HHS: Ransomware groups will continue focus on healthcare, leveraging legacy tech

The latest Department of Health and Human Services Cybersecurity Coordination Center alert pointed to healthcare delivery organizations as a key target of ransomware attacks, often due to their heavy reliance on outdated and legacy technologies, as well as limited security resources.

The alert reaffirms previous Forescout data that showed on average, healthcare delivery organizations have 20,000 devices on the network at any time, and 32% of those devices operate on unsupported Windows versions. Another 0.4% of devices operate on even older platforms like XP.

HC3 reviewed ransomware activity between July 1 and Sept. 30 and identified the 10 major ransomware groups that impacted healthcare entities and their subsidiaries and created the greatest disturbance across the sector. The team only reviewed incidents for which there was data, warning that there were likely unreported incidents left out of the analysis.

In total, 68 ransomware incidents affected healthcare organizations across the world during the third quarter of this year, with 63% impacting the U.S. and 37% compromising global healthcare environments. At least 20 health centers and medical clinics fell victim to ransomware during Q3, and Conti claimed the most US health centers and clinics as victims.

The top ten ransomware groups exploiting global healthcare sector targets include Conti, Avaddon, and the REvil/Sodinokibi ransomware-as-a-service (RaaS) groups. The FIN12 group should also be included in this list, as Mandiant is now tracking the prolific ransomware affiliate due to its aggressive targeting of providers.

Further, while Avaddon was the second-most observed threat group on a global scale, data show that just one US healthcare provider was exploited by the hackers during the analyzed time period. Hive is another notable threat, with at least four US healthcare victims in Q3.

The states seeing the most ransomware incidents include California, Florida, and Illinois, among others. Some states may see more incidents due to size and population. 

The data concluded that the Hive and Vice Society ransomware groups will likely continue to target healthcare entities in the U.S. for the foreseeable future. Both threat actors emerged in June 2021 amid a number of ransomware groups rebranding to evade law enforcement and other takedown efforts.

HC3 warns that these threats are likely to continue at the current pace and scope throughout the remainder of the year. In the last month, at least two Indiana providers fell victim to ransomware attacks that drove clinicians back to paper processes.

Johnson Memorial Hospital is continuing to recover its systems alongside an outside security team after an Oct. 2 attack. Schneck Medical Center recently brought the majority of its systems back online, nearly two weeks after its attack.

The largest targets continue to be health and medical clinics, followed by healthcare industry services and hospitals. The HC3 alert shows similar findings to an August report from Clinical Insights that showed outpatient facilities and specialty clinics were compromised nearly as much as hospitals during the first half of 2021. In short, all healthcare entities need to be on alert.

“While it may be tempting to think that clinics do not require the same level of cybersecurity diligence as large healthcare systems, that idea is mistaken,” researchers explained at the time. “Attackers look for the easiest target. Smaller organizations run the same systems and use the same technology as hospital systems, making them potentially just as vulnerable.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
