
A vulnerability in ChatGPT that was identified last year is being used by would-be cyberattackers to target security flaws in artificial intelligence systems, with the healthcare industry one of the top targets, according to a report from Veriti.
Of the organizations analyzed, 35% are unprotected due to misconfigurations in intrusion prevention system (IPS), Web application firewall (WAF), and firewall settings. This vulnerability, despite being classified as medium severity, has already been weaponized in real-world attacks, the report found.
“No vulnerability is too small to matter,” the authors wrote. “Attackers will exploit any weakness they can find.”
WHAT’S THE IMPACT?
The investigation found that, in a single week, multiple parties made more than 10,000 attack attempts.
Medium-severity vulnerabilities still pose a risk, said Veriti, because security teams often prioritize patching only critical and high-severity vulnerabilities. But attackers exploit whatever works, regardless of ranking, and a once-ignored vulnerability can quickly become a favorite avenue of attack.
The issue has captured the attention of the American Hospital Association, which said that such cyberattacks could lead to data breaches, unauthorized transactions, regulatory penalties and reputational damage for healthcare institutions.
“This could allow an attacker to steal sensitive data or impact the availability of the AI tool,” Scott Gee, AHA deputy national advisor for cybersecurity and risk, said in a statement. “This highlights the importance of integrating patch management into a comprehensive governance plan for AI when it is implemented in a hospital environment. The fact that the vulnerability is a year old and a proof of concept for exploitation has been published for some time is also a good reminder of the importance of timely patching of software.”
Veriti said the next steps for security teams are to check their IPS, WAF, and firewall configurations for protection against CVE-2024-27564, monitor logs for attack attempts from known attacker IPs, and prioritize AI-related security gaps in risk assessments.
THE LARGER TREND
A number of cyberattacks have affected healthcare organizations in recent years. The most notable cyberattack of 2024 was the one that targeted Change Healthcare, which, according to the HIPAA Journal, compromised the protected health information of at least 100 million people.
This represents a third of the population in the United States and makes the data breach the largest known breach at a HIPAA-regulated entity. The previous record was set by Anthem in 2015 in an attack affecting 78.8 million individuals, the report said.
A June 2024 KnowBe4 report showed the global healthcare sector experienced 1,613 cyberattacks per week in the first three quarters of 2023, nearly four times the global average, and a significant increase from the same period the previous year. This surge has contributed to a steep rise in cyberattack costs for healthcare organizations, with the average breach cost nearing $11 million – more than three times the global average – making healthcare the costliest sector for cyberattacks.
Ransomware attacks have dominated, accounting for over 70% of successful cyberattacks on healthcare organizations in the past two years.
Jeff Lagasse is editor of Healthcare Finance News.
Healthcare Finance News is a HIMSS Media publication.