Ransomware, Threat Management, Distributed Workforce

Daixin ransomware poses critical threat to healthcare, says AHA cyber chief

First Aid Kit
The American Hospital Association's senior advisor for cybersecurity said the Daixin ransomware poses a significant risk to the healthcare sector. (U.S. Air Force)

Reports consistently note the rising risk to patient safety after a ransomware attack. But the most pressing variant facing healthcare is Daixin, a technologically advanced, stealthy malware variant, according to American Hospital Association’s Senior Advisor for Cybersecurity and Risk John Riggi.

Riggi spoke to sector leaders during a University of California San Francisco Stanford Center of Excellence in Regulatory Science and Innovation discussion on Tuesday, outlining the risk areas providers should be working to address into the foreseeable future.

He also had a stern warning for provider organizations still dragging their feet on implementing multi-factor authentication across the enterprise, particularly as threat actors continue to target critical infrastructure and supply chain partners in force.

“If we're not doing MFA at this point, it would be hard to defend both civilly and regulatory the actions against you as it is a very, very basic technique at this point,” said Riggi. “The White House has implored us to implement basic cybersecurity procedures, which alone at a very low costs could prevent a significant portion of ransomware attacks.”

MFA should be at the top of the list for securing all remote access points into the organization, as the threat of ransomware and other cyberattacks continue to plague the sector and cyber insurance becomes less and less of a guarantee, he added.

The use of MFA is crucial as Daixin actors typically prey on virtual private network (VPN) servers, then move laterally across the network through Secure Shell and Remote Desktop Protocol. The group has also used privileged accounts to gain access to VMware vCenter Server and reset account passwords for ESXi servers in the environment, according to the Cybersecurity and Infrastructure Security Agency.

In healthcare, Daixin has claimed multiple victims that include the cyberattack on OakBend Medical Center in September 2022. The incident led to weeks of network downtime and the alleged theft of patient health information from the hospital’s internal servers. Data proofs of the stolen data were leaked on the Daixin dark website.

Daixin was also behind the major attack on AirAsia in November, as well as Fitzgibbon Hospital, Trib Total Media, and ista International GmbH.

The impact of these attacks led to multiple federal agency alerts, including one directed to the healthcare sector that warned public health and healthcare sectors were predominant targets. Riggi expects this relentless targeting to continue into the foreseeable future.

Diaxin targeting intellectual property

For Riggi, the risk of Daixin and other nation-state actors is multi-faceted. There’s clearly a goal to gain access to patient data or to disrupt operations for a quick payout, but these actors are specifically targeting the troves of medical research and innovation, some of which is tied to medical device development and medical technology. 

The Chinese government is one of the “most prolific and aggressive” of these groups, specifically targeting “intellectual property,” he explained. The government has even issued a plan to be globally dominant by 2049, not just militarily but “by being economically dominant, including in healthcare and specifically medical technology.”

Device manufacturers should view these plans as a call to action, and to “think about your proprietary information in your medical technology, who might be after that for their own economic gain, or to understand the complexity of the software the design for possible future exploitation once sold and deployed into the healthcare environment,” said Riggi.

These attackers aren’t heavily leaning on new and evasive tactics to crack into networks. Riggi explained that it’s the tried-and-true methods that the hackers have been and will continue to use to gain access to victim’s systems, including exploiting vulnerabilities in medical devices and phishing attacks.

“Quite frankly, the way the bad guys are getting in is they’re exploiting known and published vulnerabilities: they’re simply beating us to the patch,” said Riggi. Entities must work to expedite the patching processes, even though it’s difficult with medical devices.

Every entity in the sector needs to review the past successful attacks deployed against the sector and learn from past mistakes. Citing the outages brought on by Kronos and others, Riggi reiterated the importance of integrating cyber incident response plans with emergency preparedness plans and with disaster recovery, business continuity plans and downtime procedures. 

Business continuity, in particular, should be refined and well-practiced, he warned. That means understanding the criticality of the tech used to support all care models and ensure delivery to the patients who need care the most, such as emergency and cancer patients.

Third-party and second-party impacts must be calculated into those plans as well, using this information to establish downtime procedures when supply chain partners go down.

“We have come to learn the painful lesson that cyber risk in healthcare is not just an IT issue, it’s an enterprise risk issue that impacts every function of the organization,” said Riggi. “Most importantly, it impacts the ability of hospitals and health systems to deliver patient care, and it does present a risk to patient safety.”

Update: This story incorrectly stated Daixin's attribution and has been updated to clarify the details.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.