Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable 部落格

訂閱

Healthcare Security: Ransomware Plays a Prominent Role in COVID-19 Era Breaches

Ransomware is the root cause in a majority of the healthcare breaches analyzed.

As the ongoing COVID-19 pandemic continues to place unprecedented strain on global healthcare infrastructure, attackers are finding what was already an attractive target even more enticing. This unfortunate scenario has greatly expanded the attack surface for these malicious parties with the introduction of greater demand for remote services like telehealth, COVID-19 contact tracing app data, demand from medical manufacturing companies, and a race for medical research facilities to find a cure. An analysis of publicly disclosed breach data by the Tenable Security Response Team (SRT) reveals 237 breaches in the healthcare sector in the calendar year 2020. And the activity looks set to continue unabated in 2021, with 56 breaches already disclosed as of February 28. One finding is clear: ransomware attacks are not going away anytime soon.

資料外洩事件嚴重打擊醫療保健業

The Tenable SRT monitors threat and vulnerability intelligence feeds to help drive and prioritize plugin coverage for Tenable products as well as keeping customers informed of the risks associated with vulnerabilities. For additional context, the team also monitors and tracks publicly disclosed breaches to understand how and when vulnerabilities are a factor. The Tenable 2020 Threat Landscape Retrospective (TLR) revealed a total of 22 billion records exposed as a result of 730 publicly disclosed breaches between January 2020 and October 2020, with healthcare being by far the most affected industry sector.

This comes as no surprise given the critical role healthcare infrastructure has had as a result of the COVID-19 pandemic.

Breaches have long been a profitable business for threat actors, as highlighted in IBM's 2020 Cost of a Data Breach Report, which notes the average cost of a breach at $3.86 million. If that number weren't incentive enough for threat actors, the average cost of a breach for healthcare specifically was $7.13 million, with personally identifiable information (PII) valued at $150 per record making the industry a prime target.

Cost of a data breach

Source: IBM Security Cost of a Data Breach Report 2020

Given the particular importance of the healthcare sector at a time of global pandemic, we felt it was important to expand on the original analysis provided in the TLR, which was limited by our publishing deadlines. In this blog, we examine the full 12 months of publicly disclosed breaches in 2020 and take a closer look at activity we've seen in the first two months of 2021. We've analyzed 293 breaches in the healthcare sector which were publicly disclosed between January 2020 and February 2021; records were confirmed to have been exposed in nearly 93% of these breaches. One obstacle with accurately tracking breaches is that public disclosures can occur days, months or even years after the event itself and, even then, the level of detail available may be scant. Of the 293 breaches known to have exposed records in the 14-month period we analyzed, 57.34% of the affected organizations have publicly disclosed how many records were exposed. The number of records exposed in this period reached a total of nearly 106 million records; 76.45% of these were disclosed in 2020. (Editor's note: At the time this blog was published, the ramifications of CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065, four actively exploited Microsoft Exchange Server zero-days, are just beginning to emerge; Tenable Research is closely following developments related to this disclosure.)

醫療保健資料外洩問題根源分析

A root cause was reported in 93.17% of the healthcare breaches disclosed in the 14-month period we've analyzed. Among these, ransomware was by far the most prominent root cause of healthcare breaches, accounting for a whopping 54.95%. Other leading causes included email compromise/phishing (21.16%), insider threat (7.17%) and unsecured databases (3.75%).healthcare breaches: root cause analysisIn some instances, breaches don't occur as a result of direct action against the victim or of their own actions, but rather occur as a result of a third-party breach. This occurs when a third-party vendor that you use is breached and, as a result, attackers gain access to your data which is stored in their system. In some circumstances, attackers exploit vendors to gain direct access to your system. In cases where the numbers were made public, our analysis shows that third-party breaches accounted for over a quarter of the breaches tracked and accounted for nearly 12 million records exposed. The breach of a single company accounted for over 10 million of these records. This breach has been linked back to 61 of their healthcare customers, with the number of exposed records expected to increase as more of these impacted customers disclose their numbers.Healthcare breach analysis: third party as source of breach

某些醫療保健類別受創比其他類別更嚴重

While the term "healthcare" is often used as if it describes a monolithic sector, there are in fact quite significant differences in the types of organizations operating within the broader healthcare category. In order to provide a more granular view, we've further segmented the data into 12 key classifications, which can be found in the table below. Healthcare systems — typically a collective of institutions, people and various resources across a geographical area — accounted for just over 30% of the breaches tracked. Because such systems can include multiple facilities spread across a number of campuses, the impact of 88 breaches is exponentially worse than if they had occurred in an individual, standalone facility such as a single hospital.

