HHS warns healthcare about Hive ransomware group

The group is relatively new but has targeted the health sector, the agency says. Scores of hospitals have been hit by ransomware and other cyberattacks.

Healthcare organizations are being warned to guard against a ransomware group known as Hive.

The Department of Health and Human Services sent a note to analysts this week. The advisory said that Hive is a relatively new organization, operating only since June 2021.

However, Hive “has been very aggressive in targeting the US health sector,” the HHS Cybersecurity Program advisory said.

Hospitals and healthcare organizations have become frequent targets of cyberattacks in recent years. Already in 2022, more than 100 breaches involving patient records have been reported to the health department.

Ransomware attacks in particular pose serious danger to healthcare organizations because of the threat to patient care, the disruption of services and the costs.

The HHS alert notes that Hive engages in “double extortion,” where attackers breach a healthcare system, steal data and then threaten to release it unless they are paid. Hive also has a data leak site accessible on the dark web, HHS says.

Srinivas Loke, the senior director, product management at Ordr, a cybersecurity company in California, discussed double extortion at the HIMSS Global Health conference last month. “The double extortion technique has become very common when it comes to ransomware,” Loke said.

An FBI alert about Hive issued last August said the group uses tactics that are difficult to combat.

“Hive ransomware uses multiple mechanisms to compromise business networks, including phishing emails with malicious attachments to gain access and Remote Desktop Protocol (RDP) to move laterally once on the network,” the FBI said.

Hive operates “via the ransomware as a service (RaaS) model, which involves them focusing on development and operations of the ransomware and other partners/affiliates to obtain initial access to the victim infrastructure,” the HHS advisory said.

The group often uses phishing to gain access to systems. Some victims get phone calls from Hive to pressure them to pay.

“Like some other ransomware variants, Hive searches victim systems for applications and processes which backup data and terminates or disrupts them,” the HHS alert said.

In a recent interview with Chief Healthcare Executive, Crane Hassold, director of threat intelligence for Abnormal Security, said healthcare groups are especially vulnerable to ransomware attacks for a host of reasons.

“The biggest challenge with healthcare is not just that you have a large number of employees that are doing more important jobs, you also have specialized equipment that is more difficult to keep up with,” he said.

Earlier this year, the HHS and FBI also warned healthcare organizations about another ransomware group known as LockBit.

Cybersecurity experts urge healthcare leaders to do whatever is possible to shore up their defenses. They stress the importance of training employees to be wary of emails from unfamiliar sources and to avoid clicking on links that could be suspicious. Other steps include multi-factor authentication - such as using a password and another code - to access systems.

Experts also stress that healthcare leaders must invest more in cybersecurity or partner with companies that can help improve their defenses.

Federal authorities have also urged healthcare organizations to fortify their security programs in light of Russia’s war with Ukraine, which could lead to other cyberattacks or malware aimed at the health sector.
