While the finance and technology industries are still broadly perceived as the most valuable targets for cybercriminals, the truth is that every business is a potential victim. Today’s hackers usually aren’t looking to drain bank accounts or raid corporate coffers. They’re after data—and every business has data. Modern attackers are after passwords and other credentials. They’re after credit card info. They’re after personally identifiable information (PII). Perhaps most of all, they’re after healthcare data, which can be sold on the dark web and used by threat actors for a wide range of nefarious purposes.
The recent Change Healthcare cyberattack is a sobering reminder that determined attackers can cause significant damage when they decide to target healthcare organizations. The breach incurred $872 million in “unfavorable cyberattack effects,” which included service interruptions and outages at hospitals and pharmacies for over a week. In addition to the direct impact on patient care, the attack reportedly resulted in more than six terabytes of data being stolen, which will likely have further downstream effects on those whose medical records were compromised. To protect themselves more effectively, it’s important for healthcare organizations to understand what makes them such an attractive target for attackers, and the steps they can take to mitigate the impact of a breach.
Why Attackers Target Healthcare Organizations
Today’s attackers like to target personal data for one simple reason: it’s valuable. Recent research indicates that medical records sell for an average of $60 apiece on the dark web. That may not sound like much, but it’s enough to make them one of the most valuable commodities an attacker can obtain—especially since Social Security numbers fetch just $15 apiece and credit card information is worth just $3. It’s also important to remember the scale at which attackers operate: while one individual health record may not be particularly valuable, obtaining hundreds or thousands of them can be lucrative. Healthcare data tends to contain highly personal information, which attackers can use to commit a wide range of crimes—most notably identity theft. Unfortunately, there is already evidence that data compromised in the Change Healthcare breach is being sold online.
While credit card numbers tend to be churn and burn—which is to say, attackers will get what they can and quickly move on—the information contained in medical records can be used in all manner of ways. The HIPAA Journal notes that the misuse of stolen medical records is often more difficult to detect than the misuse of other personal information, which means criminals can exploit them for a longer period of time before setting off any alarms. While a purchase made with a stolen credit card is likely to be flagged for potential fraud, bad actors can use the information garnered from medical records to impersonate patients, obtain medical services or prescriptions, apply for loans, or even open entirely new credit cards. Because these services are not monitored as closely for fraud as credit card transactions, criminals can often carry on using this information for weeks, months, or even years before being caught. This is dangerous for individuals, and it also creates liability for the breached organization.
Exploiting the Vulnerability of Healthcare
Attackers don’t just target healthcare organizations because healthcare data is valuable—they also do it because healthcare is relatively vulnerable. That isn’t to say healthcare organizations don’t do a good job protecting their data. Most organizations do the best they can, and regulations like HIPAA are designed to keep it that way. But the simple truth is that healthcare is made up of a large number of interconnected (and interdependent) systems, creating a massive web of organizations and networks that leave countless opportunities for misconfigurations or coverage gaps. What’s more, attacks targeting healthcare providers can carry significantly more serious consequences than those targeting other industries. No business wants to suffer a breach, but a disruption in patient care has the potential to result in injury or loss of life.
This makes healthcare providers highly motivated to resolve threats more quickly—which means ransomware attackers often target healthcare providers in the hopes of a quick payout. Unfortunately, this means security teams in the healthcare industry need to be prepared for anything. It isn’t enough to have a wide range of solutions in place—security teams need to know whether those solutions are functioning as intended, or whether there are gaps or misconfigurations that need to be closed.
What the Change Healthcare Breach Teaches Us
While it remains uncertain how the attackers were able to breach Change Healthcare, there are still specific lessons that organizations should take away from the incident. One of the most damaging elements of the breach was the long recovery time, underscoring the need for organizations to have a thorough business continuity plan (BCP) in place for incidents like this. A good BCP should address business continuity in the event of a crisis (cyberattack or otherwise), including backups and the ability to restore assets and services in a timely manner. That means implementing not just technical backups, but alternative payment and collection routes as well.
The fact that the attackers managed to gain access to critical Change Healthcare systems, cause damage, and steal data without being caught in a timely manner may also indicate an insufficient “security-in-depth” approach. While having the right policies and solutions in place is critical, it is equally important to verify that those solutions are having the intended effect. Healthcare organizations need to proactively assess their security controls using tools like breach and attack simulation, security control and threat validation, and other methods of determining whether their controls are performing effectively against real-world attack tools and tactics. It isn’t enough to have the right solution in place—organizations need to be sure it is integrated properly with their other solutions, and not leaving dangerous coverage gaps. This is knowledge that can only be gained through proactive testing.
Finally, it’s important for healthcare organizations to adopt an “assumed breach” mentality. Rather than taking security for granted, organizations should proceed with caution, operating under the assumption that they have already been breached. It’s an important mentality shift, because it emphasizes the need to limit what an attacker can do inside the network, rather than simply attempting to keep attackers out. It’s impossible to prevent 100% of breaches, so the ability to limit the damage after a breach has occurred is critical.
Don’t Be an Easy Target for Attackers
While the Change Healthcare breach had damaging consequences for the organization and its patients, it hardly comes as a surprise. The healthcare industry is in the spotlight for attackers who see it as an easier target than finance or tech and recognize the potential value they can derive from compromised patient data. It is increasingly important for healthcare organizations to ensure that their security solutions are performing as expected and that they are prepared to both limit the damage caused by a security incident and respond to it effectively. Change Healthcare was not the first healthcare organization to be victimized by a breach, and it certainly won’t be the last—but today’s organizations can take concrete steps to avoid being low-hanging fruit for attackers.
David Kellerman
David Kellerman is Field CTO for Cymulate.