The top five healthcare categories experiencing the most breaches in the past 14 months were:

  1. 醫療保健系統 (佔所有外洩事件的 30.03%)
  2. Hospital (19.11%)
  3. Mental health care/rehabilitation (6.14%)
  4. Medical clinic (5.12%)
  5. Government agency (4.10%)
TOP 12 BREACHED SECTORS
Healthcare sector Breach count Share of overall breaches (%)
2020 2021
YTD
Total 2020 2021
YTD
Total
Healthcare system 72 16 88 24.57% 5.46% 30.03%
Hospital 43 13 56 14.68% 4.44% 19.11%
Mental health care / rehabilitation 17 1 18 5.80% 0.34% 6.14%
Medical clinic 11 4 15 3.75% 1.37% 5.12%
Government agency 7 5 12 2.39% 1.71% 4.10%
Children's hospital 9 0 9 3.07% 0.00% 3.07%
Healthcare software 8 0 8 2.73% 0.00% 2.73%
Laboratory testing 4 3 7 1.37% 1.02% 2.39%
Health insurance 7 0 7 2.39% 0.00% 2.39%
Pharmaceuticals 6 0 6 2.05% 0.00% 2.05%
Medical research 5 1 6 1.71% 0.34% 2.05%
Medical manufacturing 5 1 6 1.71% 0.34% 2.05%

Source: Tenable Research analysis of publicly disclosed breaches, January 2020 - February 2021.

勒索軟體 - 醫療保健資料外洩的問題根源

Ransomware accounted for 54.95% of breaches tracked, or 161 breaches. For 108 of these breaches, the culprits responsible never became publicly known. There are a variety of reasons for this, including:

  • They were never identified.
  • They decided to remain anonymous.
  • The victims never publicly disclosed the details.
  • They were never observed to have listed their victims or dumped their data on ransomware sites.

When it came to healthcare, Ryuk stood out above the rest, repeatedly appearing in breach disclosures and accounting for 8.64% of ransomware-related breaches, followed by Maze (6.17), Conti (3.7%) and REvil/Sodinokibi (3.09%), as shown in the chart below.Healthcare breach analysis: ransomware groups

At one stage, towards the beginning of the pandemic, there was a glimmer of hope for the healthcare industry. Bleeping Computer reported that some ransomware groups claimed they would cease attacks against the sector. However, these ransomware gangs reneged on their promises, continuing to be tied to breaches throughout 2020, raising the question of whether ransom payments will be honored.

受到勒索軟體集團利用的未修補弱點

The root cause of the breaches tracked was predominantly disclosed as a result of ransomware or phishing/email compromise; it is a rare occurrence that exact methods used to breach a company are disclosed. Ransomware groups tend to favor leveraging certain attack vectors, so much so that they have their own fingerprints. Some are known to exploit vulnerabilities while others will utilize phishing/email compromise to establish an initial foothold before dropping malware or leveraging a vulnerability to gain further access to the victim's systems to deploy the ransomware.

Ryuk ransomware, the leading culprit for ransomware attacks against the healthcare industry, is known to favor a number of vulnerabilities, including those associated with Microsoft Server Message Block (SMB) as reported by Trend Micro. Analysis from researchers at The DFIR Report demonstrated how Ryuk threat actors went from sending an initial phishing email (similar to Conti) to controlling an entire domain using CVE-2020-1472 to elevate privileges less than two hours after the initial phish. This vulnerability, also dubbed "Zerologon," targeted a vulnerability in Netlogon which could allow attackers to hijack a Windows Domain Controller (DC). This vulnerability is highlighted as the top vulnerability in the Tenable 2020 TLR, so severe that Microsoft rolled out a second patch for it in February 2021 to enable Enforcement Mode by default.

