
According to new data from Check Point Research (CPR) for January to September 2024, the global weekly average number of attacks per organization in the healthcare industry reached 2,018, marking a 32 percent increase compared to the same period last year. The CPR data comes as global healthcare organizations continue to grapple with a troubling rise in cyberattacks since the beginning of this year.
“North America’s healthcare sector, which averaged 1,607 weekly attacks with a 20% increase, remains a lucrative target due to its wealth of sensitive patient data and established digital infrastructure,” according to CPR data released Tuesday. “Between January – September this year, the APAC region was leading in attack volume, averaging 4,556 weekly attacks per organization, a 54 percent increase. The rapid digital transformation in APAC’s healthcare systems, driven by expanding access to digital health records and telemedicine, has increased vulnerabilities, fueled by the lack of robust cyber security infrastructure required to protect against advanced threats, thus making them attractive targets for cybercriminals.”
In Latin America, CPR data revealed a weekly average of 2,703 attacks per organization, marking a 34 percent increase. These attacks are likely due to weaker regulations and underfunded cybersecurity initiatives in the healthcare sector, which create easy entry points for attackers. Despite experiencing a lower number of weekly attacks (1,686), Europe saw the largest percentage increase (56 percent). This indicates a heavier reliance on digital tools without corresponding investments in security measures, making the region a prime target for ransomware and data theft.
Addressing RansomHub, the most active ransomware group in July and August, the CPR data noted that it posted an advertisement on a dark net forum promising that partners could keep 90 percent of the ransom revenue, with only 10 percent to be paid to the group for providing the infrastructure. “In return, partners would receive sophisticated attack management tools and other benefits. The advertisement mimicked traditional companies offering their services and demonstrating their competitive advantages. This again shows that cybercrime is a pure business, with many hacker organizations no different, structurally, from other tech companies,” it added.
The CPR data comes as hospitals and other healthcare institutions cannot afford service outages or disruptions, because these could directly endanger the lives of patients. Sensitive patient data is also a very hot commodity when traded on the dark net and can serve as leverage in corporate extortion. The biggest threat today, however, which has already paralyzed countless hospitals around the world, is ransomware.
“In most cases, cybercriminals refrain from indicating to their partners who to attack. Only attacks on the Commonwealth of Independent States are usually taboo, but with no other restrictions,” Sergey Shykevich, Threat Intelligence Group Manager, Check Point Research, noted in the CPR report. “We can speculate that it’s due to hackers’ preference not to attack the countries in which they operate. In the early days, some RaaS groups claimed they would not attack healthcare-related organizations which was later modified to attacks that should not include data encryption to avoid interruption of services, but data theft and extortion are permissible. In reality, none of these rules are followed anyway.”
Shykevich added that an analysis of victims publicly extorted on ransomware groups’ websites showed that nearly 10 percent of victims in the last year are from the healthcare industry.
“Patient safety is not only a matter of physical care but patients’ health and lives may also be at risk in the event of a cyberattack. The problem is even bigger because many cybercriminals are working together,” the CPR report detailed. “Some offer access to organizations they have previously breached, and others offer to rent their infrastructure for a fee. The dark net is full of advertisements offering ransomware-as-a-service (RaaS) so that even amateur cyber criminals who would otherwise not have the technical knowledge and experience for similarly serious attacks can threaten hospitals and other healthcare institutions.”
As a real-life example, the CPR report described a hacker with the nickname ‘Cicada3301’ who posted an advertisement on a closed Russian-language underground forum announcing a new team offering ransomware as a service, asking for a commission of only 20 percent on successful attacks. “This is an illustration of how RaaS cybercriminals recruit their partners and what the standard revenue distribution is. The interesting thing is that some forums have an arbitration and dispute resolution mechanism in cases where both parties disagree on payment or services delivered. This is essential as all communicating parties are criminals who communicate in an anonymous environment,” it added.
Cicada3301 also posted information on a special extortion site about several victims, including the Italian medical organization ASST Rhodense. The hospital had to cancel and reschedule operations as a result of the attack. However, this is not an isolated case.
The CPR report also highlighted that ransomware groups provide encryption tools and infrastructure to collaborators, and stolen sensitive data is often posted online to pressure victims into paying. This tactic leverages the fear of hefty fines for privacy violations and the risk to patient safety or hospital operations. Additionally, hackers sell access to hospital systems on underground forums. Some act as intermediaries, purchasing initial access, assessing its quality for permission abuse, mapping networks, and then selling this access to others.
Overall, the cost of many cyber tools, data and access, and infrastructure is relatively low, yet a successful attack can cause enormous damage and put patients’ health at risk with ransoms running into the millions and sometimes tens of millions of dollars.
Another important highlight of the CPR report was that the differences between the groups are mostly subtle. “But there are exceptions. ALPHV/BlackCat has publicly encouraged its partners to focus specifically on hospitals and healthcare. This was supposed to be revenge for the police operation against the group’s infrastructure. As a result, the victim ratio from the health sector reached more than 15% in the last 12 months,” it added.
Shykevich elaborated that in some cases, “we’re seeing that if one attack occurs, another can follow relatively soon. Cybercriminals are counting on the fact that perhaps there will be a failure to recover properly, that there is still some chaos, or that there will be an underestimation because hospitals won’t expect to be targeted repeatedly.”
A report from the World Health Organization (WHO) earlier this year emphasized the need to enhance cyber-maturity to tackle the increasing digital threats to healthcare. Cybersecurity maturity refers to an organization’s preparedness to protect itself and its digital assets from cyber-attacks. This involves investing in people, processes, and technology, including through cyber-awareness training and developing incident response plans to be rehearsed by staff in anticipation of a cyber-attack.
The WHO report also noted that it is critical to increase communication and collaboration with law enforcement agencies (e.g., police, INTERPOL), governmental agencies (e.g., cyber-security agency, public health institute, national agency for the safety of medicines and health products, nuclear safety agency), private sector and non-governmental organizations; these entities can provide alerts and warnings about ongoing cyber-attacks.
Earlier this month, the Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health & Human Services (HHS) issued a healthcare sector alert, cautioning owners and operators about vulnerabilities in Apache Tomcat. The bulletin provides an overview of Apache Tomcat vulnerabilities, as well as mitigation strategies and an overall approach to keeping it secure.