Cyberattacks against the healthcare sector have economic consequences and can affect people’s well-being

At the beginning of the year, and within days of each other, one of Spain’s leading hospitals, the Clínic in Barcelona, and one of the major drug wholesalers, Alliance Healthcare, suffered security incidents that paralyzed their activities. Cyberattacks against the healthcare sector have been on the rise recently, affecting hospitals, healthcare centers, health insurance companies, research centers, and pharmaceutical companies worldwide.

In August, for example, a massive cyberattack disrupted the services of dozens of hospitals in the United States, an incident that led to the closure of emergency service units. Worse still, the recovery process dragged on for weeks.

The attack has had an enormous economic and reputational impact on the companies involved and, more importantly, on the well-being of their patients but also for the entire population that relies on closed emergency services.

Last year, the European Union adopted the NIS2 directive to address this trend, which aims to strengthen the security of strategic sectors, including healthcare. This regulation includes cybersecurity risk management obligations, incident reporting mechanisms, and administrative penalties to sanction non-compliant companies.

In addition, the European Union Agency for Cybersecurity (ENISA) has just published its first study on cyberattacks against the healthcare sector and its threats.

Below, we will analyze the critical aspects of cyber-attacks against the healthcare sector and highlight the need for organizations operating in this sector to have cybersecurity services and prevent incidents from affecting people’s well-being.

1. The assets of healthcare organizations and their cyber exposure

First, we must consider what assets companies and institutions operating in the healthcare sector must protect. These assets include as many issues directly linked to healthcare:

• Medical information.
• Health systems and services.

As well as other essential aspects for any organization in the sector:

• IT systems are not directly related to health.
• Business data and employee information, such as financial data or strategic documents.
• Intellectual property.

It’s remembering the most valuable asset, especially for companies and institutions that provide healthcare services: patients.

All of these must be considered when designing an effective security strategy.

The technological revolution in which we live and the digitalization of society have had an impact on all economic sectors, including, of course, healthcare. Hence, there is even talk of health 4.0, especially in the wake of the pandemic and the rise of telemedicine.

Medical information is entirely digitized. IoT devices have transformed medical activity, and incorporating Big Data, Machine Learning, and cutting-edge Artificial Intelligence solutions are changing pharmacological research.

In addition, the world is witnessing the development of new techniques and substantial improvements in detecting, diagnosing, and treating diseases and injuries.

This situation implies that the level of cyber exposure of healthcare organizations has increased decisively in recent times. As a result, cyberattacks against the healthcare sector are growing, and the impact of security incidents in hospitals, pharmaceutical companies, or insurance companies can be enormous and have repercussions on people’s well-being.

2. The undeniable value of medical data

In recent years, ransomware attacks have become one of the main threats to companies and public administrations, regardless of their economic sector or size. The theft, hijacking, and exfiltration of confidential information and private data is the priority target of most cybercriminals.

Either they want to get rich by collecting ransoms to return the data to their rightful owners, or they use the information to sell it to competitors. Or even to exfiltrate it and damage the reputation of an organization or undermine the productive fabric or the democratic system of a country.

It’s often said that data is the oil of this era. Well, no one has this more ingrained than hostile actors.

While the financial data of companies and their customers is a coveted target for many cybercriminals, we must maintain sight of the value of medical data.

In fact, according to ENISA’s study on cyberattacks against the healthcare sector, almost half of them seek to access information improperly, proceeding to disclose it, manipulate it, hijack it, prevent legitimate access to it, or sell it. What data are we talking about?

• Patient data and medical records. In most of the cases analyzed by ENISA related to the theft or disclosure of confidential information, it was found that patient data were affected.
• Intellectual property. Hospitals, pharmaceutical companies, and medical research centers. Protecting their intellectual property is vital for many healthcare organizations, and its infringement can lead to substantial competitive and economic losses.
• Other company data. Like other companies, healthcare organizations store confidential information about themselves and their employees: financial data, credentials, and strategic corporate communication.

2.1. Ransomware, industrial espionage, and undermining people’s privacy

What can hostile actors do with data obtained during an attack against a company or institution in the healthcare sector?

Their uses are manifold, from extortion to returning the seized data to marketing confidential data on technologies, research, and innovations to enemy states and competing companies.

