Code red: How the healthcare sector found itself at the centre of the cyber storm

Healthcare organisations are increasingly finding themselves the target of sophisticated cyberattacks as sensitive medical data continues to be an attractive target for criminals.

The news has run hot in recent years with stories about healthcare organisations being breached by laptop-wielding larcenists. Private hospital network Fresenius suffered a second ransomware attack in May 2020 after paying a $1.5m ransom in a previous incident. A few months later, a digital assault caused widespread IT failures at the Duesseldorf University Hospital.

Cybercriminals have every reason to target the healthcare industry. With organisations under pressure to restore vital services following an attack, the temptation to pay ransoms is strong. The growth of telemedicine, prevalence of legacy technology and the potential risk to human life means the fallout of a successful breach in the healthcare sector can be particularly severe.

With the Covid-19 pandemic putting the healthcare sector firmly in the spotlight, many predict this worrying trend is here to stay. Ellen Daniel spoke to Orange Cyberdefense’s chief security strategy officer Charl van der Walt and threat research analyst Diana Selck-Paulsson to find out more. 

Charl van der Walt: It’s very difficult to tease industries out from each other. There's a strong tendency to want to do it, but I'm not sure that it's always logically that reasonable, and I'm not sure that we always have the data required to make meaningful distinctions between industries. There are some distinctions and exceptions and healthcare does have some of those, but vulnerabilities tend to be universal. 

 I think there is perhaps much more opportunism and capitalism that happens in the crime landscape specifically. For example, if you look at ransomware gangs which are very syndicated, you'll have initial access vectors that will seek to compromise victims and then sell that compromise on to a second stage operator that looks to monetise it in some way. So those initial access vectors, I don't think that they particularly pay attention to just focusing on healthcare or just focusing on manufacturing. I think they seek to get in whenever and wherever they can as cheaply and as they can, and then they look for customers for the access that they've achieved. 

The major avenues that criminals are making money through at the moment is the sale of intellectual property, the sale of personal information and then, of course, extortion. This puts healthcare particularly in the limelight because at the moment they happen to have a lot of intellectual property and a lot of personal information that is of value and sometimes of extraordinary value. So you can imagine that attackers may favour putting time and energy in there.

I think also healthcare is somewhat immature from a security point of view. And so business models like ransomware we see manifesting with healthcare much more often, not necessarily because they're being specifically targeted, but also because maybe they're [bad] at defending themselves, or not that good at recovering. 

Diana Selck-Paulsson: I think that 2020 has been a little bit special for healthcare, and I think that we have seen a change of threat and in the sense that according to some external reports, healthcare has always faced internal threat. [For instance,] the insider threat was just as big as an external threat, and I think we might have seen a change now in 2020 and it is likely to continue. 

Healthcare is very special and very interesting to observe because they are very vulnerable just because of their function in society and they have to provide healthcare services to us and being faced with the threat of, for example, ransomware attacks, increases the likelihood that they might pay in order to be [operational]. 

Secondly, the nature of data. So not only is it person-identifiable information, but it has much more impact on the victim because it’s data that cannot be changed. So the value of the data becomes higher than maybe in other industries. I think they are also facing the interconnectedness of medical [internet of things], for example.

D: You get the impression that we’ve seen an increase [in the number of attacks] and this is based on several types of attacks, not just ransomware. This can be insider threats or unauthorised access. I think it depends a bit on the detection capabilities as well. So even though we say that healthcare specifically might be not as mature as other industries, they have increased their security budgets more and more because they have too. And that [also means] that [they’ve] increase their capabilities to detect.

When looking at ransomware, I would say that we have seen an increase and that is because it became so attractive because of the attention that [healthcare] has received [they] were a very attractive target and we've seen a few specific ransomware strains that have targeted healthcare.

C: Partly what makes that question difficult to answer is that we've seen a general increase in attacks and compromises that is almost breathtaking. On the one hand, healthcare is being swept along with that. Because of [healthcare’s] vulnerability and because of the propensity to pay ransoms and the value of the data, it may be growing a little bit faster than in other sectors.

