According to new data from Check Point Research (CPR) for January to September 2024, the global weekly average number of attacks per organization in the healthcare industry reached 2,018, up 32% compared to the same period last year. The CPR data comes as healthcare organizations around the world continue to grapple with an alarming increase in cyber attacks since the beginning of the year.
“The North American healthcare sector remains an attractive target due to its wealth of sensitive patient data and established digital infrastructure, with an average of 1,607 attacks per week, up 20 percent,” CPR data released on Tuesday noted. “From January to September this year, Asia Pacific led the way in attacks, with an average of 4,556 attacks per organization per week, up 54 percent. The rapid digital transformation of Asia Pacific’s healthcare systems, driven by digital medical records and greater access to telehealth, has increased vulnerabilities due to a lack of robust cybersecurity infrastructure needed to protect against advanced threats, making them an attractive target for cybercriminals.”
In Latin America, CPR data shows an average of 2,703 attacks per organization per week, representing a 34% increase. These attacks are likely due to weak regulations and underfunding of cybersecurity measures in the healthcare sector, providing an easy entry point for attackers. Despite having a lower number of attacks per week (1,686), Europe saw the largest increase (56%), indicating an increased reliance on digital tools without sufficient investment in security measures, making the region a prime target for ransomware and data theft.
CPR data points out that RansomHub, the most active ransomware group in July and August, advertised on dark net forums, promising that partners would keep 90% of ransom revenues, with only 10% going to the group in return for providing infrastructure. “In return, partners would receive advanced attack management tools and other perks. The ads mimic traditional companies offering services and touting a competitive advantage. This shows again that cybercrime is a pure business and that many hacker organisations are structurally no different from other technology companies,” it adds.
CPR data is provided because hospitals and other healthcare organizations cannot afford outages or disruptions to their services, which could directly endanger patients’ lives. Sensitive patient data is also a highly sought-after commodity on the dark net and used as a means of extortion by companies. However, the biggest threat today is ransomware, which has already crippled countless hospitals around the world.
“In most cases, cybercriminals do not reveal to their partners the targets of their attacks. Only attacks on the Commonwealth of Independent States are usually taboo, but there are no other restrictions,” Sergey Shykevich, Threat Intelligence Group Manager at Check Point Research, noted in the CPR report. “We can assume that this is because hackers do not want to attack the country in which they operate. Early on, some RaaS groups claimed that they would not attack healthcare organizations, but later changed their claim to not encrypt data to avoid service interruptions, but would tolerate data theft and extortion. In reality, none of these rules are followed.”
Shykevich added that an analysis of victims publicly threatened on ransomware groups’ websites found that around 10% of victims last year were in the healthcare sector.
“Patient safety is not just a matter of physical care: if they are attacked by cyberattacks, their health and even their lives can be at risk. The problem is made even more severe by the many cybercriminals working together,” the CPR report detailed. “Some offer access to organizations they have previously compromised, while others rent out their infrastructure for a fee. The darknet is filled with ads offering ransomware-as-a-service (RaaS), meaning that even amateur cybercriminals who lack the technical knowledge or experience to carry out similarly serious attacks can threaten hospitals and other healthcare organizations.”
The CPR report cited an example where a hacker under the nickname “Cicada3301” posted an ad on a closed Russian-language underground forum announcing a new team offering ransomware as a service, demanding only a 20% commission in case of a successful attack. “This is an example of how RaaS cybercriminals recruit partners and what the standard revenue sharing looks like. What’s interesting is that some forums have arbitration and dispute resolution mechanisms in case both parties do not agree on the payment or the services provided. This is essential, since all communicating parties are criminals communicating in an anonymous environment,” it added.
In addition, hacker Cicada3301 posted information about several victims, including the Italian medical institution ASST Rhodense, on a special extortion site. As a result of this attack, the hospital had to cancel and reschedule surgeries. However, this is not an isolated case.
The CPR report also revealed that ransomware groups often provide encryption tools and infrastructure to collaborators to pressure victims into paying by posting stolen confidential data online. This tactic exploits fears of heavy fines for privacy violations and risks to patient safety and hospital operations. Additionally, hackers sell access to hospital systems on underground forums. Some hackers act as middlemen, buying initial access, assessing its quality for privilege abuse, and mapping the network before selling this access to others.
Overall, the cost of many of the cyber tools, data and access, and infrastructure is relatively low, but successful attacks can cause enormous damage, with ransoms reaching millions, and sometimes tens of millions of dollars, putting patient health at risk.
Another key point from the CPR report is that the differences between the groups are mostly subtle. “However, there are exceptions. ALPHV/BlackCat has publicly encouraged its partners to place a particular focus on hospitals and healthcare. This was supposed to be in retaliation for police operations against the group’s infrastructure. As a result, victimisation rates in the healthcare sector exceeded 15% over the past 12 months,” the report added.
Shykevich explained that in some cases, “we found that after one attack, another could follow relatively quickly. Cybercriminals are counting on the fact that proper recovery may fail, that there may still be disruptions, or that hospitals may underestimate the impact because they do not expect repeated attacks.”
A World Health Organization (WHO) report released earlier this year highlighted the need for increased cyber maturity to address the growing number of digital threats to healthcare. Cybersecurity maturity refers to an organization’s preparedness to protect itself and its digital assets from cyber attacks. This includes investments in people, processes and technology, such as cyber awareness training and the development of incident response plans that staff rehearse in preparation for a cyber attack.
The WHO report also notes the importance of strengthening communication and collaboration with law enforcement agencies (police, Interpol, etc.), government agencies (cybersecurity agencies, public health laboratories, national agencies for the safety of medicines and health products, nuclear safety agencies, etc.), the private sector, and non-governmental organizations that can provide alerts and warnings about ongoing cyber attacks.
Earlier this month, the U.S. Department of Health and Human Services (HHS) Healthcare Sector Cybersecurity Coordination Center (HC3) issued a Healthcare Sector Alert warning owners and operators about the Apache Tomcat vulnerability. The bulletin provides an overview of the Apache Tomcat vulnerability, mitigation strategies, and an overall approach to maintaining security.