Why are hackers targeting healthcare providers?

The “fluid and always-evolving nature of a patient's medical care and because of the number of clinicians, facilities and transactions required to connect patient care across multiple settings” makes the healthcare industry uniquely vulnerable to these attacks, as explained by Ross Koppel and Craig Kuziemsky in their article Healthcare Data Are Remarkably Vulnerable to Hacking: Connected Healthcare Delivery Increases the Risks.

There is also a more pressing risk beyond data breaches. Unlike other cyber threats, these attacks can have a tangible impact on human life. For example, a ransomware attack could hit a hospital and affect a laptop controlling a heart bypass machine, putting the patient's life in immediate danger. The urgency of this potential deadly impact makes the healthcare industry a more appealing target as the pressure to mitigate an attack makes providers more likely to race to meet ransom demands.

Cloud security risks for healthcare companies

Although the cloud offers benefits like streamlining collaboration across departments and enhancing efficiency, which are vital in the healthcare sphere, the adoption of convenient cloud based data management puts said data at risk. 

According to research from Blanco, only 57% of organizations have a schedule to review different data types in order to determine end-of-life (EOL). This study also found that 28% use the “blunt” approach of automatic expiration date setting. Though this ensures that all of the data is assessed, this approach doesn’t take into account the needs of different classes of data.

Additionally, inadequate data management or protection means that sensitive data is left vulnerable to hackers. With 61% of healthcare providers reporting cyber attacks against their cloud infrastructure in 2022, protecting this data and ensuring a robust protection for data stored in the cloud is crucial.

A lack of proactive management and lack of healthcare provider understanding of risks relating to end-of-life (EOL) may be responsible for increased vulnerability within the healthcare sector. Improved awareness among healthcare providers regarding EOL risks, through targeted training on risk reduction and compliance, could help prevent such security issues.

Ransomware attacks against healthcare providers

Speaking of the importance of protecting data, recent ransomware attacks have targeted large and small healthcare companies alike in order to steal sensitive patient information and extort the companies for its return. 

In a notable incident in November 2023, US healthcare giant McLaren confirmed that more than 2 millions patients' sensitive data was stolen in the latest attack. The compromised data included full names, birth dates, social security numbers, medical information, billing claims, diagnosis data, prescription and medication details. The data breach also extended to Medicare and Medicaid information, and, according to TechCrunch, hackers were able to access McLaren’s password manager, internal financial statements, employee information, and more. 

The notorious BlackCat ransomware gang, also known as ALPHV,  claimed responsibility for these attacks and suggested they were in negotiation for the information’s release with McLaren.  However, the group provided no evidence to support their claims, and McLaren opted not to disclose further details beyond its initial public statement.

BlackCat also claimed responsibility for another ransomware attack in November 2023 against Fortune 500 healthcare organization, Henry Schein. The ransomware gang asserted that they were able to take 35TB of data during the attack.

While it initially appeared that Henry Schein and BlackCat came to an agreement during negotiations, however, before restoration was completed, BlackCat re-encrypted the data. This led to a breakdown in negotiations, with BlackCat publicly releasing payroll data and shareholder folders on their public collections blog, and threatening to continue to release more data daily. 

Despite this initial breakdown and release of data, BlackCat later deleted all previously released Henry Schein information from its website, suggesting that the two had reached an agreement.

In a separate but no less disruptive incident also in November 2023, Ardent Health Services, a healthcare provider operating 30 hospitals across six U.S. states, released a statement saying that its systems had been hit by a ransomware attack. 

In response, the company promptly took its network offline, hired external experts to investigate the attack and notified law enforcement. The affected hospitals were forced to divert patients requiring emergency care to other local hospitals; though they were able to continue to provide medical screening and emergency stabilizing care. As of its latest statement, Ardent Health Services has not confirmed any compromise of patient health or financial data during the attack.

Hackers exploit software vulnerabilities

Hackers employ various strategies to gain unauthorized access to healthcare provider networks by exploiting software vulnerabilities in a number of ways. One of the most common ways hackers are able to gain access is through the use of remote desktop tools. 

A major example of this was the compromise of ScreenConnect, a widely used remote desktop tool, belonging to Transaction Data Systems (TDS). TDS is a pharmacy supply chain and management systems solution provider with offices in all 50 states in the United States.

While the initial access method remains unidentified, research from the security platform Huntress confirmed that attackers leveraged this access to deploy malware on endpoints within two distinct organizations—one in the pharmaceutical sector and the other in healthcare.

