A Lens on the Healthcare Sector

A review of recent Kroll incident response cases consistently proves that the healthcare industry is one of the most frequently targeted sectors. This observation mirrors what is experienced by national cybersecurity agencies as multiple warnings have been launched during 2022, highlighting how ransomware gangs and nation state actors are now aggressively targeting healthcare institutions.

As a sector, healthcare may be particularly attractive to threat actors for a number of reasons, such as the volume of confidential data, particularly protected health information that they hold, and the critical risks posed by the disruption of business services.

Healthcare Under Attack: An Overview

In Q2 2022, Kroll observed a 90% increase in the number of healthcare organizations targeted in comparison with Q1 2022. Ransomware helped to fuel this uptick against healthcare as a focus for attacks, at a time when services were undoubtedly under pressure, recovering from the duress caused by COVID-19. Though always disruptive, ransomware in the context of healthcare, with its disruption to business continuity, can end up putting lives at risk.

Types of Cyber Threats Affecting the Healthcare Sector

Kroll has observed email compromise (36%) as the most common threat incident type impacting the healthcare sector, followed by ransomware (31%) and unauthorized access (28%). 

Email compromise attacks, such as business email compromise schemes, are typically aimed at tricking an unsuspecting user into approving a fraudulent transaction and are common in occurrence. Ransomware attacks pose a more severe risk in that a successful ransomware attack could impact the ability to access patient charts or other data required for essential patient care. Likewise, the majority of ransomware attacks in 2022 implemented a double extortion tactic in which actors exfiltrate data prior to network encryption and then threaten to leak the stolen data as leverage during negotiations. 

In terms of the methods threat actors are using to gain footholds into systems, phishing is the most common approach for initial access, followed by account takeover using legitimate credentials (21%) and External Remote Services (21%).