‘Extortion without encrypting files’ is a growing risk to the cybersecurity of medical computer networks.
Stealing patients’ protected health information (PHI) is a growing concern as physicians and health care organizations continue to defend against cyber attacks.
This month, the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HHS-HC3) issued a new threat brief, “Data Exfiltration Trends in Healthcare,” outlining the risks and hazards posed by cyberattackers who pilfer PHI.
In short: “Data exfiltration = security breach!” the threat brief said.
PHI – medical histories, laboratory results, physical records, mental health conditions, insurance information and more – remains a target for hackers, but that’s not all. Health care remains a treasure trove of information: email conversations, sensitive corporate data, financial information, Social Security numbers, and medical research can all be taken from computer networks.
The information can be used for state or corporate espionage, or for financial gain through sale, extortion, or blackmail. Hackers get it through physical or remote access to systems or servers, according to HC3.
Data exfiltration is on the rise, with a 20% increase last year in the number of hackers conducting data theft and extortion campaigns, according to HC3. Instead of using computer programs to lock up networks and data and then charging money to release the information, some hackers simply steal it.
“Over the past year, HC3 has observed new threat actors join the scene, engaged in pure data exfiltration and extortion without encrypting files,” the threat alert said. The agency cited reports by industry analyst The Hacker News and cybersecurity firm BlackFog that stated exfiltration is happening and is potentially more damaging than ransomware attacks.
The problems may be made worse by the online connectivity of patients and health care systems. HC3 noted it is important to “highlight the frequent news headline of unauthorized data collection and sharing of private user data by legitimate organizations.” Last year, Facebook’s parent company was sued over allegedly improperly collecting patient data, and patients are suing various hospitals and health care systems for allegedly violating patient privacy laws due to social media data collection, according to online news reports.
Cloud-based backups are not entirely safe, as hackers “are increasingly targeting backups to inhibit reconstitution after an attack.”
Meanwhile, ransomware has not gone away. In 2022, PHI was taken in at least 70% of ransomware incidents involving health care organizations, with the number of affected patient records growing by 22%.
Health care organizations also may suffer from insider threats, when workers knowingly or mistakenly hurt their organization’s cybersecurity, according to HC3. There are at least six signs of insider threats to look for:
There are at least three high-level measures health care organizations can use to reduce risks: