Varonis says that from hospitals triaging patients around the clock to pharmaceutical companies developing advanced vaccines, cybercriminal groups have targeted entities and systems under massive stress.
According to a research report from Varonis, the recent attacks against the healthcare and biotech sector demonstrate maliciousness on an unprecedented scale, and while their methods vary, the attackers’ goal is the same: to grab sensitive data to steal, sell, or extort.
According to Varonis, in 2020, cybercriminals unleashed potent variants of ransomware like Maze and Ryuk on hundreds of hospitals, and state-sponsored actors zeroed in on pharma and biotech companies to harvest COVID-19 research.
“Insider threats continued to tax the healthcare sector, while simple human errors left vulnerable information exposed — posing additional risk in a year like no other. 2020 also marked the first year that a patient’s death has been directly linked to a cyberattack,” the Varonis report notes.
“Hospitals, biotech firms and pharma companies are entrusted to protect sensitive information — from personal patient data to valuable proprietary research – which makes them a prized target for skilled adversaries looking to steal, sell, or extort sensitive data.
“As the saying goes, hackers only need to be right once. One successful phishing email can set off a ransomware chain reaction that encrypts every file it touches. A single insider with unrestricted access to file shares can copy, change, or delete thousands or even millions of documents.”
Varonis says it developed the 2021 Healthcare Data Risk Report to “shine a light on data security in the life sciences space”.
The research examines the state of data security – across on-premises, cloud, and hybrid environments – for healthcare organisations including hospitals, biotech and pharmaceutical firms. Varonis analysed a random sample of 3 billion files across 58 healthcare organisations to determine how data in the industry is exposed and at risk.
Varonis says the report aims to help healthcare and biotech organisations better understand their cybersecurity vulnerabilities in the face of increasing threats and provides insight into how healthcare companies can mitigate future risk.
Varonis says the healthcare sector has its work cut out for it. Its research found that, on average, every employee within an organisation can access one out of every five files. This overexposed data, in tandem with an increased number of attacks exhibiting new levels of sophistication, makes healthcare one of the most at-risk sectors in 2021.
Key findings of the Varonis research include:
- 1 in 5 files are open to every employee in healthcare organisations, on average. This increases to 1 in 4 when examining small and mid-sized organisations.
- 31,000 sensitive files (HIPAA + financial + proprietary research) are open to everyone, on average.
- Over 50% of organisations have more than 1,000 sensitive files open to every employee, on average.
- 77% of organisations have 500+ accounts with passwords that never expire.
- Every healthcare employee has access to over 11 million files overall — all it takes is one account to be compromised to let a hacker in.
Varonis says that organisation-wide exposure of personal health information (PHI) and intellectual property represents an existential risk.
“Compared to financial services companies, the average healthcare and biotech organisation has about 75% less data. While healthcare entities have fewer files, they have a greater number of files open to every employee. Attackers that successfully compromise one authorised device could land and expand throughout the organisation or encrypt massive amounts of data with ransomware,” Varonis said.
“More than half of hospitals, pharmaceutical companies, and biotech firms have over 1,000 sensitive files exposed to every employee. One-third of the organisations evaluated have over 10,000 files open to every employee. Enforcing least privilege is a basic step every organisation can take to protect data from theft and misuse while ensuring compliance with regulations.”
“Ghost users — user and service accounts that are inactive but still enabled — give hackers an easy way to move through an organisation’s file structures undetected. Hackers often exploit this weakness to steal data or disrupt critical systems,” notes Varonis.
“Varonis data analysis reveals that the healthcare sector falls well below average when finding and fixing this vulnerability.
“Seventy-seven per cent (77%) of the companies we surveyed have 501 or more accounts with passwords that never expire, while 79% have more than 1,000 ghost users still enabled.”
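The two account-hygiene findings above (non-expiring passwords and enabled-but-inactive “ghost” accounts) can be measured directly in Active Directory. The following is an added audit example, not code from the Varonis report; it assumes the ActiveDirectory RSAT module and domain read access, and the 90-day inactivity window is an assumed threshold.

```powershell
# Added example (not from the Varonis report): audit Active Directory for
# enabled accounts whose passwords never expire, and for "ghost users"
# (enabled but inactive). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$InactiveDays = 90   # assumption: no logon in 90 days counts as a ghost account
$Cutoff = (Get-Date).AddDays(-$InactiveDays)

# Enabled accounts with the "password never expires" flag set.
$NeverExpires = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, PasswordLastSet, LastLogonDate

# Enabled accounts with no recorded logon since the cutoff, or none at all
# (old accounts that were never used). LastLogonDate derives from
# lastLogonTimestamp, which replicates with up to ~14 days of lag, so treat
# it as an approximate inactivity signal rather than an exact one.
$Ghosts = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, WhenCreated |
    Where-Object {
        ($null -eq $_.LastLogonDate -and $_.WhenCreated -lt $Cutoff) -or
        ($null -ne $_.LastLogonDate -and $_.LastLogonDate -lt $Cutoff)
    } |
    Select-Object SamAccountName, WhenCreated, LastLogonDate

# Accounts in both sets are the highest-priority cleanup candidates:
# nobody is using them, and their credentials will never be rotated.
$Both = $NeverExpires | Where-Object { $_.SamAccountName -in $Ghosts.SamAccountName }

"{0} enabled accounts with non-expiring passwords" -f $NeverExpires.Count
"{0} enabled accounts inactive for {1}+ days"      -f $Ghosts.Count, $InactiveDays
"{0} accounts in both categories"                  -f $Both.Count

# Hand the overlap to whoever owns account lifecycle for disable/review.
$Both | Export-Csv -Path .\ghost-accounts-never-expire.csv -NoTypeInformation
```

Run it periodically and track the three counts over time; a number that only ever grows is the "ghost user" problem the report describes.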
Varonis says it discovered that smaller organisations in particular have a “shocking amount” of exposed data, including sensitive files, intellectual property and patient records.
“On their first day, new employees at small companies have instant access to over 11,000 exposed files, and nearly half of them contain sensitive data. This creates a massive attack surface and increases the risk of noncompliance in the event of a data breach,” Varonis says.
“Larger organisations tended to have the most problems in their permissions structures, increasing the risk of data breaches stemming from cyberattacks.
“When data is overexposed and underprotected, organisations can quickly lose control as employees copy, share, delete or change even the most sensitive information. Unprotected information is an easy target for cybercriminals who only need to compromise one end user to gain a foothold into healthcare environments.”
According to Varonis, if 2020 portends what the future holds, cyberattacks targeting the healthcare sector will only worsen.
“While medical professionals made COVID-19 vaccination breakthroughs at an astounding rate, confirmed data breaches also increased by a staggering 58% as bad actors targeted vaccine research and high-priority intellectual property,” Varonis notes.
“The industry was woefully underprepared for these attacks. A mere 23% of healthcare organisations have fully deployed security automation. The result of this is an average breach lifecycle of 329 days — the highest of any industry — and an average data breach cost of $7.13 million in 2020 — a 10.5% increase over 2019.
“Cyberattacks were also more sophisticated than anything in years prior. Examples include a global intrusion campaign that trojanised SolarWinds Orion business software updates to distribute a new type of malware called SUNBURST. This attack still has wide-ranging consequences and continues to affect government, consulting, technology and telecom entities.
“To get in front of increasingly malicious and sophisticated cyberattacks, hospitals, pharmaceutical companies, and biotechs need to double down on maturing incident response procedures and mitigation efforts.
“Enforcing least privilege, locking down sensitive data, and restricting lateral movement in their environments are the absolute bare minimum precautionary measures that healthcare organisations need to take,” Varonis concluded.