Stay up to date
Stay up to date with the latest threat reports, articles & mistakes to avoid.
Simple, yet important content.
No salesy pitches and all that, promise!
Security issues in healthcare relate to the safety of hospitals and healthcare service providers’ clinical and administrative information systems. In the last few years, increasing healthcare cyber attacks have been faster than the improvements in IT security controls. This article discusses the security risks affecting hospitals and healthcare providers, followed by the best security practices aimed at improvements. Many of these issues we have observed during internal penetration testing work for our customers.
Cybercriminals quickly adapt to the world around them. For example, during 2020, cybercriminals targeted the healthcare sector with pandemic themed malicious campaigns. It resulted in data breaches and ransomware attacks disrupting business operations. This industry experiences one of the highest numbers of data breaches annually.
Watch this video to learn about the biggest cyber risks for healthcare providers
Watch this video to learn about security best practices for healthcare providers
Cyber security for healthcare – Complexities
Constant activity 24x7x365 within healthcare organisations is inherent to their operating procedures. This organisational complexity adds to the IT operations where devices, equipment and systems require communication with external systems. This extensive mesh of networks & systems, including medical equipment, adds to the complexity of securing the most prized catch for cybercriminals: clinical data.
Data sharing and digital health records sharing between the departments or other units such as surgery centres, facilities, labs, staff stations, patient rooms, pharmacies and external suppliers (third party) are at the core of organisations. Adding MedTech evolution and cloud connectivity to this mix further complicates matters in data collection for various purposes. It expands the boundary of trust by default, and the technical controls needing grip over logical boundaries in a network lack the validation exercise. A good cyber security strategy helps organisations define these boundaries between trusted and untrusted territories, including layered checks before deciding who can access what information.
Healthcare security is a vital component to keep businesses going.
How are attackers compromising hospitals and healthcare networks?
In the underground markets (sometimes referred to as darkweb), Public health Information (PHI) data sells at higher prices compared to PII (Personal Identifiable Information), making it a lucrative opportunity for Cybercriminals. It is one of the reasons the healthcare industry is now the biggest target for cyber attacks.
Apart from phishing campaigns, almost all the attack vectors utilised by cybercriminals target at internet-facing digital assets of an organisation. Attackers target vulnerable and unmonitored internet-facing assets to gain a foothold on the healthcare organisations’ network quickly.
In recent years, the following weaknesses have been exploited heavily by organised crime groups:
- Remote Desktop Protocol (RDP) or Virtual Desktop endpoints
- Insecure configuration of web servers, system management, Electronic Health Record (EHR) software
- Trivial or weak authentication mechanisms such as weak passwords, flawed authentication implementations
- Remote connectivity software product vulnerabilities
- Unsupported platforms such as Windows Server 2003, Windows Server 2008, with weakened security due to the wrong choice of passwords
- Other interesting avenues for attackers during 2020 are vulnerable Microsoft SharePoint servers (CVE-2019-0604), Microsoft Exchange servers (CVE-2020-0688) & Zoho ManageEngine (CVE-2020-10189).
Who poses the biggest threats to healthcare information systems?
- Foreign Intelligence Agencies have offensive security capabilities and may also seek to compromise healthcare information systems to exfiltrate research data, such as NCSC issued APT29 cybercrime group targeting COVID-19 vaccine development efforts globally.
- Insider threats come from employees who may be negligent, unintentional or problematic insiders.
- Phishing attacks utilising phishing and spam emails (unsolicited email with false and hidden information) aimed at stealing sensitive patient information and for monetary gains
- Cybercrime groups carrying out targeted campaigns using social engineering attack techniques to commit identity frauds
- Bot-network operators that control vulnerable system access and trade it illegally on the darkweb for monetary gains that in turn are used for Denial of Service (DoS) attacks, phishing or relaying spam emails.
- Espionage at the industrial, staff or nation-state level to gain a competitive edge.
Biggest healthcare security threats
The attack surface of healthcare organisations is beyond handling phishing or ransomware threats within their organisation. Healthcare security risks involve greater scope, including personnel, digital assets and technologies in use.
Pandemic themed attacks – rise in phishing and ransomware
It is amongst the emerging security threats in healthcare information systems, especially gaining momentum during 2020. There has been increased cybercrime activity across hospitals and the sector during the coronavirus crisis. Cybercriminals have been cashing in using phishing and ransomware attacks on hospitals leading to downtimes affecting patient care. At a higher level, the main subjects exploited are:
- Demand for good such as PPE, disinfectants, masks.
