Protecting health data: challenges and solutions in cybersecurity

Cybercrime is a major threat to the public sector and to entities that are particularly dependent on service continuity, especially in the health sector. Healthcare facilities are attractive targets for cybercriminals because of their size, their dependence on IT and third-party services, and the vast quantities of protected health information (PHI) and personally identifiable information (PII) they hold. A 2023 report from the United States Health and Human Services found a 93% increase in large data breaches in healthcare, with a 278% increase in large breaches involving ransomware, from 2018 to 2022.

Melissa Parsons
Technical Writer

Healthcare data breaches and ransomware

 

Healthcare data is attractive to cybercriminals because healthcare organizations hold up-to-date financial and personal data and medical records, which can then be used by cybercriminals for social engineering scams and identity theft. Electronic Health Records (EHR) are increasingly being used to facilitate collaboration between doctors and medical labs, and contain patient medical history, diagnoses, and treatments. These are also compromised in healthcare sector data breaches.

 

LockBit is the world’s most prolific cybercriminal group offering ransomware as a service (RaaS). Since it was identified in 2019, the group has been responsible for billions of euros in damages globally, and it has caused network outages and service interruptions for multiple hospital systems in the US and in France. In February 2024, after a months-long operation, an international task force of law-enforcement agencies from 10 countries, called Operation Cronos, seized LockBit’s technical infrastructure and its public-facing leak site on the dark web.

Unfortunately, it seems like LockBit was able to relaunch from another site after regrouping. Strains of LockBit are responsible for the two major healthcare ransomware incidents in early 2024.

Armentières hospital ransomware attack

In the early hours of February 11, 2024, printers located in the Armentières hospital began printing out ransomware messages, informing those reading the pages of a cyberattack. Within an hour of discovering the attack, the hospital’s IT team confirmed that all hospital computers had been disconnected from the network and the hospital was already cooperating with French law enforcement.

 

When the attack happened, there were 130 patients in hospital care. Hospital staff quickly printed out each patient’s medical records so that doctors and nurses could continue providing appropriate care. For two days, the hospital was out of service and could not care for the residents who depend on its services. Even emergency services were unavailable, with the exception of emergency labor and delivery. Ambulances were diverted to other hospitals in the region. In the end, more than 300,000 people had their data compromised.

 

In the 2023 Cyber Threat Overview Report from ANSSI, the French National Agency for the Security of Information Systems, 10% of reported ransomware attacks in France were in the public health sector. Local and regional authorities were also hit hard by ransomware, which accounted for 9% and 24% of attacks, respectively.

 

Third-party risk and sensitive health data

 

Third-party service providers are another channel for cybercriminals to access sensitive data and cause major health system disruptions. Third parties process vast amounts of health data for hospitals, doctors, health insurers, and government programs. If an ICT third party is the target for cybercriminals, it can have devastating consequences. Events such as the phishing attack on the third-party payments services Viamedis and Almerys and the ransomware attack on Change Healthcare underscore the necessity for robust third-party oversight and the need for third parties to implement strict cybersecurity measures.

 

Critical infrastructure in France and the US was severely impacted by both cyberattacks. In France, more than half of the population had personally identifying information compromised because of the Viamedis and Almerys data breaches, which, of course, increases the stores of sensitive information on the dark web that threat actors can access for phishing campaigns. The attacks on Viamedis and Almerys also disrupted the transmission and payment of insurance claims. This left many people in France unable to access healthcare services, medicine or health materials, like prescription glasses and prosthetics.

The ransomware attack on Change Healthcare in the US, a subsidiary of UnitedHealth Group, disrupted thousands of doctors, hospitals, pharmacies, administrative and billing processes across the healthcare sector, affecting vital healthcare services. There were more than 100 services disrupted for more than four weeks, and remediation efforts are still underway.

 

The scale of the data breach is still being assessed. According to news reports, healthcare providers may have lost up to USD 100 million a day from the cyberattack. And there are already class-action lawsuits filed against the company, reflecting the seriousness of the data privacy concerns arising from this incident.

 

The unfolding situation highlights the critical importance of cybersecurity in the healthcare sector, including third parties, and the cascading effects that such attacks can have on healthcare delivery, emphasizing the urgency for robust security measures and rapid response strategies to protect sensitive health data and maintain healthcare.