Doctor checking some data on tablet showing cyber attacks on healthcare during pandemic

Inside the Cyber Attack “Machine”: What Hospitals Need to Know about the Dark Web and Post-Pandemic Threats

The pandemic has created formidable challenges for industries across the board – but none more so than healthcare. In addition to needing to accommodate often staggering influxes of seriously ill patients, hospitals and other medical providers face the foreboding prospect of an extended spike in cyber threats: Since the beginning of November, attacks targeting healthcare organizations have increased by 45 percent, more than doubling the overall increase for all sectors worldwide.

In a perfect world, cybercriminals would spare such institutions and allow doctors and nurses to provide essential care without the risk of life-saving devices and systems going down due to an incident. But this is far from a perfect world, and the criminals instead perceive COVID-19 as an opportunity to seek out victims in larger numbers, with more lucrative outcomes. The usual culprits – ransomware, botnets, remote code execution and distributed denials-of-service (DDoS) – are very much in play here. Ransomware has emerged as a particularly effective MO, given that hospital leaders are inclined to pay up quickly to avoid even temporarily shutting down operations which support pandemic patients.

In what could be an even more chilling development, we’re seeing these criminals flocking to increasingly active and profitable “supply chains” in the online underworld to strengthen their ability to attack.

Specifically, they’re heading to the Dark Web and posting inquiries to purchase leaked medical databases, email lists, credentials and passwords. The whole, as they say, is greater than the sum of its parts. By combining resources and intelligence, hackers are better positioned than ever to “strike big” via methodically executed intrusions which jeopardize patient safety. Indeed, these supply chains are collectively creating a cyber attack machine – one that promises to unleash more devastating and lasting damage than we’ve seen to date.

To better understand these threats, we tracked suspicious parties targeting hospitals in France. Here is what we found:

– On Jan. 31, 2021, a user posted this on an English-speaking underground forum: “I’m looking for FRANCE databases with 2020 leads, Health related are the ones i prefer.” He promptly received a response offering databases in exchange for cryptocurrency payments. This reflects the emergence of exposed databases – which are readily accessed at on-premise servers, connected specialty equipment and the cloud where misconfigurations and/or poor controls leave data and network inroads visible – as products to steal and sell.

– On Feb. 4, 2021, another user published an ad for the sale of a “database of a company that works with many (if not all) hospitals” which contained 50,000 employee email addresses along with passwords and phone numbers. This reminds us of how criminals leverage third-party software and partners to bypass their intended victims’ security controls. Once they compromise a third party that the healthcare sector relies on for software, tech support, billing, data reporting, etc., they can launch credential-stuffing exploits of the third party’s downstream customers.

– On Feb. 12, a third user unveiled a database of nearly 500,000 hospital records with names, email addresses, phone numbers, Social Security numbers and patient information. This is often made possible due to vulnerabilities within cheap, network-attached storage products. Once the storage is compromised, adversaries use the database information to conduct fraud/social-engineering schemes.

So what should healthcare organizations do in response? We recommend the following best practices:

Raise employee awareness. Every employee performs a key role in making sure that no one inadvertently bypasses security controls and compliance policies, no matter how fast-paced and urgent the demand for care. IT and security teams must constantly remind staffers via training about the policies – and what is at stake if they are circumvented – along with updates about the latest phishing emails and malicious attachments. Ongoing assessments of the overall state of cyber hygiene will further help fortify the network.

Maximize patching and encryption efforts. Unpatched software is susceptible to years-old exploits. Then, misconfigurations and/or a lack of clear ownership will lead to a failure to activate built-in encryption features on software, collaboration and device platforms. The upshot: Software maintenance should begin the moment a new product or application is installed, with patching, encryption and preventative steps such as the changing of default passwords and enforcement of out-of-the-box security protocols. What’s more, it’s essential to deploy aggressive asset discovery and monitoring so organizations gain complete visibility of their expanding attack surface, which includes third-party cloud applications, connected storage devices, open databases and operational technology (OT)/internet of things (IoT) systems.

Monitor necessary but risky remote connections. These connections play a critical role in patient care. When remote desktop protocol (RDP) and virtual private network (VPN) access are required, teams need to enable all enhanced security settings so only trusted parties are authorized. In addition, they must monitor internet traffic to look for trouble signs, such as an anomalous large-scale data exfiltration.

It is unsettling to know that hackers are not only eager to take advantage of the pandemic crisis, but that they’re feeding off of a highly profitable supply chain of stolen digital assets to do so. While hospitals are the target, the patient is ultimately the true victim of this cyber attack machine.

That’s why it is imperative for healthcare leaders and their IT/security teams to raise employee awareness of the latest methods, patch/encrypt all software, enforce additional protocols and establish total visibility of their entire cyber ecosystem. It is only after implementing these practices that administrators, doctors and nurses can stop worrying about the next attack and focus on the task at hand – saving lives and making sick people better.