New ENISA report says ransomware accounts for 54% of cybersecurity threats in health sector

Ransomware is one of the biggest hazards in the health industry, according to data reported by the European Union Agency for Cybersecurity (ENISA), ranking first in terms of both the number of occurrences and the consequences it has on healthcare organizations. Such attacks are a significant portion of the identified incidents (116 incidents, 54 percent), with several high-profile and highly publicized incidents during the reporting period. Patient safety emerges as a paramount concern for the health community, given the potential delays in triage and treatment caused by cyber incidents.

The report analyzes cyber incidents targeting health organizations from January 2021 to March 2023, revealing prime threats, actors, impacts, and trends. It also disclosed that the European health sector experienced significant incidents affecting healthcare providers (53 percent), hospitals (42 percent), health authorities, bodies, and agencies (14 percent), and the pharmaceutical industry (9 percent).

“Throughout the reporting period, we observed the following types of threats targeting the European health sector. An incident can be categorised into more than one threat category, meaning that the total percentage of the threats exceeds 100%,” ENISA disclosed in its latest report titled ‘ENISA Threat Landscape: Health Sector.’ The comprehensive analysis maps and studies cybersecurity attacks, identifying prime threats, actors, impacts, and trends for over two years, and delivers insights for the healthcare community and policymakers. 

The ENISA analysis is based on a total of 215 publicly reported incidents in the European Union (EU) and neighboring countries.

The report disclosed that the attack vector for initial access may include a health-themed phishing campaign (social engineering threats), followed by a compromise with ransomware, which may or may not result in patient data being leaked (data-related threats). “Likewise, incidents that included an attack on a supplier or provider were categorised both as supply-chain attacks and as the type of attack used for the compromise.” 

ENISA said that the health sector heavily relies on data that are of a personal and sensitive nature, hence their potential disclosure would have severe ramifications. This is an appealing target for cyber threat actors that would take advantage of the opportunity to monetize their activities based on extortion under the threat of disclosure. 

This is corroborated by the findings of the report, whereby ransomware and data-related threats rank the highest.

“A high common level of cybersecurity for the healthcare sector in the EU is essential to ensure health organisations can operate in the safest way. The rise of the COVID-19 pandemic showed us how we critically depend on health systems,” Juhan Lepassaar, executive director of ENISA, said in a media statement. “What I consider as a wake-up call confirmed we need to get a clear view of the risks, the attack surface, and the vulnerabilities specific to the sector. Access to incident reporting data must therefore be facilitated to better visualise and comprehend our cyber threat environment and identify the appropriate mitigation measures we need to implement.”

The reporting period coincides largely with the COVID-19 pandemic era when the healthcare sector was one of the prime victims of cyber attackers. “During the reporting period, cybercriminals had the heaviest impact on the sector, in particular ransomware threat actors driven by financial gain (53%). This is linked to the increase in ransomware attacks in general but also to the value of patient data including electronic health records. In fact, patient data were the most targeted assets (30%) throughout the reporting period,” the report added.

The report observed that during the pandemic, data leakage of patient data from COVID-19-related systems or testing laboratories occurred on multiple occasions and in multiple countries. These leaks were either due to the collaboration of malicious insiders or, in most cases, accidental due to poor security practices and misconfigurations. These incidents offer lessons to be learned on poor cybersecurity practices when there are pressing operational needs, in this case even more pressing due to the pandemic.

Furthermore, the ENISA report confirmed attacks on the healthcare supply chain and service providers caused disruptions or losses to organizations in the health sector (7%). “We assess that these types of attacks will remain highly relevant for the sector in the future, especially in conjunction with the risks posed by vulnerabilities in healthcare systems and medical devices.” 

In a recent ENISA study, healthcare was the sector that declared the most security incidents related to vulnerabilities in software or hardware, the report said. “Indeed, 80% of the healthcare organisations interviewed declared that more than 61% of their security incidents were caused by vulnerabilities. Geopolitical developments and hacktivist activity increased the number of DDoS attacks against hospitals and health authorities in early 2023, reaching 9% of total incidents. This was due to a surge in DDoS attacks by pro-Russian hacktivist groups who aimed to disrupt healthcare providers and health authorities in the EU,” it added. 

ENISA expects this trend to continue; however, the actual impact of these attacks remains relatively low.

The report disclosed that, in terms of impact, the incidents observed mainly caused breaches or theft of data (43 percent), disruption of healthcare services (22 percent), and disruption of other services not related to healthcare (26 percent). Data breaches affected healthcare entities in 40 percent of the total number of incidents; in particular, hospitals recorded 27 percent and primary care accounted for 8 percent. Where healthcare services were disrupted, healthcare entities accounted for 82 percent and health authorities for 12 percent. Other impacts include financial losses, but this impact is difficult to assess.