You have to differentiate between the benefit to the attacker and the cost of the victim. So it can be that an attacker only has marginal benefits, but the impact on the victim is extremely high. You know, because with healthcare you're dealing with the ability to deliver an essential service that literally saves or costs lives. You could argue that even the slightest failure [for healthcare operators] is so much more impactful than the general trend.

C: There have been some other interesting things that we have seen and some that we haven't but we should really watch out for. One of the things that we have seen is attacks against the producers of medical technologies like implantable medical devices. 

The other thing that I think we haven't seen but are really anticipating is attacks that directly targets the industrial components of healthcare. Not so much that the computers, the PCs in the desktops, but the actual mechanical or physical systems that keep people alive. All indications are that there is a big security problem with those kinds of technologies. But we haven't seen those problems being targeted yet at any sort of significant scale but it seems apparent that [it] will probably happen at some point.

C: Legacy plays a big role. A lot of those devices don't get updated and people don't want to update them because it's scary to do it. But more generally speaking, the operational technology or industrial technology space just hasn't been confronted with these kinds of problems [yet.] As more and more stuff gets connected to the same network and we are all talking to the cloud, they are now being exposed to attacks and decades of security [deficits are] suddenly being laid bare. That's not just in the technology, it is also in the mindsets, the cultures, structures and standards that exist. 

C: We have some strong views on the impact of Covid. Firstly we don't think that the issue of Covid premising is that big a deal. In other words, the idea that people are sort of hiding their phishing mails or their water holing sites behind Covid messages [is] a systemically important thing. We saw some pivoting towards that but that's very normal, and the attackers are pivoting all the time to jump off the back of contemporary issues.

We also are not convinced yet by the argument that the user [or their computers are] necessarily more vulnerable by virtue of being at home. And I wouldn't take an absolutist stance on that, but I think we're yet to be convinced that there's strong evidence that that's the case. We're also not convinced that attacks escalated because of the crisis. 

The data seems to suggest that if anything there's kind of a general malaise that occurs over the lockdown periods. Everything kind of slows down. Because so many of these attacks require human interaction, the fewer people [that] are working [or] are active on their computers [there seems to be] fewer successful attacks [happening as a result].

D: When looking at ransomware, it feels almost that the shift that we saw in 2020 could have happened without the Covid impact. For example Maze, which was one of the first groups that started the whole scheme of double extortion and victim shaming and the leaks and so on, they started in 2019 and they became very successful and it was adopted already in the beginning of 2020.

We would have seen that eventually developing anyway, and I don't really see a connection so much with Covid. And while we might see an increase in those attacks, it can also be because of that ecosystem and how it has developed. 

I think that increasing the pressure on hospitals and the capacity of taking care of patients might play a role in that they've been very much on the spot during [the coronavirus crisis]. I think that Covid increases the pressure and maybe the likelihood to pay [ransoms]. And that as a result increased motivation.

C: The security problem is a systemic one and it's affecting everyone and it's causing the problems to get worse and worse in every field. Having said that, I think healthcare struggles more because it’s mission critical. It can't afford to shut down because of the value of the data that it deals with, because it's an operational environment and perhaps because there's a financial constraint in terms of what they can invest in terms of security. So within the context of a generally growing problem, I think they are particularly heavily burdened.

C: Technology always increases the attack surface. So any development or addition of technology almost always makes things less secure, not more secure. To the extent that those platforms grow and to the extent that they collect data about us, I think the security problem will grow with them. 

And the closer they are to us, the more personal that problem becomes. It's now not just the telemetry of a centrifuge in a factory somewhere, it’s now your sleeping habits or your sexual preferences or your illnesses that are now being collected and monitored by these technologies.

I think that as far as wearables are concerned, and as far as those wearables are coming from reputable vendors like Apple, Samsung etc. they haven't got a particularly bad reputation security wise. But I think there is a real concern in terms of the aggregation of data in the cloud and on the platforms of the vendors. I don't think the issue is so much that your Apple Watch is going to be compromised. But I think there is an issue with individual companies collecting data from millions and millions and millions of people and putting it in one place. And breaches of those kinds of platforms are common. 

