The warnings on the vulnerability of healthcare systems to criminal activity come from global security firm FireEye in a report just released.
According to FireEye the healthcare vertical in Australia, and worldwide, faces a range of threat actors and malicious activity as, in some cases, criminals seek to monetise personally identifiable information (PII) and protected health information (PHI).
On security incidents occurring in the healthcare sector, FireEye reports that between Oct. 1, 2018 and March 31, 2019, its Threat Intelligence systems observed multiple healthcare-associated databases for sale on underground forums, many for under $2000.
“Actors buying and selling PII and PHI from healthcare institutions and providers in underground marketplaces is very common, and will almost certainly remain so due to this data’s utility in a wide variety of malicious activity ranging from identity theft and financial fraud to crafting of bespoke phishing lures,” FireEye’s report notes.
FireEye also says that, in some cases, nation states carry out intrusions to steal valuable research and mass records for intelligence-gathering purposes, and that disruptive threats like ransomware have the potential to “wreak havoc among hospital networks and impact the most critical biomedical devices and systems”.
Based on FireEye’s observations of threat activity across the healthcare vertical, the security firm says the threats facing healthcare organisations can be grouped into the following:
Theft of Data
- Financially motivated threat activity represents a high-frequency, high-impact threat to healthcare organisations.
- Cybercrime actors may conduct focused intrusions into specific targets that house or have access to valuable patient records and data, or carry out opportunistic targeting of poorly secured organisations and networks.
- In comparison to cybercrime activity, cyber espionage campaigns pose a lower frequency but still noteworthy impact risk to healthcare organisations, particularly those in some subsets of the industry. Much of what FireEye has observed from such threat actors—particularly those with a nexus to China—appears to be driven by an interest in acquiring medical research and collecting large data sets of information, potentially for the purposes of fostering intelligence operations.
- In its 2018 M-Trends report, FireEye observed that healthcare was the third-highest industry to be retargeted following an incident.
Disruptive and Destructive Threats
- Disruptive threats driven by extortionist cyber criminals and nation state actors continue to present a threat to continuity of operations for healthcare providers and others in this space.
- Both targeted activity, such as ransomware delivered post-compromise, and less frequent but widespread nation-state-originated threats like WannaCry can pose threats to poorly secured infrastructure.
- Similar to operational technology networks within critical infrastructure, security organisations within healthcare providers face difficulties in maintaining visibility of threats targeting these systems.
FireEye stresses that, looking forward, the increasing number of biomedical devices used for critical functions within hospitals and healthcare providers presents a growing security challenge.
“Furthermore—given their importance and value—a growing willingness by cybercrime, or, in a period of heightened geopolitical tensions, nation state actors—to deploy disruptive and destructive tools may significantly increase the impact from these threats we have observed to date,” FireEye says.
FireEye warns that within any industry, threat actors will often gravitate to the least secured points in the ecosystem to obtain the data or access they are seeking.
“Beyond insurers, cyber criminals will often gravitate to poorly secured healthcare providers to obtain personally identifiable information (PII) and protected health information (PHI),” FireEye says, warning that cyberespionage actors can leverage this data for intelligence collection purposes, to further target high-profile individuals or those who may have access to valuable information.
“Additionally, organisations involved in research and development, whether for treatments, medical devices, biotechnology, or other subsets of the industry, have valuable intellectual property that is a driver for economic espionage,” FireEye’s report observes.
“Notably, China’s strategic ‘Made in China 2025’ plan includes a push for increased domestic development of medical technologies and devices, which may drive threat activity against IP holders and producers of these technologies.”
“FireEye Intelligence assesses with ‘high confidence’ that financially motivated cyber threat activity poses a frequent threat with significant impacts due to compromise of large volumes of highly sensitive personally identifiable information (PII), PHI, and financial data.”
Notably, FireEye says that, according to the vendor descriptions, the timing of these database advertisements did not typically correlate with the timing of a breach: many of the observed advertisements were for databases that had been compromised in previous months or years:
- March 19, 2019, actor InfoMerchant – Unspecified amount of data associated with an unnamed “health card” company that contains PII and healthcare information.
- Feb. 21, 2019, actor NetFlow – 4.31 GB of data associated with a U.S.-based healthcare institution that contains patient data, including driver’s licenses, health insurance, and ZIP Codes.
- Feb. 12, 2019, actor specfvol – 50,000 records associated with a U.S.-based healthcare institution that contain medical records, PII, and health insurance information.
- Feb. 6, 2019, actor the.joker aka Achilles – 128,764 records associated with an Australia-based healthcare institution that contain credit card data and limited PII.
- Feb. 2, 2019, actor fallensky519 – 6,800,000 records associated with an India-based healthcare website that contain patient information and PII, doctor information and PII, and credentials.
- Jan. 28, 2019, actor x999x – Unspecified number of records associated with a Canada-based healthcare website; the listing includes access to the domain admin, access to the network, and the server name, IP address, and platform information.
- Jan. 22, 2019, actor emoto – 58,000 records associated with a U.S.-based healthcare institution that contain PII.
- Jan. 16, 2019, actor ping – 100,000 records containing personally identifiable information (PII). According to the advertisement, the actor obtained the data from a server used by more than 270 U.S. hospitals.
- Dec. 15, 2018, actor emoto – 19,000 records associated with a U.S.-based healthcare institution that contain financial data, email addresses, and information on employees.
- Dec. 4, 2018, actor the.joker aka Achilles – 11,700 records associated with an Australia-based healthcare institution that contain employee information.
- Nov. 15, 2018, actor Lavanda – 20,000 records associated with U.S.-based medical universities that contain employee data and PII.
- Nov. 4, 2018, actor Merky – 180,000–200,000 records associated with a UK-based healthcare institution that contain PII.