European Agency for Cybersecurity finds that ransomware accounts for 54% of cybersecurity threats in the health sector.

July 7, 2023

The health sector in every jurisdiction is a high-priority area of interest for hackers. Hospitals, health centres and other facilities in the sector are notorious both for holding troves of personal information and for very poor privacy practices. Because the information is highly sensitive, there is often a strong imperative to give in to attackers' demands. That is why it is not surprising that the European Union Agency for Cybersecurity found that ransomware accounts for 54% of threats to the health sector.

The press release provides:

The European Union Agency for Cybersecurity (ENISA) releases today its first cyber threat landscape for the health sector. The report found that ransomware accounts for 54% of cybersecurity threats in the health sector.


The comprehensive analysis maps and studies cyberattacks, identifying prime threats, actors, impacts, and trends for a period of over 2 years, providing valuable insights for the healthcare community and policy makers. The analysis is based on a total of 215 publicly reported incidents in the EU and neighbouring countries.

Executive Director of the European Union Agency for Cybersecurity (ENISA), Juhan Lepassaar, said: “A high common level of cybersecurity for the healthcare sector in the EU is essential to ensure health organisations can operate in the safest way. The rise of the covid-19 pandemic showed us how we critically depend on health systems. What I consider as a wake-up call confirmed we need to get a clear view of the risks, the attack surface and the vulnerabilities specific to the sector. Access to incident reporting data must therefore be facilitated to better visualise and comprehend our cyber threat environment and identify the appropriate mitigation measures we need to implement.”

The findings

The report reveals a concerning reality of the challenges faced by the EU health sector during the reporting period.

    • Widespread incidents. The European health sector experienced a significant number of incidents, with healthcare providers accounting for 53% of the total incidents. Hospitals, in particular, bore the brunt, with 42% of incidents reported. Additionally, health authorities, bodies and agencies (14%), and the pharmaceutical industry (9%) were targeted.
    • Ransomware and data breaches. Ransomware emerged as one of the primary threats in the health sector (54% of incidents). This trend is seen as likely to continue. Only 27% of surveyed organisations in the health sector have a dedicated ransomware defence programme. Driven by financial gain, cybercriminals extort both health organisations and patients, threatening to disclose data, personal or sensitive in nature. Patient data, including electronic health records, were the most targeted assets (30%). Alarmingly, nearly half of all incidents (46%) aimed to steal or leak health organisations’ data.
    • Impact and lessons learned by the COVID-19 Pandemic. It is essential to note that the reporting period coincided with a significant portion of the COVID-19 pandemic era, during which the healthcare sector became a prime target for attackers. Financially motivated threat actors, driven by the value of patient data, were responsible for the majority of attacks (53%). The pandemic saw multiple instances of data leakage from COVID-19-related systems and testing laboratories in various EU countries. Insiders and poor security practices, including misconfigurations, were identified as primary causes of these leaks. The incidents serve as a stark reminder of the importance of robust cybersecurity practices, particularly in times of urgent operational needs.
    • Vulnerabilities in Healthcare Systems. Attacks on healthcare supply chains and service providers resulted in disruptions or losses to health organisations (7%). Such types of attacks are expected to remain significant in the future, given the risks posed by vulnerabilities in healthcare systems and medical devices. A recent study by ENISA revealed that healthcare organisations reported the highest number of security incidents related to vulnerabilities in software or hardware, with 80% of respondents citing vulnerabilities as the cause of more than 61% of their security incidents.
    • Geopolitical Developments and DDoS Attacks. Geopolitical developments and hacktivist activity led to a surge in Distributed Denial of Service (DDoS) attacks by pro-Russian hacktivist groups against hospitals and health authorities in early 2023, accounting for 9% of total incidents. While this trend is expected to continue, the actual impact of these attacks remains relatively low.
    • The incidents examined in the report had significant consequences for health organisations, primarily resulting in breaches or theft of data (43%), disrupted healthcare services (22%) and disrupted services not related to healthcare (26%). The report also highlights the financial losses incurred, with the median cost of a major security incident in the health sector estimated at €300,000 according to the ENISA NIS Investment 2022 study.
    • Patient safety emerges as a paramount concern for the health community, given potential delays in triage and treatment caused by cyber incidents.

