Stay up to date
Stay up to date with the latest threat reports, articles & mistakes to avoid.
Simple, yet important content.
No salesy pitches and all that, promise!
Security threats in healthcare relate to safety of the clinical and administrative information systems of hospitals and healthcare service providers. Increasing cyber attacks on healthcare organisations in the last few years have been faster than the improvements in healthcare cybersecurity practices. In this article, we discuss the cyber security threats and vulnerabilities of hospitals and healthcare providers, followed by best security practices aimed at improving security posture.
Cybercriminals quickly adapt to the world around them. For example, during 2020, cybercriminals targeted healthcare sector with pandemic themed malicious campaigns. It resulted in healthcare data breaches and ransomware attacks disrupting business operations. Healthcare industry experiences one of the highest numbers of data breaches annually.
Healthcare Sector Complexities
Constant activity 24x7x365 within healthcare organisations is inherent to their operating procedures. This organisational complexity adds to the IT operations where devices, equipment and systems require communication with external systems. This extensive mesh of networks & systems, including medical equipment, adds to the complexity of securing the most prized catch for cybercriminals: clinical data.
Data sharing and digital health records sharing between the departments or other units such as surgery centres, facilities, labs, staff stations, patient rooms, pharmacies and external suppliers (third party) are at the core of healthcare organisations. Adding MedTech evolution and cloud connectivity to this mix further complicates matters in data collection for various purposes. It expands the boundary of trust by default and the technical controls needing grip over logical boundaries in a network lack the validation exercise. A good cybersecurity strategy helps healthcare organisations define these boundaries between trusted and untrusted territories including layered checks before deciding who can access what information.
Healthcare security is a vital component to keep businesses going.
How are attackers compromising hospitals and healthcare networks?
In the underground markets (sometimes referred to as darkweb), Public health Information (PHI) data sells at higher prices compared to PII (Personal Identifiable Information) making it a lucrative opportunity for Cybercriminals. It is one of the reasons healthcare is now the biggest target for cyber attacks.
Apart from phishing campaigns, almost all the attack vectors utilised by cybercriminals target at internet-facing digital assets of an organisation. Attackers target vulnerable and unmonitored internet-facing assets to gain a foothold on the healthcare organisations’ network quickly.
In recent years, the following weaknesses have been exploited heavily by organised crime groups:
- Remote Desktop Protocol (RDP) or Virtual Desktop endpoints
- Insecure configuration of web servers, system management, Electronic Health Record (EHR) software
- Trivial or weak authentication mechanisms such as weak passwords, flawed authentication implementations
- Remote connectivity software product vulnerabilities
- Unsupported platforms such as Windows Server 2003, Windows Server 2008, with weakened security due to the wrong choice of passwords
- Other interesting avenues for attackers during 2020 are vulnerable Microsoft SharePoint servers (CVE-2019-0604), Microsoft Exchange servers (CVE-2020-0688) & Zoho ManageEngine (CVE-2020-10189).
Who poses the biggest threats to healthcare data?
- Foreign Intelligence Agencies have offensive security capabilities and may also seek to compromise healthcare information systems to exfiltrate research data such as NCSC issued APT29 cybercrime group targeting COVID-19 vaccine development efforts globally.
- Insider threats come from employees who may be negligent, unintentional or problematic insiders.
- Phishing attacks utilising phishing and spam emails (unsolicited email with false and hidden information) aimed at stealing sensitive information and for monetary gains
- Cybercrime groups carrying out targeted campaigns using social engineering attack techniques to commit identity frauds
- Bot-network operators that control vulnerable system access and trade it illegally on darkweb for monetary gains that in turn are used for Denial of Service (DoS) attacks, phishing or relaying spam emails.
- Espionage at industrial, staff or nation-state level to gain competitive edge.
Biggest healthcare security threats
Attack surface of healthcare organisations is beyond handling phishing or ransomware threats within their organisation. Cybersecurity risks to healthcare organisations involve greater scope including personnel, digital assets and technologies in use.
Pandemic Themed Attacks – Rise in Phishing and Ransomware
It is amongst the emerging threats in healthcare, especially gaining momentum during 2020. There has been increased cybercrime activity across hospitals and healthcare sector during the coronavirus crisis. Cybercriminals have been cashing in using phishing and ransomware attacks on hospitals. At higher level, the main subjects exploited are:
- Demand for good such as PPE, disinfectants, masks.
