FBI: Hackers Are Extorting Plastic Surgery Providers, Patients

Cybercriminals are stealing medical records from plastic surgery offices to extort doctors and patients.

On Oct. 17, the FBI published a rather bespoke public service announcement aimed at plastic surgery providers, indicating that hackers have been targeting their industry specifically. Their idea, it seems, is to capitalize on the sensitive nature of these procedures, threatening to publish personal information and explicit photographs in order to get both providers and their patients to pay up.

In the last several months, plastic surgery providers have reported data breaches in California and South Dakota. The trend extends beyond US borders, as plastic surgeons in Brazil and the UK have been hit in recent years with ransomware extortion as well.

It's only the latest evidence of a much broader, deeper issue in healthcare cybersecurity.

"There was a time when malicious actors would 'take it easy' on healthcare providers," says Shawn Surber, senior director of technical account management at Tanium. "However, in the last couple of years, that type of behavior has changed and more healthcare accounts are coming under full attack."

Plastic Surgery Cyberattacks

As Surber points out, "targeting plastic surgeons and their patients makes a lot of financial sense. Plastic surgery is a lucrative and largely pay upfront business. This means that both the surgeon and patients generally have significant disposable income and are interested in protecting their privacy more against embarrassment than concerns about identity theft."

Then, there are the issues that plague any independent practice. "They're small offices with limited, usually contracted IT support, and they often partner with private surgery centers who have similar limitations. This means that the physician and the surgery center are also potentially communicating outside of traditionally secure channels — like using personal or Web-based email, for example — creating further opportunities for malicious actors to intercept data, credentials, and intelligence."

Hackers are taking advantage of all of these security shortcomings, with what the FBI is characterizing as three-phase attacks.

First, the attackers conduct phishing attacks, deploying malware for the purposes of harvesting sensitive patient information and photos.

Next, they "enhance" the data they've collected by pulling more information about patients from social media, or via further social engineering.

With everything they need in-hand, the attackers contact both patients and their providers, requesting payment in exchange for not sharing the harvested data online. This is where the data "enhancement" comes into play. Beyond publishing the data to a public-facing website to exert extra pressure on victims, the attackers share some of the data with family, friends, and colleagues, promising to stop only once they've been paid.

How Doctors and Patients Can Defend Themselves

In its advisory, the FBI offered a few security tips for patients, including practicing good password hygiene, monitoring for suspicious bank account activity, and applying strict privacy settings on social media accounts, to prevent unknown individuals from learning more about you or even posting to your page.

For providers, on the other hand, a few helpful tips won't be sufficient.

"Unfortunately, their infrastructure remains weaker and less cohesive than that of other industries. Add to that the accelerating mergers and acquisitions process in order to keep health systems afloat, and it's become the perfect hunting ground for malicious attackers," Surber laments.

And as bad as extortion is, cyberattackers with the same kind of access to health systems can also do far worse, putting lives at risk by infecting critical devices or otherwise shutting down entire systems.

In lieu of better protections, more stringent regulations, or more funding, Surber offers one potential direction for the industry to pursue.

"I'm of the opinion that healthcare providers need to be more organized into a critical infrastructure working group, with standards of security and group pricing available to them in a managed service model," he suggests. "It certainly won't be a cheap solution, as there are tens of thousands of providers in the US alone. But perhaps if they were all working together effectively, we could see our way to a future where they're not alone and vulnerable. A future where their systems are maintained and updated continuously, and they're alerted as things happen rather than when they get an extortion demand."