Cyberattackers are exploiting inherent weaknesses in healthcare data security, making the sector the most targeted industry in the first quarter of 2018, according to Rapid7’s quarterly threat report released May 15.
The Rapid7 research found that the leading attack vectors in healthcare were remote access, such as suspicious logins, access attempts from disabled accounts, and account leaks, as well as phishing and ransomware.
There are several factors that attract attackers to the healthcare sector, according to researchers.
First, healthcare organizations often have a complex, distributed IT infrastructure with legacy systems and proprietary medical devices, making them difficult to secure quickly.
Second, hospitals and other healthcare providers rely on system availability to keep operations running when lives are at stake, and adversaries have frequently targeted that availability using tactics such as ransomware or denial-of-service (DoS) attacks.
Third, healthcare organizations have a great deal of sensitive data, both financial data and protected health information (PHI), that attackers are interested in stealing.
The attractiveness of healthcare organizations was demonstrated by the recent rise of the Orangeworm attack group identified by security firm Symantec. Around 40 percent of Orangeworm’s victims are in the healthcare industry, and the largest percentage (17 percent) of infections are in the United States, according to Symantec.
Orangeworm is currently targeting healthcare providers, pharmaceutical firms, IT solution providers for healthcare, and healthcare equipment manufacturers using malware known as Trojan.Kwampirs to gain remote access to compromised computers.
Symantec found the Kwampirs malware on machines that had software installed for the use and control of medical imaging machines, such as x-rays and MRIs, and machines used to assist patients in completing procedure consent forms.
To counter the rise in account and credential leaks, Rapid7 advised healthcare organizations to use two-factor authentication whenever possible and to identify and remediate instances where an employee’s credentials may have been compromised.
In the most recent quarter, the top four significant cyber incident types across industries were suspicious logins, phishing, malware on system, and cryptocurrency mining.
The significant number of suspicious logins correlates to the large number of remote entry alerts identified throughout the quarter and ties in to the second-highest threat identified, phishing.
Much of the phishing in the first quarter sent users to sites made to look like authentication pages and designed to steal the user’s credentials, enabling attackers to log in to the network.
Verizon’s 2018 Data Breach Investigations Report also found that phishing, along with financial pretexting, is a popular attack vector.
Financial pretexting—obtaining financial information under false pretenses—and phishing represent 93 percent of all breaches investigated by Verizon, with email being the main entry point (96 percent of cases). Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasizing the need for ongoing employee cybersecurity education, the DBIR noted.
Pretexting incidents have increased over five times since the 2017 DBIR, with 170 incidents analyzed this year (compared to just 61 incidents in the 2017 DBIR). Eighty-eight of these incidents specifically targeted HR staff to obtain personal data for the filing of fraudulent tax returns.
The DBIR found that the healthcare industry had 750 cyber incidents last year, with 536 involving data disclosure. Miscellaneous errors, crimeware, and privilege misuse represented 63 percent of cyber incidents in the sector.
The DBIR found ransomware in more than one-third of malware-related cases examined this year, moving up from fourth place in the 2017 DBIR. Ransomware has started to impact business-critical systems rather than just desktops, with bigger ransom demands.
Ransomware has been particularly devastating in the healthcare industry. In fact, it accounts for 85 percent of the malware in healthcare.
“Ransomware remains a significant threat for companies of all sizes,” said Verizon Executive Director of Security Professional Services Bryan Sartin. “It is now the most prevalent form of malware, and its use has increased significantly over recent years.”
“What is interesting to us is that businesses are still not investing in appropriate security strategies to combat ransomware, meaning they end up with no option but to pay the ransom—the cybercriminal is the only winner here,” he noted.