The surge in healthcare cyberattacks shows no sign of slowing down anytime soon. Not only are healthcare attacks becoming more common, but they are now moving from IT digital environments into real-world healthcare systems and hardware, dangerously disrupting public care.
In recent months, cyberattacks by BlackCat (ALPHV) have caused significant disruptions in the healthcare sector. In February, their attack on Change Healthcare triggered a nationwide pharmacy outage, hindering countless Americans’ ability to fill essential prescriptions. Additionally, during the critical Thanksgiving holiday period of 2023, an attack on Ardent Health Services impacted 30 hospitals across 6 states, forcing ambulances to be diverted and hindering emergency services.
Moonlock talked with experts to understand what is behind this healthcare cyberattack trend, how IT breaches can affect operational technology (OT) and leave the population vulnerable, and what the risks are.
The state of security in the healthcare industry
The report State of Ransomware in Healthcare 2023 by Sophos reveals that the rate of data encryption following a ransomware attack in healthcare was the highest in the last 3 years.
The report concluded that 7 out of 10 healthcare organizations (73%) reported that their data was encrypted in 2023.
The Infoblox 2024 Healthcare Cyber Trend report adds that in the United States alone, healthcare providers are facing an “unprecedented wave of cybercrime and data breaches.”
The report found that an estimated 118.9 million healthcare patient records were compromised in the US last year.
“This alarming number corresponds to about 35.38% of the projected US population of 335,893,238 estimated by the US Census Bureau in January 2024,” the report reads.
The worldwide surge in healthcare attacks
The trend not only affects the US but is active around the world, with new attacks surging in regions affected by military conflicts, such as Ukraine and Israel.
Irina Tsukerman, a US national security lawyer, and President of Scarab Rising, Inc., a security, media, and geopolitical risk strategic advisory, told Moonlock that the healthcare cyberattacks are now a multi-billion-dollar criminal industry. But Tsukerman said money is not the only criminal motive behind this wave of attacks.
“Ransomware attacks and the sale of private data on the black market have become multi-billion-dollar industries, which is incentive enough for cybercriminals of all backgrounds to engage in these practices,” Tsukerman said. “However, there is much more to the story.”
Tsukerman explained that in the attack on Change Healthcare — which wreaked havoc and caused mass disruptions — UnitedHealthcare ultimately paid 22 million dollars in ransom to release its data. But Tsukerman adds that the attack was linked to Russian-supported hackers “who are pursuing as much state intelligence agenda as their own private illicit enrichment goals.”
“The breach went on for days, which lines up more to the modus operandi of state-linked APTs than to common cybercriminals,” Tsukerman said and added that the attack coincided with the announcement of international arrests of several LockBit hacker group masterminds and affiliates, also linked to Russia.
“Some of the objectives pursued by an adversarial state actor could align with cybercrime: it could be an enrichment scheme to replenish coffers affected by international sanctions,” Tsukerman said.
According to Tsukerman, the attack could have been a targeted operation to reveal national security vulnerabilities in an important sector and to undermine civilian trust in the healthcare system and the US government, including its ability to protect them.
The data that criminals are after: PHI and finance
Ani Chaudhuri, cofounder and CEO at Dasara, an automated data security and governance company, said, “The surge in healthcare cyberattacks in the US is not just a financial threat but a potential disaster waiting to happen.”
“Cybercriminals are not just after financial gains; they aim to disrupt essential services and create chaos,” Chaudhuri said. “Attacking IT systems connected to operational technology (OT) can paralyze entire healthcare facilities, impacting patient care and causing widespread panic.”
Chaudhuri explained that cybercriminals often target a range of data, including patient health information (PHI), financial data, and personally identifiable information (PII).
“PHI is particularly valuable because it can be used for identity theft, insurance fraud, or even blackmail,” Chaudhuri said. “Financial data, on the other hand, offers immediate monetary gain.”
Chaudhuri explained that by combining both PHI and financial data, attackers gain a more comprehensive profile of victims and extract more value for malicious activity.
