Over 14 million patients have been affected by data breaches caused by malware attacks on US healthcare organizations so far in 2024, according to a new analysis by SonicWall.
Most (91%) of these breaches have leveraged ransomware, with the report highlighting that attackers see the threat of exposing sensitive information held by healthcare organizations as an effective method for extorting ransom payments.
The researchers commented: “It’s no secret that healthcare is a data-driven business, storing a vast amount of sensitive personal and medical information, such as social security numbers, medical histories, and financial data, making them prime targets for exploitation. This information is extremely valuable on the black market.”
They also noted that disrupting access to medical systems can have life-threatening consequences, meaning healthcare organizations are more likely to pay ransoms to restore operations quickly.
The researchers added that the rapid adoption of digital tools, AI and platforms has expanded the attack surface of healthcare organizations, resulting in a significant increase in ransomware attacks targeting this sector.
Healthcare Attackers’ Focus on Critical Vulnerabilities
The SonicWall report found that ransomware groups have targeted the healthcare sector by exploiting several critical vulnerabilities in 2024, enabling them to infiltrate networks, escalate privileges and deploy ransomware.
These exploitation opportunities have grown with the increasing integration of digital systems such as electronic health records, telemedicine platforms and internet of medical things (IoMT) devices, each of which widens the attack surface.
Around 60% of vulnerabilities leveraged against healthcare so far in 2024 targeted Microsoft Exchange, a widely used communication tool in this industry.
These include the ProxyShell exploit chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).
Other significant vulnerabilities exploited by ransomware groups to target healthcare organizations include:
- PaperCut servers, used to compromise networked systems (CVE-2023-27350)
- Citrix Bleed, allowing attackers to gain remote access to organizations reliant on Citrix (CVE-2023-4966)
- Microsoft Windows vulnerability in the Web Proxy Auto-Discovery (WPAD) protocol, an older vulnerability allowing attackers to gain elevated privileges (CVE-2016-0099)
“Groups like BlackCat/ALPHV have particularly favored these vulnerabilities, and they often chain these flaws together to maintain persistence and maximize their impact on healthcare organizations,” the researchers said.
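The list above and the remark about chaining suggest a simple defensive check: cross-reference vulnerability-scan findings against the CVEs the report names and flag hosts where an entire multi-CVE chain (ProxyShell or ProxyLogon) is present, since those are the hosts to patch first. The following is an added example, not code from the SonicWall report or the article; the CVE-to-chain grouping comes from the article's text, while the hostnames and scan findings are constructed sample data.

```python
"""Triage scan findings against the CVEs named in the report.

Added example, not part of the article or the SonicWall report. The CVE
identifiers and their grouping are taken from the article; the hostnames
and findings below are constructed sample data.
"""
from collections import defaultdict

# CVEs named in the report, grouped by the exploit chain or product the
# article associates them with.
REPORTED_CVES = {
    "CVE-2021-34473": "Exchange/ProxyShell",
    "CVE-2021-34523": "Exchange/ProxyShell",
    "CVE-2021-31207": "Exchange/ProxyShell",
    "CVE-2021-26855": "Exchange/ProxyLogon",
    "CVE-2021-26857": "Exchange/ProxyLogon",
    "CVE-2021-26858": "Exchange/ProxyLogon",
    "CVE-2021-27065": "Exchange/ProxyLogon",
    "CVE-2023-27350": "PaperCut",
    "CVE-2023-4966": "Citrix Bleed",
    "CVE-2016-0099": "Windows/WPAD privilege escalation",
}

# Constructed sample scanner output as (hostname, role, cve) tuples.
# "CVE-0000-0000" is a deliberate placeholder for a finding the report does
# not mention, to show that unmatched findings are reported separately.
SAMPLE_FINDINGS = [
    ("mail01.example.internal", "exchange", "CVE-2021-34473"),
    ("mail01.example.internal", "exchange", "CVE-2021-34523"),
    ("mail01.example.internal", "exchange", "CVE-2021-31207"),
    ("mail02.example.internal", "exchange", "CVE-2021-26855"),
    ("print01.example.internal", "print-server", "CVE-2023-27350"),
    ("vpn-gw.example.internal", "citrix-gateway", "CVE-2023-4966"),
    ("ws-117.example.internal", "workstation", "CVE-2016-0099"),
    ("ws-117.example.internal", "workstation", "CVE-0000-0000"),
]


def triage(findings, reported=REPORTED_CVES):
    """Return {host: {chain: [cves]}} for findings matching a reported CVE."""
    hits = defaultdict(lambda: defaultdict(list))
    for host, _role, cve in findings:
        chain = reported.get(cve)
        if chain:
            hits[host][chain].append(cve)
    return {host: dict(chains) for host, chains in hits.items()}


def complete_chains(triaged, reported=REPORTED_CVES):
    """Hosts on which every CVE of a multi-CVE chain is present.

    The report says attackers chain these flaws together, so a host exposing
    the full chain is the highest-priority patch target.
    """
    members = defaultdict(set)
    for cve, chain in reported.items():
        members[chain].add(cve)
    result = []
    for host, chains in triaged.items():
        for chain, cves in chains.items():
            if len(members[chain]) > 1 and set(cves) == members[chain]:
                result.append((host, chain))
    return sorted(result)


def unmatched(findings, reported=REPORTED_CVES):
    """CVEs in the scan that the report does not name (still need review)."""
    return sorted({cve for _, _, cve in findings if cve not in reported})


if __name__ == "__main__":
    triaged = triage(SAMPLE_FINDINGS)
    for host, chain in complete_chains(triaged):
        print(f"PATCH FIRST: {host} exposes full {chain} chain")
    for host, chains in sorted(triaged.items()):
        print(host, {chain: sorted(cves) for chain, cves in chains.items()})
    print("not in report:", unmatched(SAMPLE_FINDINGS))
```

The chain-completeness check is the useful part: a single ProxyShell CVE on a host is already serious, but a host exposing all three is the configuration the report describes attackers combining, so it sorts to the top of the remediation queue. Findings the report does not name are listed separately rather than discarded.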