Why Are Cybercriminals Targeting Healthcare?

Why are cybercriminals targeting healthcare when the medical community puts patients first? Why are cybercriminals taking actions that put people’s lives at risk? The focused cybercriminal targeting of healthcare is now an increasing cause of death. Is this data suppressed? Why? Because the liability insurance covering the healthcare community’s medical care would skyrocket. The closure of St. Margaret’s Health in Spring Valley, Illinois, will impact the health of the people in that community. The cause of the closure: RANSOMWARE.

This empowerment document is a quick tool to explore why cybercriminals target the global healthcare system. The targeting is international, with facilities worldwide getting hit and no indication that the cybercriminal miscreants are aware of the life-and-death consequences. Summary sections and reference links are included. This SITREP review is dated 2023-06. Use this document if you are doing your Healthcare Cyber-Risk review.

Why Are Cybercriminals Targeting Healthcare?

Remember, our threat is the cybercriminal miscreants. These are people in many different parts of the planet. Some can be tracked down in countries that will prosecute. Some are protected by today’s geopolitical realities. Many miscreants are captured when they leave their protection and “vacation” in a location that allows arrest. Attacks on healthcare that lead to death are crimes with an extended statute of limitations. Know the threat. Use various techniques to mitigate the threat (including behavioral deterrence). Finally, build hunting, arrest, and prosecution into your healthcare security/resiliency architecture.

Summary First – Why?

Today cybercriminals target healthcare because it is easy to break in. They don’t have to work hard. Because healthcare is life-critical infrastructure, the target has a strong incentive to pay. The data pulled from healthcare has immediate (ransom) and derivative value. It can be sold many times to many parties and then later used in other attacks.

Finally, the Healthcare industry does not go hunting. The insurance agencies that cover the facilities don’t go hunting. If there is a death from a cybercriminal attack, the victim’s lawsuit targets the healthcare facility, not the cybercriminal.

Bottom line: healthcare facilities are low-risk, easy criminal operations with a higher chance of payout and multiple criminal monetization vectors (i.e., many ways to make money).

Large Volume of Personal Sensitive Data – Immediate

Ransomware and data breach attacks target patient data. That triggers processes in the hospital, its insurers, and other parties that give the stolen data immediate value.

Long Term Sensitive Data Risk

Data encrypted in a ransomware attack or exfiltrated in a breach has long-term value. Never expect the cybercriminals/miscreants to delete the data. It would likely be sold or traded to criminal “data aggregators” who collate all breached information. Combining one healthcare facility’s data with other breach information builds illegal derivative value – enabling extortion, targeting, and many other criminal activities.

Operational Disruption

Many of the initial attacks on healthcare focused on administrative disruption. Forcing the whole medical facility onto its manual backup processes as all the IT infrastructure goes down is an incentive to pay the extortion or ransom demand. How long would the Healthcare Facility’s Board of Directors wait as lives are risked and liability increases? Combining ransomware, breach, and operational disruption is a powerful criminal triad to encourage payment.

Medical Devices & Solutions are Easy Targets

Habit 2 of the 7 Habits of Highly Effective Cyber-Criminals is Don’t Work Too Hard! Healthcare device, solution, and integration vendors are not putting security at the top of their list. Every day you get “yet another vulnerable medical device” listed. The healthcare security and IT teams are stuck and overruled by the Doctors in charge who need the latest tool to help their patients. The Board of Directors is driven to pull in the next piece of technology without considering the security consequences. Cybercriminals know this weakness. Look for the new “shiny medical widget,” and you have an entry point into the organization. Don’t work too hard to break in. Just wait. The shiny, no-security object will be on the network soon.

Target the Remote Access

Remote access is critical for the Healthcare facility’s staff to scale. Remember the “aggregate of breach data?” Imagine a cybercriminal listing all the IT staff at the healthcare facility, then going to the “criminal data archive service” and pulling every detail on those staff. They now know whom to spear phish, on the employees’ remote systems and their families’ systems, and can use that “remote access” to get into the Healthcare facility.

How hard is this? Here is a quick test.

  • Put your staff’s work and personal email addresses into “Have I Been Pwned.” If there is a hit, ask your team to do the same with all of their and their families’ accounts. Then have them check …
  • Check their passwords against “Pwned Passwords.”

Don’t panic when everyone is surprised. It is an example of the risk. Cybercriminals know that when an organization says “we’re protected,” it has most likely missed the healthcare team’s homes, families, and “remote access” risk.
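The “Pwned Passwords” step of the quick test above can be run without ever sending a staff member’s password anywhere. The range endpoint of the Pwned Passwords service uses k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known suffix in that range with its breach count, and does the comparison locally. The script below is an added example, not code from the original document or from Have I Been Pwned; the range response embedded in it is constructed for the example (only the suffix for the password “password” is a real SHA-1 suffix), and the live fetcher is provided so the same check can be run against the real endpoint. The email side of the test (the “Have I Been Pwned” breach search) needs an API key and is not shown here.

```python
"""Pwned Passwords k-anonymity check (added example, not from the original page).

The password never leaves the machine: only the first five hex characters of its
SHA-1 go to the range endpoint, and the suffix comparison happens locally.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what one range response looks like: "SUFFIX:COUNT" lines,
# CRLF separated, where SUFFIX is the 35 hex characters after the 5-char prefix.
# Only the second row is real (SHA-1 of "password" is 5BAA61E4C9B9...); the other
# suffixes and all counts are invented for this example. A count of 0 is a padding
# row, which the API adds when asked (Add-Padding: true); it must never be a "hit".
SAMPLE_RANGE_RESPONSE = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:0\r\n"
    "21BD1B4D9A0AFCCE7C2E0DAB5F9A5B0D7F3:15\r\n"
)


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as the service expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1: str) -> tuple[str, str]:
    """Split a 40-char SHA-1 into the 5-char prefix that is sent and the 35-char suffix kept local."""
    return sha1[:5], sha1[5:]


def count_in_range(suffix: str, range_text: str) -> int:
    """Return the breach count for `suffix` in a range response, or 0 if absent/padding."""
    suffix = suffix.upper()
    for line in range_text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank or malformed lines
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            try:
                return int(count)  # padding rows carry 0 and fall through as "not pwned"
            except ValueError:
                return 0
    return 0


def fetch_range(prefix: str) -> str:
    """Live fetch of one k-anonymity range (network access required)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "healthcare-cyber-risk-review"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_fetcher=fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not seen)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return count_in_range(suffix, range_fetcher(prefix))


def check_passwords(passwords, range_fetcher=fetch_range) -> dict:
    """Map each password to its breach count; 0 means no hit in that range."""
    return {pw: pwned_count(pw, range_fetcher) for pw in passwords}


if __name__ == "__main__":
    # Offline demo: every prefix gets the constructed sample range back.
    # "password" hits the real suffix row; the hypothetical second value does not.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    for pw, n in check_passwords(["password", "Spr1ngV@lley-2023!"], offline).items():
        print(f"{pw!r}: {'PWNED ' + str(n) + ' times' if n else 'not found in range'}")
```

To run the check against the live service, drop the `offline` fetcher and call `check_passwords(list_of_passwords)`; each lookup sends only a five-character hash prefix, so the staff member’s real password is never disclosed to a third party, which is the property that makes this safe to run during a risk review.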

Smaller healthcare organizations are Side Doors into the Healthcare Network.

If large healthcare organizations have problems, imagine the smaller organizations that are part of the local ecosystem. The cybercriminal can use Google Maps to examine the targeted facility and surrounding areas. Next, they list out all the smaller healthcare offices. These usually are “connected” and “integrated” as part of a “healthcare network.” They are also easier targets to reach, and from them the criminal can move laterally within the “healthcare network.”

Again, why are cybercriminals targeting healthcare? They do not have to work hard!

Outdated technology that cannot be upgraded

The new budget goes to new things that impact the healthcare facility’s constituents. The Board of Directors will invest in the latest technology and not upgrade outdated technology with known vulnerabilities. This is a cybercriminal’s easy way into the organization, or a way to move laterally through it.

Ironically, the risk has a time window. Pre-IT healthcare equipment is NOT connected. One backup plan might be to safely store and maintain the older, stand-alone equipment from before everything was integrated into the network and cloud.

Time Critical Sharing = Short Cuts to Deployment

“Get the lab results stat” is a common phrase in medical dramas. Shared data is critical to diagnosis and treatment. Time is critical to the survival of a person in need. But what is the security balance? How does facial-recognition MFA work when the surgical team is masked up? How does fingerprint MFA work with surgical gloves? Sharing data in a healthcare facility needs time to consider these risks and find a way to protect the data without slowing down life-saving processes.

Of course, cybercriminals know these balances, target them, and leverage them in their attacks.

Internal & External Attack Surface Overload

Everyone in the Healthcare facility is adding new things! The number of devices used in hospitals is driven by the medical professionals, not the IT staff. The IT and Security Teams are often the last to know about a new suite of devices deployed in a department. They find out when some threat investigator calls them up and says, “Hey, this device is being used by cybercriminals to exfiltrate your data!”

Yet again, why are cybercriminals targeting healthcare facilities? The dynamics of healthcare professionals seeking the latest tools to improve the health of their patients creates device explosion chaos. That chaos is easily exploitable by cybercriminals.

Lateral Movement through Connected Facilities & IoMT

Everything in a medical facility is interconnected. The explosion of the Internet of Medical Things (IoMT) makes it easy for the cybercriminal to move all through the healthcare provider’s network. Easy access to one IoMT device is the gateway to the entire network.

If you aim to profit from your criminal activities, don’t go after the big, well-secured financial services firms. Go after the healthcare networks with vulnerable IoMT spread throughout the interconnected healthcare network.

(Figure: Nozomi Networks example of a connected healthcare facility.)

Cyber Risk vs Health Risk

Question for the Board of Directors. Do you focus on empowering your healthcare team with the latest knowledge to provide better patient care? OR do you take time away from “healthcare empowerment” and teach them about all the cybersecurity risks?

Some will blame the problem on the lack of cybersecurity training for healthcare professionals. It is not that simple. Healthcare science is growing exponentially. That sets healthcare apart from every other sector cyber-risk deals with: the knowledge explosion forces the healthcare team to focus on empowering their personnel, teams, and facilities in medicine first.

That means cyber risk empowerment must be creatively integrated into healthcare empowerment. Most healthcare organizations don’t think this creatively. They neglect cyber-risk empowerment and focus on healthcare empowerment.

Cybercriminals understand this cyber-knowledge gap. They know it makes it easier to get into a healthcare facility where the core principals (the healthcare professionals) are unaware of what they must do to protect their patients.

National CERT, CSIRT, FIRST Advisories

Reference Articles used in this Empowerment Review

This list of articles was reviewed and digested into this document.