In the past few years, ransomware has continued to overwhelm organizations. Although almost every industry has experienced an unprecedented influx of threats, the healthcare industry has been particularly susceptible to ransomware attacks.
Ransomware attacks on healthcare organizations nearly doubled in 2021, with 66% of these organizations experiencing at least one attack in the past year. This influx has also created significant concerns in the industry in regard to data disclosures.
At its core, ransomware is a calculated and measured attack aimed at causing maximum damage. Most ransomware attacks are not random; threat actors tend to know their targets, the types of data they might hold, and what assets to encrypt and compromise. This allows attackers to strike at the most critical sections of an organization’s network, thereby causing maximum disruption.
As healthcare organizations manage a plethora of sensitive and valuable data, it’s critical that organizational leaders understand the frequent trends of data disclosure in a ransomware attack and identify the types of data that are the most vulnerable to such attacks.
Data disclosure has become a pressing concern
Over the last year, ransomware attacks have evolved from the basic principle of: breach a system, encrypting files, and demanding a ransom payment in order to unlock them. Threat actors often spend time in the victim’s system, collecting and exfiltrating sensitive data, with a plan to disclose the data for additional financial gains.
Ransomware data disclosure typically occurs in two stages. Initially, attackers compromise a sample of the encrypted data to make the threat credible to the victims and force them to pay the ransom. The second stage involves disclosing or selling the data to other bad actors, which makes the organization potentially vulnerable to future attacks.
Data disclosures are becoming a common trend for ransomware gangs to earn a quick payday. This is mostly because organizations are increasingly relying on data backups to avoid ransom payouts. Backups allow victims to restore the files that have been encrypted, but it doesn’t provide protection against data disclosure. So, disclosing data often allows threat actors to receive financial gains from their attacks, even if the victim doesn’t pay the ransom. In cases where the victim does pay, data disclosure serves as a means of double extortion. It goes without saying that leaked data can have crippling consequences for healthcare organizations, as these organizations record critically sensitive data such as medical information, patients’ personal data, financial data, and other confidential information. Any disclosure can potentially destroy the organization’s credibility as well as compromise their relationships with patients, employees, partners, and vendors.
So, how can healthcare organizations take steps to protect themselves from the growing threat of data disclosure driven by ransomware attacks? The first step is to identify the types of data that are the most susceptible.
The most frequently disclosed data types in the healthcare industry
As part of our continued research at Rapid7, we investigated 161 data disclosures in separate ransomware incidents across various industries, taking place between April 2020 and February 2022. In the healthcare industry, there was a clear trend of disclosures. Internal finance and accounting files were the most common data types in healthcare
disclosures, with such data occurring 71% of the time. Customer and patient data were disclosed in 66% of the incidents, with sales and marketing data occurring in 19%.
Now the big question is why these categories of data are more frequently disclosed than others. We have found that this is mostly because of the value factor. Healthcare organizations record a large volume of financial transactions from patients and insurers. They also maintain a high volume of accounting data, as they often spend heavily on purchasing tangible resources from vendors.
Similarly, customer and patient data also has a high ‘sales’ value for threat actors, as private user information can allow attackers to craft future attacks and longer attack chains.
Also, in terms of double extortion, disclosing a portion of such sensitive data can often force victims to meet ransom demands.
Building stronger resiliency against ransomware threats
In order to mitigate the threats of double extortion and data disclosure, organizations must move beyond backups. It’s imperative that healthcare organizations introduce more proactive strategies into their security infrastructure, including stronger encryption and network segmentation.
Network segmentation divides the enterprise network into microsegments, with each segment and its different applications isolated from each other. To access different network segments and applications, users need to constantly validate their identities and access privileges – thus restricting a threat actor’s lateral movement. Also, using stronger encryption methods and algorithms in databases can potentially hide the data behind longer and more complex encryption keys. These strategies will help organizations to contain the damage if a breach does occur and potentially stop attackers from exfiltrating critical data.
It is also evident that some types of data need more protection than others. Data centers or applications that contain these vulnerable data types must not only be micro-segmented, but they must also be safeguarded with automated threat intelligence solutions that can detect, report, and eliminate potential threats in real-time.
In some cases, disclosure is often an inevitable reality. Therefore, businesses should always have a response policy and strategy to effectively guide their actions in such scenarios. With ransomware threats soaring every year, these practices can go a long way in protecting healthcare organizations and mitigating the potential impact of an attack.