It would be a tremendous understatement to say that the healthcare system is essential for both robust economic activity and individual quality of life. The size and nature of the sector demonstrate this fact. A significant societal and business challenge facing healthcare providers today is the quality of data and network security, which directly affects the quality of care [1].
Information provided by the American Hospital Association presently identifies 6,120 hospitals in the United States alone with a staffed bed capacity of 916,000 [2]. Additionally, there are approximately 10,728 urgent care centers throughout the country, according to Definitive Healthcare, plus thousands of small, private practices [3]. Within these facilities, “83.4% of adults…and 93.9% of children” account for more than 1 billion physician visits, per Centers for Disease Control and Prevention data [4]. Each one of these visits means doctors and other staff are opening, editing, transmitting, and storing records on each patient. The unfortunate fact of the matter is that each additional person who accesses sensitive patient data is another opportunity for a threat actor to intercept that information.
Threat actors are heavily targeting the healthcare industry because of the sensitivity of patient records and the total market capitalization of the sector. Research has found that medical records are the most expensive type of record sold on the dark web, commanding upwards of $250, while credit card or social security numbers fetch less than $10 on average (mosmedicalrecordreview [5], LinkedIn [6], medicaleconomics [7], NordVPN [8]).
Furthermore, the vast amount of money within the sector, estimated by the Centers for Medicare & Medicaid Services (CMS) to be $4.5 trillion, provides a lot of ‘opportunity’ for threat actors to skim some of it off for themselves [9]. As a result of the intensive targeting and the highly sensitive nature of the data, which in turn costs a lot to safeguard, the cost of a data breach in the healthcare industry dwarfs that of other sectors. When a healthcare provider experiences a data breach, the cost to remediate is more than double the average across all industries: $10.93 million versus $4.45 million respectively, according to The HIPAA Journal, citing the IBM Cost of a Data Breach Report [10]. These costs span several components, including downtime, data recovery, settlement payouts, ransom payments, and more.
The Change Healthcare cyberattack: a case study
Just last month, Change Healthcare, a subsidiary of the world’s largest healthcare insurer (UnitedHealth Group), was targeted by a cyberattack that continues to cause problems throughout the sector [11]. Given the extensive downtime of payment processing systems, disruptions to prescription filings, and the high likelihood that millions of records were stolen, the U.S. Department of Health and Human Services (HHS) is investigating the incident as a violation of HIPAA, which at its core is a law designed to increase protections around patient data [12].
So, what happened?
Notorious threat group BlackCat/ALPHV has since claimed total responsibility for the targeted attack and, as some publications report, may have received a $22 million ransom payment to expedite recovery and limit data loss (CRN [13], Wired [14], KARE 11 [15]).
While the root cause has not yet been uncovered or disclosed, the attack on Change Healthcare is an all-too-common example of a massive and influential organization falling short of patient and customer expectations of data security. While healthcare is an industry that will recover and still serve millions of individuals annually, it is reasonable to ask how providers will be able to regain the trust of patients.
How can organizations respond?
Cybersecurity is not a tool or toolset, but a collaborative practice among informed and discerning people who utilize the best in automated technology, education, and experience to anticipate, prepare for, and counter malicious adversaries.
While every data breach or cyberattack is different in its details, the cases handled by our Security Operations Center (SOC) can provide some insight into the steps organizations, including healthcare providers, can take to improve cyber resilience and harden security around sensitive data.
SpearTip recently responded to a completely separate and distinct attack on a healthcare provider, the details of which may shed some light on just how threat actors infiltrate healthcare networks and wreak havoc. The evolution of cyber threats in today’s landscape calls for an evolution of defense against them. Not only are threat actors targeting the endpoint, but they’re looking for different avenues of exploitation to gain access to digital environments.
In late 2023, threat actors initially accessed the healthcare organization’s environment through its help desk: they called in with a specific user’s biographical data and had their own device enrolled in that user’s MFA (multi-factor authentication). Once inside the environment, the threat actor collected additional intelligence from the user’s Microsoft O365 account. This information allowed the threat actor to redirect a wire transfer from a legitimate account to an unauthorized account, which resulted in a large financial loss of well over $10M.
A way to combat a breach of this type is through a service that includes active monitoring and real-time threat remediation from a SOC. SpearTip’s cloud application monitoring service is one such example, as it enables our team to gain visibility into your cloud applications and take action in real time to prevent malicious activity.
During the incident response engagement in question, SpearTip enrolled this organization in Cloud Monitoring as part of the breach investigation to identify any other potential issues and ensure the unauthorized account access was remediated. This investigation allowed SpearTip to provide additional security recommendations within the tenant to improve posture for the future and better safeguard sensitive healthcare-related data. Similar safeguards can be extended to endpoints as well.
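The help desk enrollment described above leaves a recognizable footprint in cloud audit logs: a new MFA method is registered, and shortly afterwards the account signs in from a device or address it has never used and alters its mailbox. The following detection is an added illustration written for this article, not SpearTip's monitoring code; the event field names and operation labels are assumptions loosely modelled on Microsoft 365 audit records, and the log lines and IP baseline are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs). Field names and operation
# labels are assumptions; real tenants export richer records.
SAMPLE_EVENTS = [
    {"time": "2023-11-02T09:05:00", "user": "jdoe",   "op": "UserRegisteredSecurityInfo", "ip": "203.0.113.7"},
    {"time": "2023-11-02T09:20:00", "user": "jdoe",   "op": "UserLoggedIn",               "ip": "203.0.113.7"},
    {"time": "2023-11-02T09:41:00", "user": "jdoe",   "op": "New-InboxRule",              "ip": "203.0.113.7"},
    {"time": "2023-11-02T10:00:00", "user": "asmith", "op": "UserRegisteredSecurityInfo", "ip": "198.51.100.4"},
    {"time": "2023-11-02T10:10:00", "user": "asmith", "op": "UserLoggedIn",               "ip": "198.51.100.4"},
]

# Constructed per-user baseline: source IPs seen in the weeks before the review window.
BASELINE_IPS = {"jdoe": {"198.51.100.4"}, "asmith": {"198.51.100.4"}}

WINDOW = timedelta(hours=24)
MAILBOX_CHANGE_OPS = {"New-InboxRule", "Set-InboxRule"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_mfa_enrollment_abuse(events, baseline_ips, window=WINDOW):
    """Flag users whose new MFA registration is followed, within `window`, by
    a sign-in from an IP absent from their baseline and a mailbox rule change.
    Returns one alert dict per suspicious registration."""
    alerts = []
    by_user = {}
    for event in sorted(events, key=_ts):
        by_user.setdefault(event["user"], []).append(event)

    for user, user_events in by_user.items():
        known = baseline_ips.get(user, set())
        for reg in (e for e in user_events if e["op"] == "UserRegisteredSecurityInfo"):
            later = [e for e in user_events if _ts(reg) < _ts(e) <= _ts(reg) + window]
            new_ip_logins = [e for e in later if e["op"] == "UserLoggedIn" and e["ip"] not in known]
            rule_changes = [e for e in later if e["op"] in MAILBOX_CHANGE_OPS]
            if new_ip_logins and rule_changes:
                alerts.append({
                    "user": user,
                    "registered_at": reg["time"],
                    "new_ip": new_ip_logins[0]["ip"],
                    "mailbox_change_at": rule_changes[0]["time"],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_enrollment_abuse(SAMPLE_EVENTS, BASELINE_IPS):
        print(alert)
```

On the constructed data only jdoe is flagged: the registration, the sign-in from the unseen address 203.0.113.7 and the inbox rule all fall inside the 24-hour window, while asmith's registration is followed by a sign-in from a baseline address and no mailbox change.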
The point here is that having a depth and breadth of network visibility is vital to limiting the likelihood of an attack, just as extensive preparation and training can potentially lessen resulting damages.
Listen to Andrew Chace, Manager of Incident Response at SpearTip, discuss some of the content of this article with the team at KMOX | Audacy [16].
If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.
©2024 SpearTip, LLC. All rights reserved.