Cybersecurity in Healthcare Sector: How to Tackle the Evolving Threat Landscape

Healthcare is the most targeted sector for cyber crimes due to the presence of abundant sensitive information. With digitization and increase in automation, protecting the privacy of patients, ensuring information security and securing IT infrastructure is becoming a daunting task. Hence, in order to proactively mitigate cyber risks, it’s paramount to understand key assets to be defended, healthcare system vulnerabilities and possible impacts. Along with these, capabilities of potential adversaries also need to be identified to better evaluate threats.

This report aims to provide an overview of important assets of medical facilities, threats provided by the healthcare sector and possible mitigation steps.

Types of adversaries who target healthcare sector

Hacktivists

They are politically motivated and only target systems belonging to organizations that either are opposed to their hacktivist agenda or are popular enough to gain media attention to propagate their propaganda.

For instance, in March 20, 2014, the Anonymous hacker group threatened Boston Children’s Hospital in response to the diagnosis and treatment of a 15-year-old girl who had been removed from her parent’s care. In the following weeks, multiple attacks have been repealed to prevent data theft.

Common attack technique: Hacktivists predominantly launch DDoS attacks to overload the server with fake traffic and halt an organization’s operations. The most common tools used to launch such attacks are Low-Orbit-Ion-Cannon (LOIC) and High-Orbit-Ion-Cannon (HOIC). These tools simulate fake visitor traffic on a website until it crashes and prevents it from recovering from the crash until the attack is halted.

Mitigation: Many commercial firewalls have the ability to block LOIC, but more advanced tools are needed to detect HOIC.

Cybercriminals

Cyber criminals, also known as hackers, often use computer systems to gain access to business trade secrets and personal information for malicious and exploitive purposes. Hackers are extremely difficult to identify on both an individual and group level due to their various security measures--such as proxies and anonymity networks--which distort and protect their identity. Cyber criminals use more ruthless methods to achieve their objectives and their proficiency of attacks is expected to advance as they continue to develop new methods for cyber attacks.

Common attack technique: DDoS attacks and ransomware attacks are used to threaten healthcare organizations and extort money. Cybercriminals are also capable of designing and deploying custom malware against specific targets.

Mitigation: To thwart ransomware attacks, organizations need to keep creating regular backups of sensitive data.

Cyber terrorists

They target systems in order to disrupt or destroy a service that is critical to the activities of an organization. The main cyber terrorist group currently impacting organizations is the cyber division of ISIS, Cyber Caliphate.

Nation State actors

These groups launch extensive cyberwarfare campaigns against organizations belonging to foreign governments. When it comes to healthcare sector, the Chinese nation state threat group dubbed Deep Panda has been launching attacks on healthcare organizations since 2012. The group launched attacks on Deep Panda has attacked VAE, Anthem, Empire Blue Cross Blue Shield, and Premera--in the United States healthcare sector.

Common attack technique: Deep Panda often uses the Sakurel Trojan, the Hurix Trojan, and the Mivast backdoor--developed by the group itself-to launch attacks. The malware spreads through droppers that appear to be legitimate software applications such as Adobe Reader, Juniper VPN, and Microsoft ActiveX Control.

Top Malware used to compromise healthcare institutions

VBS/Agent.LKY!tr

The trojan performs activities--such as collecting system information, downloading/uploading files, capturing keystrokes, launch denial-of-service (DoS) attacks, initiate/terminate processes, and establish remote access connections--without the user’s knowledge.

VxWorks.WDB.Agent.Debug.Service.Code.Execution

This malware affects VxWorks--an operating system for embedded devices like CT/PET/X-ray instrumentation, infusion pumps etc. The vulnerability in VxWorks was discovered in 2010, but it is widely believed that not all systems have patched the bug.

WITCHCOVEN

This is a profiling script design commonly used by APT actors to gather information, including operating systems, browsers, and applications installed in the systems of site visitors. This information is in turn used to profile computer systems and organizations.

XtremeRAT

This Remote Access Tool (RAT) is publicly available and is capable of manipulating processes and services, capturing data, interacting with Windows registry, and downloading/uploading files.

Gh0stRat

Another publicly-available RAT that can enable webcam, capture audio and video, manipulate files and processes etc.

ChinaChopper

A small webshell that allows unauthorized users gain access to an information system using a simple password for authentication. It is also capable of executing Microsoft .NET code within HTTP POST commands.

PingBed

This trojan is capable of executing/killing files, command lines and return results. This malware uses social engineering techniques to trick users into opening malicious zip or rar interface.

CONFICKER

The CONFICKER worm exploits vulnerabilities in removable drives and network shares. It can disable security settings, reset system restore points and delete backup files.

