Industry Insights with Adam Mansour


Evolving Ransomware Threats on Healthcare

The Risks of Operating Legacy Technology with Limited Security Resources

With a constant need to do more with less, digital transformation is crucial to healthcare organizations' ability to deal with issues like staffing shortfalls and the increased need for services while providing better patient outcomes.


Put simply: modern medicine needs technology. It’s become an essential tool in nearly every doctor’s bag. (And, quite frankly, vital to hospitals, clinics, insurers and the entire industry.)

Unfortunately, that dependence on IT, and the value of stolen healthcare data, makes healthcare organizations a prime target for cyberattacks, particularly ransomware. From 2020 to 2021, during the height of the COVID-19 pandemic, ransomware attacks on healthcare providers nearly doubled, with a majority of healthcare providers having been hit.

More recently, analysis and reports from the U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) have shown that the ransomware threat is not abating — and worse, is evolving.

“Ransomware remains a major threat to the health sector worldwide, with many healthcare organizations operating legacy technology with limited security resources,” the HC3 said in late 2021.

While healthcare as an industry is the most targeted by ransomware, health or medical clinics are by far the hardest hit. That is not surprising, given that these are the organizations most likely to lack in-house security resources and least likely to have made a significant investment in their security posture.

Paying Ransomware Only Makes Matters Worse

Healthcare organizations can’t afford to have their systems disrupted, falling back to 20th-century pen and paper (and not just because of the doctor’s handwriting). This is just what top ransomware groups — gangs — like Conti, REvil, and Hive are counting on.

That’s what may make some healthcare organizations quick to pay ransomware demands, even though paying does not guarantee that the information locked up or threatened with release won’t still be made public or sold on the dark web.

Ransomware Threats Targeting Healthcare Continue to Evolve

In 2022, threat actors evolved the tactics, techniques, and procedures (TTPs) used in their healthcare ransomware attacks.

One prolific gang targeting healthcare, FIN12, typically takes less than two days to execute its file-encrypting payload. It does this by skipping the data exfiltration stage most ransomware gangs use to increase their chances of getting paid. FIN12 goes straight for the jugular to avoid the chance of detection that comes with a lengthier dwell time.

Earlier this year, one healthcare financial services company breach associated with Quantum Locker Ransomware affected 657 providers and compromised more than 1.9 million patient records. For more info and help regarding this attack, see our blog, how to disrupt Quantum Locker Ransomware TTPs.

Fighting Fire with Fire: AI + Human Experts

Organizations need to act fast and rely on a combination of automated defenses, AI, and human defenders. Automated detection tools alone struggle with the emerging human-at-keyboard threat.

A protection-first managed detection and response (MDR) service uses agents at the endpoint to detect and block attacks and to forward logs to threat hunters, but that alone is not enough. Machine learning is used as the first line of defense, continuously monitoring for anomalous behavior and providing the analysis and data that human threat hunters then need to act on.

In the case of ActZero’s MDR, we have highly trained threat hunters investigate each detection — because, in a human-at-keyboard attack, bad actors will change their tactics once blocked. Our threat hunters are there to react and continue thwarting them when they pivot. Then it becomes human versus humans; hacker versus a well-equipped team of defenders.

The Need for Greater Security Investment in Healthcare

Security frequently gets deprioritized for solutions that are seen to affect patient care more directly. Investment in security comes piecemeal and reactively.

That’s just bad medicine. Investing proactively in the health of your organization’s cybersecurity is akin to the proactive steps one must take to avoid illness. Isn’t it far better for a patient with high blood pressure to take their meds proactively than to eventually need bypass surgery? Cybersecurity is no different; prevention is better than cure.

And just like when fighting living parasites, one needs the guidance and actions of experts to achieve a healthy defense against the growing ransomware epidemic.

Find out more about how ActZero can help you develop a healthier, more proactive cybersecurity posture with a complimentary Healthcare Ransomware Readiness Assessment, or, for a deeper dive into the cybersecurity issues facing healthcare organizations, check out our Modern Cybersecurity for Healthcare eBook.

About the Author

Adam Mansour


Chief Security Officer, ActZero

Mansour has over 15 years of experience in the cybersecurity sector. As chief security officer of ActZero, he drives the company's virtual chief information security officer and technology integration programs. His experience spans endpoint, network and cloud systems security; audits and architecture; building and managing SOCs; software development and resellership; healthcare, education, defense and financial organizations; and global enterprises of all sizes. Most recently, he served as VCISO at ActZero. Prior to that, Mansour was the founder and CTO of IntelliGO Networks (acquired by ActZero) and developed its proprietary MDR software. He also had key roles in managed security services for SIEM, NGFW and penetration testing performed by the company.