- Vaccine trials, medicine and related factors
- Increased reliance on internet-based connectivity such as teleworking, buying/selling goods
The underlying pattern of these campaigns remains exploitation of increased fear, uncertainty and doubt factor in the general population.
Ransomware attacks are paralysing hospital networks around the globe. These ransomware campaigns include RobbinHood, Maze, PonyFinal, REvil, NetWalker ransomware affecting organisations globally. Precisely, during the pandemic hit 2020, Cybercriminals have been trying to cash in on opportunities. Malicious behaviours detected by blue teams (internal security defence teams) keeping an eye for:
- Malicious PowerShell, Cobalt Strike, Metasploit, Meterpreter or other red teaming tools used.
- Credential theft activities such as suspicious registry modifications, domain controller files movements including NTDS.dit snapshots, access to LSASS (Local Security Authority Subsystem Service) are some of the indicators for internal network compromises.
- Look out for more Indicators of Compromise (IOC) such as unusual outbound internet traffic, privileged user account activities, and database read volumes, unusual DNS requests, web traffic with human behaviour, any device profile changes (mobile, security or network devices).
Implications of ransomware attacks meant decreased services in patient care and emergencies redirected to other hospitals. These consequences to patient safety and data loss threats are a big security concern. Ransomware attack mitigation is sometimes a costly affair, including the dilemmas of whether to pay the ransom or not.
Loss of such Intellectual Property, information exfiltration and loss of patient information or research data are the common threats to the healthcare industry.
The following image from Microsoft shows attack tactics & techniques used by Cybercriminals against healthcare organisations.
Discuss your concerns today
Remote access risks
Remote access is one of the critical IT components for healthcare organisations and hospitals. Increased use of home working led to an increased usage of potentially vulnerable services such as VPN (Virtual Private Networks), increasing threat exposure by many times to organisations and their staff. National agencies such as CISA (Cyber security & Infrastructure Security Agency), NCSC (National Cyber Security Centre) have been issuing joint advisories after observing cybercrime activity across the healthcare sector.
During the coronavirus crisis, significant flaws such as Citrix ADC (CVE-2019-19781), Pulse Secure VPN (CVE-2019-11510) were exploited by threat actors targeting the healthcare sector. Additionally, remote connectivity infrastructure products such as VPNs, load balancers, firewalls were also attacked due to high-risk vulnerabilities associated with the recent versions. Similarly, the lack of mobile device management leads to relaxed restrictions in healthcare, adding to privacy risks and data breach risks. It also means risks related to the use of smartphones to store images or data may lead to privacy breaches, failure of patient consent, lack of patient safety and associated security implications.
Shortcuts to security
- For so many years, it is a commonly misunderstood phenomenon that a quick audit shall help improve an organisations’ security posture. Healthcare organisations using checklist approaches that merely are tick-box exercises provides a false sense of securing hospitals and organisations.
- Inside security-aware organisations where vulnerability management and SIEM are actively in deployment, lack of visibility into clinical networks is another challenge often missing an essential segment of the organisation. It adds to blind faith in realising everything is running smoothly within IT security teams at hospitals.
- It is essential to understand that compliance always does not means secure. Implementing frameworks or regulation is not an incorrect way of deploying security measures; these should involve dimensional gaps covering modern threat landscapes. For example, PCI DSS certified companies got breached and compromised cardholder data.
Without exact alignment within IT security, senior management, and other stakeholders, a proactive approach to cyber security for healthcare is difficult.
Third-Party risk management
Many healthcare organisations have various types of specialised hospital computer systems such as EHR (Electronic Health Record) and EMR (Electronic Medical Record) systems, Practice Management Software used by surgeries to multi-centre hospitals and Master Patient Index (MPI) software. Manufacturers of these business-critical digital assets use different product development models, including third-party or outsourced development teams under pressure for a go-live date. Without much thought around secure coding practices, application security penetration testing or how to securely use legacy components such as vulnerable libraries adds to the risk exposure of underlying assets.
Internet of medical things or healthcare IoT
The Internet of things in the healthcare sector relates to collecting medical devices and applications linked to IT systems. These links are connectivity protocols such as sensor communications via mobile devices, Wi-Fi, Bluetooth and even external networks such as cloud connectivity for data storage and analysis. Examples include smart infusion pumps, smart insulin pens (Gocap, InPen and Esysta) and Continuous Glucose Monitor (CGM). CGMs have smart features to monitor blood glucose levels via wearable tech, mobile applications, and remote monitoring by caregivers. Similarly, connected inhalers and ingestible sensors are other examples of demonstrating how the Internet of Things is making medicine more capable.
