Diagnosing the Healthcare Sector’s Cybersecurity Ailments in 2020 · 2020-06-06


Executive Summary

The world has never been so dependent on its healthcare systems. While the COVID-19 pandemic has disrupted the global economy by forcing businesses to operate in remote settings, it has thrust healthcare facilities and providers into overdrive as they attempt to manage the influx of new patients impacted by the deadly coronavirus.

Threat actors have certainly taken note of the current turmoil and have seized this opportunity to attack overwhelmed corporate collaboration tools, prey on public fear and execute virus-related scams, and exploit vulnerable legacy healthcare systems. There has been a sharp increase in attacks against hospitals and medical facilities, specifically ransomware and social engineering attacks.

Cybercriminals targeting healthcare is nothing new, but recent attacks – particularly those pertaining to the ongoing COVID-19 pandemic – underscore the inadequate security protocols many healthcare organizations have in place. There are three key reasons why organizations in the healthcare industry are lucrative targets:

1. Healthcare entities protect endless amounts of sensitive data. Healthcare records provide detailed data sets for cybercriminals. They contain PII, such as SSNs, addresses, and phone numbers, which can be used for account takeovers (ATOs) and creating synthetic IDs. Insurance data can be used to create false claims. In addition, medical histories can be used to target VIPs.

2. Healthcare security infrastructure lags behind other industries. Many healthcare systems use dated operating systems, and, as is the case with critical infrastructure, patching and updating are burdensome. Users often access confidential platforms or networks with older browsers. Ransomware attacks have had their fair share of success in this industry as a result of these weaknesses.

3. The potential value of an attack is substantial. Cybercriminals and threat actor groups have different capabilities and interests. Those individuals and groups that steal data and then sell it (rather than using it themselves)

Studying the associated exploits that led to the successful ransomware attacks will help security teams discover weaknesses across these systems, including missing security controls used to provide coverage in place of unavailable technical controls (i.e., unpatchable security vulnerabilities or end-of-life systems). Along with the security burden comes increased liability for data custodians and processors. Once attackers secure data via ransomware attacks, there are several data privacy violations that could apply, depending on where the offending organization is located.

This report is the second in a two-part series of research reports that explore the myriad cybersecurity challenges healthcare organizations face in 2020. This edition breaks down the cyber threat landscape in the healthcare sector, while the first edition tackled these threats from a compliance and risk perspective.


The Cyber Threat Landscape for Healthcare Organizations

There are several reasons healthcare organizations and healthcare providers are at increased risk. Historically, healthcare organizations have not been primary targets for attackers seeking a more direct route to profit – i.e., targets with greater financial resources at their disposal. Because of this, security measures in the healthcare sector are not up to par with threat actor sophistication.

Once cybercriminals realized there is money to be made and data to be stolen from the healthcare sector, they began to target these organizations. While threat actors may use various tools and techniques to obtain usernames and passwords, gain access to networks, and/or social engineer healthcare workers, sometimes they have an easier attack vector. Unfortunately, healthcare IT suffers the same issues observed in many IT infrastructures – default passwords, and unpatched and misconfigured systems.

Attackers deploy battle-proven tools and tactics that have been used and upgraded for years – while the defenses have been lacking. Healthcare systems often rely on old operating systems and platforms that are harder to patch and have life-threatening repercussions if attacked. A third of all data breaches in the US happen in hospitals, and the number of breached personal records in the healthcare industry nearly tripled from 2018 to 2019, jumping from 15 million to 40 million.

In many cases, even if end users are aware of the security risks, they cannot upgrade their browsers or operating systems because the systems they use are not built to function on newer platforms. This includes electronic medical record (EMR) systems, picture archiving and communications systems (PACS), radiology information systems (RIS), clinical information systems (CIS), and other vital systems for healthcare practitioners – all of which contain troves of sensitive medical records, protected health information (PHI), and personally identifiable information (PII).

Figure 1: An example of a hospital server that a hacker gained access to by exploiting its vulnerable legacy security systems


Figure 2: An example of a leaked personal medication list. Hackers sell medical records like these for lucrative sums.

