
Ransomware Poses High Risk as Hackers Target Healthcare

By: Jameson Miller, CPA, CISA

If you’re not having difficulty in filling open staff positions, your long-term care facility is among the very few that aren’t. Nationwide, these healthcare organizations are struggling with a protracted labor shortage that leaves many providers wondering how to meet critical care needs with too few workers.

Does it seem like you are always hearing about another healthcare data breach or cybersecurity disaster? If so, you are probably not imagining it. The Federal Bureau of Investigation reports that healthcare providers and public health agencies were a favorite target of hackers in 2022. 

These organizations experienced more ransomware attacks than any other sector last year. That is not surprising given the rich trove of personal and financial data healthcare organizations typically hold. In addition, medical devices often present unique vulnerabilities that make it easy for cybercriminals to worm their way into private databases and computer systems. 

Unpatched medical devices elevate risk

Smart medical and healthcare devices require regular updates and patches just like other internet-enabled technologies. Potentially vulnerable devices include pacemakers, pain medication pumps, insulin pumps, intracardiac defibrillators and other equipment routinely used in patient care. 

Leaving these devices unpatched opens the door for hackers, but it is a commonplace oversight. More than half the connected devices that hospitals rely on had critical vulnerabilities in 2022, according to the FBI. If hackers do get in, they can interfere with care by creating false readings, administering inappropriate doses of medicine and creating life-threatening risks for patients.

Beyond patient care and the devices themselves, internet-connected medical equipment can give hackers access to a healthcare organization’s data and systems. That creates privacy risks for patients and HIPAA compliance concerns for providers—and heightens the threat of ransomware. 

FBI scores major win in the fight against hackers

In its notification to the healthcare industry, the FBI described the significant threat posed by unpatched devices and offered advice to help providers and healthcare-related organizations reduce their exposure to this type of cybercrime. 

The agency is fighting back in other ways, too. The FBI successfully took down a large ransomware group known as Hive after months of careful infiltration, monitoring and observation. 

Before they made their big move, agents were able to provide the hacker collective’s victims with decryption keys that allowed them to retrieve their stolen data without giving in to the hackers’ demands—and without revealing the ongoing investigation. 

The agency continued its work undetected, studying how the group functioned and discovering the identities of group members and sponsors. Agents were also able to scrutinize the techniques Hive members used to implement the group’s Ransomware as a Service (RaaS) approach, which is the same model that roughly two-thirds of all ransomware attacks employ.

Successfully infiltrating and dismantling Hive represents a major win for law enforcement. The number of ransomware attacks has dropped noticeably since the FBI bested the group, and the bureau’s sustained inside view of a well-organized RaaS operation further arms agents to fight back against future attempts at this kind of crime.

An ongoing battle for cybersecurity in healthcare 

Additional factors contribute to the recent dip in ransomware attempts. Russia’s war against Ukraine is diverting the attention of Russian hackers, the source of most ransomware attacks. While Russia certainly isn’t the only place these criminals reside, specific types of cybercrimes do align with geography, broadly speaking. North Korean hackers tend to be most interested in going after cryptocurrencies, for example, while their Chinese counterparts typically focus on corporate and government espionage. 

The insurance industry is also requiring organizations to adopt a more rigid defensive posture in order to qualify for cyber insurance. The new requirements, along with the sustained trend toward more digital crime of all varieties, are driving greater awareness and improvements in data management practices across healthcare and other sectors. 

Many organizations now have a stronger focus on maintaining frequently updated, fully usable backups that allow them to reject hackers’ demands. Like the Hive targets who recovered their data with the FBI’s help, victims of ransomware are increasingly refusing to pay up. 

That solves one problem, but does nothing to address the risk of stolen health and financial data being sold on the black market or released. Iran is a relatively new player in the ransomware game, quickly gaining notoriety for "lock and leak" attacks, which couple ransomware with a threat to leak the data publicly if the ransom is not paid. As organizations have become less willing to comply with ransom demands, lock and leak has grown in popularity among cybercriminals.

Strategies to effectively limit risk

Healthcare providers must actively position themselves to protect private data related to patient care, billing and staff employment. Implementing strong precautionary measures can significantly reduce cybercrime-associated risks to patients as well as the organization’s reputation and finances.

A rigorous assessment based on the National Institute of Standards and Technology (NIST) cybersecurity framework is an ideal starting point for most healthcare providers and related organizations. Using the NIST framework helps assessors identify deficiencies and gaps anywhere in the organization, including governance, risk management and compliance.

Penetration testing is another valuable tool that allows healthcare organizations to identify and remedy potential vulnerabilities. This approach uses “ethical hacking” and other procedures to find security weaknesses in the organization’s network or procedural security protocols and gauge the organization’s resilience against malicious actors. 

For organizations subject to HIPAA, GDPR and other strict security and privacy regulations, a HITRUST Common Security Framework Assessment offers the most rigorous approach. HITRUST assessments allow organizations to meet multiple regulatory compliance obligations through a single assessment. Due to the stringent nature of these assessments, organizations should plan to include a certified HITRUST professional on their internal staff to facilitate the process. 

Whether your organization is large, small or somewhere in between, it is crucial that leaders treat cybersecurity as a top priority. Outsourced providers can augment internal IT staff or provide comprehensive services for smaller organizations. 

If you are not sure where to start, reach out to the experienced cybersecurity professionals at Mauldin & Jenkins. Our experts offer cybersecurity consulting along with penetration testing and security evaluation services, including NIST framework and HITRUST assessments. Choose the approach that meets your needs, but don’t ignore the threat: for healthcare organizations of every size, the risk of cybercrime is too great to leave unaddressed.

Mauldin & Jenkins, 200 Galleria Pkwy, Suite 1700, Atlanta, Georgia 30339, United States, 800.277.0080