Growing cyber attacks on healthcare organizations
Ransomware attacks are increasingly focused on healthcare as the industry digitizes its processes and adopts applications to communicate with both patients and suppliers. Medical history and diagnosis information are perhaps the most private and sensitive data an untrusted party can get hold of.
Attackers and ransomware gangs know this, so they not only encrypt data but also threaten to release it publicly, with obvious reputational and legal consequences for the organization as well as damage to public trust.
Some ransomware operators are even specializing in attacking healthcare providers, among them groups such as Maui, the infamous Conti group and the Karakurt gang.
A recent ransomware attack on the US-based McKinney hospital illustrates the risks: the Karakurt gang (probably Russian) stole 360 gigabytes of files from the hospital, and the attackers now claim to have invoices, contracts, accounting records, prescription scans, patient cards, and financial documents including audits. The double extortion tactic is very popular in healthcare attacks: the attacker not only encrypts files but also threatens to release sensitive data to the public. The hospital decided not to pay the ransom after consulting cyber security experts, since paying offers no guarantee, but this leaves many of the hospital's former and current patients facing a nightmare.
Most attacks on healthcare organizations exploit the inherent trust and unrestricted access given to users and devices protected only by traditional perimeter-based security. Poorly secured remote access is rampant (for example, RDP without strong MFA) and identity management practices are obsolete. Once the access perimeter is breached, attackers usually enjoy the implicit trust built into many of the organization's applications, systems and network services such as Active Directory.
To prevent potential damage, hospitals and healthcare organizations need to improve identity management and remove the implicit trust granted to users, applications and devices once an attacker authenticates (usually via phishing). The framework, and the buzzword, to follow here is of course ZTNA (zero trust network access), which verifies user identity, device health and access policy before granting access to network resources. It connects users only to very specific applications or systems, not to the entire network, which is currently the default in most organizations.
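To make the contrast concrete, here is an added illustration (not code from the original post or from any ZTNA product) of the per-request decision a ZTNA broker makes versus the perimeter model just described. The application names, group names and device-posture fields are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Device:
    managed: bool          # enrolled in the organization's device management
    disk_encrypted: bool
    edr_running: bool
    patch_age_days: int


@dataclass
class Request:
    user: str
    mfa_verified: bool     # identity was proven with strong MFA, not just a password
    groups: frozenset
    device: Device
    target: str            # one named application, never "the network"


# Constructed per-application policies: who may reach each app and what
# device posture it requires. No entry grants access to everything.
POLICIES = {
    "ehr-portal":    {"groups": {"clinicians"}, "min_posture": "managed"},
    "billing":       {"groups": {"finance"},    "min_posture": "managed"},
    "admin-console": {"groups": {"it-admins"},  "min_posture": "hardened"},
}


def perimeter_decide(req: Request) -> bool:
    """The legacy model: once you are 'inside', every service trusts you."""
    return req.mfa_verified or True   # any authenticated (even password-only) user reaches any target


def device_healthy(d: Device, level: str) -> bool:
    if not d.managed:
        return False
    if level == "hardened":
        return d.disk_encrypted and d.edr_running and d.patch_age_days <= 14
    return d.edr_running


def ztna_decide(req: Request) -> tuple[bool, str]:
    """Identity, device health and app policy are all re-checked for every request."""
    policy = POLICIES.get(req.target)
    if policy is None:
        return False, "unknown application: default deny"
    if not req.mfa_verified:
        return False, "identity: MFA not verified"
    if not req.groups & policy["groups"]:
        return False, f"policy: {req.user} not authorised for {req.target}"
    if not device_healthy(req.device, policy["min_posture"]):
        return False, "device: posture below required level"
    return True, f"connect {req.user} to {req.target} only"
```

A phished clinician's credentials used from an unmanaged laptop pass `perimeter_decide` but fail `ztna_decide`, and even a legitimate clinician never gets a path to the billing or admin systems.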