Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

Healthcare’s Ransomware Epidemic: Why Cyberattacks Hit the Medical Sector With Alarming Frequency

Healthcare has long been a primary target for ransomware attacks. This is not changing and is not likely to change.

SD-WAN to SASE

Healthcare has long been a primary target for ransomware attacks. This is not changing and is not likely to change. Claroty/Team82’s State of CPS Security – Healthcare 2023 discusses the reasons.

Healthcare comprises a critical industry combining a large-scale use of converged IT and OT with a huge quantity of disparate OT devices dependent on IT control delivered over WiFi – and a very low tolerance for disruption. The industry is eminently exploitable and has a strong incentive to settle extortion attacks as quickly and as seamlessly as possible. Lives may depend upon it.

According to the FBI 2023 IC3 report, healthcare suffered 249 reported ransomware attacks during last year – 31 more than the second most attacked CNI sector (critical manufacturing), and more than double the reported attacks against financial services. 

Claroty/Team82’s report analyzes the components of a healthcare IT environment to explain its susceptibility to attack. It notes that the threat to patient privacy (covered by HIPAA) has moved on to a threat to patient life.

The report has some worrying conclusions. 63% of exploited vulnerabilities tracked in CISA’s KEV catalog can be found on healthcare networks. Clearly ‘patching’ is a problem for healthcare, but it is not something that can be easily solved: healthcare has a total of 360 different device manufacturers whose patch certification programs must be observed.

While the IT devices controlling the OT devices are usually Windows and Linux systems that are frequently patched, no such formality applies to the majority of OT devices. “Instead,” says the report, “vulnerability patching is often an add-on to an already expensive support contract.”

Compounding this problem is the length of time it takes to gain FDA device certification. Developing a patch and implementing that patch may require new FDA certification – but the life expectancy of the device may be limited (medical technology is a rapidly advancing field). There is a natural inclination to attempt mitigation through compensating controls rather than formal patching – the old OT adage of ‘if it ain’t broke, don’t fix it lest you break it’ exists on medical steroids.

This problem is compounded by the number of devices that run on unsupported OSes. “Fourteen percent of medical devices in our research run an end-of-life or unsupported OS,” notes the report. These are mostly old versions of Windows, but include Linux, mobile OSes, Sun Solaris, SunOS, and others. Aggravating this, many of the unsupported Windows devices are also unmanaged and not part of an Active Directory domain. Defenders are unable to use domain management to push updates and new policies or enforce ACLs.

Advertisement. Scroll to continue reading.

The result of these patch or update issues is that medical devices provide attackers with a rich source of ‘forever-day vulnerabilities’: vulnerabilities that are known and fixed by the manufacturer, but are never patched by the customer. Since budgetary restraints mean that HDOs are unlikely to rip the old and replace with new, the vulnerabilities sit and wait to be exploited. Overall, a high percentage of medical devices have no endpoint protection.

A graph of devices without endpoint protection

Description automatically generated

Another persistent problem for HDO OT is the huge number of third parties (through delivery rather than supply) that the devices touch. These are patients, who almost by definition have no interest in, or knowledge of, security. Pacemakers are installed in eminently mobile humans (their very purpose is to keep those people mobile). Data is collected from the pacemaker and relayed back to the HDO via wifi or over the internet via the patient’s own domestic router. This is a potential threat to patient privacy. Infusion pumps, while mostly only operational within a hospital, have a long history of vulnerabilities. This is a potential threat to patient life.

Attacks against such devices could harm individual patients, but they are not the primary target of attackers – attackers seek access to the HDOs’ networks. From here they can potentially disrupt all devices as part of an extortion attack. These third party patients can be a weakness.

Firstly, HDOs offer a guest network to provide internet access for their patients. Claroty/Team82’s research suggests that 4% of devices used in surgeries can be accessible via a hospital’s guest network. But secondly, it is not unknown for patients to be given passwords for direct access to the primary corporate network. Nurses’ employment is typically vocational rather than careerist – their motivation is to make the patient as comfortable as possible; and a patient’s struggles with the poor bandwidth of the guest network can be easily solved. But the personal device used, usually a laptop, is unknown to, and unverified by, the network administrators.

The problem that HDO defenders face is one of complexity. Security solutions exist for almost all the issues they face – but the intricacies of patching what can be patched, mitigating what cannot, onboarding new devices and promoting security awareness in staff whose vocational instincts might be diametrically opposed to security, is too complex to guarantee complete and continuous success.

The combination of vulnerable networks and a high incentive to settle extortion attacks speedily explains the reason for the continuing attacks by ransomware criminals. Recorded Future’s Dmitry Smilyanets recently pointed to a post on Ramp Forum (March 3, 2024) purporting to be from the BlackCat/Alphv affiliate that hacked Change Healthcare. The affiliate complained that BlackCat/Alphv had reneged on paying its share of the profits from a paid ransom – $22 million. This claim is supported by evidence of $22 million arriving in a BlackCat/Alphv bitcoin wallet. 

Or it could be an exit scam being perpetrated by BlackCat/Alphv to allow them to get a second bite of the cherry… Nevertheless, the implication, currently unconfirmed by Change Healthcare, is that the HDO quietly paid a $22 million ransom to prevent confidential data leakage and obtain decryption keys.

Claroty/Team82’s argument is that any attempt to secure the individual devices within a healthcare network should be supported by network segmentation. “Segmentation is a paramount strategy,” says the report. “Isolate connected medical devices – patient and surgical – from corporate networks. This would mean that if any specific device is compromised, the attacker could be constrained, and the damage limited.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Ransomware

A SaaS ransomware attack against a company’s Sharepoint Online was done without using a compromised endpoint.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Data Breaches

Sony shares information on the impact of two recent unrelated hacker attacks carried out by known ransomware groups. 

Ransomware

Several major organizations are confirming impact from the latest zero-day exploits hitting Fortra's GoAnywhere software.

Data Breaches

KFC and Taco Bell parent company Yum Brands says personal information was compromised in a January 2023 ransomware attack.

Ransomware

Alphv/BlackCat ransomware group files SEC complaint against MeridianLink over its failure to disclose an alleged data breach caused by the hackers.

Ransomware

Johnson Controls has confirmed being hit by a disruptive cyberattack, with a ransomware group claiming to have stolen 27Tb of information from the company.