
HHS: Majority of health systems faced cyberattack in last 18 months

Medical workers tend to a patient at a Brooklyn hospital that has seen a rise in coronavirus-related cases on Dec. 15, 2020, in New York City. (Photo by Spencer Platt/Getty Images)

Software supply chain attacks increased by 650% in the last year, with 82% of healthcare systems reporting a cyberattack in the last 18 months, according to a recent Department of Health and Human Services Cybersecurity Coordination Center and Healthcare & Public Health Sector Coordinating Council webinar.

For the healthcare sector, supply chain risk is posed by hardware found in medical devices and other tech, as well as software, such as electronic medical record suppliers and internal ports.

Of those healthcare cyberattacks, 34% were attributed to ransomware. Healthcare industry services organizations were the most impacted by ransomware.

The most recent incident is the ongoing ransomware attack on Kronos, the major workforce management and HR software vendor, which has a range of healthcare clients. The vendor is currently facing impacts to its solutions leveraging the cloud. Those solutions are expected to be unavailable for several weeks, which could cause disruptions with overtime, bonuses, and other issues.

In total, 210 healthcare entities globally appeared on a ransomware extortion blog, 133 of which were located in the U.S. HC3 also tracked 75 instances of threat actors advertising access to global healthcare networks on dark web forums in the last year. There may be additional cases as threat actors may privately conduct transactions to avoid detection from law enforcement.

Further, the top exploited vulnerabilities in the last two years were tied to Fortinet, Citrix, and Pulse Secure, including commonly used virtual private networks (VPNs). These attacks were launched by advanced persistent threats and financially motivated threat actors.

Meanwhile, the biggest cybercriminal groups targeting healthcare were state-sponsored APTs exploiting Microsoft Exchange through Fortinet vulnerabilities, with the attacks beginning in March 2021. Other leading threat actors include multiple ransomware groups that have been exploiting the EntroLink VPN zero-day since September 2021.

These attacks led to the compromise of protected health information and IPs, as well as patient care disruptions. HHS leaders expect threat actors to continue exploiting both newly identified and zero-day vulnerabilities in VPNs with a goal of conducting cyberespionage and financially motivated follow-on attacks, including ransomware.

The recent post-mortem report on the May ransomware attack on the Ireland Health Service Executive provides a strong example of just how these types of follow-on attacks occur and the overall impact on the health system.

In light of these threats, healthcare provider organizations were reminded to leverage the range of free, valuable resources published to support entities struggling to maintain or improve their cybersecurity posture. HHS previously provided guidance broken down by organization size and type, while its new resource page shines a light on ongoing trends and relevant resources.

HSCC has also issued numerous cybersecurity insights directed at the sector’s most pressing cybersecurity challenges, including security staffing. Mitre also has a ransomware resource page specifically directed to the healthcare sector.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
