Clearwater Cyber Briefing: Key Trends and Takeaways for November 2024

In today’s ever-evolving threat landscape, staying ahead of cybersecurity risks is more critical than ever for healthcare organizations. That’s why, each month, Clearwater Security delivers a Cyber Briefing, providing a comprehensive digest of the latest news, emerging threats, and key updates from across the healthcare cybersecurity ecosystem. These briefings are designed to equip healthcare leaders with the knowledge and insights they need to safeguard their organizations and stay informed on the most pressing issues.

This month's session was led by Dave Bailey, Vice President, Consulting Services, Security. Each session highlights the latest cybersecurity threats targeting healthcare, shares expert recommendations on how to mitigate these risks, and reviews real-world incidents with actionable takeaways. The briefing also covers important regulatory updates, explaining how new standards and frameworks, such as NIST 2.0 and HIPAA, affect the healthcare sector. Following this overview, we feature in-depth discussions with subject matter experts, who dig into the complex challenges healthcare organizations face and offer solutions to strengthen cybersecurity defenses.

Read below for a detailed review of November’s key trends and takeaways.

State of the Sector

Ransomware remains a significant threat to healthcare, as cybercriminals continue to evolve their already complex attack methods. The introduction of artificial intelligence (AI) into their methods has amplified the sophistication and efficiency of these threats, enabling attackers to automate tasks such as vulnerability identification, phishing campaigns, and even malware development.

This growing issue affects organizations of all sizes and complexities, leaving no healthcare entity immune, regardless of the maturity of their privacy and security practices. Even the most robust defenses can be bypassed by increasingly clever tactics, making it critical for healthcare leaders to remain vigilant and proactive in addressing these threats.

The Healthcare Target

In the past three months, ransomware attacks have affected 78 healthcare organizations, highlighting the persistent and growing threat this type of attack poses to the industry. Of these incidents, 27 (35%) have been linked to two major ransomware groups, RansomHub and BlackSuit, known for their advanced and aggressive tactics.

Although ransomware can impact any area of healthcare, physician practice management (PPM) groups have been hit the hardest, accounting for 46% of attacks from August through October. Digital health services were targeted in 13% of cases, followed by hospitals at 10%. This data reveals a troubling shift toward more focused attacks on specific healthcare sectors.

See below for a list of prominent attack groups actively targeting healthcare organizations.

  • Rhysida (see CISA Advisory AA23-319A for an overview of its tactics, techniques, and procedures (TTPs))
  • Embargo (using tools like Mdeployer and MS4Killer to deploy ransomware and turn off endpoint security solutions through vulnerable drivers)
  • Meow (a resurgent strain in healthcare, derived from the now-disbanded Conti ransomware gang)
  • Everest
  • LockBit (CISA Advisory AA23-165A)
  • ThreeAM (Symantec uncovered this ransomware strain after a threat actor’s failed attempt using LockBit in September 2023)
  • INC Ransom (Microsoft's Threat Intelligence team recently warned that the Russian-speaking Vanilla Tempest group (previously known as Vice Society) has been actively attacking the sector)

The Bigger Picture

The surge in ransomware activity aligns with a broader rise in healthcare data breaches, reflecting the sector’s increasing vulnerability. Since last month’s Clearwater Cyber Briefing, the Office for Civil Rights (OCR) has initiated investigations into 62 new breaches, each involving 500 or more records.

So far in 2024, more than 169 million records have been exposed across 581 breaches. A significant portion of these numbers stems from updated data on the Change Healthcare breach in Tennessee, where the total exposure climbed to 100 million records. This incident alone has pushed the 2024 total to nearly 169.3 million exposed records, making it the largest healthcare breach ever reported. The breach is projected to cost Change an estimated $2.5 billion in response, recovery, and related expenses.

An overwhelming 70% of providers report being affected by this breach, which originated from the ALPHV/BlackCat ransomware group. The attackers exploited a Citrix portal on Change’s network that lacked multifactor authentication controls, highlighting a critical lapse in security.

The year’s second largest breach occurred on April 18 at Summit Pathology in Colorado, affecting 1.8 million individual records. The breach, reported to OCR in mid-October, was attributed to the Medusa Ransomware group, according to an attorney representing Summit Pathology.

These incidents reflect a larger trend. In 2024, the number of exposed records has already surpassed the record-breaking 167.7 million reported to OCR in 2023, which was initially estimated at 144 million. To put this into perspective, the 2023 total represented a 196% increase over 2022, which saw 56.5 million records exposed.

AI Escalates Ransomware Complexities

Ransomware remains a preferred attack method, but advanced persistent threat (APT) groups are taking it to new heights with the integration of artificial intelligence (AI). These groups are leveraging AI to streamline and amplify their attacks, employing it for tasks such as:

  • Prompt injections
  • Fraud
  • Vulnerability research
  • Scripting
  • Generating spear-phishing content
  • Automating malware development
  • More effectively targeting specific vulnerabilities

In the healthcare sector, the U.S. Department of Health and Human Services’ Office of Information Security has reported the Scattered Spider hacking group using AI-powered voice spoofing to steal user credentials through social engineering tactics.

Threat actors are not only using AI to enhance their attacks but also targeting AI users themselves. Recently, Barracuda Networks identified over 1,000 phishing emails that bypassed Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) security controls. These phishing attempts, part of an OpenAI impersonation campaign, aimed to trick ChatGPT users into clicking malicious links under the guise of resolving payment issues.

Recent and Ongoing Ransomware Attacks

Healthcare organizations experience an average of 2,018 attacks per week, representing a 32% increase from last year. These incidents highlight the growing sophistication and frequency of ransomware attacks in the sector.

For instance, on August 14, cybercriminals breached the networks of St. Anthony Regional Hospital in Iowa, a critical access hospital and 79-bed nursing home. The attack went undetected until August 26, and the hospital did not notify OCR until late October. Preliminary reports indicate data may have been downloaded to an offsite location, potentially affecting 501 patients, though the exact number is still being determined.

Similarly, on November 3, Memorial Hospital and Manor in Georgia announced via Facebook that it was experiencing a ransomware attack detected the day before. The attack disrupted IT systems, leaving the hospital unable to access its electronic medical records (EMR) systems, email, or website. As a result, staff resorted to paper-based processes, leading to longer wait times for patients. The full scope of the impact is still under investigation.

Why Ransomware?

Ransomware remains a favored attack vector because of its ability to generate significant financial returns for attackers. By moving through systems undetected, sometimes for months, threat actors can steal, delete, or corrupt data before deploying ransomware.

For example, Change Healthcare paid $22 million in ransom to the ALPHV/BlackCat group, hoping to prevent the deletion or release of stolen data. However, BlackCat’s affiliate group, RansomHub, felt slighted and demanded additional payments. When Change refused, RansomHub leaked some patient data, demonstrating the double-edged risks of paying ransoms.

How Ransomware Works

Groups like RansomHub and BlackSuit operate as ransomware-as-a-service (RaaS), providing tools and support for affiliates in exchange for a share of the profits. These groups evade common security defenses using techniques like:

  • “EDR killers” such as TDSSKiller, a legitimate tool from Kaspersky used to disable endpoint detection and response (EDR) services.
  • EDRKillShifter, a tool that installs drivers with exploitable vulnerabilities.

Example: RansomHub Attack Chain

  1. Exploits a security gap.
  2. Executes a PowerShell command.
  3. Reboots the affected system in safe mode.
  4. Deletes files.
  5. Moves laterally to other assets.
  6. Exfiltrates sensitive data.
  7. Deploys ransomware to lock systems.
  8. Demands ransom, threatening to delete or leak stolen data.
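As an added illustration (not code from the briefing or from Clearwater), the following Python detection logic scores constructed process-creation events for two of the behaviours described above: the EDR-killer tooling listed under "How Ransomware Works" and the safe-mode reboot step of the RansomHub chain. The log field layout, the tool file names and the 30-minute correlation window are assumptions, not values from the briefing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Executable names for the EDR-killer tooling named in the briefing.
# Assumption: real file names vary; populate this set from your own threat intel.
EDR_KILLER_NAMES = {"tdsskiller.exe", "edrkillshifter.exe", "ms4killer.exe", "mdeployer.exe"}

# A boot-configuration change that forces the next reboot into safe mode,
# where most EDR agents do not start.
SAFEBOOT_RE = re.compile(r"bcdedit(\.exe)?\s.*\bsafeboot\b", re.IGNORECASE)

# Constructed process-creation events: (timestamp, host, image, command line).
SAMPLE_EVENTS = [
    ("2024-11-03T01:12:04", "ws-042", "powershell.exe", "powershell.exe -w hidden -File C:\\Users\\Public\\stage.ps1"),
    ("2024-11-03T01:13:30", "ws-042", "TDSSKiller.exe", "TDSSKiller.exe <arguments omitted>"),
    ("2024-11-03T01:14:02", "ws-042", "bcdedit.exe", "bcdedit.exe /set {default} safeboot network"),
    ("2024-11-03T01:14:40", "ws-042", "shutdown.exe", "shutdown.exe /r /t 0"),
    ("2024-11-03T09:02:11", "ws-017", "bcdedit.exe", "bcdedit.exe /enum"),  # routine admin use
    ("2024-11-03T09:05:00", "ws-017", "powershell.exe", "powershell.exe -File Get-Inventory.ps1"),
]


def classify(image, cmdline):
    """Tag an event as 'edr_killer', 'safeboot', or None if uninteresting."""
    if image.lower() in EDR_KILLER_NAMES:
        return "edr_killer"
    if SAFEBOOT_RE.search(cmdline):
        return "safeboot"
    return None


def score_hosts(events, window=timedelta(minutes=30)):
    """Return {host: severity}. Either indicator alone is 'medium'; an EDR-killer run
    followed within `window` by a safe-mode boot change on the same host is 'high'."""
    hits = defaultdict(list)
    for ts, host, image, cmdline in events:
        tag = classify(image, cmdline)
        if tag:
            hits[host].append((datetime.fromisoformat(ts), tag))
    severity = {}
    for host, tagged in hits.items():
        tagged.sort()  # chronological order so the chain direction is checked
        severity[host] = "medium"
        for i, (t_kill, tag) in enumerate(tagged):
            if tag != "edr_killer":
                continue
            if any(tag2 == "safeboot" and t_boot - t_kill <= window for t_boot, tag2 in tagged[i + 1:]):
                severity[host] = "high"
    return severity
```

Running `score_hosts(SAMPLE_EVENTS)` flags only ws-042, because bcdedit on ws-017 never touched the safeboot setting.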

Similarly, BlackSuit poses a significant threat to healthcare entities by employing advanced capabilities, including double extortion tactics. These methods involve encrypting data and threatening to release sensitive information unless a ransom is paid.

The Royal Ransomware Group also continues to target healthcare organizations, with multiple advisories issued by the FBI, CISA, and HHS. These attacks often begin with phishing emails or by exploiting known vulnerabilities such as CVE-2024-4577 and CVE-2020-1472.

Example: BlackSuit Attack Chain

  1. Phishing email compromises user credentials.
  2. Executes a PowerShell command.
  3. Manipulates user accounts and deletes files.
  4. Scans networks using stolen credentials.
  5. Moves laterally across the network.
  6. Collects and exfiltrates data.
  7. Deploys ransomware.
  8. Demands ransom.

Every healthcare organization and business associate should take the threat of ransomware attacks seriously.

Ransomware attacks are complex and disruptive, affecting your systems and networks and putting your patients’ lives at risk. Your best defense is HIPAA-compliant, best-practice security controls aligned with the NIST Cybersecurity Framework (CSF) and other NIST-recommended practices.

Below are seven steps to stay ahead of ransomware attackers, mapped to NIST CSF controls and supported by recommended practices.

1. Know your adversaries.

  • NIST CSF Mapping: IDENTIFY (ID.RA-02), IDENTIFY (ID.RA-03)
  • Recommended Practices:
    • Engage in regular threat intelligence sharing with Information Sharing and Analysis Centers (ISACs) or other trusted organizations.
    • Monitor Tactics, Techniques, and Procedures (TTPs) of ransomware groups relevant to healthcare.
    • Use threat intelligence to tailor defensive measures to known adversaries.

2. Conduct ongoing and comprehensive risk analysis from the top down.

  • NIST CSF Mapping: IDENTIFY (ID.RA-01), IDENTIFY (ID.RA-05), IDENTIFY (ID.AM-01 to ID.AM-05)
  • Recommended Practices:
    • Use HIPAA-compliant risk analysis to identify, document, and validate risks to electronic Protected Health Information (ePHI).
    • Maintain a complete asset inventory, including devices, software, and data flows.
    • Include business associates in risk analyses and establish cybersecurity requirements in contracts.
    • Use Business Impact Analyses (BIAs) to understand and prioritize critical operational assets.

3. Protect user identities with appropriate authentication and access controls.

  • NIST CSF Mapping: PROTECT (PR.AA-01), PROTECT (PR.AA-05)
  • Recommended Practices:
    • Enforce multi-factor authentication (MFA) for all user access, particularly privileged accounts.
    • Implement role-based access controls (RBAC) aligned with the principle of least privilege.
    • Regularly audit and update access permissions to prevent unnecessary exposure.

4. Continually train your entire workforce, not just those who provide patient care, on current cyber threats and best practices.

  • NIST CSF Mapping: PROTECT (PR.AT-01), PROTECT (PR.AT-02)
  • Recommended Practices:
    • Conduct organization-wide phishing simulations and tailor training based on results.
    • Regularly update training materials to address emerging threats and attack methods.
    • Foster a culture of cybersecurity awareness where employees feel confident reporting suspicious activity.

5. Continually test and validate response and recovery plans.

  • NIST CSF Mapping: RESPOND (RS.MA-01), RECOVER (RC.RP-01), IDENTIFY (ID.IM-02)
  • Recommended Practices:
    • Perform regular tabletop exercises and simulated ransomware attack drills.
    • Include third-party stakeholders and business associates in incident response testing.
    • Regularly update response and recovery plans based on lessons learned from testing and real-world incidents.

6. Patch vulnerabilities.

  • NIST CSF Mapping: IDENTIFY (ID.RA-01), PROTECT (PR.PS-01), PROTECT (PR.PS-02)
  • Recommended Practices:
    • Implement a vulnerability management program to identify, prioritize, and remediate vulnerabilities promptly.
    • Conduct regular system configuration audits to identify misconfigurations and unnecessary services.
    • Use automated tools to detect excessive permissions and ensure compliance with security baselines.

7. Continually validate the effectiveness of your current security controls.

  • NIST CSF Mapping: DETECT (DE.CM-01 to DE.CM-09), IDENTIFY (ID.IM-01)
  • Recommended Practices:
    • Use continuous monitoring tools to detect anomalies, suspicious behavior, and policy violations.
    • Regularly review and update security configurations to address evolving threats.
    • Perform penetration testing and vulnerability scanning to ensure controls remain effective.

Have questions or concerns about your organization’s cybersecurity resilience? We’re here to help. Reach out to us at info@clearwatersecurity.com for guidance.

Don’t forget to join our next Cyber Briefing on Thursday, Dec. 5th, where we will again review the latest cybersecurity and regulatory developments impacting the healthcare industry. If you’re not already registered for our Monthly Cyber Briefing series, you can learn more and register here: Clearwater Monthly Cyber Briefing.

Take charge of your security – Stay ahead of threats, stay compliant, and stay protected with Clearwater.

 
