The Latest Prime Target for Cybercriminals is Medical Data

Updated on November 29, 2022

45 million individuals were affected by healthcare cyberattacks in 2021 alone.

Cybercrime is set to cost some of the world’s largest companies $10.5 trillion by 2025. That’s more than the amount of funds gained illegally through international drug trafficking and more than the GDP of nearly every country in the world. It’s safe to say that these numbers represent some of the largest transfers of wealth (legal or illegal) recorded to date. But, on a company-by-company basis, the actual cost of global cybercrime is even more devastating. The destruction of data, stolen intellectual property, digital fraud, reputational harm and post-attack disruptions to daily business consistently cripple, even if temporarily, the world’s top enterprises. In a world of rising inflation and growing nation-state tensions, healthcare has become the latest prime target for bad actors looking to weaken critical infrastructures. 

Why the focus on healthcare? 

Valuable information can be simple to steal from systems that are relatively easy to compromise. Phishing attacks and sophisticated ransomware give hackers free reign in highly sensitive environments housing critical patient data. A 2022 survey found that 66% of healthcare organizations are regularly attacked by cybercriminals, a 94% increase year-over-year. Shockingly, 61% paid ransoms to get their systems back up and running.  

Patient data, proprietary information and even system source code is some of the most valuable assets for cybercriminals, particularly protected health information (PHI). PHI includes names, addresses and medical records that can be laundered in criminal marketplaces. In private markets where social security numbers, credit card numbers and even hacked social media accounts go for just under $10, the hottest commodity remains patient records that regularly sell for thousands of dollars a piece. 

The financial impact of a breach isn’t limited to victim companies — consumers already dealing with a bleak economic outlook take a hit as well. To cover the cost of data breaches, sixty percent of healthcare organizations have had to raise prices. These higher costs directly impact the consumers ability to afford healthcare and receive needed treatment.

Effective and tailored cybersecurity solutions are a must for healthcare organizations. Through a strong network detection and response platform, ExtraHop was able to help improve the security posture of one of the top enterprise healthcare engagement platforms in the world.

The Basics

MEDHOST has delivered market-leading healthcare engagement solutions nationwide to healthcare facilities of all types and sizes nationwide for the last 35 years. Its integrated product portfolio that focuses on how to manage the business of healthcare better includes a wide range of cloud-based clinical, financial, and operational solutions that are both clinician and consumer-focused. 

Its fundamental mission involves passing along and updating critical medical and personal data, so it’s critical that the data and network are properly secured. This is especially true as selling personal data has become increasingly lucrative and attractive targets for malicious actors. The organization needed a comprehensive strategy and resources to address the cyberattacks impacting their networks — including an instance of malicious traffic from North Korea.

The Challenge

MEDHOST manages its cybersecurity while hosting several hospital systems in its cloud servers. Though they do not and cannot legally own its customers’ networks and internal security controls, it can still be impacted by bad actors. By hacking into the devices or systems of contractors or offshore vendors along the supply chain, cybercriminals could seek to exploit lax security protocols or any number of customer vulnerabilities. 

The threat became even more acute when, in early 2022, the threat landscape shifted for enterprises like MEDHOST as Russia’s war on Ukraine put critical industries like healthcare in the crosshairs. The Biden administration warned potential Russian cyberattacks may target crucial healthcare infrastructures to gain any advantage they can to explicit financial losses and indirect loss of life. From geographically distributed systems to connected medical devices, MEDHOST needed to reevaluate its cybersecurity readiness to ensure effective execution of the fundamentals –– for itself and its customers. 

Core requirements included preventing ransomware and data exfiltration, faster and more complete issue identification manipulation, and alleviating software supply chain attacks on its CI/CD development pipeline. 

The Results

The secure cyber solution that could deliver the most comprehensive security framework was a network detection and response solution. The company leveraged a comprehensive NDR platform from ExtraHop to take on real-time threat detection across its hybrid environment. 

1. Better Baked-In Security 

More efficient security via network coordination helped MEDHOST create a substantially more secure product to keep its hosted hospital data safe. By applying a machine learning-powered level of data visibility, log aggregation, and behavior monitoring, its systems could detect threats in real-time.

For example, the solution alerted MEDHOST to an attack through its on-premises Active Directory federated services. The attack used password spraying to lock out users, and the cybersecurity response allowed MEDHOST’s team to look into the payload and trace it to North Korean hackers before it was promptly shut down.

2. Balanced Detection and Response Tactics

Decrypting and inspecting details like Active Directory and TLS 1.3 protocols in-line across the entire network, including east-west traffic, shined a light across all facets of the system’s security. This suddenly gave a complete picture of activity along a complex set of touchpoints and uncovered adversaries testing the digital fences to pinpoint any weak points.

During initial penetration tests, MEDHOST’s NDR solution returned alerts that other tools simply missed. The NDR solution also empowered teams with information behind each alert. By surfacing large amounts of data and key information highlighted in the alerts, cybersecurity teams were able to perform root cause analysis investigations to identify activity that occurred during specific incidents.

Unfortunately, healthcare organizations will continue to be a target for cyberattackers. Threat actors know that some of the medical devices being used have vulnerabilities that can be easily exploited. As technology continues to evolve, it is imperative that cyber teams proactively identify solutions to detect and respond to potential threats. Educating staff on the importance of authentication measures and other preventative safety measures will also be helpful with adaptation and implementation of new safety tools. 

Jamie Moles is a Senior Technical Manager at ExtraHop.