Sometimes, illicitly obtained data is publicly disclosed to undermine a company’s credibility and position in the market.

We must also consider the impact of cyberattacks against the healthcare sector on individuals. Suppose a criminal group discloses a patient’s medical data. In that case, it can cause significant social and economic damage to the patient, for example, by revealing that a company executive is suffering from a severe illness or that an elite athlete is suffering from a pathology that they do not wish to make public.

Of all the spheres that make up our private lives, health is one of the most sensitive and one we protect with the most extraordinary zeal. Cyberattacks against the healthcare sector can have a double impact. Firstly, on the organizations under attack. Secondly, on the patients or people linked to them.

If a hospital patient’s data is made public, they will irrevocably lose confidence in the medical institution.

3. Business continuity takes on a different aspect in cyber-attacks against the healthcare sector

If protecting company data is a central aspect of any cybersecurity strategy, maintaining business continuity is just a little behind.

It’s vitally important for companies to have sufficiently robust defensive capabilities. A wall of defense to prevent security incidents from paralyzing business activity and to restore normality in the shortest possible time.

As far as the healthcare sector is concerned, business continuity is essential. Especially for organizations that provide medical services (hospitals, health centers, dental clinics, social health centers, mental health clinics). Why? The paralysis of their services entails financial losses and damage to their reputation and directly affects patients’ health.

The security incident suffered by Hospital Clínic and three primary care centers in Barcelona led to the cancellation of outpatient consultations, the paralyzation of services as essential as oncological radiotherapy, and the referral of cases of heart attacks or strokes to other centers.

For example, in the industrial sector, cyberattacks against the healthcare sector can have direct consequences that affect the integrity and well-being of people and can even cause the aggravation of diseases and pathologies and even death.

Hospitals have substantially increased the presence of technology in the healthcare sector.

4. Types of cyber-attacks against the healthcare sector

What are the types of cyber-attacks against the healthcare sector most commonly used by hostile actors? ENISA says ransomware attacks are the most common in many other economic sectors. However, attention should be paid to other threats, such as DDoS attacks, social engineering techniques, or supply chain attacks.

4.1. Ransomware and malware

In the study conducted by ENISA on cyber-attacks against the healthcare sector between 2021 and the first four months of 2023, almost 6 out of 10 incidents resulted from the execution of ransomware or malware. This agency has identified some of the significant ransomware groups behind many of the incidents analyzed, such as LockBit or BlackCat, which have implemented Ransomware-as-a-Service models.

Ransomware attacks are mainly focused on stealing, hijacking, or leaking data. In some cases, they have led to the interruption of medical services, as well as other types of services of the organizations attacked, and can directly affect people’s health due to the closure of units, the suspension of surgical interventions, or the delay of treatments.

The execution of malware affects services and processes unrelated to healthcare, such as the email services of the companies attacked. Malware execution is used in conjunction with social engineering techniques to launch campaigns targeting patients and customers of the organizations.

4.2. DDoS attacks

Although DDoS attacks are less common than ransomware attacks, they are becoming more numerous. What is their purpose? Attackers want to prevent access to relevant information, such as patient’s medical data and other services and resources.

One of the reasons for the rise of this type of threat is the consolidation of DDoS-as-a-service platforms. Just this year, medical institutions in the United States, the United Kingdom, and the central countries of the European Union, including Spain, suffered DDoS attacks launched through the Passion platform.

Hacktivists carry out DDoS attacks. But also by criminal groups associated with states wishing to destabilize Western democracies, such as Russia, as well as by cybercriminals seeking financial gain from the payment of a ransom to prevent or stop an attack.

4.3. Others

Social engineering techniques can be used to gain access to confidential information or services of organizations in the sector. They are thus used in conjunction with the execution of ransomware or malware, for example, by sending emails to company professionals encouraging them to download and open a malicious file.

The rise of supply chain attacks is one of the most critical trends in cybersecurity. Hence, we need to be aware of these attacks in the healthcare sector.

Hostile actors can attack a company’s supplier and exploit vulnerabilities present in some of the components of the applications and devices they employ. Assessing supply chain security and using secure software by design is critical.

While not attacks per se, human error, misconfigurations, lack of updates, and insecure cybersecurity practices can become security breaches. Incidents through which hostile actors can sneak in to steal information, paralyze business continuity, and generate economic, reputational, and human damage.