ENISA reported that ransomware attacks were on the rise in 2022 and early 2023. “If we compare 2021 and 2022, we see an increase in ransomware incidents. This trend has been observed in other sectors, as well as in the 2022 ENISA Threat Landscape report, and it continues steadily in 2023.”

It also disclosed DDoS attacks were on the rise in early 2023 due to pro-Russian hacktivism. During the reporting period, geopolitical developments and hacktivist activity increased the number of DDoS attacks against health organizations, reaching 9 percent of total incidents (20 incidents). The majority, 15 of these incidents, occurred in 2023. In particular, European hospitals and health authorities were targeted by pro-Russian hacktivist groups in early 2023 (Netherlands, Denmark, Sweden, Spain). 

“In 2021 and 2022, we observed 9 cases (4%) of confirmed and potential data thefts and leaks which were caused either by an unpatched vulnerability or due to bad configuration of systems,” ENISA reported. “These were primarily applications or websites related to COVID-19 vaccinations or testing, which left patient data and credentials exposed. They were systems used by the public authorities and laboratories. Similarly, a bug on a hospital website exposed the passwords and email addresses of at least 134,004 users.” 

In 2022 a vulnerability in the system of a healthcare software vendor was exploited by an individual who stole data that contained sensitive personal and medical data of patients of healthcare providers that were using the company’s systems (supply chain attack). 

Also, in 2022, software bugs were reported under NIS as the cause of 8% of system failures, ENISA reported. “These, combined with 13% of ‘faulty software changes/updates’, 8% of ‘hardware failures’, and 2% of ‘faulty hardware changes/updates’, amount to around 30% of the officially reported system failures. Similar trends are identified by the 2022 NIS Investment study, which also focuses on the EU, but is based on a different data sample.”

The report also identifies healthcare as the sector that declared the most security incidents related to vulnerabilities in software or hardware. “Eighty percent (80%) of the healthcare organisations interviewed declared that more than 61% of their security incidents were caused by vulnerabilities,” it added.

When analyzing the most prominent actors impacting the European healthcare landscape and their motivation, two primary categories of actors emerge, ENISA reported. “The first and predominant group consists of cybercriminals, particularly those involved in ransomware activities, who are primarily motivated by financial gain (53%). The second group comprises hacktivist organisations motivated by ideological reasons, aiming to carry out denial-of-service (DoS) attacks on healthcare organisations and health authorities (7%),” it added. 

The ENISA report assessed that attacks on healthcare supply chains and service providers resulted in disruptions or losses to health organizations. Such types of attacks are expected to remain significant in the future, given the risks posed by vulnerabilities in healthcare systems and medical devices. It also recognized geopolitical developments and hacktivist activity led to a surge in distributed denial of service (DDoS) attacks by pro-Russian hacktivist groups against hospitals and health authorities in early 2023, accounting for 9 percent of total incidents. 

Looking ahead to the challenges the sector is facing, ENISA said that a main area of concern is vulnerabilities in medical devices and their potential effect on patient safety and privacy. Vulnerabilities in medical devices, including emergency buttons, remote monitoring technologies, wearables, and home-based sensors, can impact patient safety and healthcare professionals’ safety. Unsupported devices pose challenges for healthcare professionals, who may have no replacement options.

During the COVID-19 pandemic, rapid development and deployment of vaccination and testing applications exposed patient data. The rapid evolution of healthcare systems and medical devices, which are becoming increasingly connected to the internet, must be accompanied by putting cybersecurity measures in place. This is an area where the sector and its supply chain are lacking, as vulnerabilities have been recognized as the primary cause of incidents by health organizations. 

“As ransomware groups are advancing their tactics, patients whose sensitive health data have been stolen may face extortion after a data breach (triple extortion). We have seen such cases in the EU and in the US already,” the report added. “The experience of extortion or having sensitive medical information leaked can cause harm to patients. Healthcare organisations are reluctant to publicly admit impacts on patient safety. However, some studies show that delays in treatment, operations cancelled or diversion to other facilities can have an impact both on patients and also on healthcare professionals.”

Last week, the EU-NATO Task Force presented a final assessment report that maps out the current security challenges and identifies four key sectors of importance, including energy, transport, digital infrastructure, and space. The report recommends strengthening critical infrastructure resilience and deepening EU-NATO cooperation through information exchanges, alternative transport routes, and security research ties.
