Healthcare, cybersecurity—the complex role of the deep and dark web
Healthcare organisations face a barrage of online threats from a range of different sources, says Josh Lefkowitz, CEO, Flashpoint. He writes: “There is no doubt that the industry is a desirable target for cybercriminals. Indeed, the WannaCry ransomware attack, which severely affected the NHS, unfortunately illustrated this point all too clearly. As such, healthcare organisations should prioritise cyber defence and implement effective cybersecurity processes, technology, and people.
And given that most breaches and compromised healthcare information are in many ways intertwined within the deep and dark web, it is crucial for healthcare organisations to both understand and gain visibility into these regions of the Internet.
What is the deep and dark web?
The dark web refers specifically to a collection of websites that exist on an encrypted network; they cannot be found via traditional search engines or visited using traditional browsers. The deep web meanwhile refers to all web pages that search engines cannot find. It is on the deep and dark web that cybercriminals have been known to develop and discuss many cyberattacks before they occur.
The role of the deep and dark web in attacking healthcare organisations
The threats posed by the deep and dark web can be broken down into three principal concerns:
• It allows the sharing of best practices
Wherever people congregate, they talk. Although cyber-criminals like to compete, they also often share best practices. This information-sharing is why the deep and dark web facilitates so many of the dangerous threats targeting businesses. There is an interconnected, agile nature to the cyber-criminal ecosystem, and regardless of their language, skills, location or affiliation, cyber-criminal groups tend to share a strong desire to reap the benefits of cross-community collaboration, information sharing, and even mentorship.
• It provides a way to sell and monetise criminal gains
The deep and dark web provides a way for cyber-criminals to monetise the crimes they commit. Often the exchange is data for Bitcoins but it can take a variety of forms. At its simplest, however, the deep and dark web and its many illicit marketplaces serve as an underground economy for cyber-criminals.
• It acts as a network and communications portal
The deep and dark web provides a relatively anonymous and safe place in which cyber-criminals, terrorists, and other threat actors can communicate. Cybercriminals communicate and collaborate through illicit forums on the deep and dark web. As new forums and marketplaces emerge, some may decline whereas others continue to attract new members.
What types of threats do healthcare organisations face?
Healthcare organisations face several threats, some of which include: ransomware, third-party vendor risks, fraud, and insider threats. All are underpinned by the underlying economic value of the data they hold and the criminal schemes that data facilitates.
While cybercriminals have been stealing and selling healthcare data for years, many have realised that healthcare organisations—eager to regain access to critical data—may pay ransoms worth more than the data’s black-market value. Ransomware attacks can ultimately yield sizable financial losses and result in a crucial loss of confidence in the compromised institution. Unfortunately, many organisations lack the tools, expertise, and people required to mitigate these attacks.
The healthcare industry’s rapid adoption of emerging medical technologies has rendered many organisations more susceptible to cyber threats posed by the vendors of these technologies. This is because many vendors face intense competition and pressure to produce more goods faster than ever before, often leaving security as an afterthought. As healthcare organisations typically do not have visibility into vendors’ supply chain security practices, dangerous vulnerabilities may go undetected until after a compromise has occurred.
While threats posed by malicious insiders raise concerns across industries, those in healthcare can be especially detrimental. This is due to the high black-market value of stolen personal health information (PHI) and serious consequences for victims. PHI abuse can include identity theft, insurance fraud and tax fraud, which often goes undetected for years. For malicious insiders with access to valuable PHI databases, selling such access can make a fast and profitable return.
How can these threats be countered?
The number one way to mitigate the risk emanating from adversaries who are utilising the deep and dark web is to understand and effectively monitor their activity in that space. If you know what your adversary will do before he or she does, then you can act to mitigate the threat and implement the defences needed to guard against an attack.
Language expertise is also vital to using the deep and dark web for defensive purposes. Understanding how criminals speak and the true meaning behind their interactions is vital. The most successful analysts come with a huge depth of understanding that takes years of specialised work to acquire and build.
Outside of the deep and dark web there are several actions healthcare organisations can take to address threats proactively and bolster their security. I would advise strongly that CISOs and CIOs put in place robust systems to ensure that people, processes, and technology all are up to date and aligned. Defence requires constant vigilance and agility. Practically speaking, using two-factor authentication, patching and updating software, maintaining firewalls, changing default passwords, raising employee awareness of cybersecurity best practices and creating off-the-grid backups will all help in protecting an organisation.
We know that cyber attackers are using the deep and dark web to coordinate attacks on healthcare organisations. For them, the rewards following a successful breach can be significant. On the flip side, the damages incurred by the breached institution could be catastrophic. It is therefore critical that cybersecurity, including effective monitoring of the deep and dark web, remains a priority.”