Financially motivated threat activity continues to pose a high-frequency and high-impact threat to healthcare organisations globally, as cybercriminals seek to monetise personally identifiable information and protected health information and to gain access to biomedical devices.
Luke McNamara, principal analyst at FireEye’s Strategic Analysis team, said that the healthcare sector is among the industries most consistently retargeted by threat groups, and that a large number of healthcare-associated data sets are for sale online for as little as $300 and up to $2,000.
On February 21, 2019, the actor NetFlow listed 4.31GB of data associated with a US-based healthcare institution for $2,000; the data contains patient information, including driver’s licences, health insurance details and ZIP codes.
On December 15, 2018, the actor Emoto listed 19,000 records associated with a US-based healthcare institution for $300; the records contain financial data, email addresses and information on employees.
On February 12, 2019, the actor specfvol listed 50,000 records associated with a US-based healthcare institution for $500; the records contain medical records, personally identifiable information and health insurance information. These are only a few examples.
In comparison to cyber-crime activity, McNamara said that cyber-espionage campaigns pose a lower-frequency but still noteworthy risk to healthcare organisations, particularly those in certain subsets of the industry.
Actors observed targeting the healthcare sector include China-nexus APT10 (Menupass) and APT41; Russia-nexus APT28 (Tsar) and APT29 (Monkey); and Vietnam-nexus APT32 (OceanLotus).
McNamara said that much of what FireEye has observed from such threat actors—particularly those with a nexus to China—appears to be driven by an interest in acquiring medical research and collecting large data sets of information, potentially to foster intelligence operations.
Actors buying and selling data from healthcare institutions and providers in underground marketplaces is very common, he said, adding that it will almost certainly remain so because of the data’s utility in a wide variety of malicious activity, ranging from identity theft and financial fraud to the crafting of bespoke phishing lures.
Moreover, he said that organisations involved in research and development, whether for treatments, medical devices, biotechnology or other subsets of the industry, hold valuable intellectual property that is a driver for economic espionage.
In addition to directly selling data stolen from healthcare organisations, he said that cybercriminals also often sell illicit access to these organisations in underground markets.
With this access, he said, they [bad guys] can enable other actors to perform post-exploitation activity such as obtaining and exfiltrating sensitive information, infecting other devices in the compromised network, or using connections and information in the compromised network to exploit trust relationships between the targeted organisation and other entities in order to compromise additional networks.
In early April 2019, suspected Chinese cyber espionage actors targeted a US-based health centre—with a strong focus on cancer research—with ‘EVILNUGGET’ malware.
“We assess that the theft of bulk data appears to remain a tactic employed by Chinese cyber espionage actors in targeting certain groups of individuals, as evidenced by the breach of SingHealth in 2018,” McNamara said.
Ransomware poses challenges
McNamara said that ransomware infections pose a more significant risk to healthcare organisations than to entities in many other sectors, because of the need for consistent, near real-time access to patient data and the potential for harm to patients should organisations lose access to important files, systems and devices.
While ransomware operators are likely aware of this increased criticality, McNamara said that some actors are reluctant to carry out ransomware attacks on hospitals, fearing that doing so could lead to increased law enforcement scrutiny, particularly should it lead to an accidental loss of life.
However, with the growth of targeted, post-compromise ransomware campaigns, he said that some criminal actors may be willing to assume more risk in carrying out operations against healthcare providers, in the belief that those providers have both the means and the willingness to pay.
“Future activity could cause significant to catastrophic effects should actors undertake destructive or high-impact disruptive attacks, as evinced by the WannaCry and EternalPetya attacks,” he said.
He added that the use of ransomware or wiper malware to disrupt or destroy healthcare capabilities in a given region or country could be advantageous during periods of conflict or heightened tensions, particularly when combined with false criminal or hacktivist personas claiming credit, which would give the attack’s sponsors plausible deniability.
Many healthcare organisations were reportedly affected by the widespread EternalPetya wiper and WannaCry ransomware campaigns in 2017, demonstrating the damage that can be done by these types of campaigns.
Because of the wealth of data healthcare organisations hold, he said, breaches and compromises in the sector can have far-reaching consequences for consumers.
Looking forward, as biomedical devices come into wider use, he said they have the potential to become an attractive target for disruptive or destructive cyberattacks, especially by actors willing to assume greater risk, and may present a more contested attack surface than they do today.