Cyber-attacks against the healthcare sector can have direct consequences that affect the integrity and well-being of individuals.

5. Who is attacking healthcare organizations and why?

In light of the multiple security incidents recorded in recent years, we can examine the hostile actors and the motivations that move them to launch cyberattacks against the healthcare sector. In terms of the actors behind a security incident, ENISA differentiates between five primary types:

1. Cybercriminals. Criminal groups pose the greatest threat to companies and public administrations related to the health and welfare sector. Their objectives are usually financial, for example, by demanding a ransom payment to enable access to the information they have stolen.
2. State-sponsored groups. Hospitals, pharmaceuticals, or research centers are sensitive organizations for any country. Hence, criminals directly related to states can attack them to compromise their operations or obtain confidential information.
3. Hacktivists. Cyberattacks against the healthcare sector generate enormous media attention, making them an exciting target for hacktivists.
4. Internal attackers. Professionals of the organization or ex-employees with different objectives: personal revenge, extortion, industrial espionage?
5. Human error. Sometimes, the professionals of an organization do not seek to attack it premeditatedly, but their actions (or lack thereof) provoke an incident or open a security breach.

As for the motivations of hostile actors, we could summarize them in three types:

1. Financial gain. This goal is the main motive behind most cyberattacks against the healthcare sector, whether executed by cybercriminals or insider attackers.
2. Espionage. Obtain industrial information or valuable data to attack a country’s sector or the state.
3. Ideological.

6. NIS2 Directive: Legal obligations to strengthen the security of the healthcare sector

The NIS2 Directive, an update of the Network and Information Security Directive, was finally approved at the end of 2022. The new standard aims to create a common regulatory framework that will increase the level of protection for companies in Europe’s critical sectors. These sectors include, unsurprisingly, healthcare.

Does this mean that all companies in the healthcare sector will have to comply with the regulations? No. Small companies will be exempt. After all, a large pharmaceutical laboratory cannot be required to provide the same level of protection as a small dental practice.

6.1. Security requirements to be implemented

What are the security requirements of the NIS2 directive for health and welfare companies?

• Risk analysis.
• Incident management (prevention, detection, response, and recovery).
• Business continuity.
• Supply chain securitization.
• Network and IT systems protection.
• Design policies to evaluate the effectiveness of the measures implemented to manage risks and threats.
• Use of cryptography and encryption.

There are also stringent obligations to report incidents to the relevant authorities.

What happens if they are breached? Administrative penalties can amount to up to 10 million euros or 2% of the turnover of the penalized company.

It should be noted, however, that, as this is a directive, it has no direct effect on companies but must be transposed into the national law of each country within a maximum period of 21 months from its approval.

However, healthcare companies must be obliged by their size to comply with the directive’s rules and begin to implement the changes it brings with it. In this way, they will avoid the heavy penalties that could be imposed. And, above all, to undertake the securitization of their assets as soon as possible.

7. Cybersecurity services for successfully dealing with threats

To help companies and public administrations strengthen the security of their assets and prevent security incidents, Tarlogic Security offers a wide range of services to manage risks effectively:

• Application security testing to continuously analyze enterprise software: static source code analysis (SAST), software composition analysis (SCA), supply chain security (SCS), and dynamic application security (DAST).
• Security audits of IoT devices and cloud infrastructures are relevant for many companies in the sector.
• Denial of Service or DoS Testing to improve resilience and response to DDoS attacks.
• Vulnerability management and detection of emerging vulnerabilities to find weaknesses before hostile actors prioritize and mitigate them.
• Pentesting services assess the potential impact of an incident and establish a series of recommendations to help mitigate the risks detected during the penetration test.
• Training and awareness-raising activities ensure that all professionals in a company are aware of the threats they face and carry out insecure practices.

In addition, larger companies with a higher level of cybersecurity maturity can hire Threat Hunting and Red Team services to improve their resilience against advanced persistent threats (APTs).

In short, cyberattacks against the healthcare sector are not a news anecdote but a trend that has been consolidated so far this decade. Attacks can generate enormous economic and reputational losses for hospitals, insurers, pharmaceutical companies, and other players in the sector. But, above all, they can damage patients’ health, aggravating pre-existing ailments, and diseases, delaying treatment and even causing deaths.