In a separate incident, ransomware threat actors know as ‘Clop’ were able to steal sensitive data belonging to The Colorado Department of Health Care Policy & Financing (HCPF). This breach is part of the broader MOVEit supply chain attack, posing a risk to the data of approximately four million customers. MOVEit is a managed file transfer (MFT) program used by many high-profile organizations to share sensitive data securely.

The Colorado Department of Health Care Policy & Financing, utilized MOVEit through its third-party contractor IBM. Bleeping Computer reports that HCPF manages the Health First Colorado (Medicaid) and Child Health Plan Plus programs, as well as support for low-income families, the elderly, and people with disabilities, putting this incredibly sensitive data at risk. 

The data stolen in the attack includes full names, Social Security Numbers, income information, demographic data, birth dates, postal addresses, and other contact information. Medicaid and Medicare ID numbers, as well as health and health insurance data, were also stolen. This  information holds substantial value on the black market and can fuel activities like identity theft, potentially leading to spear phishing, tax fraud, wire fraud, and other malicious exploits.

Malicious actors steal sensitive data for extortion

Healthcare providers need to store sensitive data and images in order to deliver the most comprehensive care to patients. Unfortunately, sensitivity of this data makes it incredibly attractive to malicious actors who are able to use this data to extort both the healthcare providers and patients themselves.

In March 2023, in an all-to-familiar modus operandi, BlackCat released sensitive photographs of cancer patients on the dark web after the Lehigh Valley Health Network refused to pay a ransom. Prior to the data release, BlackCat issued a message stating they had stolen patient data including nude photos, passports, and questionnaires, that they intended to publish if a ransom was not paid. The Lehigh Valley Health Network confirmed that the stolen information includes screenshots of clinically appropriate photographs of cancer patients receiving radiation oncology treatment at LVPG Delta Medix, as well as seven documents containing patient information.

Another notorious case of patient data being used against providers involved Australian health insurer Medibank. The company was hacked in October 2022, with ransomware gang REvil later linked to the cyber attack. The hackers publicly demanded a ransom from Medibank in return for not posting sensitive medical information online. Medibank refused to pay the ransom, leading to six gigabytes of data being posted online.

The data leaked included customer's names, birth dates, passport numbers, information on medical claims and sensitive files related to abortions and alcohol-related illnesses. The blog post has since been made unavailable, making it impossible to independently confirm the authenticity of the data leaked.

A statement regarding the data breach released by Medibank read: “While our investigation continues there are currently no signs that financial or banking data has been taken. And the personal data stolen, in itself, is not sufficient to enable identity and financial fraud. The raw data we have analyzed today so far is incomplete and hard to understand.”

An investigation into the cyber attack revealed that information from approximately 9.7 million customers was extracted from company endpoints, including health claims data related to an additional half a million customers. Medibank's CEO, David Koczkar, released a statement via LinkedIn, reassuring stakeholders that the criminal did not gain access to credit card and banking details or health claims data for extra services.

Later revelations disclosed that REvil had acquired sensitive data, including customer names, birth dates, passport numbers, details on medical claims, and files related to abortions and alcohol-related illnesses. The ransom demand amounted to a staggering $9.7 million, equating to a dollar for each affected customer.

The cyber attack concluded when REvil made a post that read “case closed” to the dark web, and released a compressed folder that contained files amounting to over 5GB. According to the hackers, this was the around 200GB of customer data that had been stolen by the group. Initial analysis by Medibank also implied that this was the case.

How healthcare organizations can secure their networks

In light of the increasing proliferation of ransomware attacks, how can the healthcare industry increase resilience and mitigate risk?

Due to the complexity of the many moving parts of a healthcare network, safeguarding Internet of things (IoT) devices, especially high-value assets like MRI and CAT scanners, is particularly challenging. However, steps can still be taken to ensure the best possible security. 

An effective option is adopting a Unified Secure Access Service Edge (SASE). Unified SASE seamlessly merges network security and wide area networking (WAN) functionalities into a unified cloud-native service. This can help address the main conflict the healthcare sector faces- balancing improving security and reducing costs. Security controls like micro-segmentation offered in Unified SASE help to limit the impact of future online attacks. This is particularly beneficial for healthcare providers with numerous interconnected devices, as it contains the threat is confined to a single network segment. 

In particularly high-risk situations, including ransomware attacks,  Unified SASE can identify and neutralize threats before they are able to steal data. This includes use of security measures like advanced threat protection and intrusion prevention. 

By consolidating multiple security services into a single platform, healthcare companies can optimize their security operations and decrease the cost of employing multiple security solutions. 

How to secure your data following a cyber attack

If your data has potentially been exposed in a cyber attack there are steps you can take to help secure your data.

