
Unpacking healthcare cybercriminal tactics


Cybercriminals use a two-step approach to attacking healthcare organizations: gaining initial access and then deploying ransomware. The most common method for gaining access is phishing.

Jack Mott, enterprise email threat intelligence and detection engineer at Microsoft, explains, “Email remains one of the largest vectors for delivering malware and phishing attacks for ransomware attacks.”

A Microsoft Threat Intelligence analysis of 13 hospital systems found that “93% of the malicious cyber activity observed was related to phishing campaigns and ransomware, with most activity represented by email-based threats.”

Attackers exploit the healthcare industry through creative emails that use industry-specific language, such as references to autopsy reports, to trick staff into clicking malicious links.

Mott also warns that cybercriminals are using sophisticated tactics to evade detection. “Attackers are becoming increasingly sophisticated in their methods, often using real names, legitimate services, and tools commonly used in IT departments (e.g., remote management tools) to evade detection.”

Once inside a hospital's network, attackers often take time to study its infrastructure before deploying ransomware. “These actions help threat actors map out the network, identify critical systems, and prepare for the next phase of the attack: the deployment of ransomware.”

 

Ransomware-as-a-Service (RaaS)

One reason for the increasing frequency of ransomware attacks in healthcare is the rise of Ransomware-as-a-Service (RaaS). According to Mott, "RaaS platforms have democratized access to sophisticated ransomware tools, allowing even those with minimal technical skills to launch highly effective attacks."

RaaS gives cybercriminals access to encryption software and payment processing, making it easy to execute ransomware campaigns.

Mott further explains that "once ransomware is deployed, attackers typically move quickly to encrypt critical systems and data, often within a matter of hours." They target "essential infrastructure, such as patient records, diagnostic systems, and even billing operations," to pressure hospitals into paying the ransom.

 

Nation-state threats and organized cybercrime

State-sponsored hackers are also targeting healthcare organizations, using ransomware “as a cover for espionage activity.”

For example, in August 2024, the U.S. government issued a warning about an Iranian threat actor known as Lemon Sandstorm gaining unauthorized network access to US organizations, including healthcare organizations, “to facilitate, execute and profit from future ransomware attacks by apparently Russian-affiliated ransomware gangs.”

 

Why we need better cybersecurity

The healthcare sector is facing a cybersecurity crisis that cannot be ignored. With cybercriminals becoming more sophisticated and ransomware attacks growing more frequent, healthcare organizations must invest in more advanced cybersecurity measures. 

Strengthening cybersecurity defenses, investing in training, and implementing proactive security measures can help mitigate the risks. Without urgent action, the healthcare industry will remain a prime target for cybercriminals, putting patient care and lives at risk.

Inbound email security tools like Paubox ExecProtect can help healthcare organizations harden their attack surfaces. ExecProtect reduces the likelihood of successful phishing attempts and minimizes the need for constant vigilance by individual employees.

ExecProtect scans every inbound email display name for any of the protected names or name variations. If the system finds a match, then ExecProtect checks to see if the email address is an approved sending address. If the email address is an approved address, then ExecProtect allows the email in. If the email address isn't listed as an approved email address, then ExecProtect quarantines the email.
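
The decision flow described above, written out as an added example (this is not Paubox's code). The protected names, the addresses, and the rules for what counts as a "name variation" (case, word order, titles, Unicode compatibility forms) are constructed assumptions, and the From header is assumed to be already decoded.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed policy: protected display names -> approved sending addresses.
PROTECTED = {
    "Dana Whitfield": {"dana.whitfield@hospital.example"},
    "Luis Ortega": {"lortega@hospital.example", "luis.ortega@hospital.example"},
}
TITLES = {"dr", "md", "mr", "ms", "mrs"}  # assumed: ignored when comparing names


def name_key(display_name: str) -> frozenset:
    """Reduce a display name to an order-insensitive set of name tokens."""
    # NFKC folds compatibility forms (e.g. fullwidth letters); casefold drops case.
    text = unicodedata.normalize("NFKC", display_name).casefold()
    tokens = re.findall(r"[^\W\d_]+", text)  # letter runs only, no punctuation
    return frozenset(t for t in tokens if t not in TITLES)


PROTECTED_KEYS = {name_key(name): addrs for name, addrs in PROTECTED.items()}


def verdict(from_header: str) -> str:
    """Return 'allow', 'quarantine' or 'no-match' for one From header value."""
    display, address = parseaddr(from_header)
    key = name_key(display)
    for protected_key, approved in PROTECTED_KEYS.items():
        # A match means every token of a protected name is in the display name,
        # so "Whitfield, Dana" and "Dr. Dana Whitfield, MD" both count.
        if protected_key <= key:
            return "allow" if address.casefold() in approved else "quarantine"
    return "no-match"  # not a protected name; this check has no opinion


if __name__ == "__main__":
    # Constructed sample headers.
    for header in (
        "Dana Whitfield <dana.whitfield@hospital.example>",
        '"Whitfield, Dana" <dwhitfield@mail.example>',
        "Billing Team <billing@vendor.example>",
    ):
        print(f"{verdict(header):<10} {header}")
```
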


 

FAQs

What is a ransomware attack?

Ransomware attacks are a type of cyberattack in which hackers gain unauthorized access to a computer, encrypt its data, and demand payment in exchange for returning that data.

Hackers often target sensitive information like personal, financial, or healthcare data, crippling the victim's operations until the ransom is paid or the data is recovered by other means.

Ransomware typically spreads through phishing emails, malicious links, or software vulnerabilities, exploiting weak cybersecurity defenses. Even after paying the ransom, victims are not guaranteed data recovery.

 

Does HIPAA apply to phishing attacks in healthcare?

Yes, phishing attacks in healthcare fall under the Health Insurance Portability and Accountability Act (HIPAA) regulations. Phishing attacks compromise the privacy and security of protected health information (PHI) and lead to severe penalties, including fines and reputational damage.

 

Why is email a major risk for healthcare cybersecurity?

The ubiquity of email in healthcare organizations makes it an easy target for cybercriminals using phishing campaigns.
