The State of Healthcare Cybersecurity and the Dark Web Economy
There are few industries where the cybersecurity stakes are higher than in the healthcare space, with medical organizations running the risk of life-threatening disruptions at the hands of malicious actors. Beyond the more dire consequences, the sensitive nature of the data these organizations store (e.g. Social Security numbers, blood types and patient history) means that patients could become the victims of impersonation, fraud, theft and manipulation if their data were exposed through an insecure service provider.
Making matters worse, the healthcare industry has historically lagged behind other sectors in terms of cybersecurity practices. Recent incidents have been costly and high profile: the Quest Diagnostics breach left nearly 12 million patient records exposed, including credit card numbers, bank account information, medical information and Social Security numbers, and the Labcorp breach took place just a day after with similarly devastating effects. It is clear that hackers have no intention of shifting their sights away from healthcare organizations.
Indeed, research suggests cybercriminals’ interest in the sector is only growing, with 83 percent of healthcare CISOs surveyed in a recent Carbon Black study reporting an increase in cyberattacks over the past year and the average healthcare endpoint seeing 8.2 attempted attacks per month. It has never been more imperative to understand the threats these organizations are facing, their origins on the dark web and the potential steps they can take to protect themselves and, most importantly, their patients.
Hackers Upping Their Game
Understanding the current state of cybersecurity means acknowledging that hackers have been steadily getting better at what they do. In fact, 66 percent of respondents to Carbon Black’s recent survey acknowledged that they saw increasingly sophisticated cyberattacks over the past year, with 33 percent reporting instances of both island hopping and counter incident response. This is a concerning trend, as cybercriminals have become adept at leveraging vulnerabilities in third-party networks (as was the case in the Quest Diagnostics breach), allowing them to get to their primary target while covering their tracks and actively resisting security teams along the way. Beyond this, hackers have also become more prone to breaching organizations with the specific intent of destroying data, with 45 percent of surveyed organizations reporting such attacks.
Dark Web Origins
As important as understanding the types of cyberattacks the healthcare industry is facing is understanding the monetary incentives that motivate hackers. Currently, healthcare provider data is some of the most highly valued information on the dark web, alongside Personal Health Information (PHI), forged prescriptions, and health insurance login information. Cybercriminals seek this data for its unique profitability, as obtaining these materials opens the door for a number of different forms of cybercrime.
Being aware of which types of data hackers value is a good starting place, but in order to truly understand what they’re after, let’s look at why they value it:
- Provider Data: Most often this data comes in the form of administrative paperwork that would aid a hacker in forging a legitimate doctor’s identity. Once this information is obtained, a hacker can then sell it on the dark web to buyers who then pose as the doctor and submit fraudulent Medicare or insurance claims, or even claims for expensive, high-end surgeries, pocketing the cash and leaving the victims to deal with the costs. This type of data regularly sells at $500 per listing.
- Health Insurance Login Information: A hacker will first compromise a web server or credential database and then sell the target information to a buyer at a relatively low price. Before the data becomes obsolete or outdated, the buyer will then quickly log in and gain access to medical insurance information, possibly combining it with forged medical information to obtain services at the cost of the victim. Due to the high volume and turnover rate of this data, it often sells for as little as $3.25 on the dark web.
- Forged Prescription Labels: In these cases, the sellers are sent the necessary information for forging a prescription which they then share with their buyer. These forged documents can then be used to smuggle illicit drugs, as a trafficker can flash the prescription to justify their possession if asked about it by authorities.
- Personal Health Information: PHI is some of the most highly valued information because it is permanent and personal. As such, it is often worth three times as much as Personally Identifiable Information (PII). In the worst cases, this information is collected by malicious nation-state actors who then use it to blackmail or extort individuals.
A Healthier Cybersecurity Posture
Knowing the types of attacks healthcare CISOs are seeing, as well as the motivations behind them, the road ahead may seem daunting for leaders looking to secure their networks. But by following a set of key best practices, the healthcare industry can significantly up-level its security posture and make things harder for cybercriminals.
- Increase endpoint visibility: As hackers become more sophisticated and adept in their methods, CISOs need to start viewing the attack surface as including anything and everything that is connected within their organization. Medical-record systems, networked medical devices, payment processing systems and more are all fair (or rather, unfair) game, so be sure that if something is online, it’s on your radar as a security risk.
- Establish protection from emerging attacks: Again, owing to the increased attack surface, organizations need to use every tool at their disposal to detect and shut down attacks once they inevitably occur. From security tools to streaming analytics to training, leave no stone unturned.
- Run automated compliance and vulnerability assessments: With island hopping attacks as a constant risk, organizations need to regularly audit their network security and establish robust, quick-response procedures for remediation when gaps in the security infrastructure are identified.
- Work with healthcare-focused Managed Detection & Response providers (MDRs): One of the quickest and most efficient ways to improve organizational security posture is to turn to experts in the field. There are a number of service providers that specialize in healthcare security, and their wisdom and insights can help bring an organization’s cybersecurity into the 21st century.
- Back up your data: With cyberattackers infiltrating networks for the express purpose of destroying data, one of the best ways an organization can protect itself is to make sure that data is stored off-network for quick recovery in the event of a successful attack.
The Road to Recovery
Citing concerns around lack of budget, legacy systems, and an increasingly connected attack surface, the leaders of healthcare organizations have become increasingly aware of the dangers they face. In fact, 84 percent of surveyed healthcare organizations train their employees on cybersecurity best practices at least once per year, and nearly half (45 percent) conduct training multiple times per year. However, with the largest group (33 percent) of CISOs self-grading their security posture as a C, it is clear that significant work remains to be done. By improving understanding of the threats these organizations face, and where these threats come from, as well as incorporating the key best practices outlined above, we are confident that leaders in the healthcare industry will be able to secure their networks and help build a safer world for everyone.