Research on EU Health Sector Cyber Attacks Reveals That Ransomware is the Top Threat

The European Union Agency for Cybersecurity (ENISA) has published the findings of its first assessment of the cyber threat landscape of the health sector in the European Union (EU). ENISA analysed healthcare cyber incidents from January 2021 to March 2023 and identified the main targets of the attacks, the threat actors responsible, attack trends, and the impact that cyberattacks have on the healthcare sector.

A variety of healthcare entities encountered cyberattacks over the two-year period, including health authorities, organizations and institutions, and pharmaceutical companies; however, most attacks targeted healthcare providers (53%), particularly hospitals (42%). Over the two years, ENISA reviewed 215 publicly reported cyber incidents in the EU and neighbouring countries, of which 208 were cyberattacks on the health sector. The analysis also included 5 reports of discovered vulnerabilities (not necessarily exploited) and two warnings of potential cyber activity affecting the health sector. ENISA reports that the rate of incidents has remained broadly steady, although there appears to have been a rise in 2023: 40 incidents were examined between January and March 2023, compared with 91 incidents in 2021 and 84 in 2022.

46% of all attacks involved healthcare data, and 83% of attacks were financially motivated, reflecting the high value of healthcare data. 10% of attacks were ideologically motivated. The most common impact of attacks was a data breach or data theft (43%), followed by disruption of non-healthcare services (26%) and disruption of healthcare services (22%). Throughout the research period, ransomware was the greatest threat: 53% of incidents were ransomware attacks, and 43% of ransomware attacks involved data theft or a data breach. Ransomware attacks also had the greatest impact on healthcare organizations. They increased from 2021 to 2022 and appear to have continued to increase in 2023. The LockBit 3.0, BlackCat and Vice Society groups were responsible for most of the attacks.

A considerable part of the analysis period fell within the COVID-19 pandemic, during which the healthcare sector was a major target for malicious actors. The pandemic was linked to the rise in ransomware attacks as well as the rise in data leak incidents. While data leaks did result from malicious activity, they were also commonly caused by poor security practices and misconfigurations. Healthcare organizations struggled to establish new ways of working during the pandemic, and cybersecurity was often overlooked because of pressing operational demands.

Towards the end of the study period, geopolitical developments drove a rise in hacktivist activity. Pro-Russian hacktivist groups such as KillNet conducted DDoS attacks on healthcare providers to disrupt healthcare services in retaliation against supporters of Ukraine. These attacks are expected to continue for as long as the Russia-Ukraine war does, although their impact has been fairly low.

Cyberattacks on the health sector carry a financial cost, although that cost is hard to measure precisely. A 2022 ENISA NIS Investment study puts the median cost of a major security incident at €300,000 ($328,870); however, the greater concern is patient safety, since attacks frequently delay triage and patient treatment. Data breaches can also potentially affect the health and safety of patients.

Despite the extent to which ransomware was used in attacks, 27% of healthcare organizations did not have a dedicated ransomware defense program. The research also found security awareness training for non-IT staff to be insufficient, with only 40% of primary equipment suppliers providing security awareness training to non-IT employees. As on the other side of the Atlantic, failures to perform risk analyses are common. A separate survey by the NIS Cooperation Group found that almost all healthcare organizations (95%) consider risk analysis difficult, and 46% admitted to never having performed one.

A growing number of healthcare cyberattacks exploit poor patch management practices. 4% of confirmed data exposures/data breaches in 2021 and 2022 exploited vulnerabilities to gain access to healthcare systems or took advantage of system misconfigurations. 80% of the healthcare organizations surveyed reported that over 61% of their security incidents were caused by unpatched vulnerabilities.

The fact that so many organizations struggle with risk analyses, and that most have never performed one, shows that this is a key area to address in order to improve resilience against cyberattacks. ENISA also identifies the following as important priorities: maintaining offline, encrypted backups of mission-critical data; providing security awareness training to all employees; performing routine vulnerability scans and promptly patching vulnerabilities; strengthening authentication procedures; creating, maintaining and exercising basic cyber incident response plans; and getting senior management to invest in improving cybersecurity.