Excellent research by ForeScout demonstrates the possibilities of exploiting weaknesses in the healthcare organisations where it was possible to dump patient test results, change the test results and vital readings, even disconnecting device access such as patient monitors.
Although cyber security and data privacy are considered barriers to cloud connectivity adoption, security issues are a valid concern for connected devices. Device manufacturers ignoring security by design principles or failing to address such issues after product releases are valid security concerns for medical device customers. The implication of these risks relates to unauthorised access by third parties and potential data breaches.
Loss of compliance
Lack of cyber security hygiene may lead to a breach of compliance and regulatory requirements. These requirements vary as per the geographic location and standard applicable to the organisations. The primary standards and frameworks known in the healthcare sector are:
- NHS Data Security and Protection Toolkit (DSPT) – An online self-assessment tool by NHS Digital that allows organisations to measure their progress against 10 data security standards. DSPT is a must for any health and care organisation that shares access to patient data, such as NHSmail, the NHS central ‘Spine’ and service providers to NHS. It is leading the change in NHS computer systems security posture, demonstrating data security commitments.
- GDPR Article 9 (GDPR superseded Data Protection Act 1998 in May 2018) relates to the rights of persons concerned by the processing of their data, including health data by health and social care organisations.
- The network and Information Systems (NIS) directive aims to establish a common baseline across the EU. It includes network security measures and incident reporting guidelines for OES (operators of essential services) in CNI (critical national infrastructure), including healthcare providers and digital service providers (DSP).
- France has approved a list of certified hosting providers (Hébergeur De Santé) that offer a certain level of protection for critical data.
- HIPAA (Health Insurance Portability and Accountability Act) provides a framework for protecting personally identifiable health data.
- ISO 27001 or PCI DSS penetration testing results not complying with standards can add to losing or failure in achieving certification for a service provider.
A few risks that commonly found in the past are now decreasing from the healthcare sector threat landscape. These include the use of unsupported operating systems, especially Windows 7 and Windows XP Extended Security Update (ESU) programs and updates around third-party supply chain applications and devices. This change had a rippled effect on the third-party supply chain forced to ensure the compatibility of their applications and devices. Although there are many challenges ahead in the sector, this positive change shows a shift in security maturity for the healthcare sector.
Discuss your concerns today
How to prevent Healthcare cyber attacks?
- To prevent attacks among healthcare organisations, it is important to stress on solid security strategy composed of security by design principles such as the principle of least privilege, defence in depth and zero trust models. Such practices help organisations to ensure that security controls are in place after considering the attack chain and its different phases. When it comes to mitigating risks, different phases involved in a security strategy include:
- Reduce the likelihood with preventive controls
- Reduce the attack impact in case a vulnerability is exploited (such as phishing or unpatched vulnerability on external systems)
- Tactical patching in line with risk-focused approach
- Protecting interconnected systems such as IoT
- Third party risk management such as vendors, suppliers, partners and wider ecosystems
Good security practices – A prescription for healthcare
Reduce the attack likelihood
- Improve security measures around insecure communications and asset exposures. For instance, Health Level 7 (HL7) for transferring clinical and administrative data between various applications by healthcare organisations should not be using clear-text transport channels. Similarly, a thorough review should be conducted around using healthcare information systems protocols such as DICOM, POCT01, LIS02. Any applications with electronic health records should not be exposed to the internet without security reviews.
- Untrusted services should not be allowed to query your internal assets and vice versa. Prevent outbound and inbound permitted access on a need-to-know basis. Perform external and internal network security assessments to find gaps.
- Restricting Removable Media usage adds to limit malware delivery and infection. These restrictions help against SD card readers, USB drives and other removable media that can be used to transfer data or to launch attacks such as bootable disks.
- Segmentation at user, data and network levels would offer classification, control and safeguarding of sensitive patient data. With network segmentation, network traffic can be restricted and filtered between different network zones.
- Ensure secure remote connectivity and perimeter security by patching the exposed systems, utilising multi-factor authentication, employing the least privilege principle, and ensuring separate accounts for privileged tasks.
- Strict user management based on change and approval management processes would ensure accountability for all users. Timely account suspension, deletion or modifications demonstrate good security practices reducing the likelihood of account misuse.
- Randomise local administrator passwords using LAPS (Local Administrator Password Solution) by Microsoft, review high privilege active directory group memberships such as Domain Admins, Enterprise Admins, Built-in Administrator groups.