- Vaccine trials, medicine and related factors
- Increased reliance on internet-based connectivity such as teleworking, buying/selling goods
The underlying pattern of these campaigns remains exploitation of increased fear, uncertainty and doubt factor in the general population.
Ransomware attacks are paralysing hospital networks around the globe. These ransomware campaigns include RobbinHood, Maze, PonyFinal, REvil, NetWalker ransomware affecting organisations globally. Precisely, during the pandemic hit 2020, Cybercriminals have been trying to cash in on opportunities. Malicious behaviours detected by blue teams (internal security defence teams) keeping an eye for:
- Malicious PowerShell, Cobalt Strike, Metasploit, Meterpreter or other red teaming tools used.
- Credential theft activities such as suspicious registry modifications, domain controller files movements including NTDS.dit snapshots, access to LSASS (Local Security Authority Subsystem Service) are some of the indicators for internal network compromises.
- Look out for more Indicators of Compromise (IOC) such as unusual outbound internet traffic, privileged user account activities, and database read volumes, unusual DNS requests, web traffic with human behaviour, any device profile changes (mobile, security or network devices).
Implications of ransomware attacks meant that some patients had been turned away and emergencies redirected to other hospitals. Ransomware attack mitigation is sometimes a costly affair, including the dilemmas whether to pay the ransom or not.
Loss of such Intellectual Property, information exfiltration, loss of patient information or research data are common threats to healthcare.
The following image from Microsoft shows attack tactics & techniques used by Cybercriminals against healthcare organisations.
Discuss your concerns today
Remote Access Risks
Remote access is one of the critical IT components for healthcare organisations and hospitals. Increased use of home working led to an increase in usage of potentially vulnerable services such as VPN (Virtual Private Networks), increasing threat exposure by many times to organisations and their staff. National agencies such as CISA (Cybersecurity & Infrastructure Security Agency), NCSC (National Cybersecurity Centre) have been issuing joint advisories after observing cybercrime activity across the healthcare sector.
During the coronavirus crisis, significant flaws such as Citrix ADC (CVE-2019-19781), Pulse Secure VPN (CVE-2019-11510) were exploited by threat actors targeting the healthcare sector. Additionally, remote connectivity infrastructure products such as VPNs, load balancers, firewalls were also attacked due to high-risk vulnerabilities associated with the recent versions. Similarly, the lack of mobile device management leads to relaxed restrictions in healthcare, adding to privacy risks and data breach risks. It also means risks related to the use of smartphones to store images or data may lead to privacy breaches, failure of customer (patient) consent or other security implications.
Shortcuts to Security
- For so many years, it is a commonly misunderstood phenomenon that a quick audit shall help improve an organisations’ security posture. Healthcare organisations using checklist approaches that merely are tick-box exercises provides a false sense of securing hospitals and healthcare organisations.
- Inside security-aware organisations where vulnerability management and SIEM are actively in deployment, lack of visibility into clinical networks is another challenge often missing an essential segment of the organisation. It adds to blind faith in realising everything is running smoothly within IT security teams at hospitals.
- It is essential to understand that compliance always does not means secure. Implementing frameworks or regulation is not an incorrect way of deploying security measures; these should involve dimensional gaps covering consider modern threat landscapes. For example, PCI DSS certified companies got breached and compromised cardholder data.
Without exact alignment within IT security, senior management and other stakeholders, a proactive approach to cybersecurity is a difficult challenge.
Third-Party Risk Management
Many healthcare organisations have various types of specialised hospital information systems such as EHR (Electronic Health Record) and EMR (Electronic Medical Record) systems, Practice Management Software used by surgeries to multi-centre hospitals and Master Patient Index (MPI) software. Manufacturers of these business-critical digital assets use different product development models including third party or outsourced development teams under pressure for a go-live date. Without much thought around secure coding practices, application security penetration testing or how to securely use legacy components such as vulnerable libraries adds to the risk exposure of underlying assets.
Internet of Medical Things or Healthcare IoT
Internet of things in healthcare sector relates to the collection of medical devices and applications linked to healthcare IT systems. These links are connectivity protocols such as sensor communications via mobile devices, Wi-Fi, Bluetooth and even external networks such as cloud connectivity for data storage and analysis. Examples include devices such as smart infusion pumps, smart insulin pens (Gocap, InPen and Esysta) and Continuous Glucose Monitor (CGM). CGMs have smart features to monitor blood glucose levels via wearable tech, mobile applications and allowing remote monitoring by caregivers. Similarly, connected inhalers and ingestible sensors are other examples of demonstrating how the Internet of Things is making medicine more capable.
