Ransomware still a threat, but watch out for hackers invading to steal health care data

‘Extortion without encrypting files’ is a growing risk to cybersecurity of medical computer networks.

Stealing patients’ protected health information (PHI) is a growing concern as physicians and health care organizations continue to defend against cyber attacks.

This month, the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HHS-HC3) issued a new threat brief, “Data Exfiltration Trends in Healthcare,” outlining risks and hazards of cyberattackers that pilfer PHI.

In short: “Data exfiltration = security breach!” the threat brief said.

Purloined PHI

PHI – medical histories, laboratory results, physical records, mental health conditions, insurance information and more – remains a target for hackers, but that’s not all. Health care remains a treasure trove of information, including email conversations, sensitive corporate data, financial information, Social Security numbers, and medical research, all of which can be taken from computer networks.

The information can be used for state or corporate espionage, or for financial gains through sale, extortion, or blackmail. Hackers get it by having physical or remote access to systems or servers, or by gaining remote access to them, according to HC3.

Not just ransomware

Data exfiltration is on the rise, with a 20% increase last year in the number of hackers conducting data theft and extortion campaigns, according to HC3. Instead of using computer programs to lock up networks and data, then charging money to release the information, some hackers steal it, according to HC3.

“Over the past year, HC3 has observed new threat actors join the scene, engaged in pure data exfiltration and extortion without encrypting files,” the threat alert said. The agency cited reports by industry analyst The Hacker News and cybersecurity firm BlackFog that stated exfiltration is happening and is potentially more damaging than ransomware attacks.

The problems may be made worse by the online connectivity of patients and health care systems. HC3 noted it is important to “highlight the frequent news headline of unauthorized data collection and sharing of private user data by legitimate organizations.” Last year, Facebook’s parent company was sued over allegedly improperly collecting patient data, and patients are suing various hospitals and health care systems for allegedly violating patient privacy laws due to social media data collection, according to online news reports.

Cloud-based backups are not entirely safe, as hackers “are increasingly targeting backups to inhibit reconstitution after an attack.”

Meanwhile, ransomware has not gone away. In 2022, PHI was taken in at least 70% of ransomware incidents involving health care organizations, with the number of affected patient records growing by 22%.

Stopping the threats

Health care organizations also may suffer from insider threats, when workers knowingly or mistakenly hurt their organization’s cybersecurity, according to HC3. There are at least six signs of insider threats to look for:

  • Unusual data movement.
  • Use of unsanctioned software and hardware.
  • Increased requests for escalated privileges or permissions.
  • Access to information that is not core to job functions.
  • Renamed files where file extensions do not match content.
  • Departing employees.
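
One of these signs, renamed files whose extensions do not match their content, can be checked mechanically. The sketch below is an added example, not part of the HC3 brief or this article: it compares each file's leading bytes against a short, non-exhaustive signature table and reports mismatches; the file names and sample bytes in `demo()` are constructed.

```python
import os
import tempfile

# Leading-byte signatures for a few common formats (not exhaustive).
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x1f\x8b", "gzip"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
]
# Extensions that legitimately carry each format; OOXML documents are ZIP containers.
ALLOWED_EXT = {
    "pdf": {".pdf"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    "png": {".png"},
    "jpeg": {".jpg", ".jpeg"},
    "gzip": {".gz", ".tgz"},
    "7z": {".7z"},
}

def sniff(head: bytes):
    """Return the format name whose signature starts `head`, or None."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None

def scan(root: str):
    """Yield (path, detected_format) for files whose extension disagrees with content."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    kind = sniff(fh.read(8))
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            ext = os.path.splitext(name)[1].lower()
            if kind and ext not in ALLOWED_EXT[kind]:
                yield path, kind

def demo():
    """Scan constructed sample files and return {filename: detected_format}."""
    samples = {"report.pdf": b"%PDF-1.7\n", "vacation.jpg": b"PK\x03\x04\x14\x00",
               "notes.txt": b"7z\xbc\xaf\x27\x1c\x00\x04", "chart.docx": b"PK\x03\x04\x14\x00"}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): k for p, k in scan(root)}
```

A check like this only flags known binary formats hidden behind a different extension; content with no recognizable signature passes unflagged, so it complements rather than replaces monitoring of data movement.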

There are at least three high-level measures health care organizations can use to reduce risks:

  • Integrate security awareness and best practices into corporate culture.
  • Regularly evaluate risks of interactions with computer networks, devices, apps, data, and users.
  • Use periodic audits to verify best practices are followed.