Despite high-profile data breaches often involving large companies taking prevalence in the news, it's important to recognize that some of the most significant breaches of personal identity information stem from phishing schemes. This is a technique used by hackers which involves them mimicking a legitimate message that you might receive from a company or someone you know. Using this technique, hackers can either ask for personal information, including bank details,  as a direct response to the message or via a link to a legitimate-seeming website, or spread malware via innocuous-looking files.

To reduce the likelihood of being phished, ensure you are careful with every email you open and learn to identify potential phishing tactics, for example creating false urgency through fake emergencies or posing as someone in a position of power over you. This is referred to as social engineering and is specifically done to trick you into responding to the message without thinking too hard about whether it is legitimate. When in doubt, step away from the situation and analyze it logically - would this company or person request this of you? Is their email the one they typically use to send messages to you? Is their email or message worded in a way to induce fear, panic, anxiety or urgency? If you are still unsure as to whether the message is legitimate, it is always the best policy to contact the person or company who is allegedly contacting you either by a separate message channel or by calling them directly.

Another way to combat the threat of phishing is by installing antivirus software. Antivirus software helps combat cyber attacks and prevent information stealing by detecting and intercepting cyber threats before they can impact you. Some antivirus providers also offer identify theft protection, giving you an additional layer of security against malicious actors. Using antivirus is especially important if you work in a high profile industry and use a personal device to do so as cybercriminals will target the home computers and personal devices of those who work in these sectors in case they do any work from home or even check emails anywhere outside of the office. If malicious actors infiltrate your device, it can be very easy for them to move laterally across your network, infecting your colleagues with malware and wreaking additional havoc.

Another way to protect yourself from the fallout of data breaches is to use a password manager. Password managers help keep you safe by both generate more secure passwords as well as store your login credentials safely. By using secure, protected passwords for each account, this avoids catastrophe if one of your accounts is hacked as without repeat passwords or accessible documents including lists of passwords, hackers will be unable to access any of your other accounts. Some password managers also offer dark web monitoring, meaning you will be alerted if your data is leaked.

Another major way to ensure the security of your devices is to invest in a VPN. A VPN, or Virtual Private Network, is a tool that encrypts your online identity as you browse online. This means your history is not saved to your device, your connection is encrypted and you are protected from unsecured Wi-Fi networks.

By implementing these measures, you can secure your data and create a robust defense against cyber threats. In an ever-evolving digital landscape, proactive cyber security practices are essential to safeguard your personal information.

The best VPN in 2023

 Virtual Private Networks (VPNs) are an essential tool to ensuring you have robust cyber security on your personal devices.  Below is a summary of our top three picks.

How to pick a VPN to secure your device

Virtual Private Networks (VPN’s) encrypt your connection and protect your device from unsecured Wi-Fi networks- but with so many on the market it can be difficult to know which one is right for you. Here’s what to consider when choosing your VPN to meet your needs.

Features: review additional features offered that make the cost the most worthwhile to you. These include options like NordVPNs' built in ad blocking or Express VPNs 24/7 customer support.

Unblocking capability: Consider how important  unblocking streaming shows and movies is for you and consider a VPN which is able to unblock services like Netflix.

Simultaneous connections: Many VPN services limit the number of devices you can protect at any one time. Confirm how many devices you will need to protect and ensure your VPN provider covers this.

Apps: Think about how you would like to access your VPN. Depending on your device, you may be limited in your choice of what provider you can pick. For example, many VPN’s offer apps for Windows, Mac, iOS, and Android, however do not offer support for Linux, routers, and smart TVs.

Price: After considering the functionality you need for robust cyber security on your devices compare offers on VPN’s that meet your needs. Ensure you do not compromise on quality by reading our list of the best cheap VPN services.

How we test VPNs

Evaluating a VPN begins by collecting details on the service and its features from its website. We sign up as anonymously as possible and verify server claims by connecting to test locations.  We read through privacy policy documents and analyze the small print to ensure robust security and, where possible, test privacy claims. 

We test every VPN provider's speeds at least 120 times across two sessions, and use both a US home connection and a 1 Gbps UK data center to show us a provider's potential versus the real-world application. 

A good VPN should be able to unblock multiple streaming services. To check this, we try to access geo-exclusive content from Netflix, Amazon Prime Video, Disney Plus, and BBC iPlayer, repeating the test from three different locations around the world to get an idea of how the service performs in real life.  We carry out constant real-world testing to make sure our analysis is always accurate and relevant.

However, we don't just trust what we see on the surface of a VPN provider's website.We'll view the contents of its RAM, even decompile and browse its source code (if we can) to find out what's going on behind the scenes and whether the service gives genuine protection or just a false sense of security.

Read our full testing methodology on our VPN testing methodology page.

Using a VPN FAQs