Tsukerman agreed that the combination of PHI and financial data allows cybercriminals to better identify desirable targets, can be a valuable tool for intelligence agencies profiling would-be agents targeted for recruitment based on financial problems, and gives bad actors access to classified information.
“Cybercriminals can make money from any type of information of value to other cybercriminals or to state intelligence agencies, or even terrorists,” Tsukerman said.
Vulnerabilities in the healthcare digital attack landscape
As the digital landscape of healthcare organizations expands, the sector’s modernization comes at a price. Poor digital security practices, compliance, legacy systems, new IoT health devices, lack of skills, and other factors are being leveraged by cybercriminals to launch one attack after attack against the industry.
IT/OT, phishing, and legacy systems
The 2023 HIMSS Healthcare Cybersecurity Survey Report revealed that more than half of healthcare cybersecurity professionals surveyed (58.52%) reported general email phishing as the initial point of compromise in their most significant security incidents. This was followed by spear-phishing (31.44%) and SMS phishing (28.82%) as the top points of compromise.
In 2022, the HIMSS also found that 73% of surveyed healthcare providers are still using legacy operating systems (OS) despite the security risks they pose.
Additionally, as digital transformation continues to gain momentum in the healthcare industry, the digital operational environment (IT) is increasingly connected to the operation technology (OT) that hardware organizations use. This includes modern IoT devices, which are vital for healthcare today, such as X-ray and vital signs machines, implants, industrial pharmaceutical development and supply chain hardware, and more.
A recent scientific paper concludes that the integration of IoT in healthcare has introduced vulnerabilities in medical devices and software, posing risks to patient safety and system integrity.
Future technology and threats such as GenAI or quantum computing attacks are also of concern to the healthcare sector, ranking high in “highest-ransomware costs” lists.
Compliance and health supply chain
Shawn Waldman, CEO and founder of Secure Cyber Defense, told Moonlock that the reason why healthcare facilities face heightened vulnerability to cyberattacks is partly due to insufficient regulatory oversight in cybersecurity from the Department of Health and Human Services (HHS).
“While HIPAA and HITRUST guidelines exist, it appears that, from a regulatory perspective, hospitals and doctors do not feel compelled to invest the necessary funds to enhance system security,” Waldman said.
Robert Vitelli, director of cybersecurity advisory services at AArete, a global management and technology consulting firm that has served more than 100 health plans and provider organizations, spoke to Moonlock about the sector’s vulnerability.
“The main reason why cyberattacks disproportionately affect healthcare organizations is simple,” Vitelli said. “The healthcare value chain is a large, complex network of interconnected entities that host exactly the kind of high-value, confidential data that thieves want.”
“The healthcare industry is particularly vulnerable to attacks because cybercriminals are more likely to invest time in targeting organizations that warehouse high-value data,” Vitelli added.
Vitelli explained that the interconnected nature of the healthcare value chain is far-reaching, and providers are only as secure as every other partner entity in their network.
Tsukerman said the situation represents a potential national security threat that impacts millions of people.
“Chaos in the medical system is a huge distraction for the government, which may be forced to intervene to restore order, a great way to observe the exposure of the most sensitive aspects of the medical system, and a great way to sow chaos for the sake of chaos and spread panic, distrust, and confusion while simultaneously overwhelming agencies with new problems.”
Infrastructure and skills deficits
Chaudhuri of Dasera said that healthcare IT/OT infrastructure is plagued by a number of vulnerabilities linked to business-critical operations — the reason why healthcare providers often rapidly pay ransoms to recover their assets.
“Outdated technology systems that are not regularly updated or patched; the complex regulatory environment can slow the adoption of new technologies; and the healthcare sector’s high turnover and staffing shortages can lead to gaps in training and awareness, increasing susceptibility to phishing and other forms of social engineering attacks,” Chaudhuri said.
What can be done?
Ransomware, DDoS, and triple extortion tactics in the healthcare sector are not going to slow down at any point in the near future. The challenges and gaps that healthcare providers face are so significant and complex that they require time and investment, change in policies, and a shift in mentality to create a strong security culture.
While hospitals, providers, health plans, and the pharma sector have a long road ahead to build up and strengthen their security postures, the average person or patient is left exposed.
