How the Dark Web Is Making Ransomware Attacks on Healthcare More Scalable

Cool Photos from Depositphotos

By Troy Ament, field CISO for healthcare, Fortinet

Operational technology (OT) systems and critical infrastructure (like healthcare) continue to be in the crosshairs for ransomware attacks. In fact, a recent U.S. Cybersecurity & Infrastructure Security Agency (CISA) report noted that cybercriminals pose an increasing ransomware threat to operational OT assets and control systems. Attackers are well aware that the dependencies between an organization’s IT and OT systems can provide a path for attackers.

A survey conducted by Fortinet of OT teams in healthcare, manufacturing, energy and utilities, and transportation found that 9 out of 10 organizations had experienced an intrusion in the past year. And what’s more, attacks on critical infrastructure like healthcare are becoming easier to pull off, thanks to the dark web. Healthcare systems are already straining under the stress of the past two years, but healthcare IT and security leaders can’t let their guard down.

Healthcare’s security battle

Even before the pandemic, the healthcare sector had been targeted by malicious actors. 2020 certainly added to those challenges and 2021 didn’t let up. In November, the U.S. Department of Health and Human Services issued a threat briefing warning of zero day attacks and their potential risk to the healthcare system. And previous research by FortiGuard Labs in early 2021 found that hackers continue to treat IoT and Internet of Medical Things (IoMT) devices as front lines for attack. 

Much like the manufacturing and utility industries, hospitals and healthcare organizations now have hundreds of operational technologies in play – everything from patient monitors to imaging devices, infusion pumps and HVAC systems. Any of these can be used to gain access to critical information systems. 

Attacks on OT systems become commodified

It used to be the case that only highly specialized threat actors attempted attacks on OT and critical infrastructure systems. But bad actors have realized they can double-dip financially; not only can they develop malware to execute attacks that produce revenue, but they can also make money reselling their malware online as a service.

As this dark web market becomes crowded, these bad actors will differentiate their offerings to include OT-based attacks, especially as OT and IT systems continue to converge at the edge. Holding such systems and critical infrastructure for ransom will be beneficial for criminals while threatening dire consequences for others, including affecting the lives and safety of individuals. Because networks are increasingly interconnected, virtually any access point could be a target to gain entry to the network. 

Updating the security arsenal 

All signs point to the fact that an increase in new cybercriminals armed with advanced technologies will increase the likelihood and volume of attacks. To address potential increases in attack volumes, standard tools must be able to scale. Security solutions also need AI enhancement to spot attack patterns and stop threats in real time. Tools should include endpoint detection and response (EDR), next-gen firewalls (NGFWs), advanced intrusion prevention system (IPS) detection, sandbox solutions augmented with MITRE ATT&CK mappings, and anti-malware engines using AI detection signatures. 

Best practices dictate that these tools consistently deploy across the distributed network – data center, campus, branch, multicloud, home office, endpoint – using an integrated security platform that can see, share, correlate and respond to threats as a unified solution. 

Toward stronger healthcare IT security

Nothing is wholly new under the sun, and that includes malware. Many threats on the horizon are simply extensions of those we experience today. They just tend to be faster, harder to detect, more malicious or combine existing threats in new combinations. Even new zero-day threats have one thing in common: They all want to get your network or devices to do something you do not want them to do — add or remove a function, take something or leave something behind, inject something into a normal process, or change, add or delete a file. Once you understand that, you can implement security strategies designed to baseline normal operations and detect and intervene when something unexpected occurs. 

Of course, that’s much easier to know than to implement. These strategies require solutions designed to interoperate rather than function in siloes. They require smarter solutions that know how to ingest real-time threat intelligence, detect threat patterns and fingerprints, correlate massive amounts of data to detect anomalies, and automatically initiate a coordinated response. Such a holistic approach will help healthcare IT teams protect critical assets – including patients’ lives.

About the author 

Troy Ament is Fortinet’s field CISO for healthcare. He brings more than 20 years of experience to Fortinet, transforming information technology and security programs, with 14 years in the healthcare sector as an executive overseeing clinical technology implementations, and serving as the chief information security officer (CISO) at two of the largest integrated health delivery systems in the U.S. Before joining Fortinet, Troy held the positions of CISO and Director, CISO chief at Sanford Health where he had oversight of the Security Technology, Security Operations, Identity and Access Management, and Governance Risk and Compliance (GRC) Teams.