The Hackability of Health Data

Posted by Trevagh Stankard on Tue, Dec 21st, 2021

An Unhealthy Scam: How and Why hackers Target the Healthcare Sector

Last year, the Cybersecurity and Infrastructure Security Agency at the FBI, and the Department of Health and Human Services (HHS), published a joint advisory warning of increased cyber-threats targeting the healthcare sector. The advisory listed various threats of concern including Trickbot and RYUK, both of which TitanHQ has previously written warnings on. The joint advisory highlighted that these attacks against healthcare organizations would result in “ransomware attacks, data theft, and the disruption of healthcare services.”

As 2021 has continued, this is exactly what we have seen in the healthcare sector. Here we look at some of these attacks, why they happened, and how to prevent them in the future.

Healthcare Hacks in 2021

Healthcare is a data-rich sector. According to research from Capital Markets, the compound growth of data in the healthcare sector is expected to be 36% by 2025; that is a 10% faster growth than in financial services. This rich source of data is generated, accessed, shared, and archived using technology, including cloud computing, internet-connected devices, online apps, AI, etc., to improve hospital administration and productivity, develop new drugs, and improve patient outcomes. This mix of a data explosion coupled with an expanded technology surface has created an attractive feeding ground for cybercriminals. Cyberattacks are targeting this sector for not only data, but to carry out ransomware attacks, denial of services, and payroll fraud.

In the U.S., health-related data, or Protected Health Information (PHI), is covered by the Health Insurance Portability and Accountability Act (HIPAA) protections. If an organization covered under HIPAA suffers a breach that involves the PHI of over 500 people, they must make a breach notification to the U.S. Department of Health and Human Services Office for Civil Rights (OCR). The details of the breach or exposure are then posted to a public website that is often called the ‘wall of shame’.

There were 589 breaches in the sector between 1^st January 2021 and 12th December 2021. The total number of individual health data records exposed during that time was 42,095,226. In the same period in 2020, 12,883,858 data records were exposed, which is a 227% increase within a year.

Healthcare hacks during 2021, generally fall into the areas of unauthorized access to data files and/or ransomware attacks. Two examples of the many incidents that occurred in the U.S. during 2021 give a flavor of the types of outcomes of exposed data:

University Medical Center Southern Nevada

This attack occurred in August 2021 and has since been attributed to the ransomware gang REvil. The attack potentially exposed the protected health information (PHI) and personally identifiable information (PII) of 1.3 million patients. According to reports, the attackers posted driver’s licenses, passports, and Social Security cards, of some of the possible victims on its website. According to Paloalto Networks, REvil typically uses one of two possible techniques to enter a network: either phishing or logging in to Remote Desktop Protocol (RDP) servers using stolen credentials.

American Anesthesiology, Inc.

MEDNAX is a business associate of American Anesthesiology, Inc. The company became a victim of phishing, resulting in stolen credentials that led to unauthorized access of several Office 365 email accounts. The hack potentially affected the PHI and PII of around 1.3 million patients. The cyberattackers were believed to be attempting payroll fraud.

Not just Patient Data but W-2 Information at Risk

Stolen PHI/PII is sold on to commit further fraud, but ongoing attacks against healthcare organizations include Business Email Compromise and payroll fraud, as W-2 data is often exposed during an attack. Employees of healthcare institutions, as well as patients, are at risk of becoming victims of cyberattacks. An attack that originated in 2014, and that affected 65,000 employees of the University of Pittsburgh Medical Center (UPMC), resulted in $1.7 million in false tax refunds made in the name of employees. The attacker stole PII and W-2 information such as Social Security Numbers and salary information to carry out the fraudulent claims. To make matters worse, the fraudster also sold PII on the dark web.

Stopping Healthcare Hacks

Cybercriminals may be targeting healthcare, but they use the same types of techniques to steal data as used to target financial, education, government, and so on. Attackers take advantage of remote access needs and email systems like Office 365. A 2021 paper that explored the cybersecurity challenges and solutions in the healthcare sector states, “The majority of information security incidents are related to human error”. Human error includes everything from accidentally emailing sensitive information to clicking on a link in a phishing email and/or navigating to a spoof or malicious website. One of the key findings of the paper was that human error, in the context of healthcare, is exacerbated by a busy and stressed workforce, especially during a pandemic.

This latter statement evidences the need to provide solutions that take the burden from the user and automatically prevent a phishing email from landing in an email inbox or stop a user from navigating to a malicious website. Relying on busy employees to spot phishing emails or social engineering attempts is not enough. The use of solutions that focus on internet and web-borne threats, works to keep all employees safe. Solutions include:

Automated encryption for email: this solution prevents data leaks by encrypting emails so that only authorized recipients can see the content. Some email encryption solutions also provide Data Leak Prevention (DLP) by automatically encrypting emails based on keywords in the email content and heading.

Content filtering solutions: email security platforms stop phishing emails from entering the inboxes of users. Advanced solutions also add protection against malicious websites by stopping users from accessing the sites.

Healthcare is a sector that is attractive to cybercriminals. To change this requires mechanisms such as automated email security that foils their tactics at the source.