Cyber Threat Landscape: The Healthcare Industry


Page 1: Cyber Threat Landscape: The Healthcare Industry

© 2018 Anomali, Inc. All rights reserved.

Sector: Healthcare

Global Oversight: The World Health Organisation (WHO), The European Medicines Agency (EMA), International Medical Device Regulators Forum (IMDRF), Global Harmonization Task Force on Medical Devices (GHTF)

Top Medical Device Suppliers: Baxter, Royal Philips, Siemens, Johnson & Johnson, Medtronic, Stryker, Danaher, Cardinal Health, Fresenius, GE Healthcare [1]

Top Pharmaceutical Suppliers: Johnson & Johnson, Novartis, Roche, Pfizer, Sanofi, Merck, GSK, AstraZeneca, Bayer, Gilead Sciences [2]

[1] https://triteq.com/news/10-largest-medical-device-companies-world/
[2] https://www.pharmaceutical-tech.com/articles/top-10-pharmaceutical-companies-in-the-world
[3] http://fortune.com/global500/

Executive Summary

Organizations in the healthcare industry have been in the news a number of times in recent years as a result of significant cyber attacks. In 2017, WannaCry made global headlines as its impact on the UK’s National Health Service (NHS) became known. Other attacks have seen health records stolen or ransoms paid to keep critical systems online at hospitals. Understanding the nature of the threats to the healthcare industry helps define effective ways to counter them and to prevent them from making future headlines.

The Healthcare Industry

The healthcare industry is worth $9.6 trillion. The latest Fortune Global 500 lists 19 organizations under healthcare, of which the highest grossing include McKesson, UnitedHealth Group, CVS Health, AmerisourceBergen and Cardinal Health [3]. The sector encompasses a number of services: drug and therapy production, medical equipment, distribution, hospitals, clinics and pharmacies, care plans, and insurance. Each of these has its own risk profile and threat landscape. Like many other sectors, healthcare is experiencing a transformation, driven by innovation and disruptive technologies entering the market as well as by changing consumer demand. PwC lists three reasons why the healthcare sector is experiencing such change. First, virtual healthcare is emerging in contrast to standard diagnosis that takes place in person. Second, consumers have higher expectations, and the gap between these expectations and current healthcare experiences has created opportunities for new companies to offer alternative services. Third, there is a growing “wellness and fitness market” related to an increasing consumer desire to prevent chronic conditions [4].

Modernization of Healthcare

The healthcare sector is naturally a highly data-dependent and connected industry. Merlin International and the Ponemon Institute produced a 2018 “Impact of Cyber Insecurity on Healthcare Organizations” study. It showed that while the bulk of healthcare providers have 100 to 500 patient beds, these organizations are using an estimated 10,000 to 100,000 network-connected devices [5]. New technologies like blockchain, artificial intelligence, genomics, and 3-D printing are pushing the frontier for both consumers and healthcare providers. Healthcare wearables, real-time data analytics, and predictive modeling are changing the paradigm of healthcare [6]. Providers such as Groves are even adopting blockchain and accepting crypto payments for medical services [7]. Developments such as these widen the attack surface and consequently present both new opportunities and new challenges for the industry at large.

[4] https://www.pwc.com/gx/en/industries/healthcare/publications/new-entrants.html
[5] https://www.infosecurity-magazine.com/news/healthcare-orgs-under-escalating/
[6] http://www.marketexpress.in/2018/03/cybersecurity-for-connected-healthcare.html
[7] http://www.toinnov.com/news/uk-medical-group-entered-/
[8] https://www.scmagazineuk.com/vanderbilt-university-researchers-claim-breaches-linked-to-patient-deaths/article/753905/
[9] https://www.digitalhealth.net/2018/03/killer-medical-devices-not-just-hype-says-kaspersky/
[10] https://www.timesofisrael.com/medical-imaging-devices-are-vulnerable-to-cyber-attacks-israeli-teams-warns/
[11] https://arxiv.org/abs/1801.05583
[12] https://theconversation.com/why-has-healthcare-become-such-a-target-for-cyber-attackers-80656
[13] http://www.zdnet.com/article/iot-security-warning-cyber-attacks-on-medical-devices-could-put-patients-at-risk/
[14] https://www.raeng.org.uk/publications/reports/cyber-safety-and-resilience
[15] https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack
[16] https://www.independent.co.uk/news/world/americas/petya-cyber-attack-us-pharma-merck-ukraine-ransomware-national-bank-power-wpp-ad-agency-wannacry-nhs-a7810906.html
[17] https://www.fiercepharma.com/manufacturing/merck-says-its-has-restored-most-its-manufacturing-hit-by-cyber-attack
[18] https://www.independent.co.uk/news/uk/home-news/cyber-attacks-uk-nhs-lanarkshire-scotland-hospitals-affected-patients-operations-ransomware-wannacry-a7913896.html

Past Attacks and Campaigns

A researcher at Vanderbilt University claims that more than 2,100 patient deaths are linked to hospital data breaches each year [8]. A leading cyber security analyst at Kaspersky Lab has warned that there is a viable danger of hacked medical devices resulting in patient deaths [9]. Cybersecurity researchers at Ben-Gurion University of the Negev say that medical imaging devices, such as CT scanners, are vulnerable to cyber threats [10][11]. More than 16m patient records were stolen from healthcare organisations in the US and related parties in 2016. That same year healthcare was the fifth most targeted industry for cyber attacks [12]. Connected and implanted medical devices, including cardiac pacemakers, drug administration devices, monitoring devices, infusion pumps, defibrillators, glucometers, and blood pressure measurement devices, can improve patient care. The Cyber Safety and Resilience report highlights that the connectivity inherent in these devices also brings risks [13][14].

Publicly Reported Incidents/Attacks

Advanced Persistent Threat (APT)

• NHS WannaCry attack. [15]

• American pharmaceutical company Merck & Co. hit with NotPetya ransomware (widely reported as Petya at the time). [16][17]

• Scotland’s third-largest NHS trust is appealing for patients not to attend hospital unless it is “essential” amid an ongoing cyber attack. [18]


• A British surgeon supporting doctors in Syria was hacked; the hack may be linked to the attack on the Syrian doctors. [19][20]

• Norway’s specialist Police Security Service (PST) is reported to be investigating intelligence activities against state secrets, following an “advanced and persistent” attack on Health South East RHF on 8 January. The attack appears to have been a concerted and highly professional effort to target electronic patient data, connected to a NATO exercise scheduled for later this year. [21]

• UK Anti-Doping (Ukad) confirmed it was the target of a cyber attack. [22]

• A Chinese advanced persistent threat (APT) actor was spotted using the infamous PlugX malware to target pharmaceutical organizations in Vietnam, aiming to steal drug formulas and business information [23]. The RAT has been used by a number of Chinese-speaking threat actors, including Deep Panda, NetTraveler and Winnti.

• UK firm hacked Buhari’s medical records for Jonathan’s campaign. [24]

• According to federal officials, Iranian hackers used stolen account credentials to access university professors’ accounts and allegedly stole journals, dissertations and electronic books in science and technology, engineering, medical and other fields. [25]

• Iowa-based Primary Health Care notified an undisclosed number of patients that four of its employees’ email and Google Drive accounts had been accessed by an unauthorized individual on Feb. 28. [26]

[19] https://www.independent.co.uk/news/world/middle-east/syria-surgeon-david-knott-skype-whatsapp-help-russia-aleppo-m10-bunker-buster-bomb-a8267071.html
[20] https://www.hackread.com/british-doctor-aptop-was-hacked-aleppo-hospital-airstrike/
[21] https://www.digitalhealth.net/2018/01/norway-healthcare-cyber-attack-could-be-biggest/
[22] http://www.bbc.com/sport/43549652
[23] https://www.infosecurity-magazine.com/news/chinese-apt-takes-aim-at-pharma/
[24] https://www.pmnewsnigeria.com/2018/03/22/how-uk-firm-hacked-buharis-medical-records-for-jonathans-campaign/
[25] http://www.staradvertiser.com/2018/03/23/breaking-news/fbi-iranian-hacked-computers-nationwide-including-hawaii/
[26] https://www.beckershospitalreview.com/cybersecurity/hacked-email-accounts-at-primary-health-care-exposes-some-patients-phi.html
[27] http://www.hcanews.com/news/after-failing-to-fight-data-breach-lawsuit-carefirst-gets-hacked-again
[28] https://www.beckershospitalreview.com/cybersecurity/12-healthcare-privacy-incidents-in-march.html
[29] http://www.healthcareitnews.com/news/email-hack-ati-physical-therapy-breaches-data-35000-patients
[30] http://www.fltimes.com/news/finger-lakes-health-minimal-patient-impact-from-cyber-attack/article_ccad5160-e128-5405-90ea-be84f5545804.htm
[31] https://www.digitalhealth.net/2018/01/hancock-regional-hospital-back-online/
[32] http://www.healthcareglobal.com/technology/cyber-attack-leads-hancock-health-pay-hackers-50000
[33] https://www.beckershospitalreview.com/cybersecurity/12-healthcare-privacy-incidents-in-march.html
[34] ibid.

• A phishing attack might have exposed the information of roughly 6,800 CareFirst members. [27]

• Hackers broke into Baltimore’s computer-assisted dispatch system, which supports the city’s 911 and other emergency calls, causing city officials to revert to manual processes. [28]

• Illinois-based ATI Physical Therapy notified 35,136 patients after several employee email accounts were breached by a hacker. [29]

Cyber Crime

• Finger Lakes Health. [30]

• Hancock Regional Hospital in Indiana infected with SamSam. [31][32]

Insider

• BJC HealthCare in St. Louis notified 33,420 patients that a data server configuration error exposed stored scans of certain documents on the internet without appropriate security controls from May 9, 2017, to Jan. 23, 2018. [33]

• The Kansas Department for Aging and Disability Services notified 11,000 of its consumers that an employee sent an unauthorized email containing their protected health information to a group of KDADS business associates. [34]

• Danville, Pa.-based Geisinger inadvertently exposed the email addresses of nearly 2,000 respondents who completed a customer insights panel survey. [35]

• Memorial Hospital at Gulfport (Miss.) notified 1,500 patients after learning some of their Protected Health Information (PHI) was inadvertently sent, via email, to an outside email address. [36]

• The Mississippi State Department of Health sent letters on March 26 to an undisclosed number of Mississippi residents after it learned that in January an employee had mistakenly emailed an Excel spreadsheet containing patients’ PHI to J Michael Consulting, a CDC contractor. [37]

• Officials from QuadMed, an occupational health and primary care services provider that operates within its clients’ workplaces, confirmed three separate incidents that may have compromised clients’ employees’ PHI. [38]

[35] https://www.beckershospitalreview.com/cybersecurity/12-healthcare-privacy-incidents-in-march.html
[36] ibid.
[37] ibid.
[38] ibid.
[39] ibid.
[40] ibid.

• Two former employees at Orlando-based Florida Hospital, who were tasked with releasing patients’ personal information for medical and business needs, allegedly stole and sold an undisclosed number of patient records between January 2012 and May 2014. [39]

• CareMeridian, which operates subacute care facilities in California, Arizona, Nevada and Colorado, mailed letters to 1,922 individuals after it discovered that an unencrypted disk sent by a third-party associate was lost in the mail. [40]

Hacktivism

[Figure omitted: a screenshot of defacements recorded on domains containing the word “hospital” as of 25 June 2018. Source: Zone-h.org]


Threats to Healthcare

Patient data sells for more money in underground forums because it gives attackers more flexibility than pure financial or card data. Once stolen card details are reported, banks can act immediately to cancel them. With healthcare information, criminals can plan fraud carefully, as victims are less likely to be aware that their data was stolen. Fake identification can be generated, allowing criminals to purchase medical equipment or drugs, or to make insurance claims [41]. Ransomware, which encrypts the target’s files, holds information hostage until the requested ransom payment is made. Within the healthcare industry this type of attack can be especially dangerous, as it could put lives at risk if operations are postponed or critical equipment is no longer usable. In these situations the healthcare provider is under enormous pressure to pay the ransom, which is a strong motivator for criminals to pursue this type of attack.

Conclusions & Recommendations

Targeting healthcare organizations has proven to be a lucrative endeavor for cyber attackers regardless of their means or goals. The private, and usually quite sensitive, data on individuals normally held by healthcare organizations presents opportunities both for attackers looking to obtain the data itself and for attackers looking to leverage its value to the organization through ransomware and data-wiping malware.

System availability for patient processing and care is another angle for attackers to target. Knowing that patients’ lives are potentially on the line creates a timing pressure that is not necessarily present in other verticals.

There are also natural challenges in the healthcare ecosystem that create opportunities for adversaries. Legacy equipment, old operating systems, and obsolete software, often present in healthcare organizations, exacerbate the already tough job of securing a modern enterprise. Some healthcare equipment in use was not designed with security foremost in mind. Basic controls such as support for strong passwords and multi-factor authentication, the ability to apply up-to-date patches, and the closing of unnecessary network ports were not taken into consideration when some of these systems were designed and deployed. The challenge for healthcare organizations is to find ways to protect these systems while allowing them to perform their role in the environment.

[41] https://www.independent.co.uk/life-style/gadgets-and-tech/news/nhs-cyber-attack-medical-data-records-stolen-why-so-valuable-to-sell-financial-a7733171.html

Mitigations for legacy and out-of-support hardware/software situations can include:

• Network isolation: Allow access in and out only to specified hosts on specified ports via an internal firewall. This can be done via a segregated VLAN designed for the purpose or by direct isolation behind a firewall.

• Network Intrusion Detection/Prevention (NIDS/NIPS): If traffic cannot be adequately restricted, consider inspecting traffic into and out of these devices for signs of malicious activity.

• VPN/IPsec: If the host can be configured with IPsec rules or forced to communicate only via host-to-host VPNs, this may be an isolation alternative where network-based firewalls and other solutions are not possible or ideal. Terminating the VPN directly on the protected host has a resource impact on that host. Other VPN-based isolation scenarios avoid this by terminating the VPN off-host and placing the protected host in physical or logical isolation behind the termination point.

• Patches/Firmware updates: When possible, work with the manufacturer to obtain updates and/or approval to apply patches to legacy systems. This is not always possible, especially if the original manufacturer is now defunct or the product is no longer supported, but every vulnerability that can be closed by applying an update reduces the attack surface of these systems.

• Backup/response plans: Should something happen to these systems, having a plan in place to quickly respond and/or shift to alternative means of providing service can limit the impact of attacks on these systems.

The basic idea is to accept that these legacy systems are vulnerable and seek to limit the possible ways open vulnerabilities can be exploited. At a minimum, detect attacks and have a plan to respond.
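The network isolation and NIDS items above describe a policy but not what one looks like on the firewall. The following is an added example and not code from the Anomali report: it models the allow-list for a legacy-device VLAN as data, evaluates candidate connections against it, and renders the same policy as an nftables forward chain with logging on every drop so that probing of the isolated segment is visible. The VLAN, PACS and NTP addresses, the DICOM port and the host roles are assumptions.

```python
"""Allow-list policy for an isolated legacy-device VLAN, rendered as nftables.

Added example; this is not code from the Anomali report. Addresses, ports
and host roles are assumptions: a legacy CT scanner VLAN that may speak
DICOM (tcp/104) to one PACS server and NTP (udp/123) to one time source,
and nothing else in either direction.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR matched as source
    dst: str      # CIDR matched as destination
    proto: str    # "tcp", "udp" or "any"
    dport: int    # destination port, 0 = any
    action: str   # "accept" or "drop"


LEGACY_VLAN = "10.50.0.0/24"   # assumed: the scanners live here
PACS = "10.20.1.10/32"         # assumed: the only DICOM peer
NTP = "10.20.1.5/32"           # assumed: internal time source
ANY = "0.0.0.0/0"

POLICY = [
    Rule(LEGACY_VLAN, PACS, "tcp", 104, "accept"),  # scanner pushes images to PACS
    Rule(LEGACY_VLAN, NTP, "udp", 123, "accept"),   # time sync
    Rule(LEGACY_VLAN, ANY, "any", 0, "drop"),       # no other egress: no Internet, SMB or RDP
    Rule(ANY, LEGACY_VLAN, "any", 0, "drop"),       # nothing may initiate towards the scanners
]


def evaluate(policy, src, dst, proto, dport):
    """Stateless first-match check of a new connection; unmatched traffic is dropped."""
    s, d = ip_address(src), ip_address(dst)
    for r in policy:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and r.proto in ("any", proto) and r.dport in (0, dport)):
            return r.action
    return "drop"


def to_nftables(policy):
    """Render the policy as an nftables forward chain for the internal firewall
    between the legacy VLAN and the rest of the network. Replies to accepted
    connections are allowed by the conntrack rule; drops are logged so that
    probing of the isolated segment shows up in the SIEM."""
    lines = [
        "table inet legacy_isolation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in policy:
        match = []
        if r.src != ANY:
            match.append(f"ip saddr {r.src}")
        if r.dst != ANY:
            match.append(f"ip daddr {r.dst}")
        if r.proto != "any":
            match.append(f"{r.proto} dport {r.dport}")
        verdict = "accept" if r.action == "accept" else 'log prefix "legacy-drop: " drop'
        lines.append("    " + " ".join(match + [verdict]))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_nftables(POLICY))
```

Running the block prints the ruleset, which can be loaded with `nft -f` on the isolation firewall. Keeping the evaluator beside the ruleset turns change control into a test: every request to open a port towards the legacy segment becomes one more Rule plus one more assertion on what must still be dropped.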

Broader recommendations for securing normal resources include the following basic security best practices. These would mitigate, hinder, or provide rapid recovery from most recent attacks in the healthcare sector.

• Patch: Keeping systems patched is perhaps the single most effective defense against most recent attacks. Having a solid plan for efficiently getting patches tested and deployed across the environment can save organizations from a lot of response headaches.

• Multi-Factor Authentication: From a security perspective, multi-factor authentication everywhere would be ideal. In practice that is unlikely in a typical healthcare setting: some systems must be reachable in emergencies, or are isolated in ways that prevent the use of multi-factor solutions. Regardless, broad-access (administrative) accounts should always be protected with some form of multi-factor authentication. This makes it harder for an adversary to turn a single compromised host or a stolen password into access to large parts of the organization, and it blunts malware that spreads by reusing harvested credentials. It does not stop an exploit-driven worm such as WannaCry, which propagated through an unpatched SMB vulnerability without needing any credentials; patching and network segmentation are the controls for that.

• Least Privilege Access Controls: Related to the multi-factor suggestion above, ensuring that standard users are not logging in with administrative credentials hinders the effectiveness of malware and helps prevent rapid spreading. Additionally, it forces adversaries to take extra steps to gain access to critical systems and data; ideally, these extra steps make them more discoverable.

• Network Segmentation: Another way to help prevent rapid spreading and impede lateral movement is to split the internal network into logical and/or physical segments and put controls on the traffic that flows between them. Firewalls and/or intrusion detection or prevention systems can provide controls and visibility between different segments inside the network. Some networks can be isolated altogether from the rest of the internal network where deemed necessary for safety or other reasons.

[42] https://nhisac.org/
[43] https://www.anomali.com/platform/threatstream

• Threat Intelligence: Keeping up with the latest threats to the healthcare industry, as well as sharing and collaborating on observed attacks, is a great way to stay situationally aware and know where to focus defensive efforts. This can take the form of joining a healthcare industry ISAC (Information Sharing and Analysis Center) such as NH-ISAC [42], or simply sharing observed threats over email with peers in the industry. Threat intelligence platforms such as Anomali ThreatStream [43] can also help curate intelligence and facilitate sharing with other organizations.

• Antivirus & IDS/IPS: Having a respectable antivirus client on all endpoints has its benefits and can save the organization from known attacks and some unknown ones. Intrusion detection/prevention systems can provide similar protection from a network perspective. Together these two systems give a fair amount of visibility into events happening on endpoints and across the network, depending on how widely they are deployed in the organization.

• Egress Filtering: Egress filtering, or controlling the types of traffic allowed to leave the organization, is another way to prevent and/or detect malicious activity originating inside the organization. Many servers have no reason to initiate outbound connections to the Internet or to partner networks. Using firewalls or other controls to block, and ideally alert on, attempted outbound connections from these servers is a good deterrent and detection mechanism. Other types of egress filter are also possible, such as blocking outbound traffic to certain services or ports, for example those used for Microsoft file sharing (SMB, tcp/445), which WannaCry used to spread.


• Backups: Having good backups, particularly offline backups, is essential to being able to recover data after destructive or ransomware attacks. Online backups, such as backups to network shares, are good for quick recovery but can also be wiped out during a ransomware or destructive attack.

• Incident Response Plans: Planning ahead for disruptions caused by different types of attack (DDoS, ransomware, destructive attacks, data theft, etc.) reduces the time needed to recover and reduces the uncertainty involved in responding. Developing good incident response plans for these and other scenarios is always a good idea. Plans should be tested periodically to ensure they work and to train team members on their responsibilities during such events.

• Third-Party Testing: Having an outside team perform adversarial simulations against the organization will show what holes exist in current defenses, where detection and response procedures fall down, and what adversaries might truly be capable of against the organization.
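The egress filtering, antivirus/IDS and least-privilege items above all come down to spotting, in connection logs, the two things a compromised host does: call out where it should not, and probe its neighbours. The following is an added example and not code from the Anomali report. It runs two such checks over constructed firewall log lines: servers initiating connections outside the RFC 1918 ranges, and a single source opening tcp/445 to many distinct internal hosts inside a short window, which is the footprint of an SMB worm such as WannaCry. The log format, addresses, server list and thresholds are assumptions.

```python
"""Two detections over firewall connection logs: egress violations and SMB fan-out.

Added example; this is not code from the Anomali report. The log format,
addresses, host roles and thresholds are assumptions, and SAMPLE_LOG is
constructed. Each line is one new connection seen at the internal firewall:
"<epoch_seconds> <src_ip> <dst_ip> <proto> <dport>".
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SERVERS = {"10.20.1.10", "10.20.1.20"}  # assumed: PACS and EHR database; never initiate Internet traffic
FANOUT_THRESHOLD = 5                    # distinct internal tcp/445 targets from one source ...
WINDOW_SECONDS = 60                     # ... within this many seconds

SAMPLE_LOG = """\
1000 10.10.0.5 10.20.1.20 tcp 445
1001 10.10.0.5 10.20.1.10 tcp 104
1005 10.20.1.10 10.20.1.5 udp 123
1010 10.20.1.10 203.0.113.7 tcp 443
1020 10.50.0.7 10.20.2.1 tcp 445
1025 10.50.0.7 10.20.2.2 tcp 445
1030 10.50.0.7 10.20.2.3 tcp 445
1035 10.50.0.7 10.20.2.4 tcp 445
1040 10.50.0.7 10.20.2.5 tcp 445
1045 10.50.0.7 10.20.2.6 tcp 445
1050 10.10.0.6 198.51.100.9 tcp 443
"""


def is_internal(ip):
    """Explicit RFC 1918 check: ipaddress.is_private also treats the
    documentation ranges used in the sample as private, which would hide them."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        events.append((int(ts), src, dst, proto, int(dport)))
    return sorted(events)


def egress_violations(events, servers=SERVERS):
    """Servers that should never initiate connections outside the organisation."""
    return [(ts, src, dst, dport) for ts, src, dst, _, dport in events
            if src in servers and not is_internal(dst)]


def smb_fanout(events, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """For each source, the largest number of distinct internal tcp/445 targets
    seen within any `window`-second span; sources at or above `threshold` are
    returned. A worm spreading over SMB looks like this; a workstation mounting
    one file share does not."""
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport in events:
        if proto == "tcp" and dport == 445 and is_internal(dst):
            by_src[src].append((ts, dst))
    alerts = {}
    for src, hits in by_src.items():
        best = 0
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            best = max(best, len(targets))
        if best >= threshold:
            alerts[src] = best
    return alerts


def run(text=SAMPLE_LOG):
    events = parse(text)
    return {"egress": egress_violations(events), "smb_fanout": smb_fanout(events)}


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings)
```

On the sample the PACS server is flagged for one outbound HTTPS connection and host 10.50.0.7 for touching six internal hosts on 445 within 25 seconds, while the workstation that mounted a single share is not. The same two functions run unchanged over real firewall or NetFlow exports once parse() is adapted; the threshold should be set against a baseline of the site's backup and patch-management servers, which legitimately reach many hosts on 445.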

Information security threats against healthcare have ramped up considerably in recent years. While the impacts of these attacks can be significant in some cases, basic security measures and good cyber hygiene go a long way toward preventing successful attacks in the future. Understanding what attackers are after, and taking steps to protect those assets, is the best place to start.