Specifically with regards to medical devices, so not so much the wearables but more like implantable devices, there's a real security challenge [in striking the right] balance between security and the function of those devices. [Take encryption for example.] You want [to] encrypt data at rest or you want to encrypt data between your embedded pacemaker and your monitoring station. This requires energy. It takes a lot of CPU cycles and those in turn use up batteries. There's a tension there between doing the right thing security-wise and doing the right thing in terms of maintaining the life of your pacemaker [without] having to dig it out of your chest every two years. Similarly, if you're in an accident, they don't want the data of your pacemaker to be too well protected. They want it to be available to doctors and triage nurses. 

C: We've been theorising about the risks in those kinds of devices for a long time and the vulnerabilities have been shown but there's been very little in terms of actual attacks thus far. I think that that's probably because the incentive hasn't been there yet. There's nothing in it for the attacker. At this point, they're doing very well out of ransomware and stealing medical records.

D: It's very hard to say since we not in their shoes and I would say it's very dependent on the motivation. We see financial gain as one of the most common motives. But if it is just destruction or inflicting harm, it's technically possible, but it's not something that we have seen yet.

C: We have seen maybe parallel cases like the compromise of Ukraine's power grid by the Russians where they would switch things on and off, which arguably has as a human impact. We've seen several ransomware attacks against hospitals which arguably have had an impact on wellbeing, and in some cases arguably have directly led to loss of life. Some of the actors took a principled stance and said they wouldn't. Many said they wouldn't, but still did. And some seem to have quite deliberately targeted healthcare as their modus operandi.

D: There’s a wide list of security recommendations. If we look at ransomware for example, attacks don’t start with ransomware. There are other things that can be detected. We know that some of the threat actors behind specific ransomware strains collaborate or use specific tools so watching out and trying to detect Trickbot or Emotet infections would be one.

I think [legacy software and hardware] is a really difficult one for healthcare. Most of the medical equipment was built not to just last five years but for a decade or more. So I think that is a challenge, but still needs ongoing vulnerability management. 

[I recommend making] regular [penetration tests to] get a report on what your entry points could be and what your vulnerabilities [are.]

People, of course, play an important role, especially in hospitals or healthcare. In general it's not their focus, experts in healthcare are not IT security expert. [However,] I think [more training is needed and that it’s] coming and it's happening [to make] users aware.

C: [The] SolarWinds attack [offers another potential scenario. A hospital] that does their security brilliantly and very conscientiously updates their SolarWinds software [would’ve ended] up being compromised because they updated their software. To counter the problem then, beyond best practise, I think there needs to be some engagement with some of the systemic issues. So for example, cybercrime is a crime, ransom is a crime, there should be law enforcement finding and arresting these people. More needs to be done to tackle the problem at its source. Similarly, I think more needs to be done to clarify our expectations and the responsibilities of the various vendors. Who is responsible for the security of a heart rate monitor? There needs to be a shifting of the incentives if you like.

We don’t think it's fair to expect that the hospital is wholly and solely responsible for its own security. It’s not wholly and solely responsible for defending itself against robbers or terrorists. There needs to be more of a societal and government response. 

D: The interconnectedness will not stop. Wearables and [connected devices] are technological developments that we want. They are beneficial for us as patients and for us as a society if we can share patient data and medical records. But of course, it does increase the attack vector.

C: I think that ransomware attacks are going to continue basically as long as data continues to have value, and as long as [the] ransoms get paid. I think that problem is just going to escalate, it's not going to change until one of those two things changes. To the extent that our technical response is effective, to the extent that we're able to block the current version of an extortion attack, I suspect what will happen is those extortion attacks will just evolve perhaps to attacking the industrial operational technology.

If we really get good at detecting ransomware on Windows computers or really get good at backing up our data in the cloud or something, then I think that the attackers will pivot to some other form of extortion. Whether that's by threatening to break the computer completely or attacking the operational technology or running denial of service attacks or something. I think that we're not going to technology ourselves out of this problem.

I think the way it gets better is that we probably have to do some hard things. Either [finding] a way to collaborate internationally and actually take some of these criminal networks down, truly impose costs on them, or we need to cut off the payments to the extortioner [somehow, either legally or with tech].

Or some other kind of state intervention where governments, for example, say [they’ll] foot the bill for cybersecurity in hospitals, [that they’re] going to build a healthcare network that's secured in a different way to the rest of the internet or [that they’re] going to impose standards for technology and healthcare that ensure security.