We instinctively grasp the ocean’s depth, and the difference between surfing waves, offshore snorkeling and deep diving. Most of us are hardly aware that the World Wide Web works in the same way. Though a random Google search can return seemingly endless results, surfing this vast accessible data is just scratching the surface. In fact, the visible online content is called the surface web, and it comprises just 0.03% to 10% of the internet. Beneath this surface lies the deep web, which contains “non-indexed” content, or content that is protected and cannot be accessed through search engines. The deep web, accounting for about 95% of the internet, includes mostly benign sites that require authentication, such as private email accounts or data from subscription services.
The dark web lies within the deep web, as a small and very different section. It is inaccessible through traditional browsers and search engines, often encrypted and designed to be anonymous, rendering it a perfect breeding ground for illegal activities. Marketplaces within the dark web offer stolen data, drugs and firearms, while terrorist communication has likewise benefited from going dark. Nonetheless, the dark web is not solely leveraged for illicit purposes, but has also been utilized by whistleblowers and investigative journalists in protecting confidential sources.
Health organizations are a prime target
A recent cyberattack in the UK led to the leak of 400GB of private medical data across several NHS London hospitals. The attack on Synnovis, a pathology company that analyzes blood tests for the NHS, was reportedly carried out earlier this month by the Russian group Qilin, initially looking to extort money. Since the hacking, appointments have been cancelled, overall services interrupted and planned surgeries postponed. Yesterday (June 21), however, the BBC revealed that Qilin not only disrupted ongoing healthcare operations, but actually shared private patient data on their dark net site, possibly suggesting the demanded ransom has not been paid.
This latest UK attack is far from an isolated case. Andrew Witty, the CEO of UnitedHealth Group, a top-10 Fortune 500 company (operating Optum and ChangeHealthcare), confirmed last month that the company paid a $22M ransom in an attempt to protect stolen patient data. Cyberattacks are particularly on the rise in the healthcare industry, with an 11% surge in 2023 compared to the previous year, whereas overall attacks have increased by 3%, according to a Check Point report.
When a journalist asked Willie Sutton, the infamous American bank robber, why he targeted banks, he replied “because that’s where the money is.” Whether he actually said this or not, it later transformed into Sutton’s Law, a term used in medical schools to educate young physicians to first consider the most obvious diagnosis (rather than the rare one). Somewhat ironically, this seems to be the current answer to the healthcare-targeted cyberattacks as well. According to a CNBC source, medical records are priced at $60 on the dark web, whereas a social security number sells for $15 and a credit card for $3.
Patient data are used for general identity theft and medical identity theft, where expensive services are billed fraudulently. Ransomware attacks are also prevalent: hackers steal and encrypt medical data, holding them hostage and thus disrupting core operations, while promising to decrypt the data and allow healthcare organizations to regain access to their systems if a ransom is paid. Alternatively (or in addition), hackers threaten to leak data (such as identifying details and sensitive medical information) if payment is not transferred.
Healthcare institutions, such as hospitals, are appealing to hackers for several reasons: they hold diverse data (medical, personally identifiable and financial data); their ongoing operation is critical, so disrupting it causes mayhem and life-threatening consequences; and they often use a complex network of outdated legacy systems, which are more vulnerable to attacks, while dealing with limited financial resources to upgrade security.
Given these vulnerabilities, health-oriented cybersecurity solutions are crucially required, and should be enforced by regulation and financially encouraged. Healthcare organizations are generally known to be late tech adopters, with innovative solutions generally taking time to implement in everyday clinical practice. Innovative cybersecurity solutions cannot fall into the same category, as there is no acceptable status quo to maintain, but only an hourglass until the next attack.