FBI Warns of Cyber Extortion Targeting Plastic Surgery Industry

Cybercriminals Targeting Plastic Surgery Offices: A Broader Problem in Healthcare Cybersecurity

Rising Threat of Cyberattacks on Plastic Surgery Providers

Cybercriminals have recently been focusing their efforts on stealing medical records from plastic surgery offices in order to extort doctors and patients. This alarming trend was addressed by the FBI in a public service announcement released on October 17th. Hackers specifically target the plastic surgery industry due to the sensitive nature of the procedures involved, threatening to publish personal information and explicit photographs unless the victims pay a ransom. The issue is not limited to the United States but has also affected plastic surgeons in countries like Brazil and the UK, indicating a global concern for healthcare cybersecurity.

The Financial Incentive

According to Shawn Surber, senior director of technical account management at Tanium, targeting plastic surgeons and their patients makes financial sense. Plastic surgery is a lucrative industry where payments are typically made upfront. Both the surgeons and the patients usually have significant disposable income, and they place a high value on privacy: their concern is avoiding embarrassment rather than identity theft. Hackers recognize this and exploit it.

Security Shortcomings

Another factor contributing to the targeting of plastic surgery offices is the inherent security shortcomings in many independent practices. These small offices often have limited IT support and may communicate outside of traditionally secure channels. For instance, practitioners may use personal or web-based email, creating further opportunities for hackers to intercept data and credentials. Additionally, partnerships with private surgery centers, which may also have limited IT support, further expose these practices to cyber threats.

Strategy of Attack

The FBI characterizes these attacks as three-phase processes. First, hackers deploy phishing attacks and malware to collect sensitive patient information and photos. They then “enhance” this data by gathering additional information from social media or through social engineering techniques. Once they have all the necessary information, the attackers contact both patients and providers, demanding payment in exchange for not exposing the harvested data. To further pressure victims, the hackers may publish data on public-facing websites or share it with the victims’ family, friends, and colleagues, promising to stop only after receiving payment.

Defensive Measures for Doctors and Patients

The FBI advises patients to practice good password hygiene, monitor their bank accounts for suspicious activity, and apply strict privacy settings on social media accounts. These measures aim to prevent unknown individuals from accessing personal information or posting on their pages. However, for providers, such advice is insufficient.

Weak Infrastructure and the Need for Collaboration

Shawn Surber laments the weaker and less cohesive infrastructure of healthcare providers compared to other industries. Given the increasing number of mergers and acquisitions, healthcare systems are becoming more vulnerable to malicious attacks. Cybercriminals with access to health systems can potentially do much worse than extort money, putting lives at risk by infecting critical devices or shutting down entire systems.

In light of the current challenges, Surber suggests that healthcare providers should organize into a critical infrastructure working group. Such a group would focus on establishing security standards and negotiated pricing for managed services. While this solution would require significant investment due to the large number of providers, it would offer a more proactive approach to cybersecurity. With continuous maintenance, updates, and real-time alerts, healthcare providers could create a future where they are not alone and vulnerable.

The Urgency for Change

The recent cyberattacks targeting plastic surgery offices serve as a glaring example of the broader issue facing healthcare cybersecurity. It is crucial that the industry takes immediate action. Without better protective measures, more stringent regulations, or increased funding, the risk to patient privacy and patient safety remains significant. The threat of cyberattacks on healthcare systems poses a danger beyond financial losses and demands attention from policymakers, healthcare providers, and the public at large.
