The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are warning health care providers about the Daixin Team. It is a ransomware and data extortion group that is actively targeting US businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.
The new advisory was issued because the FBI Internet Crime Complaint Center (IC3) reported victims were being targeted by the Daixin Team with malware across all 16 critical infrastructure sectors. However, the HPH Sector accounted for 25% of ransomware attacks. According to an IC3 annual report in 2021, 649 ransomware reports were made across 14 critical infrastructure sectors and the HPH Sector accounted for the most reports at 148.
The Daixin Team has been targeting the HPH Sector with ransomware and data extortion operations since at least June 2022. Since then, the Daixin Team cybercrime actors have caused ransomware incidents at multiple HPH sector organizations where they deployed ransomware to encrypt servers responsible for health care services, including electronic health records, diagnostics, imaging, and intranet services, personal identifiable information (PII), and protected health information (PHI). The group also threatened to release the information if a ransom was not paid.
Daixin actors gain initial access to victims through virtual private network (VPN) servers. In one confirmed compromise, Daixon exploited an unpatched vulnerability in the organization’s VPN server, and in another, the group used previously compromised credentials to access a legacy VPN server that did not have multifactor authentication (MFA) enabled. The group is believed to have acquired the VPN credentials using a phishing email with a malicious attachment.
On October 17, 2022, Common Spirit Health, which operates 140 hospitals and more than 1,000 care sites across 21 states, announced it was managing a response to a cyberattack that impacted some of its facilities. On discovering the ransomware attack, the company said, it took immediate steps to protect its systems and contain the incident. It began an investigation and is conducting a thorough forensics investigation and review to determine if there are any data impacts as part of that process, according to the company.
Angie Raymond, JD, LLM, of Associate Professor of Business Law and Ethics at Indiana University’s Kelley School of Business in Bloomington, said it may be time to regulate health entities and the manner in which they store vital health data. The current escalation of cyberattacks suggests that new laws need to be enacted. “Health care organizations tend to store everything in the cloud. It is convenient, but a huge vulnerability. No one is surprised health care is a target,” Raymond said.
HIPAA rules were written many years ago, and they may need to be updated to address new technologies and platforms. Separate from updating HIPAA, new federal legislation may be required. “We certainly need to be doing a lot more,” said Raymond, Adjunct Associate Professor of Law at Maurer Law School in Bloomington, also part of Indiana University. “Merely requiring notice of a breach is not enough in my opinion. We also likely need to encourage less to be stored online, less to be accessible for huge periods of time, and better, more robust security.”
Andrew Tomlinson, Director of Regulatory Affairs at the American Health Information Management Association (AHIMA), said his organization supports the use of new policies to address existing privacy, confidentiality, and security gaps in the protection of health information held by HIPAA non-covered entities. However, he said federal privacy and security baseline standards should be developed for the protection of health information held by data holders outside of the scope of HIPAA.
“Today, health information has never been more valuable to hackers and those looking to profit from its theft,” Tomlinson said. “Throughout the COVID-19 pandemic, we saw exponential increases in attempts to infiltrate and compromise patient health data. The cyber threat landscape continues to evolve daily, with the health care sector facing threats not just from individual hackers but groups like Daixin Team and even foreign governments.”
“Cybersecurity today is more than just ensuring what you are doing is working but also maintaining constant vigilance to anticipate, react, and respond to new threats and vulnerabilities as quickly as possible,” Tomlinson said. It is now recommended that all medical facilities diligently install updates for operating systems, software, and firmware as soon as they are released. The current standard calls for requiring phishing-resistant MFA for as many services as possible.
It is also recommended that employees on a regular basis are updated on how best to recognize and report phishing attempts. “Proactive cybersecurity activities cannot guarantee an organization will not be hacked, but it does help an organization better prepare to provide a rapid response, if it is compromised,” said Tomlinson.
Paul Redding, Vice President of Partner Engagement & Cybersecurity for Compliancy Group, which has corporate headquarters in Greenlawn, New York, said there is an urgent need for a consensus on privacy and security standards in the United States. “The fragmented nature of our security and compliance standards result in confusion and, ultimately, inaction across health care and other critical sectors of our society,” Redding said. “In the absence of a federal framework, we see almost every state in the country voting on legislation to impose cybersecurity and privacy laws locally.” Once these laws are adopted in various states, it may only further complicate the environment. “We have to come together to fight this fight at a national level if we are going to win this war,” Redding said. “Health care data makes up the lion’s share of all data breaches in the United States today. In 2021 alone we saw 314,063,186 personal medical records stolen.”
Most medical providers drastically underestimate the risk they face on a daily basis, making them easy targets for bad actors, according to Redding. In the case of the Daixin Team, he said clinicians are seeing an incredibly sophisticated attack against a sector that is frighteningly unprepared to defend against it. “This one needs to be taken extremely seriously by IT and security teams all across the health care sector,” Redding said.