The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HC3 Sheds Light on Data Exfiltration Trends in Healthcare Cyberattacks

The Health Sector Cybersecurity Coordination Center has issued a security advisory warning about data exfiltration in healthcare cyberattacks, highlighting the extent of the practice and sharing several recommended mitigations. Data exfiltration typically occurs once a threat actor has gained access to a network, elevated privileges, and moved laterally. Data exfiltration is one of the last stages of the cyber kill-chain and the primary objective in many cyberattacks.

There are several reasons for data theft. Nation-state actors often steal data for espionage purposes, cybercriminal groups steal healthcare data as it can be easily monetized and as leverage for extortion, and insiders steal data for financial gain, competitive advantage, and blackmail. When ransomware first started to be used by cybercriminal groups, files were simply encrypted; however, data exfiltration is now common. Data theft allows ransomware actors to profit from attacks when ransoms are not paid, and oftentimes it is the threat of publication of stolen data that prompts victims to pay up. Such is the incentive to pay to prevent data exposure that ransomware gangs are even dispensing with file encryption and are conducting extortion-only attacks.

In the security advisory, HC3 draws attention to the extent to which data exfiltration is occurring. HC3 explains that breach notifications to the HHS show 28.5 million records were exposed in the second half of 2022, up 21.1 million records from 2019. Across all 588 reported data breaches in 2022, more than 44 million patient records were exposed. At least 24 healthcare ransomware attacks occurred in 2022 impacting operators of 289 U.S. hospitals, and sensitive data were exfiltrated in 70% of those attacks.

Data exfiltration is not limited to ransomware attacks. Data theft is common in attacks involving other types of malware, such as information stealers, and several cyber threat groups have emerged that concentrate on data exfiltration and extortion, including the Donut Leaks, Karakurt, and the Lapsus$ threat groups. Nation-state-sponsored Advanced Persistent Threat Actors often gain persistent access to networks and remain undetected for years in order to exfiltrate sensitive data over extended periods. One attack, identified by WithSecure, saw the Lazarus APT group steal more than 100GB of sensitive data from the medical research and technology sector before being detected. As more organizations move from on-premises to cloud storage, threat actors have also been increasingly targeting cloud resources to steal data, and often delete cloud backups to prevent recovery from ransomware attacks.


Data exfiltration is often the most harmful aspect of a healthcare cyberattack. In addition to hardening defenses to prevent initial access to networks, network defenders should be monitoring for attempted data exfiltration and should take steps to prevent, block, and limit data exfiltration. HC3 has made several recommendations in the alert, including high-level mitigations such as integrating security awareness and security best practices, evaluating risks associated with every interaction with computers, applications, and data, and conducting periodic audits to verify that security best practices are being followed.

HC3 also recommends implementing monitoring systems that generate alerts about unusual data access, data movement, unsanctioned software and hardware (shadow IT), and unauthorized data access, and ensuring logs are generated by networks, workstations, servers, email, databases, web applications, firewalls, authentication services, and cloud resources. Those logs should be managed centrally and closely monitored. While data exfiltration by external cyber actors is commonplace, insiders should also be monitored closely, especially departing employees. Their access to resources should be promptly terminated, and extra attention should be paid to their activities in the lead-up to their departure.
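The monitoring recommendation above is easier to reason about with a concrete detection in hand. The script below is an added example, not code from HC3 or HIPAA Journal, and it runs over a small constructed set of centralized egress log lines (timestamp, user, destination host, outbound bytes; the field layout, the sanctioned-domain list, the departing-employee watchlist and the thresholds are all assumptions made for the example). It raises three kinds of alert that map onto the advisory's concerns: a user's daily outbound volume spiking far above their own recent baseline, any transfer to a destination outside the sanctioned set, and transfers by employees on a departure watchlist.

```python
"""Flag unusual outbound data movement in centrally collected egress logs (added example)."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Constructed sample of proxy/firewall egress records, already forwarded to a central store.
# Each line: ISO timestamp, user, destination host, bytes sent out of the network.
SAMPLE_LOG = """\
2023-03-01T09:12:03Z jdoe ehr.internal.example 20480
2023-03-01T10:44:17Z jdoe files.internal.example 51200
2023-03-01T11:02:55Z asmith ehr.internal.example 10240
2023-03-02T09:30:11Z jdoe ehr.internal.example 30720
2023-03-02T14:15:40Z asmith files.internal.example 40960
2023-03-03T08:05:01Z jdoe ehr.internal.example 25600
2023-03-03T13:20:22Z asmith ehr.internal.example 20480
2023-03-04T02:17:09Z jdoe cloud-drop.example.net 734003200
2023-03-04T09:00:00Z asmith ehr.internal.example 30720
2023-03-04T16:45:33Z bjones share.example.org 10485760
"""

# Assumed policy inputs: domains where outbound transfers are expected, and a watchlist
# of employees who have given notice (the advisory singles out departing staff).
SANCTIONED = {"internal.example"}
DEPARTING = {"bjones"}


@dataclass(frozen=True)
class Record:
    ts: datetime
    user: str
    dst: str
    sent: int  # bytes leaving the network in this session


def parse_log(text: str) -> list[Record]:
    """Parse the constructed space-separated format, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, dst, sent = line.split()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append(Record(stamp, user, dst, int(sent)))
    return records


def daily_volume(records: list[Record]) -> dict[str, dict]:
    """Total outbound bytes per user per calendar day."""
    totals: dict[str, dict] = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[r.user][r.ts.date()] += r.sent
    return totals


def is_sanctioned(dst: str, sanctioned: set[str]) -> bool:
    """True when dst is one of the sanctioned domains or a subdomain of one."""
    return any(dst == d or dst.endswith("." + d) for d in sanctioned)


def find_anomalies(records: list[Record], sanctioned: set[str], departing: set[str],
                   ratio: float = 10.0, floor: int = 50 * 1024 * 1024) -> list[tuple]:
    """Return (kind, user, detail) alerts. Thresholds are assumed values for the example:
    a day counts as a spike when it is at least `ratio` times the user's median of prior
    days AND at least `floor` bytes, so small accounts do not trip on tiny ratios."""
    alerts: list[tuple] = []
    # 1. Volume spikes measured against each user's own history.
    for user, by_day in daily_volume(records).items():
        history: list[int] = []
        for day in sorted(by_day):
            today = by_day[day]
            if len(history) >= 2:  # need a little history before judging a baseline
                baseline = median(history)
                if today >= floor and today >= ratio * baseline:
                    alerts.append(("volume_spike", user,
                                   f"{day}: {today} B vs baseline {baseline:.0f} B"))
            history.append(today)
    # 2. Any transfer to an unsanctioned destination; watchlisted users get their own kind.
    for r in records:
        if is_sanctioned(r.dst, sanctioned):
            continue
        kind = "departing_user_external" if r.user in departing else "external_transfer"
        alerts.append((kind, r.user, f"{r.ts.isoformat()} -> {r.dst} ({r.sent} B)"))
    return alerts


if __name__ == "__main__":
    for kind, user, detail in find_anomalies(parse_log(SAMPLE_LOG), SANCTIONED, DEPARTING):
        print(f"[{kind}] {user}: {detail}")
```

On the sample, jdoe's 700 MB transfer at 02:17 to an external host trips both the volume-spike and external-transfer rules, bjones's external upload is surfaced because of the watchlist, and asmith's ordinary day-to-day variation stays quiet. The per-user baseline is the point of the design: a single global byte threshold either drowns analysts in noise from legitimately heavy users or misses a quiet account that suddenly moves far more than it ever has.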

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
