Cybercriminals tend to follow the money, which is why they so often hit large corporations and major businesses with ransomware and malware. But healthcare organizations can also be lucrative targets as criminals are aware of the value of patient information and medical data on the dark web.

SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium)

As the coronavirus has spread since the start of 2020, cyberattacks against hospitals and medical facilities have shot up. A report published Thursday by global threat intelligence firm IntSights explains why healthcare organizations are vulnerable to attack and how they can better defend themselves.

Since February, attacks against hospitals and medical facilities have risen dramatically, IntSights said. Criminals have exploited the coronavirus pandemic to target collaboration tools, deploy virus-related scams, and exploit old and vulnerable legacy healthcare systems. Attacks have centered around ransomware, social engineering tricks, the theft of intellectual property, and the theft of databases of healthcare employees.

Cybercriminal advertising access to corporate, government, and healthcare networks for partners to attack through ransomware.
Image: IntSights

A third of all data breaches in the United States now occur in hospitals, while the number of breached personal records in the healthcare industry jumped from 15 million to 40 million just from 2018 to 2019. Healthcare organizations are especially vulnerable to cyberattack for three key reasons, according to IntSights.

  • Hospitals and medical facilities are home to a vast amount of sensitive data. Healthcare records contain such personally identifiable information (PII) as social security numbers, addresses, and phone numbers–all of which can be used for account takeovers. PII can also be used for healthcare insurance fraud, surgical claims, and other non-healthcare related attacks like tax fraud and identity theft.
  • The security environments of healthcare organizations often are outdated. Many healthcare systems use older, outdated operating systems. Patching and updating software can be burdensome. Employees sometimes use older browsers to access confidential information. In some cases, users can’t even upgrade their browsers or operating systems because the medical systems don’t support newer software. Such legacy systems include electronic medical record systems, picture archiving and communications systems, radiology information systems, and clinical information systems.
  • The potential value of an attack is substantial. Cybercriminals put great value on patient records, which are stolen and sold on the dark web. Credit card data is cheap, typically selling for $1 to $5 per card, but patient data can trade for as high as $50 per record. Unlike a stolen credit card number, people can’t change their blood types, allergies, medical conditions, or other health-related items.
A seller offers “FULLZ” from a US hospital database. FULLZ are data sets that include all the information needed to perform account takeovers or new account fraud.
Image: IntSights

In one attack noted by IntSights, the Maze ransomware group targeted Hammersmith Medicines Research, a firm that performs clinical tests for drugs and vaccines. Following the attack on March 14, the group leaked the medical records of more 2,300 patients and employees on March 21.

In another attack designed to exploit the fear over COVID-19, executives in organizations were targeted by a criminal who impersonated another executive to send them emails with links to malware. These types of attacks are typically created by nation-state actors looking to steal pharmaceutical research on the coronavirus.

In a third attack seen in mid-February, a Russian state-sponsored hacking group known as “Hades” targeted people in the Ukraine with malware and disinformation around COVID-19. The group’s initial phishing email spoofed the Center for Public Health of the Ministry of Health of Ukraine and included a file attachment with fake information about the virus.

In light of these attacks against medical organizations, IntSights offers the following recommendations to security teams in the healthcare sector:

  1. Follow basic security hygiene practices. Make sure systems are patched and up to date, implement a good password policy, and educate end users on how to avoid phishing scams and other hacker tricks.
  2. Apply a cogent and comprehensive strategy. Simply applying a patch or a firewall is not enough to defend against cutting-edge and ever-evolving cyberattacks that find and exploit weaknesses. Security teams must have an understanding of the threat landscape facing their organization, possess visibility into their gaps and vulnerabilities, and form a strategy to address those needs. Each organization’s attack surface is different, and no two security strategies should be identical.
  3. Think like the attackers. To understand your enemy, you must be able to put yourself in their shoes. Have a red team levy a simulated attack against your organization’s network and systems to learn how an attacker might penetrate the infrastructure. While security practitioners tend to focus on the technology, hackers focus on people–and how they can be exploited.
  4. Invest in the security stack. Security solutions are not cheap, but they are vastly less expensive than the cost–financial and otherwise–of a data breach or successful malware attack. Security is no longer an IT issue; it is a business issue that must be embraced by executives and multiple stakeholders across the organization.