The Executive Summary provides:

This is the first analysis conducted by the European Union Agency for Cybersecurity (ENISA) of the cyber threat landscape of the health sector in the EU. The report aims to bring new insights into the reality of the health sector by mapping and studying cyber incidents from January 2021 to March 2023. It identifies prime threats, actors, impacts and trends based on the analysis of cyberattacks targeting health organisations over a period of more than 2 years.
During this period, the European health sector faced a significant number of incidents. EU healthcare providers (53% of the total incidents), and especially hospitals (42%), were particularly affected. We also observed incidents targeting health authorities, bodies and agencies (14%) and attacks on the pharmaceutical industry (9%).
Ransomware is one of the prime threats in the health sector (54%), both in the number of incidents and in its impact on health organisations. We expect this trend to continue. In fact, 43% of ransomware incidents are coupled with a data breach or data theft, while disruptions are the other common effect of the attack. Almost half of total incidents (99 incidents, 46%) are a form of threat against the data of health organisations (data breaches, data leaks). Data-related threats continue to be one of the main threats in the sector, not only for Europe but also globally.
It is important to note that the reporting period covers a large part of the Covid-19 pandemic era, when the healthcare sector was one of the prime victims of cyber attackers. During the reporting period, cybercriminals had the heaviest impact on the sector, in particular ransomware threat actors driven by financial gain (53%). This is linked to the increase in ransomware attacks in general but also to the value of patient data including electronic health records. In fact, patient data were the most targeted assets (30%) throughout the reporting period.
The pandemic caused data leakage of patient data from Covid-19 related systems or from testing laboratories on multiple occasions and in multiple countries. These leaks were either due to the collaboration of malicious insiders or, in most cases, accidental due to poor security practices and misconfigurations. These incidents offer lessons to be learned on poor cybersecurity practices when there are pressing operational needs, in this case even more pressing due to the pandemic.
Attacks on healthcare supply chain and service providers caused disruptions or losses to organisations in the health sector (7%). We assess that these types of attacks will remain highly relevant for the sector in the future, especially in conjunction with the risks posed by vulnerabilities in healthcare systems and medical devices. In a recent ENISA study, healthcare was the sector that declared the most security incidents related to vulnerabilities in software or hardware. Indeed, 80% of the healthcare organisations interviewed declared that more than 61% of their security incidents were caused by vulnerabilities.
Geopolitical developments and hacktivist activity increased the number of DDoS attacks against hospitals and health authorities in early 2023, reaching 9% of total incidents. This was due to a surge in DDoS attacks by pro-Russian hacktivist groups who aimed to disrupt healthcare providers and health authorities in the EU. We expect this trend to continue; however, the actual impact of these attacks remains relatively low.
In terms of impact, the incidents observed caused mainly breaches or theft of data (43%), disrupted healthcare services (22%) and other services not related to healthcare (26%). Data breaches affected healthcare entities in 40% of the total number of incidents, and, in particular, hospitals (27%) and primary care (8%). Disruption of healthcare services took place when healthcare entities (82%) and health authorities (12%) were disrupted.
Other impacts include financial losses, but this is an impact which is difficult to assess. The ENISA NIS Investment 2022 study indicates that the median cost of a major security incident in the health sector is 300 000 Euro. We also observed sanctions imposed by data protection authorities as well as reputational harm to healthcare providers after major data breaches.

Patient safety remains a top concern for the health community due to potential delays in the triage and treatment of patients, or due to potential effects on the well-being of patients whose sensitive information is being revealed or who are being subjected to extortion.
According to a recent study by ENISA, only 27% of organisations surveyed in the health sector have a dedicated ransomware defence programme and 40% of the original equipment suppliers (OES) surveyed have no security awareness programme for non-IT staff. In another recent survey by the NIS cooperation group, 95% of the health organisations surveyed face challenges when performing risk assessments, while 46% have never performed a risk analysis. These findings highlight the pressing need for health organisations to apply cyber hygiene practices. These may include offline encrypted backups of critical data, awareness raising and training programmes for healthcare professionals, vulnerability handling and patching, stronger authentication methods, cyber incident response plans and contingency plans, and more. The commitment of senior management is key, especially now that the NIS2 directive introduces liabilities for top management.
