Administrator access to backend systems is becoming the holy grail for attackers.
When people think about hackers and their targets, most assume cybercriminals are after bank account numbers or financial institutions. But a new study from cybersecurity firm IntSights shows hackers are now honing in on healthcare institutions for lucrative information to steal.
IntSight’s new research report “Chronic [Cyber] Pain: Exposed & Misconfigured Databases in the Healthcare Industry” looks at what methods cybercriminals are using and what healthcare organizations can do to protect themselves.
“But today, I go online, and there are websites and free software which will map it out and give you an organizational chart from CEO to the secretary, all based on Linkedin information and other things. Working out spearfishing attacks then becomes easy at that point,” Maor continued.
Honing in on healthcare
In an interview with TechRepublic, Maor explained the fears some security experts have about a new wave of cybercriminals who are focusing their efforts on healthcare institutions with lax security measures.
“Historically speaking,” Maor said. “The healthcare industry has not had as robust security as the financial industry, which is usually targeted. Once cybercriminals started realizing that financial institutions are harder targets, they saw that healthcare is extremely useful for all kinds of attacks.”
Oftentimes hospitals and clinics have systems which are harder to maintain because many rely on legacy software with little security protections. Unlike financial institutions, which have rapidly evolved to mitigate efforts by hackers to steal money and information, healthcare organizations still use old browsers and generally do not update both software or hardware.
Many hospital systems force their employees to use older versions of browsers, which makes entire networks vulnerable to cybercriminals. Hackers have realized troves of valuable data exist locked behind these weak security systems.
The study shows that hackers look for SSNs, addresses, and phone numbers to create fake accounts with and gain access into systems. Healthcare entities maintain millions of profiles containing this kind of data.
“The infrastructure is not as advanced as other places, and healthcare data is extremely valuable. There’s so much info that can be used for all kinds of things,” Maor said. “If I’m a cybercriminal, and I steal a credit card, great, maybe I can use it or not. If I steal a patient’s data? I can do insurance fraud, I can do account takeover or financial fraud. I can create static IDs or order drugs. That’s why credit cards on the dark web go for $1, and healthcare information or patient data goes for $50.”
The study said patient records are popular with individuals or groups that steal data and sell it online because of the wide variety of ways to use the information. According to Maor, one of the most concerning trends is that cybercriminals are selling administrative access to healthcare systems.
“Administrator access to backend systems is the holy grail for attackers. It provides access to different assets, databases, and information – allowing the attacker to easily steal, alter, or corrupt the data. The ramifications are potentially devastating for those afflicted, from both an organizational and individualistic perspective,” the report said.
This makes it even more difficult for security systems to stop attacks because administrators have control over the entire system and can give system-wide access to other users.
“They are selling the keys to the kingdom,” Maor said. “These types of credentials are extremely useful for attackers. It not only gives them access to everything. The likelihood of somebody detecting fraudulent activity on an admin account is pretty low. If you think about it, administrators, that’s their job, that’s why they have access to everything. They control the database and do updates,”
He added that if someone were to steal the login information of a doctor or a secretary, a properly functioning security system would send out alarms because those accounts should not be accessing certain parts of the system. But no red flags are raised for administrative accounts.
Administrative credentials are now extremely valuable to cybercriminals looking for widespread system access. According to the IntSight’s report, can buy admin access to healthcare portals on the dark web for at least $400.
Taking a holistic approach to security
To protect themselves, Maor said, healthcare facilities had to take a holistic approach to security. Maor once spoke at a security seminar where he asked members of the audience, which included nurses, doctors and administrators, what their jobs were. Whenever someone answered with “nurse” or “doctor,” Maor cut them off and said, “No you are a nurse and a member of the security team.”
“Don’t assume you’re not a target just because you’re not a bank or don’t hold financial data. It’s not only about financial data,” he said.
After all, “If one of you gets breached then the company is exposed.”
The report and Maor stressed that a culture focused on security had to be built from the ground up at healthcare institutions. All employees needed to understand that there was a shared responsibility in keeping the entire system safe from cybercriminals.
This, of course, goes hand in hand with basic security measures like strong passwords and updated security systems.
Unfortunately, Maor said, attacks on healthcare institutions will only increase as ransomware attacks become easier to execute, and hackers get more access to stronger tools.
“The people buying [these credentials], if they give positive feedback in these criminal forums, or if they say they were successful, we’ll see more of this. Unfortunately, these are not difficult attacks for criminals,” he said. “Continued investment in and development of sophisticated security initiatives is crucial to protect the extremely sensitive data healthcare organizations oversee.”