The NJCCIC assesses with high confidence the cyber threat and overall risk to the healthcare and public health sector is high and increasing.
Many critical infrastructure sectors have been increasingly targeted by disruptive cyberattacks as bad actors find new ways to use and monetize data. One such sector affected by the rise in cyberattacks is the Healthcare and Public Health (HPH) Sector. The attack surface of the HPH Sector is large and includes medical devices and software and patient records, including Protected Health Information (PHI).
Due to legacy systems and irregular software updates, medical devices remain a viable vector of approach for cybercriminal operations. Historically, healthcare institutions have been perceived as having weak cybersecurity controls, making them desirable targets for threat actors. Unpatched and end-of-life (EOL) operational technology systems and Internet of Things devices, such as office automation equipment, printers, VoIP phones, and networking devices, may be used as initial access points into vulnerable networks or for lateral movement and pivoting. Exploitation of vulnerable medical devices, such as intravenous pumps and ventilators, can adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity. Because this attack vector remains a potential access point and has yet to be exploited, this writing will focus on the theft and exploitation of PHI. However, it is important to address vulnerabilities found within medical devices to avoid potentially catastrophic outcomes for patients relying upon these life-enabling devices.
The HPH Sector suffered at least 337 breaches in the first half of 2022 alone, impacting roughly 19 million records. The majority of these breaches originated from third-party vendors, indicating that threat actors are shifting their tactics and finding success by targeting vendors rather than large healthcare systems directly. Third party vendors include those commercial “off the shelf” systems healthcare systems may use for operations such as electronic patient care reports or asset management, to name a few. Cybercriminals targeting healthcare organizations are focused on brand damage, loss of production, and delay of basic care to motivate organizations to pay their ransom. Cybercriminal gangs are also aware of the strict regulatory environment regarding patients’ PHI and will threaten the disclosure of such information to encourage healthcare organizations to pay their ransom without delay.
The shift from paper health records to electronic health records has brought several benefits to the HPH sector. One of the most important benefits is quicker access to up-to-date patient medical information which can be used to base treatment regimens. However, this transition has made these records more vulnerable to attacks and have been shown to be extremely lucrative due to the sensitivity of their content. If sensitive patient information is not protected, healthcare providers face costly legal, ethical, and moral dilemmas.
When the healthcare industry is targeted, data compromise (including ransomware) can result in disruptions to patient records, surgical services, medical devices, appointment systems, all with the potential to disrupt emergency or life-saving care, potentially resulting in worsening of patient conditions and even loss of life. COVID-19 has created many exploitation opportunities for threat actors due to the value of vaccine research and data, a rapid deployment of remote systems to support remote workforces, and an amplified opportunity to target individuals via phishing campaigns to gain access to systems.
The FBI indicated that it received multiple reports of threat actors increasingly targeting healthcare payment processors to redirect victim payments. Threat actors were observed compromising user login credentials of healthcare payment processors and diverting payments to accounts controlled by the cybercriminals. Current reporting indicates that threat actors will continue targeting healthcare payment processors through a variety of techniques, such as phishing campaigns and social engineering, to spoof support centers and obtain user access.
Recent Incidents
In late November 2023, two New Jersey hospitals – Pascack Valley Medical Center and Mountainside Medical Center – were impacted by a ransomware attack that caused incoming emergency room patients to be diverted to other hospitals and follow established downtime protocols. Some elective and non-emergency procedures and surgeries were rescheduled. The ransomware attack originated on the Ardent Health Services network to which the impacted New Jersey hospitals and dozens of others around the United States are connected and several facilities may be impacted. Additionally, Vanderbilt University Medical Center disclosed that they identified and contained a cybersecurity incident on November 23 that resulted in a compromised database.
Advocate Aurora Health is one of the largest healthcare providers in the Midwest. Their improper use of a common website tracking device led to the exposure of 3 million patients PHI in July of 2022. Meta Pixel uses JavaScript to track visitors on websites, supplying vital information on how they interact. However, in the case of Advocate Aurora Health, the use of Meta Pixel on patient portals, where patients enter sensitive information, caused PHI to be disclosed. This was exacerbated if users were logged into Facebook or Google at the same time, they accessed the patient portal.
In May of 2022, a Massachusetts-based medical imaging service provider managed by Shields Health Care Group, reported a cybercriminal had gained unauthorized access to some of its IT systems in March 2022. It is reported that over 2 million patients had their PHI stolen which included names, addresses, Social Security numbers, insurance information, and medical history information. The full cost of this breach is unknown because Shields Health Care Group supplies management and imaging services for approximately 50 healthcare providers, thereby making the scope of the attack massive.
Trinity Health experienced a ransomware attack in 2020, when Blackbaud, a vendor of cloud-based customer relationship management software, came under attack. The attack on one of Blackbaud’s self-hosted cloud servers affected hundreds of customer organizations around the world, including more than two dozen healthcare organizations. This led to the compromise of more than 10 million records. Blackbaud stopped the cybercriminals before they fully encrypted files in the hacked databases, but not before they exfiltrated sensitive data. The company paid an undisclosed sum to the hackers to destroy the stolen data. In total, 3.32 million people were affected. Trinity Health’s donor database was among the files the attackers managed to steal which included electronic protected health information (ePHI) such as dates of birth, physical and email addresses, Social Security numbers, treatment information, and financial payment data. Blackbaud said it fixed the vulnerability that attackers exploited.