As the world races towards a coronavirus vaccine, the healthcare industry has remained a focal point for cybercriminals. While threat actors have consistently targeted the industry, references to healthcare on the underground have increased due to the pandemic. According to data taken from Sixgill’s portal, references from January through September 2020 increased by 52% compared to all of 2019. This year, a spike in references on the underground occurred in March 2020, coinciding with closures related to the pandemic. Approximately 30% of the references occurred in March and April.
Figure 1: References to the healthcare industry on the underground in 2020 taken from Sixgill’s Investigative Portal, with a spike in March 2020
Moreover, this year also marked another escalation: a September ransomware incident impacting the Düsseldorf University Hospital in Germany could mark the first reported death indirectly caused by a ransomware attack. Meanwhile, in late September, the health system Universal Health Services, which operates over 400 facilities across the US and UK, was also hit by a ransomware attack, reportedly impacting networks in 250 of its US facilities. This could potentially mark one of the largest healthcare-related cyber-attacks in US history.
In this context, the deep and dark web offers fertile ground for threat actors to share and discuss exploit code for vulnerabilities that can impact critical infrastructure, leading to dangerous and even deadly consequences. Malicious discourse on the underground relating to the healthcare industry generally falls into the following categories: selling or sharing compromised PII and medical records, offering access to healthcare systems that can be used in future attacks (such as ransomware), and exploits targeting medical devices.
Why is healthcare data so valuable on the dark web? Stolen medical records can provide the whole spectrum of PII, which in addition to date of birth (DOB) and Social Security number (SSN) can also include credit card information, driver’s license, health insurance, medical and family history, and other Protected Health Information (PHI).
The extensive variety of information gives a threat actor a level of versatility when it comes to exploiting the data for attacks. The information can be used for wide-ranging and targeted phishing attacks, identity fraud, account takeover, fake identification, credit card theft, and more.
Take, for example, the following threat actor, who displays the fields available in a patient-information database they are selling, including a spouse’s drug allergies, employer’s address, x-ray date, and specific injury-related information. Provided with this information, it would not be hard for a fraudster to impersonate a hospital employee.
Figure 2: A threat actor posting the patient data available in a leaked database
Oftentimes, the targeting of a healthcare institution on the underground can start with simple requests for information about hospital employees. With these leads, a threat actor can conduct a spearphishing campaign, potentially resulting in the acquisition of data or network access. In an underground forum, a threat actor posted a database of “Hospital Decision Makers” for $100. This could also be used for a CEO scam, impersonating hospital leadership to trick employees. Even limited leaked data, such as email lists, can be used for broader attacks.
Figure 3: A threat actor selling a hospital decision-makers database for $100
One of the more debilitating attacks on a healthcare system is ransomware, where threat actors gain access to network servers. This can be done in a number of ways, including exploiting software vulnerabilities, phishing emails, and the targeting of Remote Desktop Protocol (RDP) connections.
The attack surface for threat actors during COVID-19 has increased, as many medical professionals may be working from home with the rise in telehealth and virtual care. RDP connections allow health professionals to work from home and access their organization’s internal network. During the first nine months of 2020, mentions of RDP on the underground increased by 44% compared to all of 2019.
In this context, threat actors have been targeting RDP connections and offering to sell that access. In a prominent dark web forum, the following threat actor is auctioning RDP access to an American hospital starting at $500, highlighting that the access includes patient records.
Figure 6: A threat actor auctioning RDP access for a hospital starting at $500
By providing that initial access, the threat actor is essentially handing over the entry point to a ransomware operator. This intermediary business can be lucrative for actors trying to monetize on potential ransomware attacks without being dependent on a ransom payment. A ransomware group may be drawn to target a large network with many machines and servers, which could place higher pressure on the organization for a ransom payment.
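Because RDP access is the commodity being sold in the listings above, the practical check a defender wants is visibility into who is actually logging in over RDP. The script below is an added example, not code from the Sixgill report: it scans Windows Security logon events (4625 failures and 4624 successes with LogonType 10, which is how RDP sessions appear) and flags a burst of failures from one source, a success following such a burst, and any successful RDP logon from outside a trusted source range. The event records, the `TRUSTED_SOURCES` range and the thresholds are all assumptions constructed for the example; in practice the events would come from an exported log or a SIEM query rather than an inline list.

```python
"""Flag suspicious RDP logon activity in Windows Security events.

Added example, not part of the original post. It assumes the events have
already been exported as dicts carrying the fields EventID, TimeCreated,
LogonType, TargetUserName and IpAddress; the records below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# RDP sessions are recorded as LogonType 10 (RemoteInteractive).
RDP_LOGON_TYPE = 10
FAILED, SUCCESS = 4625, 4624
WINDOW = timedelta(minutes=10)     # sliding window for counting failures
FAIL_THRESHOLD = 5                 # failures in WINDOW that count as a burst
# Hypothetical allow-list: the VPN pool from which clinicians are expected to RDP.
TRUSTED_SOURCES = [ip_network("10.50.0.0/16")]

SAMPLE_EVENTS = [  # constructed sample data, not real log entries
    {"EventID": 4625, "TimeCreated": "2020-09-20T02:01:10", "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2020-09-20T02:01:25", "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2020-09-20T02:01:40", "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2020-09-20T02:01:55", "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2020-09-20T02:02:10", "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "203.0.113.7"},
    {"EventID": 4625, "TimeCreated": "2020-09-20T02:02:25", "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "TimeCreated": "2020-09-20T02:02:40", "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "203.0.113.7"},
    {"EventID": 4624, "TimeCreated": "2020-09-20T08:15:00", "LogonType": 10, "TargetUserName": "nurse1", "IpAddress": "10.50.3.9"},
    {"EventID": 4624, "TimeCreated": "2020-09-20T08:20:00", "LogonType": 2, "TargetUserName": "admin", "IpAddress": "-"},
    {"EventID": 4625, "TimeCreated": "2020-09-20T09:00:00", "LogonType": 10, "TargetUserName": "drlee", "IpAddress": "198.51.100.4"},
]


def parse_event(raw):
    """Normalise one exported event; IpAddress is '-' for local logons."""
    ip_text = raw.get("IpAddress", "-")
    return {
        "event_id": int(raw["EventID"]),
        "time": datetime.fromisoformat(raw["TimeCreated"]),
        "logon_type": int(raw["LogonType"]),
        "user": raw["TargetUserName"],
        "ip": None if ip_text in ("-", "") else ip_address(ip_text),
    }


def analyze(events):
    """Return (finding, source_ip, user) tuples for suspicious RDP activity."""
    parsed = sorted((parse_event(e) for e in events), key=lambda e: e["time"])
    recent_failures = defaultdict(deque)  # source ip -> timestamps of failures
    findings = []
    for e in parsed:
        if e["logon_type"] != RDP_LOGON_TYPE or e["ip"] is None:
            continue  # only remote RDP logons are of interest here
        src = e["ip"]
        q = recent_failures[src]
        while q and e["time"] - q[0] > WINDOW:
            q.popleft()  # forget failures that fell out of the window
        if e["event_id"] == FAILED:
            q.append(e["time"])
            if len(q) == FAIL_THRESHOLD:  # report the burst once, when reached
                findings.append(("brute_force", str(src), e["user"]))
        elif e["event_id"] == SUCCESS:
            if len(q) >= FAIL_THRESHOLD:
                findings.append(("success_after_failures", str(src), e["user"]))
            if not any(src in net for net in TRUSTED_SOURCES):
                findings.append(("untrusted_source", str(src), e["user"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding)
```

The three findings the sample produces are the signal that matters in the scenario the report describes: a password-guessing burst against one account, a logon that succeeds right after it, and the fact that the session came from an address no clinician should be connecting from. Each of those is a reason to put RDP behind a VPN or gateway with multi-factor authentication rather than exposing it directly.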
While no vertical appears immune from ransomware attacks, the healthcare industry is under unique pressure to resolve the issue immediately, which could require paying the ransom. Needing access to medical records and hospital systems while a patient may be in a life-threatening emergency creates a sense of urgency that may not be present in other industries. This time-sensitive factor produces a heightened motivation for threat actors, which can lead to successful results. In June, the University of California, San Francisco (UCSF) medical school paid $1.14 million to ransomware operators after their systems were encrypted. UCSF is a leading medical research institution working on a cure for coronavirus. Healthcare organizations are under increased pressure not only from dealing with COVID-19, but also from needing to contend with HIPAA and GDPR violations for data leaked as a result of ransomware attacks.
Hospitals provide a unique attack surface for threat actors, as medical devices can provide many entry points in targeting an organization. Medical IoT devices offer healthcare professionals the ability to remotely manage, monitor, and deliver healthcare that can ultimately improve the quality of patient care. The more connected devices, the larger the potential attack surface, as one vulnerable device can lead to compromising others.
Medical devices are set up for patient safety, and to be continuously running due to operational requirements, which puts added pressure on what are oftentimes understaffed IT teams. Such devices were not developed with security in mind and may, for example, have weak password and authentication controls. A device is expected to have a long life cycle, which can result in some operating systems becoming outdated. Legacy systems are prime targets that make the healthcare industry vulnerable.
With this in mind, threat actors have also provided guides about how to decide what to target, and where the most vulnerabilities can be found. In one underground forum, a threat actor suggests that vulnerabilities that are good for exploitation include those in devices from manufacturers that have stopped supporting the device and are no longer releasing patches.
Figure 11: A threat actor provides differing strategies in searching for and hacking vulnerable IoT devices.
Moreover, identifying a vulnerability and then employing a botnet could have widespread implications, including DDoS attacks, obtaining confidential information, mining for cryptocurrency, and reducing the efficiency of a device. Botnets specifically targeting insecure IoT devices are popular on the underground and frequently shared.
The healthcare industry faces unique cyber security challenges. Patient data is very sensitive and requires protections, which have legal and financial implications if there are breaches and violations under HIPAA or GDPR.
Nevertheless, medical records oftentimes need to pass through the hands of many different parties, and can be shared among hospitals, outpatient clinics, and insurance companies, increasing the potential opportunities for data to be compromised. Given the versatility of what can be done with a leaked medical record, they will continue to be a valuable commodity on the underground.
Given the myriad security challenges, coupled with low IT budgets, organizations must ultimately weigh those risks against the costs associated with breaches. In addition to the general costs that can be incurred by ransomware, which include legal fees and potential settlements, remediation, and investigations, healthcare has an added cost in HIPAA penalties. Anthem, Inc. paid out $16 million in HIPAA violations after the 2015 exposure that left 79 million patients’ PHI exposed. When it comes to mitigating costs associated with breaches, companies employing automated security solutions reduced those costs by an average of $3.58 million. In the long run, investing in a solution that encompasses threat intelligence pays off.
Download the full threat report, Not What the Doctor Ordered: Healthcare on the Underground, to learn more about dark web threats to the healthcare industry and how healthcare institutions can keep their critical assets and, more importantly, their patients, safe and secure.