Powessere (aka Poweliks)

Powessere is a file-less malware that exists within the Windows registry and often uses phishing emails with Canada Post or USPS themes and Microsoft Office exploits to spread. The malware executes in various stages with an encoded JavaScript stored in an auto-run key. Once installed, a memory-resident dynamic-link library collects basis system information and downloads additional malware.

Jenxcus (aka njw0rm, njworm)

This is an evolution of the popular njRAT tool and includes sophisticated features such as credential theft and the ability to spread across removable drives. This tool is often delivered through malicious links in phishing emails and drive-by downloads on compromised sites.

HOUDINI (aka H-Worm)

HOUDINI is a VBS-based RAT that uses HTTP to communicate information--like operating system and host and name--about the compromised system. VBS malware is often packed with multiple layers of obfuscation, including custom Base64 encodings, and supports command line execution, theft of data and downloading/executing of programs.

Upatre

A trojan downloader that spread through spam emails, drive-by downloads. Upatre will download one or more additional types of malware onto an infected system--including Zbot, Dyre, Rovnix, CryptoLocker, Necurs and many more.

Popular breaches that targeted healthcare sector

Healthcare organizations are often bombarded with data breaches, as it is abundant with personal information of patients. Adversaries use this information to carry out insurance fraud (by using the data to create fake insurance certificates), identity theft, and targeted attacks. Hackers can also sell this information on dark marketplaces to make money.

1) Hyde Park: The healthcare administrative services and IT organization, reported a data breach affecting 220,000 individuals. Data used by the company to advise patients on whether certain treatments are covered by insurance, was illegally accessed. This incident was found in December 2015.

2) Oaks: A privacy breach at Oaks, affected 300,000 patients. The organization determined that external hackers had access to their systems since January 2017.

3) Urology Austin: In March 2017, Urology Austin notified 200,000 patients about compromise of their information following a ransomware attack.

4) Bowling Green: The Kentucky-based Commonwealth Health Corp reported a data theft incident compromising 697,800 patient records. The breach happened between 2011 and 2014 and the incident was reported in March 2017.

5) HealthNow Networks: The breach occurred after an employee of the HealthNow Networks, a healthcare telemarketing company, uploaded an unencrypted database to a virtual server on Amazon Web Services. This mistake exposed healthcare records of 918,000 consumers. It was found in April 2017.

6) Airway Oxygen: Home medical equipment supplier, Airway Oxygen, became a victim of ransomware attack in April 2017, affecting 500,000 individuals.

7) WannaCry: May 2017 registered a worldwide ransomware attack across multiple continents, affecting at least 16 of the U.K. National Health Service's facilities among other victims.

8) NotPetya: Pharmaceutical giant Merck was infected by NotPetya, that hit the company on June 27, 2017, and caused a significant disruption to its operations. The disruptions cut down profits by $300 million for the year.

9) Arkansas Oral & Facial Surgery Center: The company notified 128,000 patients of a July 2017 ransomware attack on its computer network.

10) Peachtree Neurological Clinic: They uncovered a 15-month breach in their systems while investigating a totally different ransomware attack in JUly 2017. The breach affected nearly 176,295 patient records.

11) McLaren Medical Group: Mid-Michigan Physicians Imaging Center under McLaren Medical Group fell victim to a hacking incident. Reported in August 2017, the breach compromised the data of 106,008 patients.

Strengthening Healthcare security

Following are few mitigation steps organizations must take to strengthen their cybersecurity measures.

Heightened HIPAA enforcement

Enforcement of data privacy provisions should become more aggressive with excessive fines to avoid negligence when it comes to healthcare information security.

The HITECH Act gives state attorneys general authority to bring civil suits in Federal District Court against individuals who violate HIPAA (Health Insurance Portability and Accountability Act). HIPAA indicates the baseline for sensitive patient data protection with its Privacy and Security Rules. As per these rules, organizations dealing with protected health information (PHI) must have stringent physical, network, and process security measures in place.

Web and server security

Prove your public and private sites and servers are legitimate while protecting and encrypting data submissions and transactions with SSL/TLS Certificates.

User and device authentication and access control

Implement strong authentication without burdening end users with hardware tokens or applications. Also ensure only approved users, machines and devices can access authorized networks and services.

Document signing

Digital signatures using trusted Digital Certificates create a tamper-evident seal to protect your patient records and other documents.

Secure Email

Digitally signing and encrypting all internal emails will help mitigate phishing attacks and data loss risks by verifying message origin so that, recipients can identify phishing emails. It also ensures only intended recipients can access email contents.