Medical data theft. A high-voltage threat
Attacks on hospitals, insurers and healthcare software companies aimed at stealing medical data are on the rise
The worst-case scenario for a hospital is that its activities are paralyzed. In the past, this could occur due to a lack of electricity supply in extraordinary circumstances (wars, natural disasters, etc.). Today, on the other hand, hospitals are fully digitalized centers where a successful cyberattack can paralyze medical services essential for patients’ health.
However, many attacks against healthcare organizations are not primarily aimed at undermining business continuity, but rather at stealing medical data.
Why? Health information is particularly sensitive, and its malicious use can be devastating. In fact, in April 2023, the ransomware group Rhysida threatened to leak medical information about the British Royal Family after successfully attacking the computer systems of King Edward VII’s Hospital. Even the Royals are not safe.
1. Data protection at the European level
In recent years, data privacy and the protection of personal information have been at the center of public debate. So much so that we have witnessed the adoption of highly demanding regulations on processing, storing, and protecting personal data; among all, the famous General Data Protection Regulation (GDPR), approved by the European Union, stands out.
The European Commission is also proposing the regulation to create the European Health Data Space (EHDS), which aims to help individuals control their health data and establish a reliable and secure framework for exchanging such data at the EU level.
Information about people’s health status belongs to one of the most private spheres of their personal data. Precisely because it is so sensitive, malicious actors see an opportunity to profit by stealing medical data and selling it or using it for illicit purposes.
Below, we will delve into the attacks that criminals launch to carry out medical data theft, as well as the cybersecurity services that help companies and administrations in the healthcare sector avoid them.
2. Ransomware campaigns against hospitals, a veritable cyber pandemic
If there is one attack technique against hospitals that is repeated over and over again, it is the ransomware campaign. Every month there are ransomware attacks that steal medical data and even paralyze medical activity by making it impossible for centers to access documents such as medical records.
In the first quarter of 2023, there was a cyberattack in Spain that we have already discussed on other occasions and that severely affected one of the most important hospitals in our country: the Clínic in Barcelona. In the following months, some patients’ data, such as names and ID numbers, but also information on pathologies, were leaked on the Dark Web.
This security incident was not an anecdote but a confirmation of a global trend.
Just a month ago, it was made public that Norton Healthcare, a US conglomerate of eight hospitals and 40 clinics, had suffered a ransomware cyberattack in mid-2023. Once the investigation was completed, it was determined that the criminals had managed to steal the medical data of 2.5 million people, as well as Social Security numbers and health insurance data.
Around the same time, another hospital group, HealthAlliance in New York, began sending letters informing patients that their personal information had been exposed in a security incident.
The key to this case lies in the duration of the attack. The malicious actors persisted in the medical systems for almost three months and, during this time, were able to steal patients’ medical data, such as diagnoses, test results, medications, or information about their treatments.
3. Supply chain attacks: When the entry vector is technology providers
Digitalization has made the software supply chain of healthcare companies and public administrations more complex. Hospitals, insurance companies, medical and dental clinics… These organizations use a variety of technological equipment and software daily.
For example, all medical centers, from the largest hospitals to the smallest clinics, rely on software to manage fundamental functions such as patient records, inventory of medical products, or management of healthcare personnel.
Most of these tools are developed and marketed by technology vendors susceptible to attack by malicious actors. In fact, at the end of 2023, ESO Solutions, a company that provides solutions for healthcare organizations, suffered a ransomware attack that allowed criminals to steal the medical data of 2.7 million of its customers’ patients: information and date of injury, diagnoses, treatments, Social Security number…
Even more severe was the security incident suffered by the dental insurance company Delta Dental of California. In this case, the ransomware group Cl0p exploited a zero-day vulnerability affecting the MOVEit file transfer software to steal the private data of almost 7 million policyholders of the Californian company.
4. Exploiting vulnerabilities in smart medical devices
The Internet of Things (IoT) has reached the healthcare arena. Many medical centers and patients use smart devices in their daily lives: for example, pulse oximeters that continuously monitor the percentage of oxygen saturation in the blood, smart pacemakers that can detect a cardiac arrhythmia immediately, or devices to treat sleep apnea.
The benefits of this kind of medical device are evident because they facilitate permanent health monitoring. But what about the risks?
The Tarlogic Innovation team has developed BSAM, the world’s first methodology to test the security of Bluetooth communications of millions of smart devices in our daily lives: wireless mice, smart TVs, headsets, locks and medical devices.
During the research, the company’s professionals conducted security audits using BSAM that allowed them to identify exploitable vulnerabilities in medical devices through which malicious actors could access and steal the medical data of the patients who use them.
By disclosing this attack vector so that these devices can be better secured, Tarlogic has added to the list of techniques criminals could use to steal medical data, alongside phishing and spear phishing campaigns and the exploitation of zero-day vulnerabilities in the systems of healthcare organizations or in the software they use.
5. Why do criminals want to carry out medical data theft?
In cybersecurity, it is not only the what and the how that need to be unraveled, but also the why. Stealing patients’ or insured people’s medical data is, first and foremost, a very lucrative business for cybercriminal groups. How do they use people’s health information and private data?
5.1. Extorting companies in the healthcare sector… and their patients
In most cases where malicious actors use ransomware to steal the medical data of thousands or millions of citizens, they contact the attacked companies or institutions to demand a ransom payment to return the data and not expose it publicly.
