Trustwave SpiderLabs Research: Cybersecurity in the Healthcare Industry

The Trustwave SpiderLabs team conducted a months-long investigation into the cyber threats facing the healthcare industry and has provided a roadmap displaying how threat actors conduct an attack, methodologies used, and what organizations can do to protect themselves from specific types of attacks.

In the new report: Cybersecurity in the Healthcare Industry: Actionable Intelligence for an Active Threat Landscape, SpiderLabs researches and explains the emerging and prominent threats facing the healthcare industry and breaks down the attack flow threat groups rely upon to conduct a successful attack.

Attackers often employ multiple vectors to target healthcare organizations persistently. While the technical aspects of these attacks may change over time, the underlying tactics tend to remain consistent. Traditional methods such as phishing emails, exploiting known vulnerabilities, and compromising third-party vendors continue to pose significant threats, which threat actors steadily improve to remain useful and dangerous.

A 2022 U.S. Department of Health and Human Services report spells out the danger noting attackers breached more than 28.5 million healthcare records in 2022, up significantly from just a few years earlier when 21.1 million records in 2019.

Stolen data, while important, pales in comparison to the primary danger attacks pose, patient health. Ransomware and Distributed Denial of Service (DDoS) attacks can impair a hospital’s ability to care for its patients by locking life-sustaining medical systems or denying physicians access to critical records.

Initial Findings

The Trustwave SpiderLabs team found threat groups gaining access often using valid access credentials, unsecured credentials, and Webshells. In addition to using credentials, SpiderLabs researchers noted a variety of specific vulnerabilities being used to gain initial entry, including Apache Log4J (CVE-2021-44228) and Spring Core RCE (CVE-2022-22965) and among the most active ransomware gangs being LockBit and ALPHV/BlackCat.

The highest-profile emerging threat detailed in the report is Generative AI and Large Language Models (LLM), such as ChatGPT, and the danger these pose specifically to healthcare organizations. While AI isn’t new, the advances made in Generative AI and LLMs are setting new benchmarks for what’s possible for healthcare organizations and for both adversaries and defenders. For healthcare, the risks are further heightened due to the sensitive nature of the data potentially being shared with these tools.

The report also takes a deep dive into prominent threats such as ransomware and supply chain exposure specific to this industry. The data points uncovered by SpiderLabs include the threat groups active in this space, the type of malware and tactics employed, and how to mitigate risk.

Trustwave SpiderLabs also extensively looks at how a cyberattack transpires and does so across numerous attack vectors such as business email compromise (BEC), ransomware, and Denial of Service attacks.

For each threat category, the report shows how threat groups:

• Gain an initial foothold in a system
• Down the initial payload
• Move laterally through a system
• Types of malware employed
• Exfiltrate and operate post-compromise.

Although the healthcare industry isn’t alone in facing an elevated threat landscape, the consequences of attacks in this sector can be severe and potentially fatal. Attackers are highly motivated by financial gains and continually adapt their methods to outpace defenses, so it is imperative for healthcare organizations and their staff to be constantly on guard and prepared to deal with the myriad of attack groups, malware variants, and techniques in use.

Webinar

For further details on the report and SpiderLabs’ findings please join us on July 18 at 9:30 am CDT | 3:30 pm BST for the webinar Securing the Healthcare Industry: Actionable Intelligence for an Active Threat Landscape.

Shawn Kanady, Trustwave Director of SpiderLabs Threat Hunting, and Karl Sigler, Trustwave Senior Security Research Manager of SpiderLabs Threat Intelligence will discuss the findings and answer questions from the audience. Register Here.