Wed, Dec 21, 2022

Cyber Threat Intelligence Series: A Lens on the Healthcare Sector

A review of recent Kroll incident response cases consistently proves that the healthcare industry is one of the most frequently targeted sectors. This observation mirrors what is experienced by national cybersecurity agencies as multiple warnings have been launched during 2022, highlighting how ransomware gangs and nation state actors are now aggressively targeting healthcare institutions.

As a sector, healthcare may be particularly attractive to threat actors for a number of reasons, such as the volume of confidential data, particularly protected health information that they hold, and the critical risks posed by the disruption of business services.

Healthcare Under Attack: An Overview


In Q2 2022, Kroll observed a 90% increase in the number of healthcare organizations targeted in comparison with Q1 2022. Ransomware helped to fuel this uptick against healthcare as a focus for attacks, at a time when services were undoubtedly under pressure, recovering from the duress caused by COVID-19. Though always disruptive, ransomware in the context of healthcare, with its disruption to business continuity, can end up putting lives at risk.

Types of Cyber Threats Affecting the Healthcare Sector


Kroll has observed email compromise (36%) as the most common threat incident type impacting the healthcare sector, followed by ransomware (31%) and unauthorized access (28%). 

Email compromise attacks, such as business email compromise (BEC) schemes, typically aim to trick an unsuspecting user into approving a fraudulent transaction and occur frequently. Ransomware attacks pose a more severe risk: a successful ransomware attack could cut off access to patient charts or other data required for essential patient care. Moreover, the majority of ransomware attacks in 2022 used a double extortion tactic, in which actors exfiltrate data before encrypting the network and then threaten to leak the stolen data as leverage during negotiations.

In terms of the methods threat actors use to gain a foothold in systems, phishing is the most common approach for initial access, followed by account takeover using legitimate credentials (21%) and External Remote Services (21%).


Kroll Case Study: From Phishing to Ransomware

The following case study begins with a phishing email and ends with the publication of sensitive data, highlighting the critical impact of such attacks.  

In this instance, an employee at a healthcare organization received a spoofed email from an outside contact purporting to contain a data file that a team member had previously requested. Unknown to the user, the attached document introduced Qakbot malware into their system. Once inside the network, the threat actors used remote access to deploy a tool called Cobalt Strike, which helped them move throughout the environment, collecting data such as credentials and network folders along the way. Over a period of approximately 15 days, the actors stole nearly 20 GB of data before encrypting the network with ransomware.

Derek Rieck, Associate Managing Director in the Cyber Risk practice at Kroll, comments, “More than ever, healthcare is a highly attractive target to ransomware groups, as the disruption of critical networks impacting life-saving services may encourage organizations to pay ransom demands. This is intensified by the double extortion tactic, where threatening to publish confidential information, such as protected health information (PHI), can further intimidate victims.”

How Healthcare Organizations Can Defend Against Ransomware

Healthcare organizations can take six fundamental security steps to immediately add layers of protection against ransomware:

  • Institute least privilege policies for data/system access
  • Delete unused email addresses
  • Implement and enforce strong password policies
  • Use multifactor authentication
  • Create, update, segregate and protect viable backups
  • Allowlist safe applications

In the event of a ransomware attack, healthcare organizations should already have a response plan in place that includes the following six steps:

  • Isolate impacted systems from other computers and servers on the network and disconnect from both wired and wireless networks
  • Identify the type of infection. This is sometimes stated in an attacker’s ransom communications but can also be determined from numerous open-source sites. Kroll can also help pinpoint the type of ransomware as well as any other malware and persistence mechanisms still present in the system.
  • Report the incident to the appropriate local law enforcement agency
  • Think before you pay, following the decision-making processes that should already be outlined in the company’s incident response plan. Victims should also contact their cyber insurance carrier to inquire about ransomware coverage.
  • Retain log data. Timely action is often necessary to retain any potentially relevant event data for a subsequent investigation.
  • Restore systems and ensure there are effective backup policies and protocols in place

As these findings highlight, every healthcare organization can be a target for ransomware. With Kroll’s help, they can build smarter defenses, close gaps, remediate vulnerabilities, better safeguard sensitive data and respond to and recover from an attack more quickly. Kroll has developed a Ransomware Preparedness Assessment to help your organization better understand your unique vulnerabilities and learn ways to avoid or mitigate ransomware harm. Call us today to learn more.
