Recent industry reports highlight a staggering increase in the frequency and severity of these attacks, with healthcare data breach statistics showing that the sector remains one of the most targeted due to the critical nature of its operations.
The Evolution of Cyber Threats: From Data Locking to Patient Harassment
Ransomware in its original form led to an organization’s data being encrypted, and unless the affected organization paid a ransom, the data would be effectively put beyond reach.
Ransomware Cyber Criminal groups would often use phishing emails, stolen credentials, or weaknesses in internet-facing devices (insufficiently patched) to gain a foothold in the organization, and from there, the Ransomware payload could be uploaded and distributed to as many devices as possible (including backup servers) before being triggered.
IT Organizations changed process procedures and technologies to help mitigate this risk. Unfortunately, Cyber Criminals evolved, too. Once blanket encryption failed to continue to yield the financial rewards Cyber Criminals wanted, double extortion became the next iteration.
Before data was encrypted to bring IT operations to a standstill, it would first be exfiltrated (stolen) and stored by Cyber Criminals. The promise was made to delete the data if the ransom was paid (not that there was any way to prove that this was done, “Honor Amongst Thieves?”)
What is Triple Extortion? The New ASC Crisis
Well, the next iteration, known as SWATTING, has arrived. SWATTING was a term used to describe the making of calls to emergency services warning of an impending violent crime to trigger a SWAT Team response, usually targeted at a political figure with whom the caller disagreed.
So why am I discussing these details with ASCs?
This SWATTING attack methodology has been modified for the healthcare space. Instead of calling in the SWAT team, information found in exfiltrated data under the control of Cyber Criminal groups is being used to threaten patients unless the patient pays a ransom.
Healthcare providers are effectively being triple extorted. The options are to
1) Pay, or we will not decrypt your data.
2) We will publish the fact that your patient data has been stolen (including to regulatory bodies like HHS or the SEC), or
3) We will go after your customers and extort them.
This third pillar, direct patient extortion, is particularly devastating for Ambulatory Surgery Centers. When a patient receives a personal text message or email from a hacker threatening to release their surgical history or sensitive photos, the trust between the ASC and the patient is permanently severed. Unlike a typical business, an ASC handles Protected Health Information (PHI) that is uniquely intimate, making it high-value “Information Gain” for attackers.
To compound this, patients are filing class action privacy lawsuits for “negligence” against the healthcare providers whose IT systems were impacted due to the emotional and financial stress caused by the patient’s private healthcare information being stolen.
Protecting this information requires a multi-layered approach to defense. For a deeper dive into practical steps your facility can take today, review these ASC cybersecurity tips to harden your perimeter against these evolving threats.
Why ASCs are Primary Targets for Cyber-Extortionists
In the current threat landscape, smaller healthcare facilities like ASCs are often viewed as “soft targets” compared to large hospital systems. However, they hold the same high-value data. Attackers leverage “living-off-the-land” (LotL) techniques, using legitimate system tools to conduct attacks, which often bypass traditional antivirus software. This makes the “Information Gain” for the attacker high while keeping their “cost of attack” low.
As has been said many times, healthcare data is valuable in many ways, especially to Cyber Criminals.
Beyond just access, the accuracy and reliability of this data are paramount. Understanding what is data integrity in healthcare is essential, as triple extortion often involves threatening to alter or corrupt patient records, which can have life-threatening consequences in a surgical environment.
Proactive Defense: Implementing HPH-CPGs
How, as an ASC, can the risks of data extortion be reduced for the sake of the ASC and their patient’s physical, emotional, and financial well-being?
Recently, HHS (Department of Health and Human Services) published Cybersecurity Performance Goals (HPH CPGs) for healthcare providers. These goals are specifically designed to help facilities prioritize IT security investments. By aligning with these benchmarks, ASCs can demonstrate “due diligence,” which is a critical defense against the aforementioned negligence lawsuits.
For comprehensive guidance on these standards, the HHS Administration for Strategic Preparedness and Response (ASPR) provides essential resources for aligning with national healthcare security expectations.
Furthermore, it is critical to understand how ASCs can leverage Cybersecurity Performance Goals to create a roadmap for long-term resilience. Here is a summary of these essential goals:
- Mitigate Known Vulnerabilities (Operating Systems, Applications, Firmware)
- Email Security (Malware Detection and Quarantining, DMARC)
- Multifactor Authentication (MFA) — Specifically, phishing-resistant MFA is now the gold standard.
- Basic Cybersecurity Training (employees are often considered the weakest link in cybersecurity)
- Strong Encryption (makes stolen data harder to use)
- Revoke Credentials for Departing Workforce Members, Including Employees, Contractors, Affiliates, and Volunteers (in a timely manner)
- Basic Incident Planning and Preparedness (Plan for loss of service)
- Unique Credentials (every employee uses different credentials to compartmentalize the risk)
- Separate User and Privileged Accounts (reduce the number of employees with admin access as an everyday occurrence)
- Vendor/Supplier Cybersecurity Requirements (What are our I.T. vendors doing to protect our data?)
Strengthening the “Human Firewall” and System Architecture
Notice goal #7 mentions “Basic Incident Response Planning and Preparedness.” This should include clear, identified steps about what will be done, by whom, and when. This may involve using a third-party Managed Security Service Provider (MSSP) for ASCs without dedicated staff to fulfill these requirements.
Furthermore, ASCs should look into Zero Trust Architecture (ZTA). A “Never Trust, Always Verify” approach ensures that even if a hacker steals a staff member’s password, they cannot move laterally through the network to reach sensitive patient records.
Security as a Clinical Necessity
Ultimately, patient care must always be the primary motivation; how will this be achieved if IT systems are down?
As these threats become more sophisticated, federal agencies continue to issue warnings about the specific groups leading these campaigns. To stay ahead of the curve, ASC administrators should review the latest Cybersecurity Advisory on Play Ransomware, which provides an in-depth breakdown of the tactics, techniques, and procedures (TTPs) these actors use to infiltrate and exploit healthcare networks.
Stay vigilant.
Don’t miss out on the good stuff – Subscribe to HST’s Blog & Podcast!
Every month we’ll email you our newest podcast episodes and articles. No fluff – just helpful content delivered right to your inbox.