Why Cybercriminals Target the Healthcare Sector and Why We Should Care

According to the HHS Office for Civil Rights, 2023 saw more than 116 million personal patient records compromised across 655 breaches. When personally identifiable information (PII) is compromised, it can be through a direct attack on a facility or through an attack on a third-party company to which the healthcare facility has outsourced its digital records. But have the frequent PII breach headlines desensitized us to the real problem, which is what cybercriminals are doing with personal information that now includes detailed family trees? Sadly, it feels like we’ve gotten to the point that when we see a health-related breach story in the news we respond with a sigh and a collective shrug.

The reality is most people look at their stolen information as an inconvenience and, to a degree, an invasion of privacy. However, there is a more sinister purpose that hasn’t been widely reported. To get to the bottom of what attackers are doing with the data they’re stealing, we need to look at why attackers are targeting the healthcare sector, how they’re getting into those networks and ultimately what facilities need to do to block future attacks from occurring.

Why attackers target healthcare facilities

For this story, we’re going to define “healthcare” as hospitals, doctors’ offices, insurance companies, and the companies that produce a product or service for the healthcare industry. Most healthcare companies are large and hold hundreds of thousands, if not millions, of personal records. Some hold not only patient personal records, but also financial records, debt/collections information, intellectual property, and family/next-of-kin information.

All U.S.-based healthcare companies must adhere to HIPAA (the Health Insurance Portability and Accountability Act), a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed. HIPAA is government mandated, and failure to comply can result in significant monetary fines and/or jail time. Within the HIPAA framework are five key rules: the Security Rule, Privacy Rule, Breach Notification Rule, Enforcement Rule, and Omnibus Rule. All healthcare organizations must adhere to these rules and ensure they are enforced. Neglecting these rules can be expensive, and, to define just how expensive, the act lays out penalty tiers.

  • Tier one applies if the organization was unaware of the violation and did everything it could to prevent it: $100 per violation, with a cap of $25,000 per year.
  • Tier two applies if there was reasonable cause for the disclosure, but the violation was the result of willful neglect: the fine jumps to $1,000 per violation, with a maximum of $100,000 a year.
  • Tier three applies if there was willful neglect and the business entity did not attempt to resolve the issue afterwards: the fine rises to $10,000 per violation, with a maximum of $250,000 a year.
  • Tier four applies if there was willful neglect and no attempt to resolve the issue after a breach: fines go up to $50,000 per violation, up to a $1.5 million penalty.

When there’s a breach, it typically falls into tier three or four. These are the highest civil penalties an organization can face. These fines also help hackers understand which parts of the network to target and how to target them: they know exactly what they are looking for, and exactly what it will cost the medical facility in fines to resolve. However, this isn’t real leverage on its own, because most large medical facilities make far more than a million dollars a year.

So, how can hackers turn that to their advantage? What we didn’t mention above are patient rights. The patient has the right to sue and to seek damages for a breach. HIPAA also includes provisions that can compel the entity that violated the act to provide monitoring services for each violation (a violation being each individual person whose data was stolen). This could cost the breached entity millions of dollars, and the payout could last for years, because credit monitoring can be up to a five-year commitment. When you add up the government fines, potential lawsuits, and multi-year credit monitoring, you start to get the idea of how hackers can leverage a breach to get paid.

Aside from extracting monetary concessions, hackers may also target hospitals and network-connected medical equipment to disrupt ambulance services and bring patient treatment and care to a halt, a dangerous proposition for patients requiring immediate, life-saving medical care. Hospitals cannot afford downtime due to ransomware. They cannot wait for negotiations or for third-party companies to step in and fix things. And they cannot wait for servers to be restored and set up again. As a result, healthcare facilities tend to pay the ransom out of desperation. Hackers know this, and know that it’s almost a guaranteed payday.

How Attackers Get into the Network

Hospitals, much like most businesses, are not focused on security. They are focused on patient care, comfort, and ensuring they remain profitable. Security does not contribute to a healthcare facility’s bottom line; for many, it looks more like a bottomless pit. Healthcare leadership knows the institutions they oversee need to be buttoned up, but because they don’t fully understand how security works, or don’t have the time to fully understand it, they’re unnecessarily leaving themselves open to attacks.

IT staffing at most healthcare campuses is not where it should be, considering how many connected devices many of them have and the myriad ways bad actors can reach those devices from outside the campus walls. As such, they have a hard time keeping up with newly disclosed vulnerabilities and all the machines that may be susceptible to them. Most internet-connected medical devices do not have an automatic firmware update mechanism in place. Some devices require a USB drive to load new firmware, and other devices cannot be touched at all because the manufacturer or reseller maintains all software and firmware updates. Because of this need for constant monitoring and upkeep, healthcare networks must remain open.

However, beyond all the threat vectors healthcare campuses face, the number one cause of a breach is human error, typically email phishing attacks against hospital staff. If it isn’t already, anti-phishing training should be the number one course taught at every healthcare institution.

What Attackers do with PII Data

Medical records can be lucrative to attackers, as they help paint a very detailed picture of a patient. They can include names of immediate family members, addresses, phone numbers, prescriptions, places of work, emails, emergency contacts, financial data, health history and more. Someone reading this may shrug because they think they’re healthy and have nothing to hide. But what if an attacker got hold of the medical record of a CEO that reveals he recently saw his doctor about an STD? An extortion attempt could be made. While examples like this may seem like the work of fiction, I assure you, as someone who’s been involved in network security for many years, that scenarios like this are very real.

2024 will be the year of AI, and we’re watching the threat landscape to see how hackers will feed massive amounts of stolen PII into their large language models (LLMs) to further weaponize their attacks by creating extremely targeted campaigns against individuals and families. Beyond going after hospitals and rich CEOs, threat actors could use PII data for politically motivated and nation-state attacks and to steal someone’s identity. PII data could also contain enough information to upset an individual’s daily routine by getting their phone, power, water, and internet service turned off.

In closing, if you’re a healthcare facility that’s not taking security seriously yet, then stop what you’re doing and make it an immediate priority. Beyond just costing money, you’re jeopardizing the lives of patients who put their trust in you. The same goes for staff digital communications training: there’s no excuse for anyone who can’t correctly identify a phishing email. And while putting all the latest and greatest safeguards in place may eat into your facility’s bottom line, it’s a heck of a lot cheaper than the government fines and patient lawsuits you could get saddled with.

Author: Bobby Cornwell

Bobby Cornwell is a seasoned professional in the cybersecurity industry, currently serving as the Vice President of Strategic Partner Enablement & Integration at SonicWall since February 2023. Prior to this role, he significantly contributed as the Executive Director of Sales Engineering for over five years, liaising directly with the Chief Revenue Officer. His tenure at SonicWall extends over 16 years, showcasing a robust background, notably including a nearly ten-year stint as a Senior Security Systems Engineer. His expertise, particularly in sales engineering and security systems within the Greater Atlanta area, marks a distinguished career with a focus on strategic partner development and technical leadership. Bobby Cornwell also held a significant role at Ricoh Company for over a decade, where he was a National Network Services Engineer/Manager. This position contributed to his extensive experience in the field of network services and management. You can contact Bobby via LinkedIn https://www.linkedin.com/in/bobbycornwell/