Although cybersecurity is a hot topic across industries, it is no secret that the healthcare industry is one of the main groups targeted by attackers. This is not new. This industry is often targeted because the information and data generated have a very high value. In addition to the value of patient information, medical organizations generate a lot of research, new treatment processes, promising medications and other intellectual property that is valuable to competitors as well as countries. Look no further than the attacks on organizations currently working on COVID-19 vaccinations or pharmaceuticals to see how interested other countries are in that research, as noted in this Reuters article.¹
To further complicate issues, many medical devices have poor software support lifecycles, leaving perfectly good equipment with antiquated operating systems or in the best cases, experiencing very long waiting times before patches can be applied, making the equipment vulnerable to attacks.
As technology advances and new high-tech treatment methods are developed, such as remotely controlled surgical robots and implantable devices, cyberattacks are likely to escalate.
Cyberattack Methods You Should Know About
Many types of cyberattacks are being used in the healthcare community, including the two that we focus on: business email compromise (BEC) attacks and ransomware attacks.
Business Email Compromise (BEC) Attacks
BEC attacks, also called chief executive officer (CEO) fraud attacks, are not new; however, they are very costly and persistent. BEC attacks rely on social engineering, which is psychological manipulation of people. This happens through different media, including voice calls, text messages and the most popular method, phishing emails. Different types of cyberattacks fall under the umbrella of BEC attacks. All involve tricking the victim into performing an action—whether it’s transferring funds, giving up sensitive data (such as employee W-2 forms) or following a link to a fake login screen.
Because these attacks are psychological, the victims are often put under extreme pressure by the attacker and are left feeling foolish when the attack becomes known. Examples of common BEC attacks include wire transfer fraud and invoice fraud.
Wire Transfer Fraud
This is a very common type of BEC fraud. In these attacks, the cybercriminals often pretend to be someone with significant authority, such as a CEO, and use that authority to intimidate an employee into making a wire transfer to an attacker-controlled bank account. These attacks often involve a story. For example, an email states the company is making a sensitive business acquisition and must have funds transferred quickly and discreetly, or the deal may be killed.
In some cases, instead of requesting a wire transfer, the attacker asks the victim to purchase gift cards, often said to be going to important customers or even top-performing employees. Then the attacker asks the victim to send pictures of the gift card numbers and PIN codes.
Invoice Fraud
This type of BEC attack has several subcategories, but it often works by tricking a user into typing their username and password on a fake login screen. The attacker then uses those credentials to access the victim’s real email account. Once in the account, the attacker can redirect invoice payments by emailing actual customers and requesting that funds be sent to a different bank account controlled by the attacker. Or the attacker may generate a fake invoice and send it to the customer with a notice that it is overdue and that, unless it is paid immediately (to the attacker’s account), service will not continue or orders will be canceled.
These invoice fraud attacks are particularly effective because the emails come from the real email account of the victim and may even be a reply to a previous email conversation.
Ransomware
Another damaging type of cyberattack that has been harassing the medical industry for years is ransomware. In a ransomware attack, the attackers use a type of malware that encrypts data and then charge a ransom to regain access to the data. The encryption used by the attackers is typically very strong, making it infeasible to brute-force the decryption of the data. Most modern ransomware tries to spread to other devices, attempts to encrypt databases and shared drives, and looks for backup files stored on shared network locations.
The vast majority of recent ransomware attacks took place either through email phishing or through improperly secured remote access products, especially the Microsoft Remote Desktop Protocol (RDP). Of those methods, email phishing attacks are still the most prominent.
Ironically, the first known ransomware was developed in 1989 by a biologist and was handed out at a World Health Organization (WHO) AIDS conference. The ransom amount was $189, and the money had to be sent to a post office box in Panama.² There was a long break in the use of ransomware until the introduction of cryptocurrency such as Bitcoin, which has greatly anonymized the methods with which attackers collect payment.
The newest game-changing trend in ransomware started in late 2019, when ransomware strains such as Maze began not only to encrypt files but also to exfiltrate data. Once the data are exfiltrated, the attackers let the victims know that they will publicly release the data if the ransom is not paid. This gives the attackers another point of leverage and puts the victim organizations in a difficult spot: even if they can recover the data from backups, they still face the prospect of a public breach and the associated issues.
This shift in tactics was caused in part because organizations had improved their backup strategies and were likely paying ransoms less often than they had been previously. The idea of threatening to release data is not new, as demonstrated in the 2016 ransomware attack³ on the San Francisco Municipal Transport Agency. Attackers threatened to release 30 gigabytes of data if the victims did not pay. The ransom was not paid, and no data were released. However, the threat is now real and being executed.
An important note about data exfiltration in ransomware attacks is that even if the ransom is paid, and the data are not released publicly, the victims still have to deal with the impact of a data breach, as the data have left the network. The lost data are highly likely to show up on the dark web on underground hacking sites, even if the ransom is paid. In many recent cases, the consequences of the data breach caused by these new strains are much more severe than the effects expected from the encryption of the organization’s data.
Nobody has a crystal ball that will forecast exactly what we can expect in the future. I believe we will continue to see new and innovative schemes designed to get victims to take the bait and click on links or open infected files in an email message.
Hybrid attacks using multiple methods of contact are likely to become more popular on the social engineering side. An example is an attacker sending an urgent email requesting a funds transfer from an email address that looks like it comes from the CEO, then following up immediately with a text message (also faked to look like it came from the CEO’s cell phone), verifying the email and adding more pressure to get it done quickly. None of these techniques are difficult to do, and, combined, they can become a highly effective attack method.
Another trend that will continue is attackers capitalizing on natural and human-made disasters to improve the effectiveness of the attacks. The surge in attacks since the COVID-19 pandemic began is an example of how these events can be used against victims. Many attacks rely on manipulating people psychologically to get them to take actions that benefit the attackers. This makes highly stressful events, such as hurricanes, earthquakes and other disasters, prime opportunities for this type of manipulation. From donation scams to emails purporting to contain updated information in an attached (and malware-infected) document, attackers do not waste an opportunity to take advantage of a situation.
Defending Against Security Threats
The threats to the healthcare industry are significant and can seem overwhelming when your organization is trying to create a defensive strategy. This situation is compounded by budget limitations, employee workloads, and the complexity and volume of connected devices (ranging from surgical robots to remotely managed infusion pumps), all of which make the connected medical landscape uniquely challenging.
Unfortunately, there is no magic formula to determine where to allocate and focus funding in your organizational environment. However, the following suggestions can help direct your efforts to deal with the most significant threats. Some suggestions are technical, and some focus on human-related challenges. Both areas should be addressed when developing a cybersecurity strategy.
Previous Occurrence Analysis
The first thing your organization should do is analyze data on recent incidents and issues. This means analyzing trouble tickets and incident reports to see where your defenses are struggling. My colleague and friend Roger Grimes wrote A Data-Driven Computer Defense,⁴ a book that helps readers understand the importance of using their organizational data to build the most effective defense. For example, if your primary source of security-related tickets or incidents is email phishing attacks, it does not make sense to spend a lot of your budget on defenses against SQL injection attacks.
Organizations should review or implement the following controls. They may be challenging, but they will help build a stronger foundation on which to apply additional controls. Unfortunately, these foundational principles are often forgotten or badly neglected, especially in organizations that have either grown significantly within a short time or have been around for many years.
Backups
A key control to combat accidental data loss or ransomware is a strong backup program. Backups should be tested regularly and should use the 3-2-1 principle,⁵ which means three copies of the data on two different types of media with one of them offsite. As modern ransomware strains focus on wiping out backups whenever possible, the offsite portion of this rule has never been more important. The most significant challenge to this type of backup strategy is the testing portion.
Backups must be tested regularly. Testing provides proof that the data can be recovered and helps with understanding the amount of time it takes to restore the data. It is best to perform a full data restoration of critical systems at least once every six months. This does not necessarily require overwriting or replacing the production data unless your organization has the risk appetite to accept that. However, you should at least verify in a test environment that the data can be restored properly.
Once a month, you should attempt to restore several randomly selected critical files or data to ensure the process is still working and behaves as expected. For example, in a test an organization found that although the backups worked fine for the cloud provider, the method of restoring the data failed for all but the smallest selection of files. This is not something you want to discover during an incident.
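The monthly spot check described above can be scripted. The following is an added example written for this article, not a tool the author or any vendor provides. It assumes the backup is a gzipped tar archive and that a manifest of file hashes was recorded at backup time and kept apart from the archive; the restore goes into a scratch directory, never over production, and a random sample of files is compared against the manifest. The files and the "silently changed" backup in `demo()` are constructed for the example.

```python
"""Restore test for a backup archive (added example, not from the article).

Assumed setup: the backup is a gzipped tar archive and, at backup time, a
manifest of relative path -> SHA-256 was recorded and stored separately from
the archive. The restore test pulls a random sample of files back out into a
scratch directory (never over production) and checks each against the manifest.
"""
import hashlib
import random
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large database dumps do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source_dir: Path, archive_path: Path) -> dict:
    """Archive every file under source_dir; return the manifest to verify against later."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_of(path)
            tar.add(path, arcname=rel)
    return manifest


def restore_test(archive_path: Path, manifest: dict, sample_size: int, seed=None) -> dict:
    """Restore a random sample into a scratch directory and classify each file as
    'ok' (hash matches), 'corrupt' (restored but differs) or 'missing' (not in archive)."""
    rng = random.Random(seed)
    sample = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    results = {}
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive_path, "r:gz") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        for rel in sample:
            member = members.get(rel)
            if member is None:
                results[rel] = "missing"
                continue
            restored = Path(scratch) / rel
            restored.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src:  # stream the member out; no tar.extract()
                restored.write_bytes(src.read())
            results[rel] = "ok" if sha256_of(restored) == manifest[rel] else "corrupt"
    return results


def demo() -> tuple:
    """Constructed scenario: three placeholder files are backed up and restore-tested.
    Then the backup is rewritten after one file silently changed, mimicking a
    backup job that captured the wrong content; the original manifest exposes it."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "records").mkdir(parents=True)
        (src / "config").mkdir()
        (src / "records" / "record-0.txt").write_text("placeholder record 0\n")
        (src / "records" / "record-1.txt").write_text("placeholder record 1\n")
        (src / "config" / "app.ini").write_text("[app]\nmode=test\n")

        archive = work / "backup.tar.gz"
        manifest = create_backup(src, archive)
        clean = restore_test(archive, manifest, sample_size=len(manifest), seed=1)

        # Simulated bad backup: content changed, archive regenerated, manifest unchanged.
        (src / "records" / "record-0.txt").write_text("truncated")
        create_backup(src, archive)
        bad = restore_test(archive, manifest, sample_size=len(manifest), seed=1)
    return clean, bad


if __name__ == "__main__":
    clean, bad = demo()
    print("clean backup:", clean)
    print("bad backup:  ", bad)
```

In a real monthly check `sample_size` would be a handful of files out of thousands; `demo()` samples everything so the result is deterministic. The manifest must live somewhere the backup job cannot overwrite, otherwise a job that writes bad content and a matching manifest would pass the test.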
Data Encryption at Rest
Far too often, we hear of cases of data being exfiltrated or of a portable device being lost while unencrypted. It is important, and not only for regulatory reasons, to ensure that data at rest are protected. Ensure that all portable devices have data encryption installed and active. Note that the FACT SHEET: Ransomware and HIPAA⁶ published by the U.S. Department of Health and Human Services states that a ransomware attack can be a breach under the HIPAA Privacy Rule unless the entity can demonstrate that there is a low probability that the protected health information (PHI) has been compromised. Being able to show that ePHI was encrypted at rest can be a significant step in demonstrating that the data were not viewable by the attacker.
Data Loss Prevention (DLP)
Data exfiltration has become an even more significant threat with the newly developed versions of ransomware. Protections to spot and stop the exfiltration of sensitive data through email, at the points of ingress and egress of the network, and through portable media such as USB drives have never been more important.
As part of this review and testing, organizations should also examine the ports and protocols allowed outbound through the firewalls. For example, many forms of malware use services or ports such as those used by the file transfer protocol (FTP) as command and control channels. If employees do not need to access outside FTP sites from within the protected network, ensure that such traffic is blocked and monitored. Domain name system (DNS) traffic is also a good candidate for monitoring, or for limiting to known, trusted servers, for many of the same reasons. There are many other examples. Therefore, ensure you are considering the data leaving the protected network, not just blocking data from entering it.
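The outbound review above can be run against firewall logs rather than by eye. The following is an added example written for this article (not a tool from the author or any firewall vendor): it parses a constructed, simplified connection-log format, keeps only allowed flows from the internal address space to the outside, and flags the two cases the text names, outbound FTP and DNS to anything other than the approved resolvers. The address ranges, resolver, log format and sample lines are all constructed; adapt the regex to your firewall's real export format.

```python
"""Egress audit over firewall connection logs (added example, not from the article).

Assumed log format (constructed for this example; adapt the regex to your firewall):
  <timestamp> action=<allow|deny> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>
The audit flags allowed outbound flows the article singles out: FTP to any
external host, and DNS to any resolver other than the approved ones.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed internal address space and approved resolver; these values are constructed.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
APPROVED_DNS = {ipaddress.ip_address("203.0.113.53")}
FTP_PORTS = {20, 21}
DNS_PORT = 53

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>allow|deny) proto=(?P<proto>tcp|udp) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample lines using documentation address ranges; no real hosts.
SAMPLE_LOG = """\
2020-11-03T09:12:01Z action=allow proto=tcp src=10.20.4.17:51022 dst=192.0.2.10:21
2020-11-03T09:12:05Z action=allow proto=udp src=10.20.4.17:40311 dst=203.0.113.53:53
2020-11-03T09:12:09Z action=allow proto=udp src=10.20.7.9:40312 dst=198.51.100.7:53
2020-11-03T09:12:10Z action=allow proto=tcp src=10.20.7.9:51030 dst=198.51.100.20:443
2020-11-03T09:12:12Z action=deny proto=tcp src=10.20.7.9:51031 dst=192.0.2.11:21
2020-11-03T09:12:15Z action=allow proto=tcp src=10.0.0.5:3306 dst=10.0.0.6:3306
this line is malformed and must be skipped rather than crash the audit
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    action: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_line(line: str):
    """Return a Flow for a well-formed line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["ts"], m["action"], m["proto"],
                ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]), int(m["dport"]))


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def audit_egress(lines) -> list:
    """Findings for allowed, internal-to-external flows on the watched services."""
    findings = []
    for line in lines:
        flow = parse_line(line)
        if flow is None or flow.action != "allow":
            continue
        if not is_internal(flow.src) or is_internal(flow.dst):
            continue  # only traffic leaving the protected network is of interest here
        if flow.dport in FTP_PORTS:
            findings.append({"ts": flow.ts, "src": str(flow.src), "dst": str(flow.dst),
                             "issue": "outbound FTP allowed"})
        elif flow.dport == DNS_PORT and flow.dst not in APPROVED_DNS:
            findings.append({"ts": flow.ts, "src": str(flow.src), "dst": str(flow.dst),
                             "issue": "DNS to unapproved resolver"})
    return findings


if __name__ == "__main__":
    for f in audit_egress(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['src']} -> {f['dst']}: {f['issue']}")
```

Run against the sample, the FTP session to 192.0.2.10 and the DNS query to 198.51.100.7 are reported; the query to the approved resolver, the HTTPS session, the already-denied FTP attempt and the internal database connection are not. Each finding is a candidate for a new deny rule or, where the business needs the service, an explicit allowlist entry plus monitoring.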
Principle of Least Privilege
People should have the fewest permissions required to accomplish their role. In practice, this is often not the case, for many reasons. In some cases, employees have moved between jobs or roles, and the old permissions were never revoked. In others, an employee needed special permissions for a project, but those permissions were not removed when the project ended.
To battle this permissions creep, an industry standard Role-Based Access Control (RBAC) approach is often used. In this approach, all users assigned to a specific role or job have a very specific level of permissions needed to accomplish their tasks. When users move from one role to another, old permissions are removed, and new ones assigned. This control system can be challenging to set up and deploy, and it requires a well-defined procedure for handling exceptions. However, RBAC addresses the issue of permissions creep very well.
This reduction in permissions helps when a user’s account is compromised or when that person is the source of the ransomware infection, because RBAC can limit an attacker’s access. If the user does not have access to files, ransomware cannot encrypt or exfiltrate them.
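The contrast between permission creep and a role-based model is easy to show in code. The following is an added example written for this article, not an RBAC product or the author's own implementation: roles carry permission sets, a job change replaces the account's role rather than adding to it, ad hoc project grants are tracked separately so they can be reviewed, and a final helper lists what ransomware running under the account could write to. Role names, resources and the account are constructed.

```python
"""Role-based access control versus permission creep (added example, not from the
article). Role names, resources and the sample account are constructed."""
from dataclasses import dataclass, field

# Constructed role catalogue: role -> set of (resource, action) permissions.
ROLES = {
    "billing": {("invoices", "read"), ("invoices", "write")},
    "nursing": {("charts", "read"), ("charts", "write"), ("schedules", "read")},
    "it-admin": {("backup-share", "write"), ("charts", "read")},
}


@dataclass
class Account:
    name: str
    roles: set = field(default_factory=set)          # RBAC-managed permissions
    direct_grants: set = field(default_factory=set)  # ad hoc grants outside any role

    def effective_permissions(self) -> set:
        perms = set(self.direct_grants)
        for role in self.roles:
            perms |= ROLES[role]
        return perms

    def can(self, resource: str, action: str) -> bool:
        return (resource, action) in self.effective_permissions()


def change_job(account: Account, new_role: str) -> None:
    """RBAC job move: the new role replaces the old one, so the old role's
    permissions disappear with it instead of accumulating."""
    if new_role not in ROLES:
        raise KeyError(f"unknown role: {new_role}")
    account.roles = {new_role}


def grant_for_project(account: Account, resource: str, action: str) -> None:
    """The exception path: a one-off grant that is easy to forget to revoke."""
    account.direct_grants.add((resource, action))


def creep_report(account: Account) -> set:
    """Permissions the account holds that its current roles do not justify;
    this is the review list for revocation."""
    role_perms = set()
    for role in account.roles:
        role_perms |= ROLES[role]
    return account.direct_grants - role_perms


def encryptable_by_malware(account: Account, resources) -> list:
    """What ransomware running under this account could encrypt: anything it can write."""
    return sorted(r for r in resources if account.can(r, "write"))


def demo() -> Account:
    alice = Account("alice", roles={"billing"})
    grant_for_project(alice, "backup-share", "write")  # temporary project need, never revoked
    change_job(alice, "nursing")                       # RBAC drops billing automatically
    return alice


if __name__ == "__main__":
    alice = demo()
    print("can still write invoices:", alice.can("invoices", "write"))
    print("creep to revoke:", creep_report(alice))
    print("malware reach:", encryptable_by_malware(alice, ["invoices", "charts", "backup-share"]))
```

After the job change the billing permissions are gone without anyone remembering to remove them, but the project grant survives and is exactly what `creep_report` surfaces. The last line of output is the article's point in miniature: the ransomware's reach is bounded by the account's write permissions, so the leftover grant on the backup share is the one worth revoking first.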
Non-technical controls can be a challenge for people with very technical mindsets. Many cybersecurity and information technology professionals excel at their jobs because they enjoy technology. Many do not enjoy the process of dealing with the human side of security. For this reason, these controls tend to be more difficult for many technologists. However, these controls are critical to an organization’s security.
Education and Training
This security control is likely the most cost-effective for organizations. Users are targeted heavily by attackers who are focused on healthcare industries. In ransomware and BEC attacks, the user is the critical point where the attack can be stopped before it becomes an incident.
Unfortunately, users are often poorly trained on how to spot and report these attacks, which leaves them vulnerable. Even when organizations meet the regulatory requirement for annual training, users are generally not properly prepared.
Healthcare industries have several unique challenges regarding training; however, they are surmountable. For example, nurses and physicians may have email accounts but very limited time during their shift to spend on the computer checking these accounts and doing administrative tasks. In these cases, short, regular, relevant training modules tend to work better than a single, longer session. In addition, the more employees can see how this information helps them personally (e.g., keeping them safe from scams at home), the more likely they are to pay attention to and absorb the content of the message. This is true for any kind of training.
Whether you use a professional service to provide the training tools, or you have your own organization put them together, it is important to understand the types of training that best engage employees. The same training that may be well received in a corporate law office may not be as well liked in a Silicon Valley startup. Ensure the training you provide matches the culture of your organization. Consider games or other methods of engaging learning. If the technical staff doing the training is not comfortable with training people, you may be able to tap your Human Resources (HR) or marketing departments to help make it more enjoyable for all.
Training once a year will not meaningfully impact the threat of these phishing and social engineering attacks. Training needs to happen often, even if it is in small chunks. In addition, if at all possible, training should be followed up with simulated phishing attacks. These simulated attacks are not meant to trick users, but to give them a way to practice the lessons they learned during the training in a fail-safe environment. The simulation will also teach them to be on the lookout for potential simulated emails, helping them spot the real ones.
Policies and Procedures
Another critical non-technical control is the creation of policies and procedures. They can help protect an organization from many types of attacks. For example, having the funds transfer policy require that any transfer above a certain amount be verified with a phone call to a known phone number for the requestor (not the one included in the request) has stopped a considerable number of wire transfer scams from succeeding.
Policies should be approved by leadership and should be the basis and authority for many of your other security controls. Therefore, the policies need to be well defined and reasonable; they should also address possible exceptions. Without those attributes, policies can be very difficult to enforce.
A Solid Security Strategy
The healthcare industry has been heavily targeted due to the value of the information handled. Attackers have used BEC schemes to scam organizations out of money and ransomware to successfully cripple organizations and exfiltrate data. By reviewing and implementing the controls discussed in this article, organizations can build a firm foundation for creating a solid security strategy.
Although the specific scams and related stories are likely to change, the attack methods will continue without major changes until the attackers stop being successful. We must ensure that the effort required to successfully attack our organizations is more costly than what the attackers hope to gain by doing so. Only then will the attacks end.