2024 has been a record-breaking year for cyberattacks on the healthcare sector. Hospitals and other medical facilities reported hundreds of health data breaches, including the massive Change Healthcare ransomware attack that compromised the privacy of 100 million Americans. The Department of Health and Human Services’ Office for Civil Rights’ HIPAA Breach Reporting Tool website lists a total of 677 major health data breaches affecting more than 182.4 million people in 2024.
A Global Threat
These attacks are not just a domestic threat but a global one. Briefing ambassadors, WHO Director-General Tedros Adhanom Ghebreyesus described the severe impact of cyberattacks on hospitals and healthcare services and called for urgent, collective global action to address this growing crisis. He said “Ransomware and other cyberattacks on hospitals and other health facilities are not just issues of security and confidentiality, they can be issues of life and death.”
The most prevalent form of cyberattack against healthcare is ransomware. These attacks are much more than data thefts or financial crimes; they are a threat to life, designed to shut down vital systems and cause maximum delay and disruption to patient care, endangering the safety of patients. Cyberattacks have also extended beyond hospitals to disrupt the broader biomedical supply chain. What makes these attacks so prevalent and seemingly unpreventable?
Social Engineering
The main vector of ransomware attacks is phishing. A typical attack attempt begins when a user receives an email that instructs them to open a malicious file attachment. In other cases, the email prompts the target to click on a malicious link which may redirect them to a website that contains fake software downloads designed to distribute ransomware. While there’s definitely a technical process involved, the component that makes these attacks so effective is social engineering.
Social engineering can be defined as influencing someone to make a decision that may or may not be in their best interest. Attackers use social engineering to exploit human emotions such as curiosity, greed, or fear. They use principles of influence such as authority, reciprocity, and urgency to get people to react quickly and without thinking. In addition to these psychological aspects, they produce incredibly realistic emails, which makes it difficult to detect that the messages are not coming from a reliable source. The combination of these factors makes social engineering attacks very effective.
Reduce the Risk
Unfortunately, there is no formula to completely prevent cyberattacks. However, there are steps you can take to reduce the risk and mitigate the effects of a damaging attack. The following are some suggestions found on NSA.gov (National Security Agency).
1. Update and Upgrade Software Immediately
Apply all available software updates, automate the process to the extent possible, and use an update service provided directly from the vendor.
2. Defend Privileges and Accounts
Assign privileges based on risk exposure and as required to maintain operations. Use a Privileged Access Management (PAM) solution to automate credential management and fine-grained access control. Create procedures to securely reset credentials (e.g., passwords, tokens, tickets).
3. Enforce Signed Software Execution Policies
Use a modern operating system that enforces signed software execution policies for scripts, executables, device drivers, and system firmware. Maintain a list of trusted certificates to prevent and detect the use and injection of illegitimate executables.
4. Exercise a System Recovery Plan
Create, review, and exercise a system recovery plan to ensure the restoration of data as part of a comprehensive disaster recovery strategy.
5. Actively Manage Systems and Configurations
Take inventory of network devices and software. Remove unwanted, unneeded, or unexpected hardware and software from the network.
Be Prepared
Cybercriminals are constantly finding new ways to defeat cyber threat defense initiatives, and healthcare organizations increasingly transmit data electronically. Effective cybersecurity is a combined effort involving technologies that protect digital data and well-trained, security-conscious employees. Be prepared to respond to a possible cyberattack by having a crisis response team in place.
Prepare employees to respond appropriately to a potential attack by providing realistic testing and training. Exposing employees to possible cyberattack scenarios will empower them to stop and use critical thinking before taking any action. Social-Engineer LLC provides awareness through hands-on services designed to test, educate, and protect your human network from vishing, phishing, SMiShing, and impersonation attacks. We apply scientifically proven methodologies to uncover vulnerabilities, define risk, and provide remediation. Comprehensive training is essential in preventing cyberattacks, as it empowers individuals with the knowledge and skills to recognize, respond to, and mitigate potential threats, ultimately strengthening an organization’s overall security posture.
Written by
Rosa Rowles
Human Risk Analyst
Social-Engineer, LLC