Excellent research by ForeScout demonstrates the possibilities of exploiting weaknesses in the healthcare organisations where it was possible to dump patient test results, change the test results and vital readings, even disconnecting device access such as patient monitors.
Although cybersecurity and data privacy is considered as a barrier to cloud connectivity adoption, security threats are a valid concern for connected devices. Device manufacturers ignoring security by design principles or failing to address such issues after product releases is a useful security concern for device customers (healthcare organisations). The implication of these risks relates to unauthorised access by third-parties and potential data breaches.
Loss of compliance
Lack of cybersecurity hygiene may lead to a breach of compliance and regulatory requirements. These requirements vary as per the geographic location and standard applicable to the organisations. The primary standards and frameworks known in the healthcare sector are:
- NHS Data Security and Protection Toolkit (DSPT) – An online self-assessment tool by NHS Digital that allows healthcare organisations to measure their progress against 10 data security standards. DSPT is a must for any health and care organisation that shares access to patient data, organisations such as NHSmail, the NHS central ‘Spine’ and service providers to NHS. It is leading the change in NHS cybersecurity posture demonstrating data security commitments.
- GDPR Article 9 (GDPR superseded Data Protection Act 1998 in May 2018) that relates to the rights of persons concerned by the processing of their data, including health data by health and social care organisations.
- Network and Information Systems (NIS) directive is aimed at establishing a common baseline across the EU. It includes security measures and incident reporting guidelines for OES (operators of essential services) in CNI (critical national infrastructure) including healthcare providers and digital service providers (DSP).
- France has approved a list of certified hosting providers (Hébergeur De Santé) that offer a certain level of protection for critical healthcare data.
- HIPAA (Health Insurance Portability and Accountability Act) provides a framework for the protection of personally identifiable health data.
- ISO 27001 or PCI DSS penetration testing results not complying to standards can add to losing or failure in achieving certification for a healthcare service provider.
A few risks that commonly found in the past are now decreasing from the healthcare sector threat landscape. These include the use of unsupported operating systems, especially Windows 7 and Windows XP Extended Security Update (ESU) programs and updates around third-party supply chain applications and devices. This change had a rippled effect on the third-party supply chain forced to ensure the compatibility of their applications and devices. Although there are a lot of challenges ahead in the healthcare sector, this is a positive change showing a shift in security maturity for the healthcare sector.
Discuss your concerns today
Good security practices – A prescription for healthcare
Reduce the attack likelihood
- Improve security measures around insecure communications and asset exposures. For instance, the use of Health Level 7 (HL7) for transfer of clinical and administrative data between various applications by healthcare organisations should not be using clear-text transport channels. Similarly, a thorough review should be conducted around the use of healthcare information systems protocols such as DICOM, POCT01, LIS02. Any applications with electronic health records should not be exposed to the internet without security reviews.
- Untrusted services should not be allowed to query your internal assets and vice versa. Prevent outbound and inbound permitted access on a need-to-know basis. Perform external and internal network security assessments to find gaps.
- Restricting Removable Media usage adds to limit the malware delivery and infection. These restrictions help against the use of SD card readers, USB drives and other removable media that can be used to transfer data or to launch attacks such as bootable disks.
- Segmentation at user, data and network levels would offer classification, control and safeguarding of sensitive data. With network segmentation, network traffic can be restricted and filtered between different network zones.
- Ensure secure remote connectivity and perimeter security by patching the exposed systems, utilising multi-factor authentication, employing the least privilege principle and ensuring the use of separate accounts for privileged tasks.
- Strict user management based on change and approval management processes would ensure accountability for all users. Timely account suspension, deletion or modifications demonstrate good security practices reducing the likelihood of account misuse.
- Randomise local administrator passwords using LAPS (Local Administrator Password Solution) by Microsoft, review high privilege active directory group memberships such as Domain Admins, Enterprise Admins, Built-in Administrator groups.
All the issues mentioned above and additional checks are covered under healthcare security services such as penetration testing, vulnerability scanning and application security assessments. Sometimes in-depth penetration testing exercises are also aligned with regulatory requirements as part of compliance security assessments.
