HC3 Report Reveals Alarming Data Exfiltration Trends In Healthcare Cyberattacks

The healthcare industry continues to be a prime target for cybercriminals, with data exfiltration posing a significant threat to patient privacy and security. According to a recent report published by the HC3, a cybersecurity agency that collaborates with the Department of Health and Human Services, data exfiltration is becoming increasingly prevalent in healthcare cyberattacks, and the implications can be severe.

Data exfiltration is a security breach in which malware or a malicious actor transfers data from a device without permission. It is one of the last stages in the cyber kill chain and is an objective of advanced persistent threats (APTs). Ransomware, which involves encrypting files and demanding payment, generally accompanies this activity. Because data exfiltration is a major security violation, the results can be serious. The data targeted in exfiltration attacks includes credentials, email conversations, sensitive corporate data, financial information, social security numbers, medical research, and Protected Health Information (PHI), which includes medical histories, laboratory results, physical records, mental health conditions, insurance information, and other data that healthcare professionals collect to identify an individual and determine appropriate care.

The HC3’s report points out that there are various methods threat actors can employ to carry out data exfiltration, split into four main groups: when a threat actor has preexisting physical access to the target structure, achieves physical entry to a target server, has existing remote admin access to the target, or acquires remote admin access to the target system. Data exfiltration can be driven by cyber espionage, financial gain, and insider threats.

The rise of data exfiltration in the healthcare industry is alarming. In 2022, major breaches in organizations such as Nvidia, Microsoft, and others demonstrated the magnitude of the issue that organizations are facing – for some, it makes for a greater challenge than ransomware. Although the total number of third-party breaches fell slightly that year, the attacks caused twice as much damage to their targets, with the healthcare sector being hit the hardest. In 2021, ransomware attacks on critical sectors of the government, educational, and healthcare infrastructure caused serious disruption for more than 200 large organizations in the United States. These attacks particularly targeted Healthcare and Public Health (HPH) organizations, impacting 24 healthcare providers operating 289 hospitals. As a result, by 2022, it was reported that 588 data breaches had occurred, which in total affected 44,665,819 patients, of which were reported to the HHS Office of Civil Rights (OCR).

To defend against the risk of sensitive data leaving organizations, the HC3 report suggests several mitigations, including implementing a data loss prevention (DLP) solution, using centralized log management for data exfiltration, and addressing data exfiltration risks in the cloud. The HC3 report also provides a list of six warning signs of potential insider threats: abnormal data transfer, use of software or hardware that has not been authorized, increased requests for elevated privileges or rights, access to data not relevant to the job, renaming files so the suffix does not correspond to the contents, and personnel leaving the organization.
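One of the warning signs above, files renamed so the suffix no longer matches the contents, can be checked by comparing each file's leading bytes with its extension. The following is an added example, not code from the HC3 report; the signature table is a small illustrative subset, and the sample file names and contents are constructed.

```python
import os
import tempfile

# Leading "magic" bytes of a few common formats (well-known file headers).
SIGNATURES = {"pdf": b"%PDF-", "zip": b"PK\x03\x04", "png": b"\x89PNG\r\n\x1a\n",
              "jpg": b"\xff\xd8\xff", "gz": b"\x1f\x8b", "7z": b"7z\xbc\xaf\x27\x1c"}
# Suffixes that legitimately use another format's container.
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}

def sniff(path):
    """Return the format implied by the file's first bytes, or None if unknown."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return next((fmt for fmt, magic in SIGNATURES.items() if head.startswith(magic)), None)

def find_mismatches(root):
    """Return sorted (filename, suffix, detected_format) where content contradicts the suffix."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            suffix = os.path.splitext(name)[1].lstrip(".").lower()
            detected = sniff(os.path.join(dirpath, name))
            # Flag only recognised content hiding behind a different suffix.
            if detected and detected != ALIASES.get(suffix, suffix):
                findings.append((name, suffix, detected))
    return sorted(findings)

def build_sample(root):
    """Write constructed sample files: two honest, two with misleading suffixes."""
    samples = {"report.pdf": b"%PDF-1.7 constructed",
               "slides.pptx": b"PK\x03\x04 constructed",
               "notes.txt": b"PK\x03\x04 archive renamed as text",
               "logo.png": b"\x1f\x8b\x08\x00 gzip renamed as image"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

def demo():
    """Run the check over the constructed samples and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return find_mismatches(tmp)

if __name__ == "__main__":
    for name, suffix, detected in demo():
        print(f"{name}: suffix .{suffix}, content looks like {detected}")
```

The check only flags content it recognises, so formats missing from the signature table pass silently; findings are a prompt for review alongside the other warning signs, not proof of exfiltration.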

It has never been more important to ensure the security of healthcare data, so healthcare organizations must incorporate security awareness and best practices into their culture, carefully evaluate any interactions with computer networks, devices, applications, data, and other users, and conduct periodic audits to verify that their security standards are being observed.