On September 28, 2020, Dataminr alerted customers to a ransomware attack targeting United Health Services hospitals just as those hospitals began losing access to phones, computers, internet, and data centers. The ransomware group responsible, which goes by the name Ryuk, is linked to the Russian cybercrime network Wizard Spider and has hit other large, notable targets such as Pitney Bowes and the U.S. Coast Guard.
This attack, the largest on healthcare infrastructure since WannaCry in 2017, demonstrates that hospitals have become an increasingly attractive target for cyber criminals. Aging legacy systems, a multitude of software packages, and a large number of devices and system endpoints make them particularly vulnerable.
And now, thanks to the emergence of the COVID-19 pandemic, the healthcare industry’s multi-faceted threat landscape is rapidly growing. But what, exactly, does the landscape look like? What does it mean for the security leaders and teams responsible for protecting these organizations—from hospitals and medical supply companies to research labs and insurance providers? Let’s find out.
When COVID-19 hit, it increased healthcare’s dependency on online infrastructure—creating a larger surface area of risk for organizations across the industry and its many sectors. For example, since the pandemic began, Dataminr has surfaced nearly 1,000 vulnerabilities in hospital systems.
Interpol also warned that cyber criminals were exploiting the fear and instability caused by COVID-19, shifting their targeting significantly toward individuals, small businesses, and critical health infrastructure.
This signals an immediate need to implement or strengthen preventative security measures. Doing so is often challenging, however, especially for hospitals and healthcare institutions where it is difficult to justify the downtime required to update systems.
The international race to create COVID-19 vaccines has also become a significant part of the geopolitical risks that security leaders must manage. For many, it’s the first time they’ve had to do so on such a large scale. This includes protecting against cyber threats spurred by advanced persistent threat (APT) groups—often backed by governments—to steal information from research institutions or interrupt the vaccine supply chain as a way to slow a nation’s progress.
For example, a ransomware attack on India’s Dr. Reddy’s laboratory led to a temporary shutdown in October 2020. The lab was running trials of the Sputnik-V COVID vaccine, and the shutdown cost it precious time and resources.
Phishing remains the most common form of social engineering. The modus operandi is almost always the same. Threat actors send either millions of generic phishing emails or more targeted spearphishing emails to healthcare professionals in an attempt to gain sensitive information—from an individual’s credentials to the inner workings of a healthcare organization.
Today’s phishing methods are far more sophisticated and harder to detect than they used to be. For example, a recent phishing attempt attributed to a Russian-affiliated APT was able to target victims with specific job titles—such as vice president, general manager, and managing director—in 46 different countries. The scheme focused on a supposed company acquisition. It even spoofed real law firms and was based on actual U.K. law practices.
As with cyber crime generally, the pandemic increased the number of phishing attempts and attacks. Dataminr surfaced thousands of phishing schemes that specifically mentioned COVID-19. What we now see are new phishing schemes that spoof organizations’ internal return-to-work communications.
Organizations within the healthcare industry are privy to large amounts of patient data, much of which is personally identifiable information (PII). As innovative medical diagnostics have revolutionized patient care over the past several decades, the databases containing this information have made the industry susceptible to data breaches.
Take, for example, images stored and exchanged under the Digital Imaging and Communications in Medicine (DICOM) standard, such as CAT scans and MRIs, which have unique vulnerabilities. Last year, security researchers warned that more than one billion X-rays, CT scans, and ultrasounds containing patients’ health information were being leaked online.
Dataminr’s own alerting bears this out: since the COVID-19 pandemic began, we have alerted customers in real time to dozens of exposed medical imaging servers. Such real-time information is critical for security teams, who need to detect threats to enterprise systems and patient data as early as possible. Data of such a sensitive nature has appeared for sale on the dark web, can be used to blackmail and extort patients and organizations, and has been used to commit medical insurance fraud.
The marked increase in cyber attacks has made gaps in security capabilities more apparent than ever. The way forward is to urgently adopt effective cybersecurity frameworks and best practices, such as multi-factor authentication, cyber awareness training, and the principle of least privilege, which limits employees’ access to only the resources required to do their job.
Organizations should also make real-time information an essential part of security and risk management, so that they can detect the first signals of new cybersecurity vulnerabilities across the surface, deep, and dark web. Security leaders and their teams can then quickly assess the potential impact of a threat and address it accordingly, whether with a patch, a configuration change, or a system shutdown. No matter the response, the goal remains the same: ensure the confidentiality, integrity, and availability of information, and the very lives of the patients served.
Judith Begeer is a Global Cyber Subject Matter Expert at Dataminr. In this role, she provides expertise on trends across the cybersecurity threat landscape. Judith attended Leiden University, where she received a bachelor's in international studies and a master's in crisis and security management.