Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/30/2020
04:00 PM
50%
50%

Healthcare Targeted By More Attacks But Less Sophistication

An increase in attacks targeting healthcare organizations suggests that perhaps new cybercriminals are getting into the game.

Healthcare organizations are experiencing an increase in probes and fraud attempts against their businesses and suppliers, but the attacks appear not to be very sophisticated, security experts said this week.

Organizations, for example, saw a 30% increase last month in the number of COVID-19-themed phishing sites and lures, but they have not seen a commensurate increase in the number of successful breaches, according to the Healthcare Information Sharing and Analysis Center (H-ISAC). The mix of more but less sophisticated attacks has led to a greater number of investigations – yet about the same number of breaches, says Michael Hamilton, chief information security officer at cybersecurity-response firm CI Security. Half of the company's client base is made up of healthcare firms, he says.

"The downturn in the global economy has likely led some people into cybercrime, so it's not surprising that we are seeing more attacks but not necessarily by more sophisticated actors," he says. "I think there is a reluctance to single out hospitals right now by a lot of the threat actors, however."

Healthcare companies have struggled with securing their networks, and the recent chaos caused by the coronavirus pandemic and managing the response at hospitals and clinics has left cybersecurity as a secondary concern.

More than 80% of healthcare firms, for example, have medical imaging equipment and devices running older, unpatched operating systems, according to Palo Alto Networks

In addition, external indicators of cybersecurity have dropped, according to SecurityScorecard, a cybersecurity ratings firm that attempts to replicate attacker reconnaissance and rate firms on their apparent cybersecurity posture. The cybersecurity score of the Department of Health and Human Services has dropped from 88 last year to 72 this past month. The healthcare industry as a whole has lower scores than other most other industries, says Alex Heid, chief research officer at the company.

"There has not been a lot of movement, either up or down, for the healthcare industry. They pretty consistently have a low score, a C+/B- average," he says.

Because hospitals have had to cancel elective surgeries and turn away many categories of patients, budgets are tight. While some IT workers are often cut during a downturn, cybersecurity teams will likely remain in demand because of the massive changes happening to IT infrastructure, Heid says.

"Any time there are budget cuts due to anything, IT is often the first to go," he says. "[But] I don't think they will because of the work-from-home stuff. The need for cybersecurity during times of panic or crisis [is] always significant."

While some ransomware groups are avoiding attacks against healthcare firms, others are continuing their efforts, with 14% of attacks in the first quarter targeting the healthcare sector. In February, for example, health-administration tool maker NCR Health acknowledged it had been compromised by ransomware.  

Attempts at outright fraud have not abated, says CI Security's Hamilton. Business e-mail compromise and spear-phishing that target accounts payable with invoices have continued unabated, with attackers looking to cash in on the confusion but not disrupt operations in the same way that ransomware does.

"The confusion and the need for immediate procurement is making some health organizations the victim of outright theft," he says. "They know the stuff they need to buy, and they are getting offers on fake invoices. That type of activity has not gone away."

The H-ISAC has warned healthcare organizations that attackers also continue to seek vulnerabilities in common virtual private network (VPN) devices and software from Citrix, Pulse VPN, and Microsoft's Remote Desktop Protocol, says Errol Weiss, chief security officer for the H-ISAC.

"Health-ISAC continues to warn our members about on-going cyber attacks," he says. "We're also working closely with several volunteer information security research and cyberthreat intelligence groups and sharing threat indicators we derive from partnerships with the CTI League and the Cyber Threat Coalition, just to name a few."

While healthcare companies may be prepared for such attacks, hospital suppliers are often vulnerable since their cybersecurity programs lack the maturity of larger firms. 

"The supply chain is an easier mark," Hamilton says. "All the large firms have their shields up at this point. But if you get into a vendor and leverage a position of trust, it's like finding an unlocked window."

One factor in being a target of cybercriminals: The healthcare industry has a reputation for paying ransoms, SecurityScorecard's Heid says. Until the industry commits to not paying ransoms, attackers will continue to target them with ransomware.

"Yes, healthcare companies need to stay up and running and providing services, but when they get hit, they pay," he says. "That's a problem."

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Election Security in the Age of Social Distancing."

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
homerepair
50%
50%
homerepair,
User Rank: Apprentice
5/13/2020 | 4:57:02 AM
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
4/30/2020 | 6:10:36 PM
Understandably So...
Being a Security Engineer who has worked in Healthcare I can easily explain why (at a highlevel). The landscape has gotten better but the relationship used to be this: Does the make the healthcare professionals job change an iota? If the answer is yes then without a large degree of support from executive leadership its not getting done. This has definitely changed but not to the degree of other industry sectors. 

It is understandable that patient care is of the utmost importance but it is also imperative that we secure their data in the best way we can. Protecting both their physical and personal wellbeing.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/3/2020
Stay-at-Home Orders Coincide With Massive DNS Surge
Robert Lemos, Contributing Writer,  5/27/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20811
PUBLISHED: 2020-06-03
An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.
CVE-2019-20812
PUBLISHED: 2020-06-03
An issue was discovered in the Linux kernel before 5.4.7. The prb_calc_retire_blk_tmo() function in net/packet/af_packet.c can result in a denial of service (CPU consumption and soft lockup) in a certain failure case involving TPACKET_V3, aka CID-b43d1f9f7067.
CVE-2020-13776
PUBLISHED: 2020-06-03
systemd through v245 mishandles numerical usernames such as ones composed of decimal digits or 0x followed by hex digits, as demonstrated by use of root privileges when privileges of the 0x0 user account were intended. NOTE: this issue exists because of an incomplete fix for CVE-2017-1000082.
CVE-2019-20810
PUBLISHED: 2020-06-03
go7007_snd_init in drivers/media/usb/go7007/snd-go7007.c in the Linux kernel before 5.6 does not call snd_card_free for a failure path, which causes a memory leak, aka CID-9453264ef586.
CVE-2020-4026
PUBLISHED: 2020-06-03
The CustomAppsRestResource list resource in Atlassian Navigator Links before version 3.3.23, from version 4.0.0 before version 4.3.7, from version 5.0.0 before 5.0.1, and from version 5.1.0 before 5.1.1 allows remote attackers to enumerate all linked applications, including those that are restricted...