Reduce the attack impact
- Isolate compromised endpoints in your network where command and control beacons or other lateral movements have taken place. These endpoints can be detected using IOCs or hunting queries through SIEM, or other data flow sources. Understandably not all healthcare IT teams have this level of security expertise. Take action on the following items and prioritise investigation and remediation without changing system state.
- Restrict access to only those functions that are critical for devices to connect to the primary environment. Removing access to services is pivotal to avoid the impact and improve detection chances.
- Network zoning to help reduce the malware infection across the entire estate. It is also the answer to why different segments are essential for easy flow control of sensitive data and infections.
- Anti-malware Capabilities in place offer early warning signs of endpoint infection. It is not a catch-all solution; this is one of the most preventative approaches in line with defence in depth principle.
- A handy incident response plan would help with a timely response to security events. It would help limit the cyber attack damage in the event of a breach to decide on the next steps quickly than without a plan.
Tactical Patch Management
Often called ‘basics’ of a proactive approach towards cybersecurity, patching is one of the most important priorities for any IT security team. Yet we see so many organisations falling victim to remote exploits or privilege escalation issues paving the way for compromises.
Vulnerability management solutions or any patch auditing software may come up with hundreds of vulnerabilities that can be an overwhelming task. In an ideal world full of best security practices or at the least in the articles, we often read about patching automation and patching everything! However, in practice, it isn’t always that easy. Patching should involve assessing and prioritising vulnerabilities and using defence in-depth tactics to manage your operational risks, reduce ways to exploit attacks with secure architecture and configuration, backup of your business-critical data along with logging and monitoring processes in place.
Protecting Medical Devices
A medical device could be network-connected MRI scanner, handheld monitoring and syringe drivers and other smart devices connected to the network. Since the massive increase in NHS cybersecurity improvement efforts (2017/2018), NHS digital have issued base guidance on the protection of medical devices that also includes mobile devices, scanners, imaging equipment and any other devices utilising network connectivity. It applies to any network connected medical device. Broadly, this guidance involves the following steps irrespective of the connected device’s operating system.
- Identify all the devices across the estate that should act as inventory with device information, operating system, IP, location, etc. This network topology shall form the base for all discussions in the future.
- Create a risk mitigation plan based on reducing the likelihood of an attack and reducing the compromise in case of an attack
- Apply mitigations to reduce the attack likelihood and impact of an attack
- Understand third party connections that are utilising untrusted devices within the network or utilising trusted (organisation owned) assets within your network and perform security validation exercises
- Review your estate periodically or upon changes (new suppliers, new technology, asset changes or infrastructure upgrades) whichever sooner.
Third-Party Risk Management
Just like an internal network, there is always a room for improvement, and you can never put a marker on perfection.
- It’s essential to consider overall changes to the current IT estate how new products or the introduction of services will affect the organisation. This evaluation exercise should help make informed decisions around whether you are taking on undue risk or a right partner with plans in mind.
- Introducing security and privacy risk assessments as part of the procurement process for a new information system would offer a holistic view of the situation early in the asset lifecycle process.
- Third-party security validations provide cybersecurity assurance against your third-party approach. As a base, standard data protection and risk assessment frameworks such as SOC compliance audits are a good start.
For a moment, keeping cybersecurity aside, 2020 has shown us the importance of health and health care systems in our society. With the technical advancements, we realise this importance in the digital world and add trust based on verification for healthcare providers to operate safely and securely.
Like we discussed above, it is important to understand your attack surface exposure before applying the bandage. Just deploying a few devices here and there would only exacerbate the problem.
Know your data, Hack yourself, Train yourself, Secure your partners and vendors.
And, rinse and repeat.
Improvements in the security posture have been on the rise since WannaCry, NotPetya and other global ransomware incidents; however, these incidents are not needed as a wakeup call and can be avoided. Cybersecurity is an ongoing improvement, and healthcare organisations should ensure a risk focussed prioritised approach to increase the cybersecurity maturity of their estate. A holistic approach involves people, process and technology to work in a layered manner. Aligning cybersecurity to act as an enabler for business growth is less costly in the long term. It starts with identifying gaps, analysing the risks and remediating those risks to provide a safe and secure environment for users. Get in touch for a non-salesy chat for your primary security concerns.