Chaudhuri said that for individuals, the trend in healthcare cyberattacks means an increased risk of personal information theft, financial loss, and potentially life-threatening disruptions to medical care.
“Individual patients play a crucial role in safeguarding their information,” Chaudhuri said. “By being vigilant about sharing personal information, primarily online or over the phone, and monitoring their financial and medical records regularly for any signs of unauthorized access or fraud, they can significantly reduce their risk.”
Chaudhuri also called for patients to use solid and unique passwords for online accounts, especially for healthcare-related services, and ensuring that personal devices used to access healthcare services are secure and up to date with the latest security patches are also critical steps in this process.
Healthcare organizations should do more to protect patients
All of the experts that Moonlock interviewed agreed that healthcare organizations should be doing more.
“Healthcare organizations must do everything they can to protect unauthorized access to user accounts,” Vitelli said. “Strategies can include multi-factor authentication, role-based access controls, and passwordless authentication methods such as biometrics, tokens/certificates or FIDO2 (Fast IDentity Online 2).”
Vitelli also mentioned email filtering and phishing detection technology, regular training in phishing simulations, incident response planning, and device and endpoint security as tools and concepts that healthcare providers should be deploying.
Waldman from Secure Cyber Defense said that the healthcare industry needs to seriously consider the implementation of external monitoring for critical cyber systems.
“This proactive approach could enable early detection of attacks or, at the very least, contain the damage to specific network segments rather than affecting an entire facility,” Waldman said, highlighting the importance of mandated comprehensive external audits, Security Information and Event Management (SIEM) systems, the adoption of automation within these networks, and the current significant gap in skilled and qualified cybersecurity personnel as crucial for the industry’s future.
Patients’ legal rights in the US
Speaking about the legal tools that patients in the US have, Tsukerman painted a grim picture despite the protection of laws such as the Health Insurance Portability and Accountability Act (HIPPA).
“The average person is out of luck when it comes to the impact of cyber breaches and other security incidents in healthcare,” Tsukerman said. “Unlike telecommunications companies regulated by the FCC, the healthcare sector is not even required to inform patients of data breaches, which means that there is no financial relief or even opportunity to secure private data once there is an attack.”
Tsukerman explained that patients can lobby for stricter cyber protocols in the industry with the assistance of “patient rights” advocates, work with doctors, pharmacists, and healthcare providers to get a better sense of this information, and take whatever limited preemptive action to secure one’s accounts. Other than that, the average person has no real recourse or protection.
Tsukerman advised that healthcare facilities and individuals alike be proactive in guarding their sensitive data. Restrict password and account information from others, including other employees. Compartmentalize information, change passwords regularly, and be vigilant about phishing efforts and other suspicious signs of a potential breach or attack on the account.
Cybersecurity awareness for users and best practices
“Patients can minimize the risk of their data being breached by only providing their personal information to trusted healthcare organizations,” Vitelli from AArete said. “Patients should also be wary of email phishing and phone scams where cybercriminals might pose as your hospital or health plan to trick you into giving them your data.”
Vitelli said that patients should also consider best practices when creating login credentials for healthcare websites, such as complex password creation, password rotation, and using unique passwords for every site and service you use.
“If you don’t want to remember dozens of different passwords, consider using a password manager platform that requires you to remember only one master password,” Vitelli added.
Final thoughts
The tidal wave of healthcare cyberattacks is a growing threat to public health. These attacks are not only becoming more frequent but also more sophisticated, disrupting critical care and jeopardizing patient safety. From stolen patient health information (PHI) fueling identity theft and fraud to financial data exploited for blackmail and national security issues, the stakes are high.
Outdated systems, a lack of cybersecurity awareness, and the interconnected nature of healthcare networks create vulnerabilities that attackers readily exploit. To combat this evolving threat, healthcare organizations need to prioritize robust security measures. Multi-factor authentication, regular staff training on phishing scams, and comprehensive security audits are all crucial steps.
While the situation is complex, there are steps that everyone can take. Above all, patients can be vigilant about sharing personal information, monitor their records for suspicious activity, and use strong, unique passwords for healthcare accounts.