Why health care has become a top target for cybercriminals

SEATTLE — When a cyberattack hit Fred Hutchinson Cancer Center late last year and exposed the personal data of nearly a million patients, many were caught off guard, stunned a breach could infiltrate such a large and highly resourced health care organization.

But those working in computer security weren’t surprised. In recent years, they’ve watched other hospitals and health care facilities across the country get hit by similar attacks, some that have crashed systemwide operations and caused delays in patient procedures or tests, or rerouted ambulances to other emergency rooms.

Cyberattacks of all sorts have plagued large corporations, small businesses and individuals for decades now, but in the past several years, health care has become a top target, according to federal and local cybersecurity experts. These organizations hold a massive amount of patient data — including medical records, financial information, Social Security numbers, names and addresses. They’re also among the few businesses that stay open 24/7, meaning they might be more likely to prioritize avoiding disruptions and, therefore, more likely to pay a hacker’s ransom.

“They’re basically a one-stop shop for an adversary,” said Chris Callahan, chief of cybersecurity for the Northwest region of the federal Cybersecurity and Infrastructure Security Agency, or CISA. The agency, housed in the U.S. Department of Homeland Security, also works to defend against government and election hacking, but recently health care — along with K-12 education and the water supply — has emerged as one of its most urgent priorities, Callahan said.

In December, the U.S. Department of Health and Human Services reported that the medical data of more than 88 million people was exposed in the first 10 months of 2023. The department also saw a 93% increase in large, health care-related breaches reported to the agency between 2018 and 2022.

While fewer data breaches in Washington were reported to the state Attorney General’s Office last year compared with 2021 and 2022, which both saw a record number of cases, experts say cyberattack numbers are still much higher than they were before the pandemic.

In the past three months, 13 health care-related businesses have detailed large breaches to state Attorney General Bob Ferguson, as is required by Washington law when more than 500 residents have been impacted by a cyberattack.

Attacks against computer systems at Proliance Surgeons and Western Washington Medical Group last February and July, respectively, allowed unauthorized access to the data of hundreds of thousands of patients, the medical groups wrote to Ferguson’s office. Dental insurer Delta Dental of California and affiliates, Vancouver-based Hi-School Pharmacy, and California-based vision care provider Medical Eye Services (known as MESVision) were also hit last year, impacting thousands more.

Patients’ health information is worth a lot of money to hackers, said Geetha Thamilarasu, an associate professor of computing and software systems at the University of Washington, Bothell. Once someone gets hold of a stolen medical record, they can buy fake prescriptions, file bogus insurance claims, participate in identity theft and sell it online, among other things, she said.

“There is a huge underground market on the dark web,” said Thamilarasu, who specializes in health care security. “Research shows that if a compromised credit card sells for about $1 to $5 each, a compromised medical record can sell anywhere from $400 to $500 — sometimes even $1,000.”

Once a hacker obtains someone’s personal information, they’ll often try to use it as leverage to extort an organization or victim for money, Callahan said. If that fails, they’ll try to sell it to other organized crime groups that generally have “one objective — to make as much money on your information as fast as possible,” he said.

Risk of being doxxed — when someone, usually with ill intent, posts a victim’s personal information online — has become more common, too, he added. After the Fred Hutch breach, many patients whose data was leaked also received a barrage of email threats and spam messages.

Health care organizations, like many others, have spent the last decade moving toward total digitization, creating some new risks.

“Health records are no longer paper,” Thamilarasu said. “While having digital technologies is often great and provides more convenience, it also opens them up to these security vulnerabilities.”

This not only includes patient records, but also medical devices like X-ray and CT scanning machines, which are now often connected to a network or the internet, Thamilarasu said.

“And if you are connected to the internet, you can be hacked,” she said.

While an X-ray machine itself might not carry any patient data, it can act as an entry point for attackers trying to break into an organization’s broader network. In a health care facility, there could be hundreds of Internet-connected devices, which require different types of security measures not always prioritized, she said.

One cyberattack on health care giant Ardent Health Services last year forced hospitals in New Jersey, Oklahoma, Texas, New Mexico and other states to divert ambulances to other emergency rooms and reschedule some nonemergency procedures while systems were offline.

“I think this is becoming more of a problem in health care than any other institution,” Thamilarasu said. “And with health care, you’re no longer just talking about money and loss of data … This could potentially endanger human lives.”

Anatomy of a cyberattack

It often starts with a simple email.

Maybe an employee gets a message from a familiar name. They don’t notice the name is slightly misspelled, or recognize it could be a phishing attempt. They open it and click the link.

And just like that, a hacker can gain access to the employee’s credentials and the organization’s entire network system.

“The biggest risk sector is employees,” said Callahan of CISA. “If you don’t have the defenses or the user education and awareness, then it’s a super easy way to get into a system.”

Ransomware threats — when a specific malicious software blocks a victim’s personal data until a ransom is paid — are also on the rise, Callahan said.

In 2022, the Federal Bureau of Investigation recorded about 870 ransomware incidents that hit “critical infrastructure” businesses, like transportation, health care, energy, government and food and agriculture. Of those, almost 25% were attacks against health care and public health organizations, compared with about 22% in 2021.

AI technology has played a “huge role” in more sophisticated hacking attempts, Thamilarasu said.

“Attackers are able to generate all these emails, which no longer appear as [obvious] phishing emails,” she said. “Nowadays, they look so genuine and authentic.”

Cybersecurity can be an afterthought for many health care systems because they’re primarily focused on patient care, Callahan said.

Those who manufacture medical devices should also make sure their products are secure, Thamilarasu added.

