Updated: 11/27/2023
The NJCCIC assesses with high confidence the cyber threat and overall risk to the healthcare and public health sector is high and increasing.
Many critical infrastructure sectors have been increasingly targeted by disruptive cyberattacks as bad actors find new ways to use and monetize data. One such sector affected by the rise in cyberattacks is the Healthcare and Public Health (HPH) Sector. The attack surface of the HPH Sector is large and includes medical devices and software and patient records, including Protected Health Information (PHI).
Due to legacy systems and irregular software updates, medical devices remain a viable vector of approach for cybercriminal operations. Historically, healthcare institutions have been perceived as having weak cybersecurity controls, making them desirable targets for threat actors. Unpatched and end-of-life (EOL) operational technology systems and Internet of Things devices, such as office automation equipment, printers, VoIP phones, and networking devices, may be used as initial access points into vulnerable networks or for lateral movement and pivoting. Exploitation of vulnerable medical devices, such as intravenous pumps and ventilators, can adversely impact healthcare facilities’ operational functions, patient safety, data confidentiality, and data integrity. Because this attack vector remains a potential access point and has yet to be exploited, this writing will focus on the theft and exploitation of PHI. However, it is important to address vulnerabilities found within medical devices to avoid potentially catastrophic outcomes for patients relying upon these life-enabling devices.
The HPH Sector suffered at least 337 breaches in the first half of 2022 alone, impacting roughly 19 million records. The majority of these breaches originated from third-party vendors, indicating that threat actors are shifting their tactics and finding success by targeting vendors rather than large healthcare systems directly. Third-party vendors include providers of commercial "off-the-shelf" systems that healthcare organizations may use for operations such as electronic patient care reports or asset management, to name a few. Cybercriminals targeting healthcare organizations are focused on brand damage, loss of production, and delay of basic care to motivate organizations to pay their ransom. Cybercriminal gangs are also aware of the strict regulatory environment regarding patients' PHI and will threaten the disclosure of such information to encourage healthcare organizations to pay their ransom without delay.
The shift from paper health records to electronic health records has brought several benefits to the HPH sector. One of the most important benefits is quicker access to up-to-date patient medical information on which treatment regimens can be based. However, this transition has made these records more vulnerable to attacks, and they have proven extremely lucrative to steal due to the sensitivity of their content. If sensitive patient information is not protected, healthcare providers face costly legal, ethical, and moral dilemmas.
When the healthcare industry is targeted, data compromise (including ransomware) can result in disruptions to patient records, surgical services, medical devices, and appointment systems, all with the potential to disrupt emergency or life-saving care, potentially resulting in worsening patient conditions and even loss of life. COVID-19 has created many exploitation opportunities for threat actors due to the value of vaccine research and data, the rapid deployment of remote systems to support remote workforces, and an amplified opportunity to target individuals via phishing campaigns to gain access to systems.
The FBI indicated that it received multiple reports of threat actors increasingly targeting healthcare payment processors to redirect victim payments. Threat actors were observed compromising user login credentials of healthcare payment processors and diverting payments to accounts controlled by the cybercriminals. Current reporting indicates that threat actors will continue targeting healthcare payment processors through a variety of techniques, such as phishing campaigns and social engineering, to spoof support centers and obtain user access.
Recent Incidents
In late November 2023, two New Jersey hospitals - Pascack Valley Medical Center and Mountainside Medical Center - were impacted by a ransomware attack that caused incoming emergency room patients to be diverted to other hospitals and staff to follow established downtime protocols. Some elective and non-emergency procedures and surgeries were rescheduled. The ransomware attack originated on the Ardent Health Services network, to which the impacted New Jersey hospitals and dozens of others around the United States are connected, and several facilities may be impacted. Additionally, Vanderbilt University Medical Center disclosed that they identified and contained a cybersecurity incident on November 23 that resulted in a compromised database.
Advocate Aurora Health is one of the largest healthcare providers in the Midwest. Their improper use of a common website tracking device led to the exposure of 3 million patients' PHI in July of 2022. Meta Pixel uses JavaScript to track visitors on websites, supplying site operators with detailed information on how visitors interact with their pages. However, in the case of Advocate Aurora Health, the use of Meta Pixel on patient portals, where patients enter sensitive information, caused PHI to be disclosed. This was exacerbated if users were logged into Facebook or Google at the same time they accessed the patient portal.
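The Meta Pixel exposure above comes down to a third-party script loaded on the same page as a form that collects PHI. The following added example (not code from the advisory or from any of the organizations it names) audits a portal page's HTML for that combination; the tracker host list, the PHI field names, and the sample page are assumptions constructed for illustration.

```python
# Added example, not from the advisory: audit a patient-portal page for
# third-party tracking scripts (e.g. Meta Pixel) on forms that collect PHI.
from html.parser import HTMLParser
from urllib.parse import urlparse

TRACKER_HOSTS = {"connect.facebook.net", "www.googletagmanager.com"}  # assumed
TRACKER_MARKERS = ("fbq(", "gtag(", "dataLayer.push(")  # inline-script signs
SENSITIVE_FIELDS = {"ssn", "dob", "diagnosis", "medication", "insurance_id"}

class PortalAuditor(HTMLParser):
    """Collects tracker script references and PHI-bearing form fields."""
    def __init__(self):
        super().__init__()
        self.trackers, self.sensitive, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            host = urlparse(a.get("src") or "").hostname or ""
            if host in TRACKER_HOSTS:        # external tracker loaded by URL
                self.trackers.append(a["src"])
        elif tag in ("input", "select", "textarea"):
            name = (a.get("name") or "").lower()
            if name in SENSITIVE_FIELDS:     # field that will carry PHI
                self.sensitive.append(name)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline bootstrap snippets (fbq('init', ...)) have no src attribute.
        if self._in_script and any(m in data for m in TRACKER_MARKERS):
            self.trackers.append("inline:" + data.strip()[:30])

def audit_portal_page(html):
    """Return (trackers, sensitive_fields, phi_exposure_risk)."""
    p = PortalAuditor()
    p.feed(html)
    return p.trackers, p.sensitive, bool(p.trackers and p.sensitive)

# Constructed sample: an intake form that also loads the Meta Pixel.
SAMPLE_PAGE = """<html><head>
<script>fbq('init','123');fbq('track','PageView');</script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body><form action="/intake" method="post">
<input name="dob"><input name="diagnosis"><input name="zip"></form>
</body></html>"""
```

Run `audit_portal_page()` over each authenticated portal template; any page where the third element is `True` is a candidate for the kind of disclosure described above.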
In May of 2022, a Massachusetts-based medical imaging service provider managed by Shields Health Care Group reported that a cybercriminal had gained unauthorized access to some of its IT systems in March 2022. It is reported that over 2 million patients had their PHI stolen, which included names, addresses, Social Security numbers, insurance information, and medical history information. The full cost of this breach is unknown because Shields Health Care Group supplies management and imaging services for approximately 50 healthcare providers, making the scope of the attack massive.
Trinity Health experienced a ransomware attack in 2020, when Blackbaud, a vendor of cloud-based customer relationship management software, came under attack. The attack on one of Blackbaud’s self-hosted cloud servers affected hundreds of customer organizations around the world, including more than two dozen healthcare organizations. This led to the compromise of more than 10 million records. Blackbaud stopped the cybercriminals before they fully encrypted files in the hacked databases, but not before they exfiltrated sensitive data. The company paid an undisclosed sum to the hackers to destroy the stolen data. In total, 3.32 million people were affected. Trinity Health’s donor database was among the files the attackers managed to steal which included electronic protected health information (ePHI) such as dates of birth, physical and email addresses, Social Security numbers, treatment information, and financial payment data. Blackbaud said it fixed the vulnerability that attackers exploited.
Threat Types
- Ransomware: During a ransomware attack, malware is injected into a network to infect and encrypt sensitive data until a ransom amount is paid. This malicious software is usually injected into a system through a phishing attack.
- Phishing/Spear-Phishing/Whaling Attacks: Attackers go to great lengths to ensure that their emails appear as legitimate as possible, thereby increasing the chance of the phishing attack being successful. These emails contain links that direct target recipients to an attacker-controlled website that delivers malware or steals user credentials. Such an attack can lead to more sophisticated attacks such as data breaches, malware, or ransomware attacks.
- Third-Party/Partner Breach: A third-party data breach happens when a vendor or business partner's computer system is compromised and exposes another healthcare facility's sensitive data. Any vendor in a business ecosystem is vulnerable to attacks by cybercriminals.
- Data Breach: A data breach occurs when an unauthorized person gains access to protected information such as dates of birth, Social Security numbers, banking information, and medical records. Data breaches can have a devastating impact on the healthcare sector, as they not only result in the loss of patient confidentiality but may also make patients less willing to share important medical information, signs, and symptoms. Most data breaches occur as a result of human error when a user falls victim to phishing attacks or other social engineering tactics.
Recommendations
The NJCCIC highly recommends that HPH Sector organizations follow the guidance identified below.
- Actively secure medical devices and identify potential vulnerabilities.
- Increase employee awareness education and reporting to reduce the risk of compromise from cyber threats.
- Exercise caution with emails – particularly those from unknown senders – and refrain from enabling macros in email attachments. This should be included in the cyber awareness employee training program.
- Perform attack surface reduction. This might include reducing or eliminating external-facing systems.
- Practice solid business continuity and emergency operation planning which may include having a comprehensive data backup plan that includes offline backups and ensure there are incident response and continuity of operations plans in place, particularly for ransomware. Further information and recommendations can be found in FBI Private Industry Notifications 20220912-001 and 20220914-001.
Additionally, the HPH sector, including interconnected organizations, is advised to implement the following for their OT/IT environments:
- Tamper-resistant controls on field devices: Field devices must implement hardware security controls to prevent physical tampering. This is especially important on components like Intravenous Pumps, ventilators, etc.
- Trusted procurement procedures: Commercial off-the-shelf hardware and software IT products (ready-made and available for purchase by the public) must follow strict procurement procedures that only allow the installation of certified devices that meet strict security standards. This also includes proper attack surface mitigation and an up-to-date vetting process.
- Patching and updating: Information Technology staff must install critical updates to operating systems and IoT devices as soon as they are available and have been properly vetted. Install and regularly update anti-virus and anti-malware software on all hosts.
- Perform attack surface mitigation: This includes disabling unused remote access/RDP ports and monitoring remote access/RDP logs.
- Encryption: Devices must implement end-to-end encryption and include embedded security in their processes. In some cases, certificate pinning (SSL pinning) must be required to avoid spoofed devices. This includes protection from side-channel attacks that can compromise encryption keys.
- Authentication and access control procedures: Facilities should implement strict authentication and authorization procedures for their employees and for all software interfaces. Develop access control measures to prevent unauthorized access to critical medical systems.
- Penetration testing and internal audit: All facilities must implement rigorous vulnerability assessment and penetration testing audits on a regular basis to ensure continuous analysis of operational systems.
- Employee training and awareness: All employees must have at least an awareness level of cybersecurity training. Those working on critical systems must have proper training or certifications to support the elevated threat level of their positions. Human error and phishing attacks are most effectively avoided through proper employee awareness rather than technical means.
- Network segmentation: All facilities must deploy proper network segmentation, with a DMZ configured and network isolation to protect critical systems. Whenever possible, networks carrying critical healthcare systems should not be shared with internet-accessible devices.
- Use of different technologies: When possible, devices and systems from different vendors should be used to reduce the number of compromised assets per vulnerability. Although this measure introduces management complexity, it is a vital control to increase resilience of critical systems.
- Segregation of duties and minimum privileges: Staff must have discrete credentials and relevant privileges based on their job description and needs. The Principle of Least Privilege must be implemented on all accounts and require administrator credentials to install software.
- Catalog and reduce system dependencies: Critical systems must identify and minimize dependencies on other systems and services, such as third-party processes.
- Create backups: Regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Recovery plan: Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, the cloud). Establish, exercise, and update incident response (IR) plans and continuity of operations plans (COOPs).
- Ensure password security: Use multi-factor authentication where possible. Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable time frame for password changes. Avoid reusing passwords for multiple accounts.
- Use secure networks only: Only use secure networks and avoid public Wi-Fi networks. Consider installing and using a virtual private network.
- Email security: Consider adding an email banner to messages originating outside your organization and disabling hyperlinks in received emails.
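The attack surface mitigation item above pairs disabling unused RDP with monitoring RDP logs. As an added example (not from the advisory), the script below reviews Windows Security logon events for RDP sessions and flags logons from outside the facility's address space and bursts of failed attempts from one source; the event IDs 4624/4625 and logon type 10 are the real Windows values, while the key=value export format, the internal ranges, the threshold, and the sample events are assumptions constructed for illustration.

```python
# Added example, not from the advisory: review RDP logon events exported from
# the Windows Security log. Event IDs 4624/4625 and LogonType 10 are the real
# Windows values; the record format and sample lines below are constructed.
import ipaddress
from collections import Counter

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),      # assumed facility ranges
                 ipaddress.ip_network("192.168.0.0/16")]
FAIL_THRESHOLD = 5   # failed RDP attempts from one IP before it is flagged

def parse_event(line):
    """Parse 'key=value' fields, e.g. 'EventID=4624 LogonType=10 ...'."""
    fields = dict(part.split("=", 1) for part in line.split())
    fields["EventID"] = int(fields["EventID"])
    fields["LogonType"] = int(fields.get("LogonType", 0))
    return fields

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def review_rdp_events(lines):
    """Return findings: external RDP logons and IPs with repeated failures."""
    findings, failures = [], Counter()
    for line in lines:
        ev = parse_event(line)
        if ev["LogonType"] != 10:          # 10 = RemoteInteractive (RDP)
            continue
        src = ev["IpAddress"]
        if ev["EventID"] == 4624 and not is_internal(src):
            findings.append(("external_rdp_logon", ev["TargetUserName"], src))
        elif ev["EventID"] == 4625:
            failures[src] += 1
    for src, n in failures.items():
        if n >= FAIL_THRESHOLD:
            findings.append(("rdp_failure_burst", src, n))
    return findings

# Constructed sample events (one per line).
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=10 TargetUserName=nurse1 IpAddress=10.2.3.4",
    "EventID=4624 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7",
    "EventID=4624 LogonType=2 TargetUserName=nurse2 IpAddress=127.0.0.1",
] + ["EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.9"] * 6

if __name__ == "__main__":
    for finding in review_rdp_events(SAMPLE_EVENTS):
        print(finding)
```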
Further Resources:
Royal Ransomware Attacks Targeting Healthcare and Public Health Sector Rapidly Increasing
Threat Actors Continue to Target Healthcare
Health & Human Services
HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework
Healthcare System Cybersecurity: Readiness & Response Considerations