Figures 3a and 3b: Patient records leaked from a hospital located in Florida and offered for download on several cybercrime forums


Last September, IntSights researchers found that cybercriminals were able to expose – and sell for an immense profit, of course – healthcare admin credentials, offering buyers a “master key” with unfettered access to all portals and databases relevant to the organization. Administrator access to backend systems is the holy grail for attackers. It provides access to different assets, databases, and information – allowing the attacker to easily steal, alter, or corrupt the data. The ramifications are potentially devastating for those afflicted, from both an organization and individual perspective.

The potential impacts of gaining access to these kinds of records are widespread. PII can be used for healthcare insurance fraud, surgical claims, and other non-healthcare related attacks like tax fraud, account takeover attacks, new account fraud, and identity fraud. Cybercriminals have sold data that could allow someone to forge medical marijuana cards, data from hospitals that could be used to fake an employee badge, and immutable data – blood type, allergies, social security numbers – that can never be changed, unlike a stolen credit card.

Figure 4: A seller offers “FULLZ” from a US hospital database. FULLZ are data sets that include all the information needed to perform account takeovers or new account fraud.

Figure 5: A threat actor selling access to the Louisiana State Internal Health Network, including access to 19,000 computers and the domain admin rights

Figure 6: Medical FULLZ of a VIP for sale on a black market


Beyond simply hacking into and selling databases of confidential information, cybercriminals attack healthcare organizations with ransomware, holding them hostage with malware installed via spear phishing schemes, leaked admin credentials, or other backdoors. Many healthcare organizations are forced to pay these ransoms at the risk of further compromising the incredibly sensitive records they safeguard within their networks.

Figure 7: A seller offers hospital ID cards, also noting they have scans and templates to create fakes.

Figure 8: Cybercriminal advertising that boasts access to corporate, government, and healthcare networks for partners to attack. It also indicates they want to partner with a ransomware group.


Figure 9: Threat actor selling MAKOP cryptolocker ransomware on a dark web forum

Figure 10: Ransomware-as-a-service offered on Russian dark web forum (translated)

COVID-19 Attacks Targeting the Healthcare Sector

As if healthcare organizations didn’t have it hard enough, the coronavirus pandemic of 2020 has imposed substantial burdens on the entire global sector. People are working from home in record numbers, and some in the healthcare industry may be required to transfer intellectual property (IP), personally identifiable information (PII), and PHI data that then gets stored on local drives and processed on private computers with fewer security protocols in place.

Cyberattacks have increased significantly, and while some well-known cybercrime groups promised they would not target vulnerable healthcare organizations during this time, they have, predictably, not been entirely true to their word.

Since February, IntSights researchers have seen a stark increase in attacks against hospitals and medical facilities, specifically the use of ransomware and social engineering attacks. Methods have included encryption of data for ransom, theft of intellectual property (IP), theft of databases of healthcare employees, phishing, malware, and social engineering attacks.

One example of a COVID-19-inspired attack we observed came from the Maze ransomware group, which has previously targeted everything from small US law firms to the German government. Maze hackers targeted Hammersmith Medicines Research (HMR), a company that performs clinical tests for drugs and vaccines. HMR recently assumed an active role in developing tests and vaccines for COVID-19. The company was attacked on March 14, with medical records of over 2,300 patients and employees leaked on March 21.


Cybercriminals have leveraged the public’s heightened state of fear, successfully launching sites that mimic reputable public health sources providing COVID-19 information. One group created a tracking map that closely resembled the Johns Hopkins University COVID-19 outbreak map but was actually a malicious domain that installed malware onto users’ computers.

Looking to exploit public panic, other threat actors have turned to simple scams and hoaxes, offering fake diagnostic devices, vaccines, and even blood with COVID-19 antibodies for sale on black markets. They will often create a false sense of urgency by using language like “protect your family” to scare potential buyers into making a purchase. None of these offerings are legitimate, of course.

Figure 11: Leaked data of HMR employees

Figure 12: AZORult malware – coronavirus tracking map mimics JHU covid outbreak map


Figure 13: Ransom note from the AZORult malware

Figure 14: Fake coronavirus antidotes and vaccines offered for sale on a forum


Our research has also identified spear phishing attacks in which executives in organizations were targeted by a threat actor impersonating another executive, sending them an email with a link. These attacks were perpetrated by skilled nation-state actors to steal data regarding COVID-19 pharmaceutical research. Other nation-state actors have used coronavirus fear to sow seeds of desperation in rival nations.

