Blogs & Opinions 30.07.2024

Cyber Resilience in Healthcare: Tackling Ransomware with Advanced Cyber Defences

When it comes to protecting healthcare data and systems, the threat is high, and the stakes are even higher, warns Dr. Darren Williams

In early June 2024, major London hospitals, including King’s College Hospital and Guy’s and St Thomas’, declared a critical incident following a ransomware attack on Synnovis, a pathology services provider.

This cyber attack had significant consequences, including the cancellation of thousands of appointments, the diverting of emergency patients to other hospitals, and significant disruption to vital services like blood transfusions and test results.

The perpetrators, a group known as Qilin, took the unusual step of insisting they were not to blame for any harm to patients – small comfort to those dealing with cancelled appointments and disrupted emergency care, or to any of the individuals whose sensitive healthcare data has since been published online.

This attack underscores the vulnerability of healthcare systems dependent on external partners. Despite earlier speculation that the gang was intent on causing disruption rather than data theft, it also highlights that personal records are still an extremely sought-after prize for criminal groups and a popular commodity for trade and sale across the dark web.

This is an ongoing issue; BlackFog’s research found that May was the second-highest month for ransomware attacks this year, with the healthcare sector bearing the brunt. As the ripples of cyber crime impact business continuity and people’s health and safety, there is an urgent need for enhanced cybersecurity measures in healthcare and in securing third-party relationships to prevent further incidents of this scale.

The growing threat landscape in healthcare

With vast repositories of digitised patient and financial information, coupled with ageing legacy systems and outdated software, criminal groups view healthcare providers as a treasure trove of valuable data. Stolen patient records are sold on the dark web for approximately $50 each (£39), making breaches highly lucrative, with records used to fuel further attacks or as a springboard for blackmail attempts. In the case of the Synnovis breach, Qilin’s apology did not stop the group from promptly sharing more than 400GB of private medical information on darknet sites.

“May was the second-highest month for ransomware attacks this year, with the healthcare sector bearing the brunt”

To add to the challenge, cyber criminals have evolved their ransomware attack tactics beyond breaching and encrypting networks. Today’s ransomware attacks involve multi-layered extortion techniques designed to maximise financial gain. Double, triple, and even image extortion have become the norm, which significantly escalates the pressure on organisations to comply with ransom demands.

Due to the highly sensitive nature of records held, the healthcare sector is particularly vulnerable to image extortion, in which cyber criminals steal patient information, including pre-operative or post-operative photos and threaten to post these images publicly. In one particularly distressing case, the BlackCat ransomware gang published naked images of patients from the Lehigh Valley Health Network after the organisation refused to pay the ransom.

Third-party risks

It stands to reason that cyber attackers often target the weakest link in the network to achieve their aims. As such, third-party vendors, service providers, partners, research labs, and universities must be particularly vigilant, as they can be the unwitting gateway for cyber attacks that disrupt multiple institutions or even entire sectors. To avoid introducing additional risk to their IT environment, health providers should ensure strong measures are in place to vet and monitor partners’ security practices.

To reduce the risk of breaches, strong identity-based security measures are crucial to verify who is accessing information, from implementing least privilege policies to multi-factor authentication, which can serve as robust first lines of defence. As defined by NIST SP 800-207, zero trust architecture further secures networks by treating every access request as untrusted until it is verified, with layered authentication at each step. This approach prevents hackers from reaching sensitive patient data by ensuring strict verification at every network juncture.

Endpoint detection and response (EDR) capabilities are essential for identifying unusual system activity and thwarting attackers who breach initial defences. Network segmentation is a critical strategy that can limit the spread of cyber attacks and force hackers to leave detectable trails, providing early warning for response teams.

“Cyber criminals steal patient information, including pre-operative or post-operative photos and threaten to post these images publicly”

Next-generation firewalls also play a critical role by enforcing identity-based policies that transcend traditional methods of inspecting connections by port ID and IP address. In healthcare settings, where network assets frequently change IP addresses, these firewalls are particularly valuable.

However, these measures alone are insufficient given the increasing focus on data theft and extortion. Anti-data exfiltration (ADX) technology is becoming indispensable for preventing attackers from exfiltrating data or connecting to command-and-control servers, ensuring that even if they penetrate the network, they leave empty-handed. This proactive measure forces attackers to abandon their efforts; if they cannot steal data, they’ll simply move on.
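The preceding paragraphs describe two related defensive ideas: that network segmentation and EDR force attackers to leave detectable trails, and that stopping outbound data transfers and command-and-control connections leaves an intruder empty-handed. The following is an added example, written for this page and not code from BlackFog or any product, of what the detection side of that looks like in practice. It runs over a constructed set of outbound connection records and flags two patterns: a host pushing a large volume of data to a destination that is not on the organisation's allow-list, and a host making small connections to an unknown destination at a suspiciously regular interval (a classic beacon). The host names, destinations, allow-list and thresholds are all assumptions chosen for illustration.

```python
"""Egress-anomaly check over constructed outbound-connection records.

Hypothetical example (not BlackFog's or any vendor's code). It models the
article's point: watch what endpoints send out of the network, and flag
flows that look like bulk data exfiltration or command-and-control
beaconing so a response team can block the destination and investigate.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import pstdev


@dataclass(frozen=True)
class Flow:
    host: str        # internal endpoint that opened the connection
    dest: str        # destination hostname or IP address
    port: int
    bytes_out: int   # bytes sent from host to dest
    ts: int          # seconds since the start of the observation window


# Destinations endpoints are expected to talk to (constructed allow-list).
ALLOWED_DESTS = {
    "pacs.internal.example",
    "lab-results.partner.example",
    "updates.vendor.example",
}

# Constructed log: one workstation doing normal work, one pushing a large
# archive to an unknown host, and one beaconing every 60 s to an unknown host.
SAMPLE_FLOWS = [
    Flow("ward-pc-01", "pacs.internal.example", 443, 12_000_000, 10),
    Flow("ward-pc-01", "lab-results.partner.example", 443, 400_000, 90),
    Flow("ward-pc-01", "updates.vendor.example", 443, 80_000_000, 200),  # large but allowed
    Flow("radiology-ws-07", "203.0.113.45", 443, 30_000_000, 30),
    Flow("radiology-ws-07", "203.0.113.45", 443, 30_000_000, 45),
    Flow("radiology-ws-07", "203.0.113.45", 443, 30_000_000, 61),
] + [
    Flow("reception-pc-03", "198.51.100.9", 8443, 512, 60 * i) for i in range(1, 9)
]


def bulk_transfers(flows, allowed, threshold):
    """Total outbound bytes per (host, dest) to non-allow-listed destinations;
    return the pairs whose total meets the threshold."""
    totals = defaultdict(int)
    for f in flows:
        if f.dest not in allowed:
            totals[(f.host, f.dest)] += f.bytes_out
    return {pair: total for pair, total in totals.items() if total >= threshold}


def beacons(flows, allowed, min_count=6, max_jitter=5.0):
    """Find (host, dest) pairs with at least min_count connections whose
    inter-connection gaps are nearly constant (population std dev <= max_jitter).
    Returns the pair mapped to its average period in seconds."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.dest not in allowed:
            by_pair[(f.host, f.dest)].append(f.ts)
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            hits[pair] = round(sum(gaps) / len(gaps))
    return hits


def find_egress_anomalies(flows, allowed=ALLOWED_DESTS, bulk_threshold=50_000_000):
    """Return sorted (kind, host, dest, detail) findings for a response team."""
    findings = []
    for (host, dest), total in bulk_transfers(flows, allowed, bulk_threshold).items():
        findings.append(("bulk-exfil", host, dest,
                         f"{total} bytes sent to non-allow-listed destination"))
    for (host, dest), period in beacons(flows, allowed).items():
        findings.append(("beacon", host, dest,
                         f"regular connections every ~{period}s to unknown destination"))
    return sorted(findings)


if __name__ == "__main__":
    for kind, host, dest, detail in find_egress_anomalies(SAMPLE_FLOWS):
        print(f"[{kind}] {host} -> {dest}: {detail}")
```

Two design points carry over to real deployments. The large transfer from ward-pc-01 is not flagged because its destination is on the allow-list, which is why the allow-list must be maintained as carefully as the firewall rules it complements. The beacon check keys on regularity rather than volume, because command-and-control traffic is typically tiny and would never trip a byte threshold; in production the same logic would run over proxy or NetFlow data with the thresholds tuned to the observed baseline.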

Ransomware attacks and the resulting theft of any data can have devastating and far-reaching consequences. In the case of health systems and records, there’s an additional layer of severity that goes beyond issues of trust or cost, as patients’ treatment and well-being are put at risk.

Ultimately, a multi-layered cybersecurity approach is crucial to stopping cyber crime and staying one step ahead of attackers. Proactive cybersecurity not only prevents disruption but also ensures that healthcare providers can deliver medical services without delay, so that those at their most vulnerable are not caught in the crosshairs of the fight against cyber crime.


Dr. Darren Williams is the CEO and Founder of BlackFog
