Alert essentials:
Blackmail is rapidly evolving into one of the most pressing cybersecurity threats facing healthcare organizations. This article explores how attackers exploit legacy systems to gain access to sensitive patient data and demand ransom. Key recommendations are included to support strategic defenses.
Detailed threat description:
Some threat actors are bypassing traditional encryption in favor of extortion tactics to maximize their leverage against victims and increase their chances of receiving payment. In a digital extortion campaign, attackers steal sensitive files and threaten to release them unless a ransom is paid. The intimidation puts pressure on victims by creating public embarrassment and customer panic, as well as potential legal consequences.
Hospitals, clinics, and health systems are prime targets because they hold high-value data, and downtime can pose a significant risk to patient safety, endangering lives. In an era where adversaries are increasingly sophisticated and persistent, healthcare organizations must evolve from reactive postures to informed, anticipatory defense strategies.
One critical evolution in this shift is the proper control of assets, such as overlooked file storage systems. Without unified asset visibility, organizations are prone to missed threats that could otherwise be contained through robust cybersecurity measures.
Hospitals often have older systems or forgotten databases still connected to their networks. These can be easy prey if they lack current security controls. Legacy third-party systems and forgotten cloud buckets are especially problematic, as network defenders often have fragmented observability into these systems.
Fortunately, healthcare IT and security teams can take concrete steps to fortify their defenses. The following best practices focus on protecting company files and sensitive data. These measures help reduce the risk of ransomware infiltration and minimize the potential damage if attackers do strike.
Foremost, maintain rigorous asset management and properly decommission legacy systems. Keep an up-to-date inventory of all data repositories, servers, devices, and cloud services in use. Then, if a system is no longer needed, fully retire it instead of leaving an abandoned file share or cloud bucket as a potential target.
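The inventory reconciliation described above, as an added example (not Fortified's tooling, and not code from the original alert): it compares cloud storage buckets found by enumeration against the maintained asset register and flags the forgotten or exposed ones. The bucket records and inventory are constructed sample data; in practice they would come from the provider's inventory and access-control APIs.

```python
"""Reconcile discovered cloud storage buckets against the maintained asset
inventory and flag likely forgotten or exposed buckets (constructed sample data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Bucket:
    name: str
    owner: Optional[str]      # owner/steward tag; None if the tag is missing
    last_activity: date       # most recent object read or write
    public_block: bool        # provider-level "block public access" enabled


# Constructed sample: what the asset register says should exist.
INVENTORY = {"ehr-backups-prod", "imaging-archive"}

# Constructed sample: what enumeration of the cloud account actually found.
DISCOVERED = [
    Bucket("ehr-backups-prod", "it-ops", date(2024, 5, 30), True),
    Bucket("imaging-archive", "radiology", date(2023, 1, 10), True),
    Bucket("research-export-2019", None, date(2019, 8, 2), False),
]


def audit(discovered, inventory, today, stale_days=180):
    """Return [(bucket_name, [findings])] for buckets that need attention."""
    results = []
    for b in discovered:
        findings = []
        if b.name not in inventory:
            findings.append("not in asset inventory")
        if b.owner is None:
            findings.append("no owner tag")
        if today - b.last_activity > timedelta(days=stale_days):
            findings.append(f"no activity for >{stale_days} days; decommission candidate")
        if not b.public_block:
            findings.append("public access not blocked")
        if findings:
            results.append((b.name, findings))
    return results


def sample_findings():
    """Run the audit over the constructed sample as of a fixed date."""
    return audit(DISCOVERED, INVENTORY, date(2024, 6, 1))


if __name__ == "__main__":
    for name, findings in sample_findings():
        print(f"{name}: " + "; ".join(findings))
```

A bucket that is unknown to the register, unowned, idle and publicly reachable collects all four findings, which is exactly the "abandoned cloud bucket" the alert warns about.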
Apply security updates to operating systems, applications, and firmware (including medical devices and IoT) as soon as feasible, especially for any internet-facing systems. Many extortion attacks exploit known vulnerabilities that organizations hadn’t patched in time.
Since stolen passwords and phishing remain the leading causes of breaches in healthcare, it is crucial to enhance systems to detect and challenge attackers who attempt to use stolen credentials. Implement Multi-Factor Authentication (MFA) on all remote access and any sensitive systems and accounts.
Healthcare organizations should maintain comprehensive, encrypted backups of patient records, operational databases, and essential files, storing a copy offline or in secure, separate networks. Equally important is to test backups and recovery processes regularly. This will ensure the organization can respond to extortion attempts by wiping and restoring systems rather than negotiating with criminals.
The threat landscape is constantly evolving, and ransomware techniques are continually adapting to new challenges. Healthcare security teams should regularly revisit and update their risk tolerance and defenses. By taking a proactive, layered security approach, healthcare organizations can significantly reduce the likelihood of falling victim to digital extortion and safeguard patient information from cybercriminals.
Impacts on healthcare organizations:
Asset management remains a universal and foundational challenge across the healthcare sector. Without a complete and up-to-date inventory, organizations lack a clear understanding of what they protect, making effective risk management nearly impossible. Verify that patient data stores or research servers are patched, access-restricted, or taken offline if possible. An asset you don’t actively maintain can become an open door for attackers.
Recommendations:
- Maintain rigorous asset management and decommission legacy systems
- Apply security updates to all systems, applications, and firmware
- Develop a comprehensive system backup plan to include encryption and periodic restoration attempts
- Use strong, unique passwords and multi-factor authentication (MFA) on all accounts, especially for email, banking, and social media
- Deploy and maintain security software, including firewalls, antivirus, and anti-malware programs
- Encrypt sensitive data both at rest and in transit
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Cyber Extortion: https://www.fortinet.com/resources/cyberglossary/cyber-extortion
- AWS: https://docs.aws.amazon.com/AmazonS3/latest/userguide/security-best-practices.html
- AWS: https://docs.aws.amazon.com/prescriptive-guidance/latest/migration-retiring-applications/best-practice-6.html
- Google: https://cloud.google.com/storage/docs/deleting-buckets
- Google: https://cloud.google.com/storage/docs/access-control/using-iam-permissions