There was a general rise in cyber crime in 2020 due to pandemic conditions, but one notable trend that stood out was a spike in the number of major healthcare data breaches. A new report from cybersecurity firm Tenable reviews the entirety of 2020’s publicly disclosed breaches (along with the first two months of 2021) and finds that this spike can be overwhelmingly attributed to ransomware attacks.
The healthcare industry has a natural appeal to ransomware groups, as patient care facilities are uniquely poorly positioned to tolerate network downtime. However, this industry was not particularly heavily hit until 2019, because these facilities also tend to be unable to pay the large ransoms that cyber criminals increasingly prefer. While root causes of individual breaches can be difficult to trace, evidence presented in the report indicates that a tendency not to keep up with patching known vulnerabilities (combined with the increasing value of medical records on the black market) might be what has drawn increased criminal interest in the industry.
Ransomware attacks on the healthcare industry becoming more frequent and more costly
The Tenable Research 2020 Threat Landscape Retrospective is not good news for those in the business of patient care. 2019 was a record-setting year for healthcare data breaches, but it was topped by 237 incidents in 2020. 2021 is on pace to take the new record with 56 breaches through the first two months. And of all of the 22 billion records of personal information exposed in 2020, the largest share belonged to the healthcare industry.
In part, this is a natural outgrowth of the general growth in cyber crime attributed to the switchover to work-from-home models across all types of organizations; healthcare has seen a significant shift to remote models such as telemedicine, contact tracing and research collaboration. However, one additional factor that has drawn criminal attention to this particular industry is the rising price of medical records on illicit dark web markets. Patient records have shot up to as much as $150 per record due to the amount of personal information they contain, providing nearly everything a criminal could want to commit identity theft, insurance fraud and follow-up scams (such as blackmail) perpetrated directly against the target. By contrast, credit card numbers rarely sell for more than a few dollars each, even when still active. Another trend that dovetails with this is the now-standard practice of exfiltrating target files before locking systems down with ransomware, something that was not common until fairly recently.
The average data breach cost has also gone up across the board in the past year, but particularly so for the medical industry. Healthcare data breaches cost an average of $7.13 million, nearly double the $3.86 million average cost for all industries. These breaches usually have more costly cleanups due to the amount of highly sensitive personal information that is leaked, combined with more expensive fines due to special regulations for records handling in patient care facilities (such as HIPAA).
Breaking down healthcare data breaches
Ransomware attacks accounted for 54.95% of 2020’s healthcare data breaches, a clear majority. The next largest cause was email compromise / phishing (21.16%), followed by insider threats (7.17%) and unsecured databases (3.75%). Third-party vendor compromise accounted for about 25% of the healthcare data breaches, and about 12 million of the exposed patient records.
Healthcare systems were the most frequently hit (about 30%), mostly regional hospital systems in which multiple locations share a common point of entry to record storage. 19% of the healthcare data breaches occurred at individual hospitals, 6% at mental health specialty facilities, 5% at clinics and 4% at government agencies.
The perpetrators of ransomware attacks are relatively rarely identified to the public, but among those that were, the most common names were the big ransomware groups that tend to operate affiliate programs. Ryuk accounted for 8.6% of ransomware attacks on healthcare facilities, Maze for 6.2% and Conti for 3.7%. Some ransomware gangs pledged to stop attacking hospitals during the Covid-19 pandemic, but the report finds that nearly all of them did not hold to this promise.
The threat actors that can be tracked also show a preference for exploiting known vulnerabilities that have been left unpatched. There is something of a “chicken or the egg” debate here as to whether these groups are scanning for known vulnerabilities and hitting a lot of healthcare facilities with opportunistic ransomware attacks, or are specifically scanning healthcare facilities looking for these openings. Whichever is the case, the groups quickly latch on to unpatched vulnerabilities as an entry point, including the use of phishing emails when that is a necessary step. While the report finds general improvements in vulnerability management, with a 65% increase in patching cadence in 2020, this may be offset by an increase in vulnerable endpoints created by the shift to telehealth.
Recommendations for healthcare organizations
Tenable recommends that healthcare organizations prioritize and remediate the vulnerabilities that are most likely to be targeted by coordinated ransomware attacks, and ensure that a regular program of check-ups and patching is in place. Two examples cited that caused multiple healthcare data breaches are the CVE-2019-19781 vulnerability in the Citrix ADC controller, and the CVE-2019-11510 vulnerability in Pulse Connect Secure. Both of these flaws were patched in early 2020, but organizations that were slow to update continued to be exploited by them throughout the rest of the year.
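The two recommendations above, prioritizing the vulnerabilities attackers are known to be exploiting and keeping a regular patching cadence, can be turned into a simple check against a vulnerability scanner's findings. The script below is an added illustration and is not Tenable's own tooling or code from the report: it ranks open findings by known-exploited status, internet exposure and age, flags findings that have outlived a remediation SLA, and measures patching cadence as the mean days from first detection to remediation. The two CVE identifiers are the ones named in the article; the third catalogue entry, the asset names, dates, scoring weights and SLA thresholds are constructed assumptions for the example.

```python
"""Patch prioritization and cadence check over vulnerability-scanner findings.

Added example, not Tenable's tooling. CVE-2019-19781 and CVE-2019-11510 are the
identifiers discussed in the article; everything else here is constructed.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

# Constructed catalogue. `exploited` marks CVEs with known in-the-wild use;
# the third entry is a placeholder identifier, not a real CVE.
KNOWN_EXPLOITED: Dict[str, Dict[str, object]] = {
    "CVE-2019-19781": {"product": "Citrix ADC", "exploited": True},
    "CVE-2019-11510": {"product": "Pulse Connect Secure", "exploited": True},
    "CVE-EXAMPLE-0001": {"product": "Example internal app", "exploited": False},
}

# Constructed remediation SLAs in days: exploited flaws get a tighter window.
SLA_DAYS = {"exploited": 14, "other": 30}


@dataclass
class Finding:
    asset: str
    cve: str
    internet_facing: bool
    first_seen: date                   # date the scanner first reported it
    remediated: Optional[date] = None  # None while the finding is still open

    @property
    def is_open(self) -> bool:
        return self.remediated is None


def is_exploited(cve: str) -> bool:
    return bool(KNOWN_EXPLOITED.get(cve, {}).get("exploited", False))


def sla_for(cve: str) -> int:
    return SLA_DAYS["exploited"] if is_exploited(cve) else SLA_DAYS["other"]


def risk_score(f: Finding, today: date) -> int:
    """Constructed weighting: exploitation dominates, then exposure, then age."""
    score = 50 if is_exploited(f.cve) else 0
    score += 30 if f.internet_facing else 0
    # Age matters, but is capped so it can never outweigh known exploitation.
    score += min((today - f.first_seen).days, 20)
    return score


def prioritize(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings, highest risk first; asset name breaks ties."""
    open_findings = [f for f in findings if f.is_open]
    return sorted(open_findings, key=lambda f: (-risk_score(f, today), f.asset))


def overdue(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings that have exceeded the SLA for their CVE class."""
    return [f for f in findings
            if f.is_open and (today - f.first_seen).days > sla_for(f.cve)]


def patch_cadence_days(findings: List[Finding]) -> Optional[float]:
    """Mean days from first detection to remediation over closed findings."""
    closed = [(f.remediated - f.first_seen).days for f in findings if not f.is_open]
    return mean(closed) if closed else None


# Constructed sample findings, as a scanner export might contain.
SAMPLE_FINDINGS = [
    Finding("vpn-gw-01", "CVE-2019-11510", True, date(2020, 1, 15)),
    Finding("adc-edge-02", "CVE-2019-19781", True, date(2020, 2, 1), date(2020, 2, 10)),
    Finding("adc-edge-03", "CVE-2019-19781", True, date(2020, 3, 1)),
    Finding("intranet-app-07", "CVE-EXAMPLE-0001", False, date(2020, 3, 10)),
    Finding("lab-ws-12", "CVE-EXAMPLE-0001", False, date(2020, 2, 20), date(2020, 3, 1)),
]
TODAY = date(2020, 3, 20)  # constructed "as of" date for the report


def report(findings: List[Finding] = SAMPLE_FINDINGS, today: date = TODAY) -> dict:
    return {
        "priority": [(f.asset, f.cve, risk_score(f, today)) for f in prioritize(findings, today)],
        "overdue": [f.asset for f in overdue(findings, today)],
        "cadence_days": patch_cadence_days(findings),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run as a script, the report lists the two internet-facing, known-exploited appliances first and marks both as past their 14-day SLA, while the internal finding with no known exploitation sits at the bottom and is still within its window. The cadence figure is the number to trend over time; the report's 65% improvement is the kind of movement this metric would show.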
Demi Ben-Ari, Co-Founder and CTO at Panorays, also offers the following suggestions: “…All industries are vulnerable to such cyberattacks, which is why it’s so important to have a comprehensive process in place for assessing the security of third parties. This can be accomplished through a combination of external footprint assessments, automated questionnaires, and taking into consideration the business impact of each relationship. Continuous monitoring is also essential so that organizations can be quickly alerted about any cyber issues. It’s also interesting to note that according to this study, third-party data breaches accounted for one-quarter of the threats to healthcare organizations. Yet we know that organizations certainly spend far less than 25% of their budgets on third-party security. Clearly, this is something that organizations should consider when weighing the costs and benefits of preventing third-party data breaches.”