All the issues mentioned above and additional checks are covered under security services such as healthcare penetration testing, vulnerability scanning and application security assessments. Sometimes in-depth penetration testing exercises are also aligned with regulatory requirements as part of compliance security assessments.
Reduce the attack impact
- Isolate compromised endpoints in your network where command and control beacons or other lateral movements have taken place. These endpoints can be detected using IOCs or hunting queries through SIEM or other data flow sources. Understandably not all healthcare IT teams have this level of security expertise. Take action on the following items and prioritise investigation and remediation without changing the system state.
- Restrict access to only those functions that are critical for devices to connect to the primary environment. Removing access to services is pivotal to avoid the impact and improve detection chances.
- Network zoning to help reduce the malware infection across the entire estate. It is also the answer to why different segments are essential for easy flow control of sensitive data and infections.
- Anti-malware Capabilities in place offer early warning signs of endpoint infection. It is not a catch-all solution; this is one of the most preventative approaches in line with defence depth.
- A handy incident response plan would help with a timely response to security events. It would help limit the cyber attack damage in the event of a breach to decide on the next steps quickly than without a plan.
Tactical patch management
Often called ‘basics’ of a proactive approach towards cyber security, patching is one of the most important priorities for any IT security team. Yet we see so many organisations falling victim to remote exploits or privilege escalation issues paving the way for compromises.
Vulnerability management solutions or any patch auditing software may come up with hundreds of vulnerabilities that can be an overwhelming task. In an ideal world full of best security practices, or at the least in the articles, we often read about patching automation and patching everything! However, in practice, it isn’t always that easy. Patching should involve assessing and prioritising vulnerabilities and using defence-in-depth tactics to manage your operational risks, reduce ways to exploit attacks with secure architecture and configuration, backup your business-critical data along with logging and monitoring processes in place.
Medical devices security best practices
A medical device could be a network-connected MRI scanner, handheld monitoring and syringe drivers and other smart devices connected to the network. Since the massive increase in NHS cyber security improvement efforts (2017/2018), NHS digital have issued base guidance on protecting medical devices that include mobile devices, scanners, imaging equipment and any other devices utilising network connectivity. It applies to any network connected device. Broadly, this guidance involves the medical device security best practices irrespective of the connected device’s operating system.
- Identify all the devices across the estate that should act as inventory with device information, operating system, IP, location, etc. This network topology shall form the base for all discussions in the future.
- Create a risk mitigation plan based on reducing the likelihood of an attack and reducing the compromise in case of an attack
- Apply mitigations to reduce the attack likelihood and impact of an attack
- Understand third party connections that are utilising untrusted devices within the network or utilising trusted (organisation owned) assets within your network and perform security validation exercises
- Review your estate periodically or upon changes (new suppliers, new technology, asset changes or infrastructure upgrades) whichever sooner
- Perform independent medical device pen testing and security assessments to identify weaknesses before threat actors leverage such vulnerabilities.
Third-Party risk management
Like an internal network, there is always room for improvement, and you can never put a marker on perfection.
- It’s essential to consider overall changes to the current IT estate how new products or the introduction of services will affect the organisation. This evaluation exercise should help make informed decisions around whether you are taking on undue risk or a right partner with plans in mind.
- Introducing security and privacy risk assessments as part of the procurement process for a new information system would offer a holistic view of the situation early in the asset lifecycle process.
- Third-party security validations provide cyber security assurance against your third-party approach. As a base, standard data protection and risk assessment frameworks such as SOC compliance audits are a good start.
For a moment, keeping information security aside, 2020 has shown us the importance of health and health care systems in our society. With the technical advancements, we realise this importance in the digital world and add trust based on verification for healthcare providers to operate safely and securely.
Like we discussed above, it is important to understand your attack surface exposure before applying the bandage. Just deploying a few devices here and there would only exacerbate the problem.
Know your data, Hack yourself, Train yourself, Secure your partners and vendors.
And rinse and repeat.
Improvements in the security posture have been on the rise since WannaCry, NotPetya and other global ransomware incidents; however, these incidents are not needed as a wakeup call and can be avoided. Cyber security is an ongoing improvement, and healthcare organisations should ensure a risk focussed prioritised approach to increase the cyber security maturity of their estate. A holistic approach involves people, process and technology to work in a layered manner. Aligning cyber security to act as an enabler for business growth is less costly in the long term. It starts with identifying gaps, analysing the risks and remediating those risks to provide a safe and secure environment for users. Get in touch for a non-salesy chat for your primary security concerns.