In a recent article in SC Magazine, Jamie Hart, cyberthreat intelligence analyst at Digital Shadows, gives insight into Conti ransomware and how it has targeted healthcare facilities. Hart notes that Conti initially targeted victims with phishing emails before leveraging CVE-2020-0796, a wormable remote code execution (RCE) vulnerability in Microsoft SMBv3, to gain access to an admin account. Conti would use well-known open-source tools to enumerate and gain further access to the victim's networks. While Hart provides one observation of Conti ransomware, Coverware researchers highlight that they have observed Conti ransomware favoring the Remote Desktop Protocol (RDP). The Tenable 2020 TLR highlighted the increased use of RDP in the last year favored for remote working as it is included in the Windows operating system (OS). RDP, unfortunately, has a history of having critical vulnerabilities associated with the protocol, including CVE-2019-0708, dubbed "BlueKeep," CVE-2019-1181, CVE-2019-1182, CVE-2019-1222 and CVE-2019-1226, collectively named "DejaBlue."

Maze, prior to shutting down on November 1, 2020, was responsible for a number of attacks as highlighted by the above chart. Much like Conti and other ransomware groups, they are known to favor RDP as an attack vector but also have a history of targeting certain CVEs. These include CVE-2019-19781, a vulnerability in Citrix Application Delivery Controller (ADC) and Gateway, as reported by SHIELDX and CVE-2019-11510, a vulnerability in Pulse Connect Secure SSL VPN, as highlighted by Palo Alto Networks Unit 42. Both of these vulnerabilities made the top five vulnerabilities in the Tenable 2020 TLR despite being disclosed in 2019 as threat actors continue to target unpatched vulnerabilities.

遠距醫療解決方案擴大了攻擊破綻

The new norm of social distancing and doctors being very selective of the patients they see in person has resulted in an exponential rise in the use of telehealth for medical advice. Listening to Patient Data Security: Healthcare Industry and Telehealth Cybersecurity Risks, a study by Security Scorecard and DarkOwl, analyzed 148 of the most-used telehealth vendors from September 2019 to April 2020. The study found a staggering 30% increase per domain in their findings; below are some concerning stats directly from their report:

Finding Meaning
117% increase in IP reputation security alerts Malware infections — as part of successful phishing attempts and other attack vectors — ultimately cause IP reputation finding issues
56% increase in endpoint security Exploited vulnerabilities in endpoint security enable data theft
16% increase in application security Patients connect with telehealth providers using web-based applications including structured and unstructured data
42% increase in FTP issues FTP is an insecure network protocol that enables information to travel between a client and a server on a network
27% increase in RDP issues RDP is a protocol that allows for remote connections, which has seen increased usage since the widespread adoption of remote work

Source: Listening to Patient Data Security: Healthcare Industry and Telehealth Cybersecurity Risks, a study by Security Scorecard and DarkOwl analyzing 30,000 healthcare organizations from September 2019 to April 2020.

While it's a positive to see a 65% increase in patching cadence findings reported, seeing an increase in telehealth IPs flagged as malicious, issues in insecure protocols and an uptick in vulnerabilities in telehealth being exploited do raise flags. It's clear from the Security Scorecard / DarkOwl study that there was an increase in exploiting telehealth in 2020 into the start of the pandemic. It would not be unfounded to assume telehealth was in the scopes of threat actors for the remainder of the year and going into 2021.

疫苗的研究與生產引發了網路攻擊

The research and development of COVID-19 vaccines introduced a prime target for threat actors and organizations involved in these efforts should be on high alert, as warned in a U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) public service announcement towards the early stages of the pandemic. These attacks against vaccine research and production facilities prompted further advisories; the U.K.'s National Cyber Security Centre (NCSC) published one on July 16, 2020, in relation to an advanced persistent threat. The advisory highlighted APT29 as targeting COVID-19 vaccine development and is known to leverage the previously mentioned CVE-2019-19781 and CVE-2019-11510 but also CVE-2018-13379, a vulnerability in FortiGate SSL VPN. These facilities will continue to be targeted as long as they present financial opportunities, whether it's to halt production or research and hold victims to ransom or the act of cyber espionage with the intent to sell the data to the highest bidder.

