Clearwater Cyber Briefing: Key Trends and Takeaways for October 2024

In today’s ever-evolving threat landscape, staying ahead of cybersecurity risks is more critical than ever for healthcare organizations. That’s why, each month, Clearwater Security delivers a Cyber Briefing, providing a comprehensive digest of the latest news, emerging threats, and key updates from across the healthcare cybersecurity ecosystem. These briefings are designed to equip healthcare leaders with the knowledge and insights they need to safeguard their organizations and stay informed on the most pressing issues.

Led by Steve Cagle, CEO of Clearwater, each session highlights the latest cybersecurity threats targeting healthcare, shares expert recommendations on how to mitigate these risks, and reviews real-world incidents with actionable takeaways. Additionally, Steve covers important regulatory updates, explaining how new standards and frameworks, such as NIST 2.0 and HIPAA, impact the healthcare sector. Following his overview, we feature in-depth discussions with subject matter experts, who dive into the complex challenges healthcare organizations face and offer solutions to strengthen cybersecurity defenses.

Read below for a detailed review of October’s key trends and takeaways.

State of the Sector

Last year, the Office for Civil Rights (OCR) investigated data breaches affecting more than 144 million patient records, a staggering 156% increase over the previous year.

And, unfortunately, this year is on pace with the upward trend.

At well above 60 million for the first 10 months of 2024, there were more than 9 million exposures from 48 breaches in a single month alone. These reported breaches, each affecting more than 500 patient records, do not reflect the full extent of record exposures from the Change Healthcare or Ascension data breaches, which are still being reported. As those numbers come in, total record exposures will likely top 2023.

Among the notable, Acadian Ambulance fell victim to a Daixin group ransomware attack in June. Daixin Team claimed responsibility for the attack in July, saying it had exfiltrated data of about 10 million patients and employees. It demanded $7 million in ransomware. When Acadian did not pay, Daixin released data from nearly 3 million records.

Alarming as they are, these numbers shouldn’t surprise most healthcare security leaders, especially since healthcare has been one of the most targeted — and most expensive cost of a data breach — for nearly a decade.

In fact, this year, the industry has faced more than 2,000 attacks each week, up 32% from the previous year.  The healthcare industry isn’t just constantly under siege. It’s also taking longer to recover from successful attacks.

In 2022 and 2023, more than 40% of healthcare organizations could recover from a ransomware attack in about a week. In 2024, 42% said it’s taking them up to a month to fully recover. Close to a third say that can take one to three months.

The statistics paint an alarming picture, but just scratch the surface. Each healthcare breach has far-reaching implications for patient safety, trust, operational resilience, and compliance. By taking a closer look at some of the most recent breaches, healthcare leaders can better understand critical vulnerabilities bad actors use as attack vectors so they can make plans to proactively protect and respond to cyberattacks.

Current Threats:  Real World, Real Breaches, Real Impact

In late September, the University Medical Center in Lubbock, Texas, announced it was dealing with a ransomware attack disrupting IT infrastructure. The medical center had issues with its phone systems and patient portal access.

Last week, officials said they were still dealing with the attack’s impact but had made “substantial progress” with phone system restoration and had decreased the number of patients it was sending to other facilities.

Other recent healthcare cyber threats of note:

• Microsoft Threat Intelligence team recently warned that the Vanilla Tempest ransomware group (previously known as Vice Society) has been actively attacking healthcare.
  • What’s happening:
    • Works with Storm-0494 threat actor, who deploys GootLoader Malware for initial access.
    • Once inside, attackers use Supper malware and deploy legitimate AnyDesk remote monitoring and MEGA data synchronization tools.
  • This enables lateral movement through remote desktop protocol (RDP) and uses the Windows management instrumentation provider host to deploy an INC ransomware payload.
• RansomHub has become one of the most active and successful threat actors, building the largest affiliate network. In August, there were nearly 80 known ransomware attacks from the group. That’s up from 53 in July. Three healthcare organizations, Patient Care, Southeastern Retina Associates, and Cardiology of Virginia reported RansomHub-related attacks in September.
  • What’s happening:
    • Defense evasion techniques include “EDR killers,” such as using TDSSKiller, a legitimate Kaspersky tool, to disable endpoint detection and response (EDR) services on target systems.
    • Uses EDRKillShifter to install drivers with exploitable vulnerabilities.
  • MEOW ransomware quickly reached second place for the number of healthcare ransomware attacks in August. This ransomware first emerged back in 2022. From July through September, Advanced Physician Management Services, Zydus Pharmaceuticals, American Contract Systems, and the Physical Medicine Rehabilitation Center indicated the ransomware had impacted their operations.
    • What’s happening:
      • Derived as a strain from Conti Ransomware.
      • Free encryptor available in 2023.
      • Targeting mainly U.S. companies, with healthcare as a primary target.

Remediation: Protect Your Healthcare Organization From Ransomware and Other Cyber Threats

With these types of attacks, big and small, making headlines daily, healthcare organizations must understand it’s no longer about if they’ll experience a ransomware attack or other data breach, it’s more likely when.

That’s why it’s critically important to build a mature cybersecurity program that enlists a multilayered approach which focuses on risk and uses industry-recognized best practices for threat analysis and mitigation. Organizations should, at a minimum, be HIPAA compliant, and ideally, also adhere to legally recognized frameworks such as NIST 2.0 and the 405(d) Health Industry Cybersecurity Practices (HICP) publication. This ensures both compliance and enhanced security.

Here are 10 ways you can address the current threat environment and keep sensitive data — and your patients — safe:

1. Ensure you have a complete information asset inventory, including asset type, location; how it’s used; and when, how, and how much protected health information (PHI) it can access.
   1. How critical is each asset to your core operations?
   2. Remember, you can’t protect what you don’t know you have.
   3. Asset discovery is particularly challenging for healthcare organizations that only use periodic asset and vulnerability scanning tools. These tools often miss short-lived assets that quickly spin up and down in your environments, like laptops, smartphones, tablets, and some web apps and cloud services. Consider using continuous asset and risk monitoring for enhanced protection.
2. Conduct risk analysis at the information system and component level to address specific risks.
3. Require phishing-resistant and non-SMS-based multi-factor authentication, like authenticator apps or biometrics.
4. Educate users to recognize and report phishing attempts.
5. Separate user and admin privileges.
6. Assess third-party access across your supply chain. Understand who accesses PHI, why, and how much. Limit as much as possible. Verify all vendors implement required privacy and security controls.
7. Install updates for operating systems, software, and firmware immediately. Make mitigation plans when this is not possible. For example, an update may disrupt critical services and create downtime.
8. Ensure current password controls are in place.
   1. Review NIST SP 800-63-4 Digital Identity Guidelines.
9. Evaluate your monitoring, detection, and response capabilities.
   1. Are they sufficient?
10. Validate security controls mapped to the MITRE ATT&CK framework (Secure Controls Validation Assessment).

Have questions or concerns about your organization’s cybersecurity resilience? We’re here to help. Reach out to us at info@clearwatersecurity.com for guidance.

Don’t forget to join our next Cyber Briefing on Thursday, Nov. 7, where we will again review the latest cybersecurity and regulatory developments impacting the healthcare industry. If you’re not already registered for our Monthly Cyber Briefing series, you can learn more and register here: Clearwater Monthly Cyber Briefing.

Take charge of your security – Stay ahead of threats, stay compliant, and stay protected with Clearwater.