“We all get that health care systems are one of the most overworked organizations,” she said. “And security is not the priority. Patients are the priority. So I think a lot of these staff and health care providers do not understand the level of damage somebody can cause.”

Push toward cyber safety

Recent cyberattacks have sparked a renewed push among many health care organizations to bolster protections.

Moses Lake Community Health Center, which was targeted last year, is in the middle of several cybersecurity improvements.

“We believe [cybersecurity] is not a destination, but a continuous improvement process,” said Mark Lauteren, the health center’s chief information officer, who joined after the breach. “The bad actors are always changing their environment and their attack methods, so if we put something up and say ‘Done,’ guaranteed, they’ll find a way around it within a few weeks.”

Lauteren declined to discuss the breach, which leaked data of about 1,200 people, but noted that cybersecurity is “not a new priority.” The Moses Lake center has since teamed up with CISA, which offers free, weekly cybersecurity scans to organizations that look for potential vulnerabilities in their system and offer recommendations. CISA officers also run through “tabletop” exercises that mimic real cyberattacks, hoping to prepare organizations in case one occurs.

During these exercises, experts walk organization leadership and IT teams through a dry run of a breach, prompting them with questions. How might they respond? Are they going to pay the ransom? How are they going to start rebuilding their systems afterward?

“We [all] need to be better at protecting ourselves,” Lauteren said.

Since the Fred Hutch breach last fall, an organization spokesperson said it has implemented “additional defensive tools and increased monitoring,” but declined to elaborate on what those entail.

At UW Medicine, whose data was also impacted during the Fred Hutch cyberattack, “we continuously strengthen our cybersecurity measures and actively adapt our strategies to address evolving cyber threats,” hospital spokesperson Susan Gregg said in a statement.

The Washington State Hospital Association has started to hold regular cybersafety sessions for its members, though organization spokesperson Beth Zborowski said she was hesitant to describe specifics to avoid sharing strategies with hackers and prevent any individual hospitals from becoming a target.

“We are paying attention to this. We take people’s health information seriously,” Zborowski said. “If you ask hospital CEOs what keeps them up at night, this would be one of the things.”

Catching a cybercriminal

Falling for a cyber scam can happen in seconds. But it sometimes takes years for an investigation to unfold.

Fred Hutch, for example, is still working on confirming details around its recent breach, though the organization believes hackers overseas “exploited a vulnerability” in a workspace software called Citrix that allowed them to gain access to its clinical network.

The weakness, known as the “Citrix Bleed,” has gained attention from federal cybersecurity teams, who say it allows attackers to bypass password requirements and multifactor authentication measures.

In several other cyberattacks in Washington and throughout the country, investigators found hackers targeted a file-transfer tool called MOVEit, a software application used to exchange data. According to TechCrunch, a group of hackers found a weakness in the software that allowed them to install a backdoor and steal data.

Cybercrime investigations can be complicated, especially if hackers are working from a different country that may not want to work with the U.S., said Kevin Brennan, a supervisory special agent with FBI Seattle’s cyber task force.

“Some of it is going to be through more traditional investigative techniques,” Brennan said. “You know, follow the money — or in this case, cryptocurrency.”

The FBI encourages against paying ransoms because it doesn’t guarantee hackers will delete or stop sharing people’s data, but if companies choose to, the agency also tracks online communications between victims and hackers, searching for small details that might illuminate where a suspect is. It’s becoming much less common for victims to pay ransoms, Brennan said, but the practice still happens; the FBI doesn’t collect data on how frequently ransoms are paid.

Once officers identify a suspect overseas, they have a couple of options, Brennan said. If the FBI is working with a country whose laws don’t require them to arrest someone based on an alleged crime they committed in the U.S., agents might look for potential crimes the suspect committed in that country, he said.

In other cases, agents might have to wait for the suspect to travel somewhere that will extradite them to the U.S.

FBI Seattle doesn’t generally track “success” rates for closing cybercrime cases, but Brennan noted various challenges involved when working with international law enforcement. It can also be hard to report an accurate number of closed cases because sometimes cybercriminals are only charged with one breach when law enforcement officials might know or suspect they’re involved with many more, he added.

“It can be a waiting game at times,” Brennan said. “It can be frustrating, both for us and the victims. But it’s not something we’re going to give up on just because they’re hiding in a country that might not cooperate with the U.S.”

Staying safer online

As our collective reliance on technology grows, it can be easy to panic about further opening ourselves up to hacking and data leaks, experts said. But they noted there’s also a lot we can do to limit risk.

Cybersecurity experts have a list of tips about how to stay safe online, which can be found at CISA website StopRansomware.gov. HHS has also created a health care-specific tool kit, which includes information about how health care systems can mitigate known vulnerabilities, bolster email security, enable multifactor authentication, deploy strong encryption, and roll out basic cybersecurity training.

“You don’t want to call us in your darkest hour,” Callahan said. Institutions “want to make sure you know who your local FBI or CISA contact is. There’s all kinds of things we can do to help protect yourselves before an attack.”

According to CISA, some of the most simple changes to boost individual cybersecurity include:

• Recognizing and reporting phishing
• Using strong passwords
• Turning on multifactor authentication
• Updating software

If you think you’ve been targeted by a hacker, you can also report the incident to the FBI website ic3.gov, which is open to the public.

“I take some comfort in knowing that, as sad as it sounds, so much personally identifiable information has been stolen, the odds of any individual person being a victim is not very high,” said Brennan of FBI Seattle. “We all drive down the highway at 70 miles an hour and think, ‘I’m not going to be the one that gets into an accident.’ And odds are we’re not.”