醫療保健資料外洩預測

Whether threat actors leverage email compromise/phishing or vulnerabilities to gain an initial foothold in healthcare systems, it is highly probable that vulnerabilities will be the root cause of a system-wide compromise. The healthcare industry should take a two-pronged approach to cybersecurity:

  • Prioritize vulnerabilities: identify and remediate vulnerabilities most likely to target and impact your organization.
  • Address the root cause: while the human element is a factor in some instances, the majority of breaches can be prevented, or at a minimum impeded, by patching target vulnerabilities. The health of the network can be maintained through regular check-ups.

As explained above, the vulnerabilities being leveraged by these ransomware groups are targeted due to lack of patching, and overlap with vulnerabilities targeted by state-sponsored actors for the same reason.

It's clear healthcare will continue to be targeted in 2021 with breaches already making media headlines. Action needs to be taken to nullify the risk before more damage can be done.

深入瞭解

  • Download Tenable's 2020 Threat Landscape Retrospective here.
  • Watch the on-demand webinar, Tenable Reserach 2020 Recap and Defender's Guidance for 2021, here
  • Visit the Tenable Research landing page here

相關文章

您是否容易受到最新攻擊程式危害?

輸入您的電子郵件地址,以便收到最新 cyber exposure 警示。

選擇 Tenable.io

免費試用 30 天

享受現代、雲端型的弱點管理平台,能夠以無與倫比的準確性查看和追蹤所有資產。 立即註冊。

立即購買 Tenable.io

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

65 項資產

選取您的訂閱選項:

立即購買

免費試用 Nessus Professional

免費試用 7 天

Nessus® 是現今市場上功能最全面的弱點掃描工具。Nessus Professional 能協助自動化弱點掃描程序、節省您達到合規性的時間並讓您的 IT 團隊合作。

購買 Nessus Professional

Nessus® 是現今市場上功能最全面的弱點掃描工具。Nessus Professional 能協助自動化弱點掃描程序、節省您達到合規性的時間並讓您的 IT 團隊合作。

購買多年期授權,節省更多。新增 365 天全年無休 24 小時全天候可使用電話、社群及對談的進階支援。完整詳情請見此處。

試用 Tenable.io Web Application Scanning

免費試用 30 天

享受我們專為現代應用程式而設計,屬於 Tenable.io 平台一部分的最新 Web 應用程式掃描產品的所有功能。不需耗費大量人力或中斷重要 Web 應用程式,即可高度準確且安全地掃描您整個線上產品系列中是否含有任何弱點。 立即註冊。

購買 Tenable.io Web Application Scanning

享受現代、雲端型的弱點管理平台,使您能夠以無與倫比的準確性查看和追蹤所有資產。 立即訂閱一年。

5 個 FQDN

$3,578

立即購買

試用 Tenable.io Container Security

免費試用 30 天

享受整合至弱點管理平台中的唯一容器安全產品的完整功能。監控容器映像中是否有弱點、惡意軟體及政策違規的情形。與持續整合和持續部署 (CI/CD) 系統整合,以支援 DevOps 作法、加強安全性並支援企業政策合規性。

購買 Tenable.io Container Security

Tenable.io Container Security 整合了建置程序,能提供包含弱點、惡意軟體和政策違規等容器影像安全性的能見度,讓您無縫並安全地啟用 DevOps 流程。

取得 Tenable.sc 產品示範

請填寫以下表格並附上您的聯絡資訊,我們的業務代表將盡快與您聯絡,以安排產品示範。您也可以附上簡短註解 (字元上限為 255 個)。請注意,標示星號 (*) 的欄位是必填欄位。

試用 Tenable Lumin

免費試用 30 天

透過 Tenable Lumin,能夠以視覺方式呈現 Cyber Exposure 並加以探索,長期追蹤風險降低狀況,以及對照同業進行指標分析。

購買 Tenable Lumin

聯絡業務代表,瞭解 Lumin 如何協助您獲得整個企業的深入洞見,並管理網路風險。

申請 Tenable.ot 產品示範

取得您所需要的操作技術安全性。
降低您無法處理的風險。

Tenable.ad

持續偵測與回應 Active Directory 攻擊。 無需代理程式、無需特殊權限。提供内部部署和雲端兩種選擇。