6 Easy Ways to Detect Healthcare Data Breaches

Cyber-attacks on healthcare dominate recent news, and ransomware attacks are among the most troubling.¹ Recent numbers from the U.S. Department of Health and Human Services show that 2022 has been rife with hacking incidents,² with hundreds of providers and thousands of individuals affected.

“Over the past decade, there have been more than 2,500 data breaches in the healthcare industry affecting nearly 190 million medical records.”³

The impact of these breaches can be staggering. One recently reported breach affected 657 providers and compromised more than 1.9 million patient records.⁴ This breach of a financial services company serving the healthcare industry has been attributed to quantum ransomware, one of the latest approaches to ransomware. 

Similar to other ransomware attacks, Quantum Locker Ransomware — so named because of the extension it adds to the data it encrypts — uses malware to gain a foothold, but then a human hacker navigates the organization’s defenses. (For tips on how to combat this insidious attack type, check out our blog on how to disrupt Quantum Locker Ransomware tactics, techniques and procedures.)

Healthcare Data: A Lucrative Target for Threat Actors

The reason the industry is so heavily under attack is simple: healthcare organizations — and the valuable data they host — are lucrative targets for criminals. Patient data includes a litany of personally identifiable information. Where a single stolen credit card number is bad, electronic health records have “the fullz,” everything an identity thief could want.

What’s more, it tends to take healthcare organizations significantly longer to contain breaches. According to The Ponemon Institute, it takes healthcare organizations an average of 1,037 days to contain a data breach, compared with 69 days for organizations generally. 

So, with that in mind, how can you tell if you’ve been compromised?

Clues that you’ve already been breached

Hackers don’t announce their presence. The longer they can remain hidden on your network, spreading and reconnoitering as they go, the more sensitive data they can scoop up, or damage they can do when they release their payload. 

They naturally try to cover their tracks, but there are a few telltale signs you can look for:

1. Sudden file changes — Software you haven’t heard of unexpectedly installing, file name changes or other file tampering are pretty sure signs you’ve been breached.
   
   
2. Locked user accounts — Users locked out of their accounts, and not because they’ve tried their password too many times, can mean others have been trying to access them or, worse, that a hacker already has access to their credentials.
   
   
3. Slow device and network performance — Systems compromised by botnet attacks or which have had processing power being harnessed for illicit purposes will slow down.
   
   
4. Antivirus “alerts” — You may receive fake pop-up notifications that are hard (at least, for end users) to distinguish from the real system alerts.
   
   
5. External sources — Partners or outside organizations may have discovered and informed you of a breach. Unfortunately, by the time this happens you’ve usually been breached for many months.
   
   
6. System alerts — Of course, your existing security solutions may be providing you with alerts. It’s important to pay attention to these real alerts, although it can be difficult to separate what’s real from the noise.

Getting help identifying patient data compromises (#7)

Managed Detection and Response (MDR) can help your clinic or hospital wade through the noise and home in on real threats, while hardening your defenses against them. MDR combines machine learning with human threat hunters to find evidence of suspicious behaviors on your network and operating systems, including telltale signs like those above, as well as not-so-obvious ones.

For instance, ActZero’s threat hunters investigate what might otherwise be considered ‘normal’ traffic with an eye for the breadcrumbs left by hackers, such as:

• Registry or system file changes
• Anomalous DNS requests
• Quantity of requests for file
• And numerous other critical areas as surfaced by models they routinely review.

Threat hunters then validate whether an attack is taking place. By monitoring for and detecting this suspicious activity, they can respond appropriately, thwarting attacks like ransomware in real-time or quarantining systems that are compromised until the risk can be mitigated. In this way, we have you covered.

ActZero uses a range of dashboards to share information about your security posture. Incident dashboards inform you of any security-related events, and the responsive action that was taken. Vulnerability, patching and endpoint-hygiene dashboards provide a detailed understanding of the current state of your security, while an executive summary dashboard brings them all together in one view. All these dashboards are offered as part of ActZero’s customer portal, helping you more easily and confidently protect your vital systems and sensitive patient data.

Or, to actively explore whether your accounts have been compromised, whether passwords are stored in clear-text, and any Dark Web attack intent targeting your organization, schedule a complimentary Ransomware Readiness Assessment; in less than an hour, with no service interruption, we will determine your healthcare organization’s vulnerability to ransomware - both with, and without, our MDR service defending your patient data.