Symantec’s 2018 Internet Security Threat Report (ISTR), which highlights an array of new and emerging threats across all sectors, takes on even greater urgency for organizations in the healthcare industry.
The rapid adoption of digital systems—everything from electronic health records and tablet computers to interconnected medical devices and industrial control systems (ICS)—has created a broad attack surface with countless opportunities for adversaries.
At the same time, health-related data—which includes not just patient data but also financial data, clinical research and intellectual property—is an appealing target for malicious actors.
Unfortunately, the growing complexity of the health IT environment dovetails with the growing sophistication of today’s cyber threats. For this reason, we have leveraged Symantec’s 2018 ISTR and other third-party data to develop a document that highlights four threat trends that will put healthcare organizations at increasing risk in the year ahead, including:
Software Supply Chain Attacks
A supply chain attack exploits the network of an organization’s suppliers. With its high degree of reliance on business associates and partners, this is especially concerning to healthcare providers. Rather than going after a provider directly, a hacker looks for a backdoor—a vulnerability in the systems of a partner that is either connected with or supplies software to that organization.
These attacks work by exploiting the assumption of trust on which supply chains are built, with little defense provided against threats emanating from organizations working within the chain. For example, in January 2018, Hancock Health, in Greenfield, Ind., was hit by the SamSam ransomware. The attacker used compromised credentials of a backup system hardware vendor, infiltrating the backup site first, then penetrating the hospital’s main data center.
In other cases, a hacker implants a piece of malware into an otherwise legitimate software package at its usual distribution location—an effective method for distributing malware into an otherwise well-guarded network.
Supply chain attacks are not new in healthcare. In 2012, the web server of a medical device maker was infected with dozens of viruses, which healthcare providers would download along with device software updates. But these attacks are now happening with increasing frequency, with the 2018 ISTR reporting a 200 percent increase across all sectors for the calendar year 2017.
Internet of Things (IoT) and ICS Attacks
Recent years have brought a convergence of IT and physical environments, with a growing range of non-traditional endpoint devices being connected to the network. Those endpoints—whether medical devices or HVAC systems—often lack mature security measures, leaving them vulnerable to attacks.
These vulnerabilities are of concern to hospitals, where service disruptions can have a direct impact on patients. While losing water service might be an inconvenience in many work environments, it can be deadly in a hospital. Likewise, network connectivity is essential to various devices used to manage and deliver patient care.
Protecting medical devices is especially challenging, given the wide range of technology involved, from bedside monitors and wearable devices to portable or even room-filling diagnostic equipment, as well as homecare systems. The response to an incident involving medical devices—especially those used at the point of care—must be carefully orchestrated out of concern for patient care, and that gives any malware more time to proliferate.
As convergence continues to accelerate, these systems and devices are becoming attractive targets for hackers and cyber adversaries. We saw a 600 percent increase in attacks on IoT and a 29 percent increase in ICS attacks. And in June 2018, the FBI issued a private industry notification about recently attempted cyber attacks on networked ICS/supervisory control and data acquisition (SCADA) systems.
Ransomware
Ransomware was a major issue in 2017 across the public and private sectors, with several high-profile, high-impact attacks involving WannaCry and Petya/NotPetya.
Hospitals have taken different paths in responding to these attacks. For example, Hancock Health, which was hit by SamSam, ended up meeting the ransom demand of approximately $55,000. Erie County Medical Center (Buffalo, N.Y.), which was hit by SamSam in April 2017, decided not to meet the demand; it took 12 days to restore limited system access and six weeks to restore full access.
Still, the news was not all bad. Excluding WannaCry and Petya/NotPetya, ransomware detections remained consistent with the previous year at 1,242 a day. And while WannaCry managed to create great havoc, it was not unstoppable: Symantec blocked more than 5.4 billion WannaCry attacks globally, proof that with appropriate processes and technologies in place even new attack vectors can be prevented.
While the average ransomware cost has been dropping due to an overcrowded market, the dynamics might be a little different in healthcare. The life-and-death nature of hospital operations keeps ransoms higher than in other sectors, according to the Center for Internet Security. Not only that, but hospitals might find themselves targeted specifically by ransomware attacks, rather than just caught up in the more scattershot attacks seen in other industries, as the attacker may want to benefit from a hospital’s need to restore care delivery as soon as possible.
Crypto-Mining and Crypto-Jacking Malware
Crypto-mining and crypto-jacking attacks are an emerging threat that surged late last year and bears watching. The threat is more subtle than other forms of malware, but no less real—especially for healthcare providers.
Rather than seeking to disrupt or destroy systems, as other malicious actors might do, so-called “miners” simply want to hijack an organization’s processing power to support the computing effort required to verify transactions of Bitcoin or other cryptocurrencies. Practically speaking, however, mining activity can degrade the performance of systems or networks or may even lead to system failure.
As noted earlier, medical systems and devices require high availability. On a medical device or another device with low security maturity, for example, even a momentary glitch in performance could disrupt the transmission of vital data or interfere with a critical device function.
Privacy concerns around patient data add another layer of complexity to the risk posed by miners. Late last year, Decatur County General Hospital discovered that a miner was using its electronic health record system. Because the adversary gained access to a system that managed patient health data, the hospital had to notify 24,000 current and former patients of the breach.
While still a nascent field, crypto-mining and crypto-jacking are growing rapidly and seem to be overtaking ransomware as the favored money-making scheme of cyber criminals.
These four threats, analyzed in greater depth in the 2018 ISTR, represent just a few of the challenges facing the healthcare industry. Given the complexity of today’s healthcare environment, and the increasing sophistication of our cyber adversaries, we are likely to see new, even more insidious threats emerge in the coming months and years. We are planning to focus on these areas during a three-part blog series geared towards the healthcare market. If this is of interest to you, check back often.