June 23, 2021

The State of Healthcare Cybersecurity: VMware Security Business Unit Explores the Surge in Cyber Threats

Written by Samantha Mayowa

On the frontline of the pandemic, perhaps no industry was impacted and forced to innovate and transform as quickly as healthcare in 2020. Whether it was the rapid development of COVID-19 testing technology or the explosion of telehealth, healthcare organisations accelerated digital transformation in record time. But with these innovations came new and unprecedented security vulnerabilities that cybercriminals quickly looked to exploit and profit from.

Healthcare in Crisis: A Look Back at 2020

To help understand the state of healthcare cybersecurity, we took a look back at 2020 and found that there were 239.4 million attempted cyberattacks targeting VMware Security Business Unit healthcare customers. We also found an average of 816 attempted attacks per endpoint in 2020, a staggering 9,851% increase from 2019. The surge in attacks began as early as February just as the pandemic started to spread worldwide. From January to February, the number of attempted attacks shot up by 51% as cybercriminals set their sights on vulnerable healthcare organisations that were navigating tremendous changes in the way they operate and treat patients.

In the latter half of the year, we saw the attempted attacks per endpoint peak with an 87% increase from September to October. The timing of this significant spike corresponds with the October alert from the Cybersecurity and Infrastructure Security Agency (CISA), which warned of increased cyberattacks by a Ryuk ransomware gang specifically targeting healthcare organisations.

“Amid the pandemic, cybercriminals now have limitless attack methods,” said Rick McElroy, Principal Cybersecurity Strategist at VMware Security Business Unit. “Whether it is using tried and true malware like EMOTET or using BitLocker to ransom systems, malicious actors continue to gain ground. The FBI, Department of Homeland Security (DHS), and other federal agencies have all issued warnings about the surge in cyberattacks against healthcare organisations.”

We are now also seeing “secondary infections,” which are leveraged to facilitate long-term cyberattack campaigns, happening across the digital healthcare supply chain and have led to a surge of extortions and helped fuel a cybercrime market. Our research found protected health information (PHI) being bought and sold on dark web markets as cybercriminals look for the easiest way to cash in on data.

A Ransomware Pandemic

In 2020, we saw ransomware go mainstream. The wide-reaching impact of ransomware has been assisted largely by way of affiliate programs. Many ransomware groups offering ransomware-as-a-service (RaaS), making the deployment of ransomware easily accessible to millions of cybercriminals who previously did not have the tools to carry out these attacks. Compounding these risks is the adage of affiliate programs for ransomware groups, providing new and unique ways for malware operators to have others deploy their payloads for a cut of the eventual profits.

“As RaaS explodes in popularity on the crimeware forums, cybercriminals are finding new and unique ways to deploy ransomware across organisations,” said Greg Foss, senior cybersecurity strategist at VMware Security Business Unit. “Similar to how spies are recruited for espionage against government agencies, regular everyday people with access to high-value targets can be recruited to deploy malware. Often, they are lured through offers of significant sums of money or even a percentage of the ransomware payout, with some offering hundreds of thousands of dollars per victimised organisation. Affiliate programs and partnerships between ransomware groups have also become a common occurrence alongside the general recruiting of insiders. These affiliate programs look to partner with initial access brokers – criminals that specialise in breaking into organisations and subsequently sell direct access and other ransomware gangs to improve their tradecraft, furthering their reach and overall profitability.

The above image taken from the dark web is a recent example of a recent post by the ransomware group, Darkside, actively looking for affiliates to add to their operation.

Throughout 2020, we have seen expansions in the use of ransomware with some threat actors repurposing ransomware for use as pure wipers, wherein the decryption keys will be able to recover the lost data, and more recently in Denial-of-Service (DoS) attacks, impacting core services that citizens rely on every day. There is no sign of these groups slowing down. We are witnessing the exact opposite, with groups beginning to collaborate at an unprecedented scale, share stolen resources, and even combine forces.

“COVID-19 test results are a hot commodity on the dark web right now, mostly in the form of large data dumps,” said Greg Foss. “An interesting component around today’s ransomware attacks is that underqualified, lesser-known cybercriminal groups are behind them thanks to the rise in RaaS. All it takes is a quick search on the dark web for someone to license out a ransomware payload to infect targets. Today, it’s unfortunately just as easy to sign up for a grocery delivery service as it is to subscribe to ransomware.”

The above image taken from the dark web shows patient data for sale, specifically related to COVID-19 test results, appointments, and other PHI.

The Rise in Secondary Extortion

Ransomware groups have widely adopted double extortion as a core tactic to ensure profitability. By taking time to quietly exfiltrate sensitive information from the organisation, cybercriminals gain incrementally significant leverage on their victim organisations, forcing organisations to not only pay to decrypt their content but also prevent potentially harmful data from being sold or otherwise publicly disclosed. Thus, significantly increasing the impact and damage that ransomware groups can inflict upon their victims and sending a stark warning to others to protect their networks from this ever-evolving threat.

How to Fight Back: Three Security Recommendations for Healthcare CISOs

For healthcare organisations, understanding the evolving threat landscape is half the battle. Now that CISOs have a grasp of what they are up against, there is a key defence that should be in place. Here are three best practices to help CISOs stay one step ahead of attackers:

Next-generation Antivirus (AV): CISOs can start by ensuring their endpoint protection solution incorporates defences for each phase of ransomware attacks: the delivery, propagation, and encryption stages. Today, traditional AV focuses mostly on the delivery stage, but this leaves a security gap with new malware. To detect and stop these attacks from propagating, solutions should also track endpoint activity to root out common behaviours such as privilege escalation and lateral movement, and finally prevent encryption by employing decoys and protecting local files and critical boot sequences.

Endpoint Protection: CISOs need an endpoint protection solution that easily scales and deploys to new users. The inability to rapidly provision new remote endpoints is another vulnerability and break in security postures. Healthcare organisations need the ability to easily provision access to new users while maintaining data privacy, compliance, and security practices. Siloed and on-premises security products increase complexity and delay progress in standing up and securing remote workers. Endpoint cloud helps organisations transform security with cloud-native endpoint protection that eliminates many of the time and resource-consuming barriers that often slow down deployments. The solution also offers security teams the full visibility and control required to help prevent, detect, and respond to endpoint threats.

IT Tracking Tools: For CISOs to understand any area of vulnerability it is important to employ a solution that enables organisations to assess and harden system state. It is much easier to patch and prevent attacks than it is to remediate them. When it comes to helping prevent ransomware attacks, solutions that offer automated reporting to track configuration drift will help ensure environments stay as secure as possible. A cloud audit and remediation solution allows security teams to easily track drift and comes ready with built-in response tools to apply updates or run scripts for full remediation in minutes.

Securing Healthcare Organisations in 2021 and Beyond

The pandemic has brought about not only operational and patient challenges but also new cybersecurity threats and vulnerabilities for healthcare organisations. For CISOs and security leaders, it is time to ensure the proper security controls are in place as new technology is implemented to support remote work, patient care and more.

Healthcare organisations will continue to be extorted by cybercriminals looking for a payday or to monetise medical and patient data. As we move forward, it is critical to pay close attention not only to how these criminals achieve their goals but also to how we respond to these threats. We must continue to leverage organisations like the H-ISAC to bring the industry together and enable real-time collaboration and threat intelligence sharing. Our 2020 findings should serve as a starting point for a discussion between the cybersecurity community and the defenders of the healthcare sector on how to best collaborate and ensure patient care are not disrupted by cyberattacks.