Cyber extortion covers any cyberattack in which an attacker demands money to stop an assault, relinquish control of a computer or network, or return stolen information. Attackers use extortion against the healthcare industry because protected health information (PHI) is valuable to healthcare organizations, to their patients, and to other cybercriminals. Not surprisingly, financial gain is reported to motivate about 90% of cyberattacks in healthcare.
Further reading: What is cyber extortion in healthcare?
Cybersecurity threats to healthcare
HIPAA compliance promotes strong security, which matters more as data breaches in the healthcare industry increase. According to reports, the total number of individuals affected by healthcare data breaches from 2005 to 2019 was 249.09 million, and 157.4 million of those were affected in the last five years of that period alone. Newer accounts show that healthcare data breaches exposed 275 million records in 2024.
Common causes of breaches that expose PHI include accidental disclosure, lost or stolen devices, hacking incidents, and phishing or ransomware attacks. The two most widespread types of healthcare breaches are hacking/IT incidents and unauthorized internal disclosures (insider threats). Whatever the cause, a data breach can have far-reaching consequences and raises serious accountability and liability issues for an organization.
Extortion attacks and healthcare
Cyber extortion occurs when an attacker gains access to a computer system, a network, or the data within it. Once they have that access, the criminals demand a ransom payment.
If an individual or organization decides not to pay, the attacker may keep the stolen data, release it publicly, sell it to another criminal, or leave the system or data encrypted and locked. Payment offers no guarantee either: an attacker can still do any of these things after the ransom is paid.
Healthcare organizations are vulnerable to extortion and ransom demands for a variety of reasons and not only because of the value and significance of PHI. The use of fear and urgency is central to the effectiveness of extortion attacks, as victims are pressured to act quickly to avoid consequences. In healthcare, this could mean interrupted services, closed hospitals, and even patient death.
See also: Patient dies due to a ransomware attack
Common attack methods used for extortion
Extortion entails threats and blackmail until the attacker gets what they want, which is money. Attackers are increasingly adopting double and triple extortion tactics: exfiltrating data before encrypting it, so that a leak can be threatened even if the victim restores from backups, and sometimes adding a third layer of pressure such as a DDoS attack or direct contact with patients and business partners.
There are numerous methods attackers can use to get into a system to extort an individual or business. The top methods include:
- Phishing (e.g., spear phishing or clone phishing)
- Business email compromise
- Malware attachments
- Distributed denial of service (DDoS)
- Ransomware
Every one of these methods relies on coercion and manipulation. An extortion attack does not have to be technically sophisticated; it can rely entirely on social engineering to convince someone to pay. Social engineering plays on people's emotions and instincts to get them to take actions that are not in their best interests.
Extortion attacks most often arrive by email, a simple and largely anonymous vector, or through an exposed vulnerability or outdated software. Sometimes the threat is real, and sometimes it is a bluff. Either can succeed, because the outcome depends on the person who receives the threat and what they do with it, so the message should be treated as an incident to investigate rather than a claim to take at face value.
Reasons for extortion attacks in healthcare
First and foremost, attackers target healthcare organizations to gain access to and steal sensitive patient data, such as personally identifiable information (PII), medical records, and financial details. They can then hold the information for ransom or sell it. PHI is among the most valuable types of data on the black market, with individual records reportedly fetching anywhere from $10 to $1,000. Its value is driven higher by the potential for identity theft, insurance fraud, and other forms of financial crime.
Furthermore, healthcare organizations are considered easy targets because their staff are tired, stressed, and overworked; by some estimates at least 85% of data breaches are attributed to individual mistakes. Providers also tend to run minimal cybersecurity controls because budgets are small and the focus is on patient care rather than information technology. Finally, the healthcare industry has seen an increase in vulnerable medical devices and connected infrastructure, creating more attack surface.
Given all this, healthcare providers may be more likely to pay quickly, which hackers understand and focus on. Hospitals typically can’t afford lengthy disruptions and find that there is an urgent need to restore services and mitigate patient risks by paying a ransom price.
Real-world example: Freedman HealthCare
Freedman HealthCare is a data and analytics firm serving state agencies, health providers, and insurance companies to build databases. These databases collect PII, including insurance statuses, healthcare claims, and payment data. Earlier this year, the extortion gang World Leaks, formerly known as Hunters International, claimed to have stolen 52.4 GB of data (42,204 files) from the company.
The World Leaks gang set a deadline for Freedman HealthCare to pay a ransom, or they would release some of the stolen information. Freedman HealthCare dismissed the claim of PHI theft, although it had identified a security incident in late April, and the company paid World Leaks nothing. The group did release some information, but observers noted that no PII was included.
No other information has been released since then, and the investigation is ongoing. Freedman HealthCare is facing a class-action lawsuit, and while the company has decided not to pay, this isn’t a decision every organization can easily make.
Another extortion attack: Clop extortion emails target Oracle E-Business Suite users
Consequences of extortion attacks
The impact of cyber extortion on the healthcare industry can be devastating, from loss of data to loss of patients, which is why many organizations choose to pay. Substantial costs after a data breach and ransom demand include:
- Financial losses from the ransom payment and cyberattack recovery
- Loss of confidence from patients and stakeholders
- Compromised healthcare data
- The possibility of never regaining access to the encrypted or stolen data, even after paying
- Patients being hit by identity theft or blackmail themselves
- Disruption of services
- Repeated attacks after being considered an easy target
The aftermath: Mitigating an extortion attack
If an organization suspects a breach, it should identify and confirm the issue, then contain it to stop any further exposure of PHI. Healthcare providers also need to keep monitoring their systems after a breach for anomalies or unusual behavior, since attackers often retain access.
If approached with a ransom demand, healthcare organizations shouldn't pay. Paying marks the organization as a willing payer and invites a repeat attack, and it funds the attacker's next operation. Payment also encourages that criminal and others to keep using extortion, and, as noted above, it offers no guarantee that stolen data will be deleted or that encrypted systems will be restored.
Healthcare organizations can reduce the impact of extortion breaches by updating and implementing rigorous security measures and conducting thorough security audits and compliance reviews to identify other vulnerabilities. Proper mitigation after a breach can keep patient data from exposure and protect a healthcare organization from committing a HIPAA violation.
After detection and investigation, organizations must also follow the HIPAA Breach Notification Rule: notify affected individuals without unreasonable delay and no later than 60 days after discovery, notify the Secretary of HHS (within the same 60 days for breaches affecting 500 or more individuals, or in an annual log for smaller breaches), and notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction. Swift and transparent communication helps lessen the fallout and shows an organization's commitment to repairing the breach and ensuring it does not recur.
Avoiding extortion attacks in healthcare with HIPAA compliance
HIPAA compliance involves continuously updating security measures to protect sensitive health information and to avoid breaches. One of the first steps toward HIPAA compliance is conducting a risk assessment. This assessment helps identify vulnerabilities and develop strategies to address them. Other steps to avoid extortion include:
- Establishing up-to-date policies and procedures
- Using business associate agreements (BAAs) when working with third parties
- Implementing a vulnerability management program to find and fix weaknesses
- Employing HIPAA compliant email
- Using continuous employee awareness training, focusing on human error
- Ensuring proper technological safeguards, such as data encryption
- Using strong access controls, including least privilege and multi-factor authentication
- Maintaining all systems and software with the latest security patches and updates
- Keeping communication channels secure
- Creating data backup and disaster recovery plans, with backups kept offline or immutable and restores tested, so that encryption alone cannot force a payment
- Regularly auditing and monitoring systems
- Having an incident response plan ready in case it is needed
HIPAA compliance regulations aim to protect patient and employee health information. Adhering to HIPAA standards helps providers protect patient privacy, leading to strengthened relationships and better patient outcomes.
FAQs
How do cyber extortionists typically gain initial access to healthcare systems?
Cyber extortionists often exploit vulnerabilities in outdated software, phishing emails targeting employees, or weakly secured remote access points to gain initial access to healthcare networks.
What should organizations do if they receive an extortion email?
Organizations should avoid engaging directly with the attackers, notify internal security teams, investigate for signs of unauthorized access, and report the incident to appropriate authorities or security vendors.
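The triage described in this answer, as an added example that is not Paubox's code: a Python script that treats the extortion note as evidence rather than a conversation, pulls out the indicators an incident response team needs (payment wallets, .onion leak sites, the ransom amount, the deadline, and the volume of data the attacker claims to hold) and emits a fixed do-not-engage action list. The sample message, its domains and the .onion hostname are constructed for the example; the regular expressions are assumptions about how such notes are commonly written, not a vendor detection signature.

```python
"""Triage an inbound extortion email without engaging the sender.

Added example, not Paubox code. Parses a raw RFC 5322 message, extracts the
indicators an IR team would want and emits a fixed do-not-reply action list.
"""
from __future__ import annotations

import email
import re
from dataclasses import dataclass, field
from email import policy
from email.utils import parseaddr

# Constructed sample, not a real extortion note. The BTC address is the
# BIP173 bech32 test vector; the .onion hostname is made up, not a real site.
SAMPLE_EML = """\
From: "Data Recovery Team" <contact@example.com>
Reply-To: <leaks-desk@example.org>
To: privacy@hospital.example
Subject: Your network has been compromised
Date: Mon, 03 Mar 2025 09:12:00 +0000
Message-ID: <20250303091200.1234@example.com>

We have downloaded 52.4 GB (42,204 files) from your network, including
patient claims and insurance records. Pay 15 BTC within 72 hours to
bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq or everything is published at
http://xj3lhfb7ygrpwoqh3o2t5b2b6ke7zgyl3btfxnmv6hdiclqmxevhtxyd.onion
Do not contact the police.
"""

# Assumed patterns: legacy (1.../3...) and bech32 (bc1...) Bitcoin addresses,
# v2/v3 onion hostnames, and the phrasing typical of ransom notes.
WALLET_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
RANSOM_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(BTC|XMR|USD)\b", re.IGNORECASE)
DEADLINE_RE = re.compile(r"within\s+(\d+)\s*(hours?|days?)\b", re.IGNORECASE)
VOLUME_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(MB|GB|TB)\b", re.IGNORECASE)
FILES_RE = re.compile(r"([\d,]+)\s+files\b", re.IGNORECASE)


@dataclass
class ExtortionTriage:
    message_id: str
    from_domain: str
    reply_to_domain: str
    reply_to_mismatch: bool  # sender steering replies to a different domain
    wallets: list[str] = field(default_factory=list)
    onion_urls: list[str] = field(default_factory=list)
    ransom: tuple[float, str] | None = None
    deadline_hours: int | None = None
    claimed_volume: str | None = None
    claimed_files: int | None = None
    actions: list[str] = field(default_factory=list)


def _domain(header_value: str | None) -> str:
    """Lower-cased domain of the first address in a header, '' if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def triage_extortion_email(raw: str) -> ExtortionTriage:
    msg = email.message_from_string(raw, policy=policy.default)
    if msg.is_multipart():
        body = "".join(p.get_content() for p in msg.walk()
                       if p.get_content_type() == "text/plain")
    else:
        body = msg.get_content()
    from_domain, reply_domain = _domain(msg["From"]), _domain(msg["Reply-To"])

    t = ExtortionTriage(
        message_id=str(msg["Message-ID"] or ""),
        from_domain=from_domain,
        reply_to_domain=reply_domain,
        reply_to_mismatch=bool(reply_domain) and reply_domain != from_domain,
        wallets=list(dict.fromkeys(WALLET_RE.findall(body))),   # de-dup, keep order
        onion_urls=list(dict.fromkeys(ONION_RE.findall(body))),
    )
    if m := RANSOM_RE.search(body):
        t.ransom = (float(m.group(1)), m.group(2).upper())
    if m := DEADLINE_RE.search(body):
        n, unit = int(m.group(1)), m.group(2).lower()
        t.deadline_hours = n * 24 if unit.startswith("day") else n
    if m := VOLUME_RE.search(body):
        t.claimed_volume = f"{m.group(1)} {m.group(2).upper()}"
    if m := FILES_RE.search(body):
        t.claimed_files = int(m.group(1).replace(",", ""))

    # Fixed playbook: the note is evidence to preserve, never a negotiation.
    t.actions = [
        "Do not reply, negotiate or pay from this mailbox",
        "Preserve the original message with full headers",
        "Escalate to incident response and legal counsel",
    ]
    if t.claimed_volume or t.claimed_files:
        t.actions.append("Hunt egress/DLP logs for an outbound transfer near "
                         f"{t.claimed_volume or 'the claimed size'} before the Date header")
    if t.onion_urls:
        t.actions.append("Block and monitor the listed leak-site hostnames")
    return t


if __name__ == "__main__":
    for key, value in vars(triage_extortion_email(SAMPLE_EML)).items():
        print(f"{key:18} {value}")
```

The point of the structured record is that the claimed file count and volume give the hunt team something concrete to check against egress and DLP logs (the Freedman HealthCare case above turned on whether the claimed 52.4 GB of PHI had really left the network), while the wallet and leak-site indicators go to legal and to blocking, and nobody answers the sender.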
How can healthcare organizations effectively communicate with patients and stakeholders during a cyber extortion incident?
Clear communication channels should be established in advance to inform patients, staff, and stakeholders about the incident, steps being taken to mitigate it, and any potential impact on services or data.
What legal and ethical considerations should healthcare organizations keep in mind when responding to cyber extortion demands?
Organizations must balance legal obligations to protect patient information with ethical considerations regarding the payment of ransoms, seeking legal counsel to work through compliance and confidentiality concerns.