The healthcare sector is a desirable target for cyber
crooks. Hospital security systems are generally
less secure than those of financial organizations, as monetary theft has always
been perceived as the greatest threat for organizations, and dangers to other
sectors were usually underestimated. Moreover, awareness of cyber-attacks
against hospitals and medical centers is much lower than awareness of financial
cybercrime, and as a result, employees are less well-trained on how to
avoid falling victim to a cyber-attack.
This concept has revealed the potential damage that can be
caused by the theft and leakage of patient data. However, the ‘bad guys’ remain
one step ahead and we have witnessed a spate of attacks targeting the
healthcare industry: ransomware attacks encrypting essential data and demanding
payment of a ransom, numerous data leakages revealing confidential patient
data, unauthorized access to medical networks and even the hacking of medical
devices, such as pumps and X-ray equipment.
Moreover, the healthcare sector is being targeted by hackers
not only directly, but also via third-party companies in the supply chain, such
as equipment and drug suppliers. These companies usually store some
confidential data that originates in the hospitals’ databases and may even have
access to the hospital IT systems, but they are far less secure than the
hospitals themselves. Thus, they serve as a preferable infiltration point for
malicious actors pursuing the theft of medical data and attempting to
infiltrate the hospitals’ networks.
The consequences of attacks on the healthcare industry may
be extensive, including the impairment of the medical center functioning, which
may result in danger to human lives in the worst case scenario. In other cases,
personal data will be stolen and sold on underground markets. Cybercriminals
will take advantage of these personal details for identity theft or for future
cyber-attacks that use social engineering based on the stolen details.
Deep-Web and Darknet sources have shown a growing interest
in the healthcare sector among cyber criminals. Databases of medical
institutions are traded on illicit marketplaces and closed forums, along with
access to their servers. In the last few months alone, there have been several
occurrences indicating extensive trade in medical records and in access to the
servers where this data is stored.
In May 2016, RDP access to a large clinic group with several
branches in the central U.S. was offered for sale on
a closed Darknet forum. For a payment of $50,000 Bitcoins, the buyer would
receive access to the compromised workstation, with access to 3 GB of data
stored on four hard disks. Additionally, the workstation allows access to an
aggregate electronic health record (EHR) system for managing medical records,
where data regarding patients, suppliers, payments and more can be exploited.
The relatively high price for this offer indicates the high
demand for medical information. With RDP access, the potential attackers can
perform any action on the compromised workstation: install malware, encrypt the
files or erase them, infect other machines in the network and access any data
stored in the network. The consequences can be tremendous.
In June 2016, another healthcare-related cyber incident came to light.
This time, three databases allegedly stolen via RDP access to a medical
organization were offered for sale for more than $500,000 on a dedicated
Darknet marketplace. In one of his posts, the seller claimed that one of the
databases belongs to a large American health insurer.
Before long, more evidence emerged of hacking into a medical-related
organization, this time by Russian-speaking hackers. On one of the forums we
monitor, a member tried to sell SSH access to the server of an American
company supplying equipment to 130 medical centers in the U.S. He uploaded
screenshots proving that he accessed the server where personal data of patients
is stored.
The conclusions following these findings are concerning. An
extensive trade in medical information and compromised workstations and servers
is a common sight on underground illegal markets. This business generates
hundreds of thousands, if not millions, of dollars annually, ensuring its
continuation as long as there are such high profits for those involved. Since
the ramifications can be grave, the healthcare sector must take all necessary
measures to protect its systems and data.