HC3 Sheds Light on Data Exfiltration Trends in Healthcare Cyberattacks
The Health Sector Cybersecurity Coordination Center (HC3) has issued a security advisory warning about data exfiltration in healthcare cyberattacks, highlighting the extent of the practice and sharing several recommended mitigations. Data exfiltration typically occurs once a threat actor has gained access to a network, elevated privileges, and moved laterally. It is one of the last stages of the cyber kill chain and the primary objective of many cyberattacks.
There are several reasons for data theft. Nation-state actors often steal data for espionage purposes, cybercriminal groups steal healthcare data because it can be easily monetized and used as leverage for extortion, and insiders steal data for financial gain, competitive advantage, and blackmail. When ransomware was first used by cybercriminal groups, files were simply encrypted; data exfiltration is now common. Data theft allows ransomware actors to profit from attacks even when ransoms are not paid, and often it is the threat of publication of stolen data that prompts victims to pay. The incentive to pay to prevent data exposure is so strong that some ransomware gangs are dispensing with file encryption altogether and conducting extortion-only attacks.
In the security advisory, HC3 draws attention to the extent to which data exfiltration is occurring. HC3 explains that breach notifications to the HHS show 28.5 million records were exposed in the second half of 2022, up 21.1 million records from 2019. Across all 588 reported data breaches in 2022, more than 44 million patient records were exposed. At least 24 healthcare ransomware attacks occurred in 2022 impacting operators of 289 U.S. hospitals, and sensitive data were exfiltrated in 70% of those attacks.
Data exfiltration is not limited to ransomware attacks. Data theft is common in attacks involving other types of malware, such as information stealers, and several cyber threat groups have emerged that concentrate on data exfiltration and extortion without deploying ransomware, including Donut Leaks, Karakurt, and Lapsus$. Nation-state-sponsored advanced persistent threat (APT) groups often gain persistent access to networks and remain undetected for years in order to exfiltrate sensitive data over extended periods. One attack, identified by WithSecure, saw the Lazarus APT group steal more than 100GB of sensitive data from the medical research and technology sector before being detected. As more organizations move from on-premises to cloud storage, threat actors have increasingly targeted cloud resources to steal data, and they often delete cloud backups to prevent recovery from ransomware attacks.
Data exfiltration is often the most harmful aspect of a healthcare cyberattack. In addition to hardening defenses to prevent initial access to networks, network defenders should be monitoring for attempted data exfiltration and should take steps to prevent, block, and limit data exfiltration. HC3 has made several recommendations in the alert, including high-level mitigations such as integrating security awareness and security best practices, evaluating risks associated with every interaction with computers, applications, and data, and conducting periodic audits to verify that security best practices are being followed.
HC3 also recommends implementing monitoring systems that generate alerts about unusual data access, data movement, unsanctioned software and hardware (shadow IT), and unauthorized data access, and ensuring that logs are generated by networks, workstations, servers, email, databases, web applications, firewalls, authentication services, and cloud resources. Those logs should be managed centrally and closely monitored. While data exfiltration by external cyber actors is commonplace, insider activity should also be monitored closely, especially that of departing employees: their access to resources should be promptly terminated when they leave, and extra attention should be paid to their activities in the lead-up to their departure.
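As an added illustration of the "unusual data movement" monitoring HC3 describes (this is example code written for this page, not part of the HC3 advisory or any product), the script below baselines each user's normal daily outbound volume and usual destinations from centrally collected proxy or firewall logs, then flags the detection day when a user sends far more than their own median, sends a large amount to a destination never seen in the baseline window, or is on a departure watchlist and exceeds a lower bar. The log lines, user names, hostnames, byte counts and thresholds are all constructed assumptions for the example.

```python
"""Egress-volume anomaly triage over centrally collected proxy/firewall logs.
Constructed example: users, hosts, byte counts and thresholds are invented.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

# Constructed export, one record per (day, user, destination, bytes_out),
# e.g. as a SIEM could aggregate from proxy or firewall connection logs.
SAMPLE_LOG = """\
2023-03-01,alice,sharepoint.corp.example,120000
2023-03-02,alice,sharepoint.corp.example,80000
2023-03-03,alice,sharepoint.corp.example,110000
2023-03-04,alice,sharepoint.corp.example,90000
2023-03-05,alice,sharepoint.corp.example,130000
2023-03-06,alice,sharepoint.corp.example,100000
2023-03-07,alice,sharepoint.corp.example,95000
2023-03-08,alice,sharepoint.corp.example,105000
2023-03-08,alice,upload.example-storage.net,2100000000
2023-03-01,bob,backup.corp.example,500000000
2023-03-02,bob,backup.corp.example,480000000
2023-03-03,bob,backup.corp.example,520000000
2023-03-04,bob,backup.corp.example,490000000
2023-03-05,bob,backup.corp.example,510000000
2023-03-06,bob,backup.corp.example,505000000
2023-03-07,bob,backup.corp.example,495000000
2023-03-08,bob,backup.corp.example,610000000
2023-03-01,carol,sharepoint.corp.example,50000000
2023-03-02,carol,sharepoint.corp.example,45000000
2023-03-03,carol,sharepoint.corp.example,55000000
2023-03-04,carol,sharepoint.corp.example,48000000
2023-03-05,carol,sharepoint.corp.example,52000000
2023-03-06,carol,sharepoint.corp.example,50000000
2023-03-07,carol,sharepoint.corp.example,47000000
2023-03-08,carol,sharepoint.corp.example,200000000
"""


def parse_log(text):
    """Yield (day, user, dst, bytes_out) from the comma-separated export."""
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, dst, nbytes = line.split(",")
        yield date.fromisoformat(day), user, dst, int(nbytes)


def detect_exfiltration(log_text, detection_day, watchlist=frozenset(),
                        baseline_days=7, ratio=10.0, watch_ratio=3.0,
                        min_new_dst_bytes=10_000_000):
    """Return alerts for detection_day ('YYYY-MM-DD'), largest volume first.

    ratio / watch_ratio: multiple of the user's own median daily volume that
    triggers an alert (watch_ratio applies to departure-watchlist users).
    min_new_dst_bytes: bytes sent to destinations absent from the baseline
    window that are enough to alert on their own (also covers users with no
    baseline at all, for whom every destination is new).
    """
    target = date.fromisoformat(detection_day)
    start = target - timedelta(days=baseline_days)
    base_daily = defaultdict(lambda: defaultdict(int))  # user -> day -> bytes
    base_dsts = defaultdict(set)                         # user -> known dsts
    today = defaultdict(lambda: defaultdict(int))       # user -> dst -> bytes

    for day, user, dst, nbytes in parse_log(log_text):
        if start <= day < target:
            base_daily[user][day] += nbytes
            base_dsts[user].add(dst)
        elif day == target:
            today[user][dst] += nbytes

    alerts = []
    for user, per_dst in today.items():
        total = sum(per_dst.values())
        reasons = []
        # 1. Volume against the user's own baseline, not a global constant:
        #    a backup operator moving 500 MB a day is normal for them.
        if base_daily[user]:
            baseline = median(base_daily[user].values())
            limit = watch_ratio if user in watchlist else ratio
            if baseline > 0 and total / baseline >= limit:
                reasons.append(f"volume {total / baseline:.0f}x median baseline")
        # 2. Large transfers to destinations never seen in the baseline window.
        new_dsts = sorted(d for d in per_dst if d not in base_dsts[user])
        new_bytes = sum(per_dst[d] for d in new_dsts)
        if new_bytes >= min_new_dst_bytes:
            reasons.append(f"{new_bytes} bytes to new destination(s): {', '.join(new_dsts)}")
        if reasons and user in watchlist:
            reasons.append("user is on the departure watchlist")
        if reasons:
            alerts.append({"user": user, "bytes_out": total, "reasons": reasons})
    return sorted(alerts, key=lambda a: a["bytes_out"], reverse=True)


def run_example():
    """Run the detector on the constructed log with carol marked as departing."""
    return detect_exfiltration(SAMPLE_LOG, "2023-03-08", watchlist=frozenset({"carol"}))


if __name__ == "__main__":
    for alert in run_example():
        print(alert["user"], alert["bytes_out"], "; ".join(alert["reasons"]))
```

On the constructed data, bob's 610 MB day is ignored because his own baseline is about 500 MB, alice's 2.1 GB upload to an unseen host trips both the volume and new-destination rules, and carol's 4x day is only an alert because she is on the departure watchlist with its lower threshold; the same rules would read per-user baselines out of whatever central log store the organization uses.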