March 16, 2025
From Ethical Boundaries to Big Payouts: Addressing the Lure of Hacking Healthcare

The following is a guest article by Roei Sherman, Field CTO at Mitiga

In an ideal world, healthcare systems would be fortified against cyberattacks, safeguarding patient data and protecting critical, life-saving operations. Yet, the reality is far from ideal. The healthcare sector has become a prime target for cybercriminals, drawn by the lucrative nature of sensitive medical data, outdated technologies, and stretched budgets. 

Healthcare is a Goldmine for Attackers

Healthcare organizations store vast amounts of sensitive information, from patient records to insurance details, that have long-term value. Unlike credit card numbers, which can be quickly canceled, medical information remains useful for years, offering opportunities for identity theft, fraud, and even blackmail. This “data longevity” makes healthcare more valuable than typical financial data.

Moreover, healthcare providers are considered to be critical infrastructure, which includes systems and assets vital to national security, economic stability, public health, and safety. Cyberattacks in the healthcare sector can cause widespread disruption, attracting both criminal groups and state-sponsored attackers. The high-pressure environment in hospitals and clinics, where delays can impact life-saving operations, increases the likelihood of paying ransom to quickly restore operations, further encouraging threat actors.

The Rise of Attacks and Erosion of Ethical Boundaries

The healthcare industry has faced a significant surge in cyberattacks in recent years. According to the U.S. Department of Health and Human Services, ransomware attacks in the healthcare sector have risen by a staggering 264%. A notable incident was the Change Healthcare ransomware attack, which caused widespread disruption across U.S. healthcare services. Many hospitals, reliant on Change Healthcare, were unable to process patient payments, provide medical care authorizations, or issue prescriptions. The attack exploited vulnerabilities in both their cloud and on-premises systems, resulting in chaos across the healthcare industry and inspiring subsequent attacks by criminal groups seeking similar success. 

Different Segments, Different Threats

The healthcare industry consists of diverse segments, each facing distinct cybersecurity challenges. Hospitals and clinics often operate with legacy systems and a broad attack surface due to the high number of connected devices. For example, mid-sized hospitals may allocate only a few hundred thousand dollars annually for cybersecurity, while large pharmaceutical companies can dedicate millions to protect their intellectual property. This disparity leaves hospitals at a distinct disadvantage in implementing advanced security measures.

Pharmaceutical companies hold valuable intellectual property and operational environments, making them prime targets for nation-state actors. Health insurance companies, with vast stores of personal data, are highly attractive to cybercriminals. Even medical device vendors are vulnerable—their products often contain software that is difficult to patch or update, presenting long-term security risks.

The Role of Behavioral Analytics in Healthcare Security

As healthcare organizations increasingly adopt cloud and SaaS technologies, traditional threat detection methods are proving less effective. Attackers evolve their tactics too quickly for traditional indicator-based detection methods to keep pace. This is where behavioral detections come into play.

Behavioral detections can help by establishing baselines of normal operational activity—such as patterns of data access, time of usage, and types of interactions with cloud and on-premises systems. By identifying deviations from these baselines, healthcare organizations can detect sophisticated threats that might otherwise go unnoticed. For instance, sudden large-scale data downloads by a researcher could signal a potential breach, allowing for real-time detection and response.

These advanced detection methods shine in hybrid environments, where cloud services, on-premises systems, and IoT devices are interconnected. Cross-correlating signals from these disparate systems helps trace attacks from their entry point to subsequent activity, providing a more complete security picture.
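The baseline-and-deviation logic described above, as an added example in Python that is not part of the original article or of Mitiga's products: it builds a per-user baseline of daily download volume and hours of activity from a few constructed audit lines, then flags a later day whose volume is an outlier against that user's own history and any activity at an hour the baseline never saw. User names, log lines and thresholds are all constructed assumptions.

```python
from datetime import date, datetime
from statistics import mean, pstdev
from collections import defaultdict

# Constructed sample export-audit lines: user,ISO timestamp,bytes downloaded.
SAMPLE_LOG = """\
researcher1,2025-03-03T09:12:00,50000000
researcher1,2025-03-04T10:05:00,48000000
researcher1,2025-03-05T11:30:00,55000000
researcher1,2025-03-10T02:15:00,2600000000
nurse7,2025-03-03T22:10:00,1000000
nurse7,2025-03-04T23:40:00,1200000
nurse7,2025-03-05T21:55:00,900000
nurse7,2025-03-10T22:30:00,1100000
"""

def parse(text):
    """Parse audit lines into (user, datetime, bytes) tuples."""
    rows = [line.split(",") for line in text.strip().splitlines()]
    return [(u, datetime.fromisoformat(ts), int(b)) for u, ts, b in rows]

def detect(records, cutoff, min_days=3, z_threshold=3.0, min_ratio=5.0):
    """Baseline each user on records before `cutoff`, score the rest. Flags a
    day's download volume far above that user's own history (z-score AND ratio,
    so a near-constant baseline does not alert on jitter) and any activity at an
    hour never seen in the baseline. Returns (user, day, reason) tuples."""
    alerts = []
    for user in sorted({r[0] for r in records}):
        hist = [r for r in records if r[0] == user and r[1].date() < cutoff]
        new = [r for r in records if r[0] == user and r[1].date() >= cutoff]
        daily, new_daily = defaultdict(int), defaultdict(int)
        for _, ts, b in hist:
            daily[ts.date()] += b
        if len(daily) < min_days:
            continue  # too little history to define "normal" for this user
        mu, sigma = mean(list(daily.values())), pstdev(list(daily.values()))
        seen_hours = {ts.hour for _, ts, _ in hist}
        for _, ts, b in new:
            new_daily[ts.date()] += b
            if ts.hour not in seen_hours:
                alerts.append((user, ts.date(), f"activity at {ts.hour:02d}h, unseen in baseline"))
        for day, vol in sorted(new_daily.items()):
            z = (vol - mu) / sigma if sigma else (float("inf") if vol > mu else 0.0)
            if z >= z_threshold and vol >= min_ratio * mu:
                alerts.append((user, day, f"{vol / mu:.0f}x baseline daily volume"))
    return alerts

def run_sample():
    """Score 2025-03-10 against the preceding days of the constructed log."""
    return detect(parse(SAMPLE_LOG), date(2025, 3, 10))
```

In the sample, the researcher's 2.6 GB export at 02:15 produces both alerts while the nurse's habitual late-shift activity stays quiet, which is the point of baselining per user rather than per organisation.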

Unique Vulnerabilities Exposed

A major cybersecurity issue for healthcare is its reliance on legacy systems, which create security gaps that are difficult to bridge. 

Additionally, IoT devices in healthcare, such as MRI machines or ultrasound devices connected to hospital networks, often lack built-in security features. For instance, a U.S. hospital could face a major vulnerability if its MRI machine, connected to the network, became an entry point for cyberattackers. These devices are difficult to monitor because they prioritize functionality over security and may not support regular updates or patches, leaving them exposed.

The adoption of cloud technologies has introduced significant challenges, as many healthcare providers struggle to secure these environments. Attacks often begin by compromising cloud accounts or exploiting insider access, such as a doctor's credentials stolen by an information stealer, and then move laterally across networks, as has been seen in multiple cloud cyberattacks.

Combating Healthcare Cybersecurity Threats

To combat the growing threat landscape, healthcare professionals can adopt a multi-faceted, proactive approach by implementing effective and manageable steps to enhance cybersecurity.

  1. Enhancing Visibility: Without comprehensive visibility and proper telemetry into cloud and SaaS environments, detecting threats becomes nearly impossible; healthcare providers should invest in solutions that enable full visibility and tracking of data movement and system activity.
  2. Training and Skills Development: Addressing the skills gap is critical, as many healthcare organizations lack the cybersecurity expertise needed to protect their systems effectively; trained staff are essential, particularly for responding to threats in cloud environments.
  3. Advanced Behavioral Threat Detection: Implementing behavioral analytics systems that establish baselines for normal activity is vital; detecting deviations allows for quick action to mitigate potential threats, which is especially useful in healthcare environments, where activity is unpredictable due to staff working irregular hours and accessing systems from various locations.
  4. Incident Response Readiness: Healthcare providers need well-developed incident response plans that are regularly tested to ensure swift reactions to a cyberattack; a timely response is crucial to minimizing damage.

Healthcare remains a prime target for cyberattacks due to its wealth of sensitive data, reliance on legacy systems, and financial constraints. However, by taking a proactive approach and investing in advanced cybersecurity measures—such as behavioral analytics—healthcare organizations can better protect their critical infrastructure and patient data. The stakes are high, but with the right strategies in place and a commitment to ongoing learning, the sector can improve its defenses against the growing wave of cyber threats.

About Roei Sherman

Roei Sherman, Field CTO at Mitiga, is a seasoned expert in Cloud Incident Response and adversarial cybersecurity. His career, spanning over ten years in adversarial cybersecurity roles, showcases a deep specialization in Red Team operations.

Roei’s approach is marked by an adversarial mindset and the application of guerrilla tactics, aiming for a proactive defense in a variety of security engagements that encompass training, lectures, and consulting. His expertise is rooted in a distinguished background, including roles in a Field Intelligence unit of the IDF, where he continues to serve in the Reserve. Roei has also played key roles at AB InBev as Global Director of Offensive Services and led significant projects as an information security consultant and Red Team leader for EY Israel. His technical breadth covers a wide range of areas including Red Team engagements, social engineering, physical security, and incident response across diverse platforms.

Roei’s academic foundation enhances his professional endeavors, holding a B.A. degree in Business Administration with a major in Cyber Security and an M.A. in Criminology. Beyond his primary role, he contributes as a co-organizer of BSidesTLV and serves on the CFP team for Diana’s Initiative, demonstrating his commitment to advancing the cybersecurity community.
