In their latest report titled "Cybersecurity in the Healthcare Industry: Actionable Intelligence for an Active Threat Landscape," the Trustwave SpiderLabs team reveals the data from a months-long investigation focusing on the cyber threats the healthcare industry is currently grappling with.
The report presents a comprehensive roadmap that highlights the attack methodologies employed by threat actors, offering valuable insights on how organizations can safeguard themselves against specific types of attacks. SpiderLabs' research sheds light on the evolving and significant threats confronting the healthcare sector, while also providing a detailed analysis of the attack flow utilized by threat groups to execute successful cyberattacks.
SpiderLabs found that attackers often employ multiple vectors to target healthcare organizations persistently. While the technical aspects of these attacks may change over time, the underlying tactics tend to remain consistent. Traditional methods such as phishing emails, exploiting known vulnerabilities, and compromising third-party vendors continue to pose significant threats, which threat actors steadily improve to remain useful and dangerous.
A 2022 U.S. Department of Health and Human Services report spells out the danger noting attackers breached more than 28.5 million healthcare records in 2022, up significantly from just a few years earlier when 21.1 million records in 2019.
Stolen data, while important, pales in comparison to the primary danger attacks pose, patient health. Ransomware and Distributed Denial of Service (DDoS) attacks can impair a hospital’s ability to care for its patients by locking life-sustaining medical systems or denying physicians access to critical records.
Initial Findings
The Trustwave SpiderLabs team found threat groups gaining access often using valid access credentials, unsecured credentials, and Webshells. In addition to using credentials, SpiderLabs researchers noted a variety of specific vulnerabilities being used to gain initial entry, including Apache Log4J (CVE-2021-44228) and Spring Core RCE (CVE-2022-22965) and among the most active ransomware gangs being LockBit and ALPHV/BlackCat.
The highest-profile emerging threat detailed in the report is Generative AI and Large Language Models (LLM), such as ChatGPT, and the danger these pose specifically to healthcare organizations. While AI isn’t new, the advances made in Generative AI and LLMs are setting new benchmarks for what’s possible for healthcare organizations and for both adversaries and defenders. For healthcare, the risks are further heightened due to the sensitive nature of the data potentially being shared with these tools.
The report also takes a deep dive into prominent threats such as ransomware and supply chain exposure specific to this industry. The data points uncovered by SpiderLabs include the threat groups active in this space, the type of malware and tactics employed, and how to mitigate risk.
Trustwave SpiderLabs also extensively looks at how a cyberattack transpires and does so across numerous attack vectors such as business email compromise (BEC), ransomware, and Denial of Service attacks.
For each threat category, the report shows how threat groups:
- Gain an initial foothold in a system
- Down the initial payload
- Move laterally through a system
- Types of malware employed
- Exfiltrate and operate post-compromise.
Although the healthcare industry isn’t alone in facing an elevated threat landscape, the consequences of attacks in this sector can be severe and potentially fatal. Attackers are highly motivated by financial gains and continually adapt their methods to outpace defenses, so it is imperative for healthcare organizations and their staff to be constantly on guard and prepared to deal with the myriad of attack groups, malware variants, and techniques in use.