In mid-February, a Russian state-sponsored hacking group known as “Hades” was observed targeting Ukraine with a multifaceted campaign, including malware and disinformation, designed to create panic and confusion around the novel coronavirus. The campaign started with a specially crafted phishing email (Figure 14, below) appearing to be from the Center for Public Health of the Ministry of Health of Ukraine and containing a bait document with fake information about COVID-19.

A malicious macro in the document drops a hidden C# backdoor trojan that grants the attackers remote control of the victim’s device. The second stage of the attack was a disinformation campaign, launched via social media in Ukraine, claiming that many people in Ukraine were infected with coronavirus. This fake news coincided with the arrival of a flight of evacuees from China. The combination of the events incited riots and looting across the country.

For more on the COVID-19 threat landscape, download IntSights’ March 2020 report, The Cyber Threat Impact of COVID-19 to Global Business. The report touches on some of the cyber threats targeting the healthcare sector and exposes numerous scams selling fake virus tests and vaccines.

Figure 15: Maldoc opened through phishing campaign targeting Ukraine


Recommendations for Effective Cyber Defense

Healthcare organizations are facing a serious threat to their security infrastructures. If increased cyberattacks targeting the sector in recent years were not enough to prove the need for comprehensive investment in cybersecurity protocols, the COVID-19 pandemic has certainly driven the point home. These organizations face unique challenges in that they don’t just need to secure their IT environments; they also must manage specialized systems, industry-specific challenges, and specific regulations. A well-defined, risk-based strategy that takes lessons learned from other industries and attacks can help organizations achieve a better cybersecurity posture.

The following are some recommendations for security teams in the healthcare space to defend their organizations against looming threats:

• Follow basic security hygiene practices. Make sure systems are patched and up to date, implement a good password policy, and educate end users on how to avoid phishing scams and other hacker tricks.

• Apply a cogent and comprehensive strategy. Simply applying a patch or a firewall is not enough to defend against cutting-edge and ever-evolving cyberattacks that find and exploit weaknesses. Security teams must have an understanding of the threat landscape facing their organization, have visibility into their gaps and vulnerabilities, and formulate a strategy to acutely address those needs. Each organization’s attack surface is different, and no two security strategies should be identical.

• Think like the attackers. To understand your enemies, you must be able to put yourself in their shoes. Have a red team levy a simulated attack against the organization’s network and systems to learn how an attacker might penetrate the infrastructure. While security practitioners tend to focus on the technology, hackers focus on people – and how they can be exploited.

• Invest in the security stack. Security solutions are often not cheap, but they are vastly less expensive than the cost – financial and otherwise – of a data breach exposing PHI or a successful malware attack. Security is no longer an IT issue; it is a business issue that must be embraced by executives and multiple stakeholders across the organization.

Securing a network is not an easy task, especially for healthcare organizations, and especially at a time like this. Striking a balance between usability and security is a challenge in any industry, but the stakes are considerably higher when people’s lives are on the line.

The best way to fight back is to defend proactively against the threats targeting the organization using external threat intelligence. Threat intelligence allows users to identify, validate, and take down threats as they emerge in cybercriminal watering holes. The sooner you know about an attack, the quicker you can negate it, and the safer your data and systems will be.

About IntSights

IntSights is revolutionizing cybersecurity operations with the industry’s only all-in-one external threat protection platform designed to neutralize cyberattacks outside the wire. Our unique cyber reconnaissance capabilities enable continuous monitoring of an enterprise’s external digital profile across the clear, deep, and dark web to identify emerging threats and orchestrate proactive response. Tailored threat intelligence that seamlessly integrates with security infrastructure for dynamic defense has made IntSights one of the fastest-growing cybersecurity companies in the world. IntSights has offices in Amsterdam, Boston, Dallas, New York, Singapore, Tel Aviv, and Tokyo. To learn more, visit: intsights.com or connect with us on LinkedIn, Twitter, and Facebook.

Visit: Intsights.com Call: +1 (800) 532-4671 Email: [email protected]