Guest Column | May 18, 2016

Cybercrime Is Bad For Your Health

Healthcare Cybercrime

By Greg Mancusi-Ungaro, BrandProtect

Hardly a week goes by without a hospital, healthcare provider or health insurer falling prey to some form of ransomware — a big problem that is only getting bigger. Leading hospitals such as Hollywood Presbyterian Medical Center, MedStar Health’s Union Memorial Hospital in Baltimore, MD, and Methodist Hospital in Henderson, KY have fallen victim to these attacks. The recent Verizon Data Breach Investigations Report (DBIR) saw ransomware attacks rise 16 percent overall this year and, according to a Brookings Center for Technology Innovation study, 23 percent of all data breaches occurred in healthcare, tripling over the last two years alone.

What Makes Healthcare A Prime Target?
Healthcare organizations are a large target for many reasons. First and foremost, they possess extremely valuable assets, including the personal, family, and billing information of their patients. EHRs contain virtually complete personal identity portfolios, including social security numbers linked to names and birthdates, parents’ names, maiden names, physical and email addresses, children’s names, and, in some cases, complete information on close friends. They are the holy grail of the identity theft world. With this personal information, criminals can apply for credit cards or mortgages, submit state and local tax returns, and more.

Second, the available attack surface in the healthcare industry is very complex. The healthcare industry contains many different organizations that have, over the past few years, moved to electronic systems. Today’s healthcare network — phones, tablets, laptops, desktops, networks, data formats, communications protocols, and access points — is connected together in a complicated, semi-integrated way. Not only is this amalgamated network challenging to maintain, it creates massive opportunities for compromise. Cybercriminals know this, and routinely try to exploit it.

Finally, hospitals and regional medical centers are critical resources. When their operations are interrupted, it may truly be a matter of life and death. This built-in urgency makes them a prime target for sophisticated ransomware attacks.

Socially Engineered Attacks More Sophisticated Than Ever
Faced with a rapid increase in the number and sophistication of cyber criminals’ exploits, healthcare security leaders have raised cyber protection to the top of their lists. At last year’s BlackHat conference — a gathering of security experts and leaders from across all industries — CISOs ranked social engineering and phishing exploits just behind direct attacks and breaches as their greatest pain point. Internal initiatives, including better educational programs, more timely backups, and aggressive cyber threat monitoring, can blunt the impact of these external attacks.

The technology behind the actual malware is evolving rapidly. At the same time, the criminals seem to be price-testing the market to find the ransom sweet spot that enterprises are willing to pay. The original ransom demand at Hollywood Hospital was $3 million, but it was negotiated down to $17K, payable in bitcoin. It’s a dirty, ugly business.

Truth be told, ransomware is not really that sophisticated. It is just very effective. Where criminals have upped their game is effectively delivering ransomware into their targeted organizations. How do they do it? Social engineering.

The criminals target their attacks carefully, using publicly available data from professional networks such as LinkedIn, Spokeo, Hoovers, and other open resources to create plausible emails. These emails are designed to appear to come from executives who are known to the recipients, and sometimes cover current business or industry issues with an eerie familiarity. This greatly raises the likelihood that recipients of these emails click on the link or open the attachment, springing the trap. According to the latest Verizon DBIR, 30 percent of all phishing emails are opened by their targets, and 12 percent of recipients actually click on the dangerous link or attachment.

3 Tips For Preventing Modern-Day Spear Phishing Attacks
It is clear criminals are improving their technique, so it is essential healthcare CISOs up their game, too. How to do this effectively?

  1. Search Out Cyber Threats Beyond The Perimeter
    While network and endpoint monitoring should never be neglected, there is an opportunity for CISOs to get ahead of many cyberattacks by proactively searching for and mitigating online activity that targets the institution. The list of malevolent activities is a long one; for example, the criminals may be impersonating hospital or insurance executives through duplicate online profiles at LinkedIn, Facebook or Twitter. These masquerading profiles are used to gather links and connect to real people within the institution, allowing the criminals not only to build a database of internal contacts, but also to gain a “legitimate” means to reach out. There may be unauthorized user groups that falsely appear to represent the institution. There may be domains that mimic the actual domain of the hospital or institution. Complete external cyber monitoring will also provide you with evidence that you have (or have not) been breached — by monitoring black market activity, you will be able to see if your patient records are being offered for sale.
  2. Monitor Domain Registrations And MX Records
    By monitoring not only copycat and similar domains, but also tracking the MX record status of those domains, CISOs can proactively block potential spear phishing or BEC attacks. Cyber criminals play a cat and mouse game with domains — they register or activate an email-capable domain just before they launch their attack and take the domain down after they strike. In the most sophisticated cases, these attack domains are only online for 24 to 72 hours. To email-enable a domain, the criminals must activate the domain’s MX record, which identifies that domain as email capable. When the MX record of a copycat or similar domain is activated, that domain becomes a potential launch platform for a BEC or targeted email attack. To stop an attack before it begins, CISOs should implement full-scale domain monitoring with integrated MX record monitoring. When a potential attacking domain comes online, CISOs can block emails from that IP address or place that domain on their list of untrusted domains.
  3. Educate Employees And Members
    CISOs should take steps to make sure cyber threat awareness and security best practices are top of mind for all employees, doctors, and network members. An informed user is much less likely to be victimized by a rogue message. Quarterly reminders, or better, monthly, about phishing and spear phishing dangers, or the perils of downloading mobile apps, can go a long way to providing one last line of defense for organizations. Some of the most popular ways CISOs try to help their constituencies become threat-hardened include newsletters, webinars, lunch time sessions, and actual inbound phishing tests. In addition, new employee onboarding programs should include a module on cyber threat awareness. In the best cases, these educational programs become an institutional priority, with executive suite sponsorship and participation.
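The domain and MX record monitoring described in tip 2 can be reduced to two small pieces of logic: generating the copycat names that are worth watching, and diffing successive MX lookups so that a domain is flagged the moment it becomes mail-capable. The following Python is an added example written for this column, not BrandProtect's own tooling. It assumes a placeholder institution domain (examplehospital.org), a short hypothetical substitution list, and a `lookup` callable that returns the MX hosts for a name; the two scans below use a constructed answer table so the code runs offline, whereas a real deployment would wrap a resolver such as dnspython's `dns.resolver.resolve(name, "MX")`.

```python
from typing import Callable, Dict, Iterable, List

# Hypothetical substitution set for ASCII lookalikes. A production list would be
# far longer and would also cover IDN (Unicode) confusables.
SUBSTITUTIONS = {
    "o": ["0"], "l": ["1", "i"], "i": ["1", "l"], "e": ["3"], "a": ["4"],
    "s": ["5"], "m": ["rn"], "rn": ["m"], "w": ["vv"], "vv": ["w"],
}
ALT_TLDS = ["com", "net", "org", "co", "info", "health"]   # assumed watch list
PREFIXES = ["my", "secure-", "login-"]                       # assumed watch list
SUFFIXES = ["-login", "-portal", "-secure"]                  # assumed watch list


def lookalike_candidates(domain: str) -> List[str]:
    """Generate copycat variants of a registered domain (assumes 'label.tld' form)."""
    label, tld = domain.lower().split(".", 1)
    variants = set()
    for i in range(len(label)):
        # typosquats: drop a character, swap two neighbours, insert a hyphen
        variants.add(label[:i] + label[i + 1:])
        if i + 1 < len(label):
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
            variants.add(label[:i + 1] + "-" + label[i + 1:])
        # homoglyphs: one- and two-character substitutions from the table
        for width in (1, 2):
            chunk = label[i:i + width]
            for sub in SUBSTITUTIONS.get(chunk, []):
                variants.add(label[:i] + sub + label[i + width:])
    variants.add(label.replace("-", ""))  # de-hyphenated form
    candidates = {f"{v}.{tld}" for v in variants if v}
    candidates |= {f"{label}.{t}" for t in ALT_TLDS}
    candidates |= {f"{p}{label}.{tld}" for p in PREFIXES}
    candidates |= {f"{label}{s}.{tld}" for s in SUFFIXES}
    candidates.discard(domain.lower())  # never flag the institution's own domain
    return sorted(candidates)


def scan_mx(candidates: Iterable[str], lookup: Callable[[str], List[str]]) -> Dict[str, bool]:
    """Record which candidate domains currently advertise at least one MX host."""
    return {d: bool(lookup(d)) for d in candidates}


def newly_mail_enabled(previous: Dict[str, bool], current: Dict[str, bool]) -> List[str]:
    """Domains whose MX record appeared since the last scan: these are the ones to
    push to the untrusted-sender list before any message from them arrives."""
    return sorted(d for d, has_mx in current.items() if has_mx and not previous.get(d, False))


# Constructed resolver answers for two consecutive daily scans (sample data, not
# real DNS). An empty list stands for NXDOMAIN or no MX answer.
DAY_1 = {
    "exampleh0spital.org": [],
    "exarnplehospital.org": [],
    "examplehospital.com": ["mx.examplehospital.com."],
}
DAY_2 = {
    "exampleh0spital.org": ["mail.bulk-sender.test."],  # MX switched on overnight
    "exarnplehospital.org": [],
    "examplehospital.com": ["mx.examplehospital.com."],  # unchanged, not an alert
}


def run_demo() -> List[str]:
    """Diff two scans of the watch list and return the domains that just went live."""
    watch = lookalike_candidates("examplehospital.org")
    before = scan_mx(watch, lambda d: DAY_1.get(d, []))
    after = scan_mx(watch, lambda d: DAY_2.get(d, []))
    return newly_mail_enabled(before, after)


if __name__ == "__main__":
    for d in run_demo():
        print(f"ALERT: {d} became mail-capable since the last scan; add it to the untrusted-domain list")
```

The watch list is generated once and the scan runs on a schedule; because the column notes that attack domains may live only 24 to 72 hours, the scan interval should be shorter than that. `newly_mail_enabled` only reports transitions from "no MX" to "MX present", so a long-standing lookalike with stable mail service (here, examplehospital.com) is not re-alerted every day. To block by IP address as the column suggests, resolve the returned MX host to its A record at alert time rather than caching it, since the sending host can change as often as the domain does.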

Cyberattacks against the healthcare industry are on the rise. The urgency around the operational integrity of healthcare infrastructure, plus the unique value of EHRs and other health data, means there is no end in sight for these attacks. Ransomware is gaining notorious headlines, but malware attacks and other incursions that lead to breaches are also increasing in frequency. CISOs have opportunities to stay a step ahead. Educational programs for doctors and for staff members are critical, but they are not enough. Proactive cyber monitoring, particularly around MX record activation, can help to stop the most dangerous socially engineered attacks from ever reaching their intended target.

About The Author
Greg Mancusi-Ungaro is the chief marketing officer for BrandProtect, a leader in cyber threat monitoring, intelligence and mitigation services. He is a frequent author and speaker, and a constant evangelist on cyber security issues, the changing nature of the modern threat landscape, and the emerging technologies that look beyond the perimeter to drive enterprise defenses against cyberattack. He blogs regularly on cyber threat and cyber security at For more information, .