EXECUTIVE SUMMARY
The healthcare vertical faces a range of threat actors and malicious activity. Given the critical role it plays within society and its relationship with our most sensitive information, the risk to this sector is especially consequential. In some cases, criminals seek to monetize personally identifiable information (PII) and protected health information (PHI); nation states carry out intrusions to steal valuable research and mass records for intelligence gathering purposes; and disruptive threats like ransomware have the potential to wreak havoc among hospital networks and impact the most critical biomedical devices and systems.
To move beyond compliance with current regulations and address the ever-changing threat landscape, organizations in this sector should use threat intelligence to understand how these threats continue to evolve and to reduce risk accordingly.
Based on FireEye’s observations of threat activity across this vertical, the threats facing healthcare organizations can be grouped as follows:
Theft of Data
• Financially motivated threat activity represents a high-frequency, high-impact threat to healthcare organizations. Cybercrime actors may conduct focused intrusions into specific targets that house or have access to valuable patient records and data or carry out opportunistic targeting of poorly secured organizations and networks.
• In comparison to cybercrime activity, cyber espionage campaigns pose a lower-frequency but still high-impact risk to healthcare organizations, particularly those in some subsets of the industry. Much of what FireEye has observed from such threat actors—particularly those with a nexus to China—appears to be driven by an interest in acquiring medical research and collecting large data sets, potentially to support intelligence operations.
• In our 2018 M-Trends report, FireEye observed that healthcare was the third most frequently retargeted industry following an incident.
Disruptive and Destructive Threats
• Disruptive threats driven by extortionist cyber criminals and nation state actors continue to present a threat to continuity of operations for healthcare providers and others in this space.
• Both targeted activity, such as ransomware delivered post-compromise, and less frequent but widespread nation-state-originated threats such as WannaCry can pose threats to poorly secured infrastructure.
• As with operational technology networks in critical infrastructure, security teams within healthcare providers face difficulties in maintaining visibility into threats targeting the specialized clinical and biomedical systems on their networks.
Looking forward, the increasing number of biomedical devices used for critical functions within hospitals and healthcare providers presents a growing security challenge. Furthermore, given the importance and value of these devices, a growing willingness by cybercrime actors or, in a period of heightened geopolitical tension, nation state actors to deploy disruptive and destructive tools may significantly increase the impact of these threats beyond what we have observed to date.