victims of these sales. Through IntSights’ investigations, a data sample of these sales indicated that 19.5 per cent of all observed victims were from the healthcare industry, tied for second place with financial services and energy and industrials.
Interestingly, the price for this unauthorised access to a healthcare network is usually lower than the cross-industry figure. The cross-industry average price is US$ 9,640 while the median is US$ 3,000, compared to US$ 4,860 and US$ 700 respectively for access to a healthcare network.
Why the lower price to access more useful personal data? This could have to do with the perception that it is easier to steal data from a healthcare organisation or simply that there is an oversupply of such information.
Incidentally, the lowest price in a data sample that IntSights obtained was just US$240, which was to access the network of a healthcare organisation in Colombia. This should concern the healthcare and pharmaceutical sector.
There are many implications for healthcare organisations should their data be stolen, locked up or exposed.
Legal and regulatory compliance issues immediately come to mind. That’s not to mention a new tactic that hackers have adopted – extortion – which multiplies the damage done.
Instead of simply encrypting and locking up the data of victims, the cyber criminals will also leak the data in part, from confidential financial data to sensitive patient data like photos, diagnoses and more.
The goal here is to increase pressure on victims to pay ransoms and to undermine the value of backups as a defence against ransomware attacks.
In May 2021, when the Conti ransomware was used in an attack on Ireland’s Health Service Executive, the attackers demanded US $20 million in exchange for not disclosing compromised data, including patient records.
Such data disclosures are harmful to organisations in any industry, but the exposure of healthcare provider patient data means the victims face compliance violations, legal issues, breach notification costs, and the long-term risk and enduring effects of identity theft for exposed patients.
Today, healthcare organisations have to understand that ransomware has taken hold in the industry and will be a scourge for the long term. It will be part of a growing number of online threats in future.
What organisations in the sector need is a clear strategy that improves their risk profiles and security postures. Here are four steps:
Ultimately, there is no failsafe way to overcome the many challenges facing the sector today. Indeed, it is under unprecedented pressure today with the pandemic already making it difficult to operate normally, much less under the threat of cyberattacks.
That said, health organisations that do manage to find the right priorities, develop an effective defence strategy, and deploy the right tools, will emerge from the situation stronger and more ready for success in the years ahead.