For example, RansomHouse, the criminal group that successfully attacked the Hospital Clínic, demanded a ransom payment of 4.2 million euros from the Catalan health authorities.
However, the direct victims of extortion are not only the healthcare sector companies but also their patients or policyholders.
In mid-November 2023, Hunters International, a criminal organization that markets Ransomware-as-a-Service, carried out a cyberattack against a medical center specializing in the fight against cancer, the Fred Hutchinson Cancer Center.
Although the company claimed that the attackers had not succeeded in stealing its patients’ medical data, the gang has made public documents on its Dark Web extortion portal that imply otherwise.
In addition, they have sent emails to different patients at the center, threatening to publish their Social Security numbers, medical records, or lab test results.
The criminals demand the payment of $50 from each victim to prevent their personal information from being used in other attacks or traded on the black market, making it easier for other actors to commit fraud with data such as Social Security numbers. If, as the malicious actors claim, they have been able to steal the medical and personal data of 800,000 patients, we could be talking about a vast haul if the victims agree to the blackmail.
5.2. Marketing information to facilitate identity theft and financial fraud
Even if companies or citizens pay the ransom demanded by criminals, there is no guarantee that they will keep their word. This is why both public administrations and cybersecurity experts advise against making any payment. Paying also helps finance criminal groups’ future activities, giving them more resources to carry out more complex attacks.
Thus, after stealing medical data, cybercriminals can, in addition to extorting people:
- Employ this information to launch new, more sophisticated attacks that allow them to obtain greater financial gain or damage companies, citizens and public administrations.
- Sell people’s medical data on the Dark Web. With information such as Social Security numbers, other malicious actors can commit financial fraud by stealing victims’ identities to obtain credit from banks.
6. NIS2 Directive: Managing risks effectively
Just over a year ago, the European Parliament and Council adopted the NIS2 directive, an update of the first European cybersecurity regulation. The aim of this directive, which the States must transpose by October 17, 2024, is to improve the resilience of organizations operating in critical sectors, including healthcare.
To this end, NIS2 focuses on managing the security risks of medium and large healthcare entities to prevent criminals from stealing medical data, paralyzing the activity of organizations, and causing damage to people’s health. Risk management includes:
- Analysis of risks and threats affecting information systems.
- Comprehensive management of security incidents, from prevention to recovery.
- Business continuity.
- Securing the supply chain, with particular attention to data processing services.
- Prioritizing security when procuring and maintaining networks and information systems.
- Continuous evaluation of the effectiveness of implemented measures and defensive capabilities.
- Policies on the use of cryptography and encryption, together with human resources security, access control and the management of critical assets.
The directive also makes healthcare company managers responsible for compliance with these measures. They must be trained in cybersecurity to assess the risks of security incidents, during which people’s medical data can be stolen, or healthcare procedures can be paralyzed.
7. Strengthening the security of medical systems and equipment
In light of the threat landscape, the rise of cyberattacks against healthcare organizations and the adoption of stringent and demanding cybersecurity regulations, it is clear that companies and public administrations need to improve their resilience to attacks.
To this end, it is essential that both healthcare organizations and the companies that provide them with software and hardware place security at the center of their strategies and have cybersecurity services that enable them to improve their prevention, detection, response and recovery capabilities:
- Ensuring security by design and throughout the lifecycle of the systems, software and hardware used by hospitals, healthcare facilities, and other organizations in the sector.
- Audits of web security, Bluetooth, IoT, cloud infrastructures, mobile applications and source code.
- Advanced penetration testing to assess the security of systems and equipment and optimize defensive capabilities.
- Vulnerability management and detection of emerging vulnerabilities affecting the organization’s technological infrastructure.
- Threat Hunting to detect threats proactively.
- Incident Response to minimize the impact of an attack and prevent criminals from stealing patients’ medical data or threatening business continuity.
- Red Team scenarios that simulate a ransomware attack whose objective is to steal patients’ medical data, in order to improve the resilience of organizations against this kind of attack.
7.1. Protecting patients and organizations against medical data theft
Over the past year, it has become clear that one of the most important and alarming trends in cybersecurity is the increase in cyberattacks against hospitals and other entities in the healthcare sector.
The increase in the number of incidents and in their seriousness highlights the importance of having comprehensive cybersecurity services that enable companies and administrations to avoid the paralysis and shutdown of services and to protect their patients’ medical data.
The growth of telemedicine, the use of mobile and web apps to consult medical records or the development of smart devices to monitor patients’ health or perform medical interventions bring with them a host of benefits. However, they also increase the attack surface to which organizations must pay attention.
Protecting information as sensitive as health data, which we all guard so jealously, has become a strategic issue for the healthcare sector. Medical data theft can lead not only to financial losses but also to irreparable reputational damage.
If, in addition, the hijacking of medical records makes it impossible to access this critical information, essential healthcare services will likely be affected, from consultations or the preparation of prescriptions to surgical interventions, including emergency services. This can directly affect people’s health and cause irreparable damage.
If we add that the measures in the NIS2 directive will be mandatory by 2024 and that non-compliance can lead to fines running into millions of dollars, it is clear that security risk management must be at the heart of the strategy of companies and public administrations in the healthcare sector.