
The European Union Agency for Cybersecurity (ENISA) has published the results of its first-ever analysis of the cyber threat landscape of the health sector in the European Union (EU). ENISA mapped healthcare cyber incidents between January 2021 and March 2023 and identified the key targets of attacks, the threat actors behind them, attack trends, and the impact that cyberattacks have on the health sector.
A range of healthcare entities experienced cyberattacks over the two-year study period, including health authorities, bodies and agencies, and pharma firms; however, the majority of attacks targeted healthcare providers (53%), especially hospitals (42%). Over the study period, ENISA analyzed 215 publicly reported cyber incidents in the EU and neighboring countries, 208 of which were cyberattacks on the health sector; the remainder comprised 5 reports of identified vulnerabilities (not necessarily exploited) and two warnings of potential cyber activity affecting the health sector. ENISA notes that the number of cyber incidents has remained stable but appears to have increased in 2023, with 40 incidents analyzed from January to March, compared to 91 incidents in the whole of 2021 and 84 in all of 2022.
46% of total incidents targeted healthcare data and 83% of attacks were financially motivated, driven by the high value of healthcare data. 10% of attacks had an ideological motivation. The most common impact of attacks was data breaches or data theft (43%), followed by disruption of non-healthcare services (26%) and disrupted healthcare services (22%). Throughout the study period, ransomware posed the biggest threat. Ransomware attacks accounted for 53% of incidents, and 43% of ransomware attacks included data theft or data breaches. In addition to being the most common type of incident, ransomware attacks also had the biggest impact on healthcare organizations. Ransomware attacks increased between 2021 and 2022 and appear to have continued to increase in 2023, with the LockBit 3.0, Vice Society, and BlackCat groups behind the majority of the attacks.
A significant percentage of the study period covered the COVID-19 pandemic era, during which the healthcare sector was one of the prime targets for malicious actors. The pandemic was linked to the increase in ransomware attacks; however, there was also an increase in data leak incidents. While data leak incidents did occur due to malicious activity, they were also commonly caused by poor security practices and misconfigurations. Healthcare organizations struggled to adapt to a new way of working during the pandemic and cybersecurity was often neglected due to pressing operational needs.

Toward the end of the study, geopolitical developments triggered an increase in hacktivist incidents, most commonly DDoS attacks on healthcare providers by pro-Russian hacktivist groups such as KillNet that aimed to disrupt healthcare services in retaliation for support for Ukraine. These attacks are expected to continue for at least as long as the Russia-Ukraine war continues, although the impact of these attacks is relatively low.
Cyberattacks on the healthcare sector have a financial cost; however, it is difficult to accurately assess the cost of attacks. A 2022 ENISA NIS Investment study suggests the median cost of a major security incident is €300,000 ($328,870); however, the biggest concern is patient safety, as the attacks often result in a delay to triage and treatment, and data breaches have the potential to affect the well-being of patients.
Despite the extent to which ransomware was used in attacks, 27% of healthcare organizations did not have a dedicated ransomware defense program. The study also revealed a lack of security awareness training for non-IT staff, with only 40% of original equipment suppliers providing security awareness training to non-IT staff. As is the case on the opposite side of the Atlantic, risk analysis failures were common. A separate survey conducted by the NIS cooperation group reported that virtually all healthcare organizations (95%) find risk analyses challenging, with 46% admitting to never having performed one.
Poor patch management practices are increasingly being exploited in healthcare cyberattacks. 4% of confirmed data leaks/data breaches in 2021 and 2022 exploited vulnerabilities to gain access to healthcare networks or took advantage of system misconfigurations, and 80% of the healthcare organizations interviewed said more than 61% of their security incidents were due to vulnerabilities.
The high percentage of organizations experiencing challenges with risk analyses and the high number never having conducted one make this one of the key areas to address to improve resilience to cyberattacks. ENISA also says key priorities should be creating offline encrypted backups of mission-critical data, providing security awareness training for all staff, conducting regular vulnerability scans and promptly patching vulnerabilities, improving authentication practices, ensuring basic cyber incident response plans are created, maintained, and exercised, and getting senior management to commit to improving cybersecurity.