Ransomware and data breaches are a serious threat in healthcare, both for healthcare organizations and suppliers. This is due to new phishing techniques used by criminals and because attackers are increasingly quick to exploit vulnerabilities. These and other developments will further increase the threat to the Dutch healthcare sector. This is what Z-CERT (1), the Computer Emergency Response Team for the healthcare sector in our country, predicts in the report "Cybersecurity Threat Assessment for Healthcare 2023" (2).
The threat of ransomware in healthcare is still very high. The number of cyber incidents increased 73 percent worldwide last year compared to 2022. In addition to large healthcare organizations, small healthcare entities are also targeted by malicious actors. Think of a general practice or physical therapist.
Hackers and cybercriminals are still using the same ways to break into a computer network as they did a year earlier. They use an employee's login credentials, many of which they have purchased through another criminal on the dark web. Other ways to get in are through phishing, and by exploiting a vulnerability in an application or system connected to the Internet.
Z-CERT recorded three ransomware attacks on Dutch healthcare providers in 2023. That's two fewer than in 2022. Among suppliers to healthcare institutions, Z-CERT saw an increase in cyber incidents. Among producers of medical technology worldwide, there was a 63 percent increase, in the pharmaceutical industry even 75 percent. In the IT sector, the number of incidents rose 117 percent worldwide.
Dutch healthcare institutions and subcontractors are concerned not only about ransomware attacks, but also extortion in data leaks. Last year, Z-CERT received eight reports from healthcare institutions where data had been leaked through a sub-supplier. The impact was not too bad, but things could have turned out differently.
"In recent years, Z-CERT has seen an increase in chain dependency between healthcare organizations and IT vendors. This entails the risk that a healthcare organization may have its own cyber hygiene in order, while an external party is not sufficiently equipped to deal with today's digital threats," the report states. Z-CERT therefore argues that a data breach via a supplier is real. At the same time, the advisory body does not expect incidents where sensitive data ends up on the street in the near future.
The human factor also played a role in data leaks last year. Due to configuration errors in the cloud, credentials, such as API keys, end up in the hands of hackers and cybercriminals. This allows them to access cloud services and data stored there without multifactor authentication. While the cloud is a safe place to store backup files and confidential data, it does carry risks.
In early 2023, there were quite a few DDoS attacks against Dutch hospitals. Gradually during the year, this type of attack decreased. "However, the threat is greater than last year, as it has become clear over the past year that the Dutch healthcare sector is also being actively attacked by politically activist-inspired actors (hacktivists)," writes Z-CERT. The impact of a DDoS attack is usually limited: websites and patient portals are often unavailable or poorly accessible from several hours to several days.
The threat level for cyber espionage varies by type of organization. For healthcare organizations where much scientific research is done that is relevant to state actors, or that have relevant personal data, this threat is "high. In the past year, Z-CERT did not receive any reports of concrete abuse.
"The Netherlands ranks eighth in the ranking of European countries most targeted by digital attacks by state actors. Yet it does not seem likely that the healthcare sector is currently the main target of state-sponsored espionage campaigns," Z-CERT said.
Financial fraud attempts were also common in 2023. These mostly involved digital means such as e-mail, text messaging, telephony and WhatsApp. A concrete example of this is CxO fraud (3). In this, a fraudster poses as the director, chief financial officer or other high-ranking employee of an external company. In this capacity, he tries to convince the recipient to pay a phantom invoice. Fortunately, the number of healthcare facilities that fell victim to this type of fraud, also known as Business Email Compromise (4) or BEC fraud, was small.
Generative artificial intelligence or GenAI experienced explosive growth last year. This technological development offers plenty of opportunities, but also poses risks to healthcare. Z-CERT acknowledges that no incidents of cyber attacks involving GenAI have yet been reported. However, it does expect GenAI to change the threat landscape for the healthcare industry. Improved phishing attacks and deepfake audio and video are cited as examples.
Home automation poses a relatively new threat to healthcare facilities. The deployment of healthcare home automation can directly affect healthcare delivery, according to Z-CERT. One example is the ransomware attack at Tunstall (5), a major supplier of alarm buttons. This attack caused a nationwide outage in the emergency room, which prevented seniors from using the company's services for some time. In emergencies, they had to call the care facility's number directly.
Wim Hafkamp, director of Z-CERT, says he is pleased that more and more healthcare organizations are seeing the need for good digital security. He therefore urges them to stay sharp, raise awareness among employees, maintain good cyber hygiene and take measures to stay ahead of digital threats.
(1) https://z-cert.nl/wereldwijd-nemen-ransomware-incidenten-in-de-zorg-toe/
(2) https://z-cert.nl/wp-content/uploads/DEF-Z-CERT_RapportDreigingsbeeld2023.pdf
(3) https://www.vpngids.nl/nieuws/computest-ziet-toename-cxo-fraude-in-nederland/
(4) https://www.vpngids.nl/veilig-internet/zakelijk/business-e-mail-compromise/
(5) https://www.vpngids.nl/nieuws/tunstall-hackers-hadden-toegang-tot-data/
