Learning Objectives:
At the conclusion of the activity, participants will be able to complete the following:
- Define the term cybersecurity.
- Describe the key steps of a cyberattack.
- Discuss how medical practice owners and administrators can defend themselves against cybersecurity threats using best practices in cybersecurity.
In order to obtain AMA PRA Category 1 Credit™, participants are required to adhere to the following:
- Review the learning objectives at the beginning of the CME article. If these objectives match your individual learning needs, read the article carefully. The estimated time to complete the educational activity is one hour.
- After reflecting on the contents of the article, demonstrate your understanding by answering the post-test questions in the online form at https://education.njha.com/courses/51690. These questions have been designed to provide a useful link between the CME article and your everyday practice.
- You will need to log in to complete the post-test and evaluation form to earn CME credit. If you do not already have an account on the NJHA website, you can create one to access the material. Please be sure to save your account information in a secure location so that you can log in for future articles.
- If a passing score of 80% or more is achieved, a CME certificate awarding AMA PRA Category 1 Credit™ will be immediately available to download. Individuals who fail to attain a passing score will be offered the opportunity to retake the post-test.
- For any questions relating to your account or accessing your CME certificate, contact onlineeducation@njha.com. For MDAdvantage policyholders with questions relating to the MDAdvisor CME articles, please contact Alysiana Bagwell at 888-355-5551 or abagwell@magmutual.com.
- All post-tests must be submitted between February 1, 2023, and February 1, 2022. Submissions received after February 1, 2024, will not be processed.
Author: Tom Powers, Founder and Chief Technology Officer, StrataDefense, Wausau, Wisconsin.
Article Content Last Updated: This content was updated as of August 1, 2022.
Accreditation Statement: HRET is accredited by the Medical Society of New Jersey to provide continuing medical education for physicians. This enduring article has been planned and implemented in accordance with the accreditation requirements and policies of the Medical Society of New Jersey (MSNJ) and Health Research Education and Trust of New Jersey (HRET) in joint providership with MDAdvantage Insurance Company.
AMA Credit Designation Statement: HRET designates this enduring activity for 1.0 AMA PRA Category 1 Credits™. Physicians should claim only the credit commensurate with the extent of their participation in the activity.
Disclosure: The content of this activity does not relate to any product of a commercial interest as defined by the ACCME; therefore, there are no relevant financial relationships to disclose. No commercial funding has been accepted for the activity. This article was peer reviewed in accordance with the MDAdvisor Guidelines for Peer Review.
Cyberattacks have remained an ongoing security threat for organizations around the world. As society has gone increasingly digital, cybercriminals have sought to maximize their profits by exploiting our vulnerabilities. The work-from-home trend that accompanied the COVID-19 pandemic over the past several years has increased our vulnerability, and threat actors have been quick to increase their attempts at cybersecurity attacks. The year 2020 saw not only an increase in the frequency of cyberattacks, but also higher ransom payments as well. According to the Harvard Business Review, the amount companies paid to hackers grew by 300% in 2020.1 In this article, we will discuss how medical practices can be as prepared as possible in light of these imminent threats.
What is Cybersecurity?
According to the Department of Homeland Security, cyberspace and its underlying infrastructure are vulnerable to a wide range of risks stemming from both physical and cyber threats and hazards. Sophisticated cyber actors and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy, or threaten the delivery of essential services. A range of traditional crimes are now being perpetrated through cyberspace. These include banking and financial fraud, intellectual property violations, health record theft, identity theft, and other crimes, all of which have substantial human and economic consequences.2
Health records are valuable to cyberattackers. If health records can be coupled with financial records from an individual, a cyberattacker can create an identity for multiple different purposes. They can not only get a loan in your patient’s name but can also spin around and start perpetrating Medicare fraud. They can bill for services that never actually happened.
In 2020 alone, the Federal Bureau of Investigation (FBI) received 15,421 internet crime complaints.3 In the first half of 2021 (during the pandemic), there was a 102% increase in ransomware attacks over 2020.4 It is estimated that $125 billion will be spent on cybersecurity in the healthcare industry in the next few years.5 According to the Ponemon Institute, the average cost of a data breach in the healthcare industry in the United States is $9.44 million, the highest of any country. The costs include everything from downtime to lost business to legal costs to regulatory fines, lost productivity and brand damage, and it all adds up very quickly.6
We hear about cyberattacks constantly in the news, and yet people tend to believe that “it can’t happen to me. I’m a smaller practice. I’m not on the radar. I don’t have anything that anybody wants to steal.” Then, rationalization (the second-strongest human emotion) kicks in. You tell yourself, “I’m going to just put up better defenses and then I’ll be safe.” All of those mindsets must change. It is not a matter of IF cyberattackers get in; it is a matter of WHEN they get in, and whether or not you will be prepared when it happens.
An attacker is normally in a network for 207 days before they are detected. After detection, it takes on average 70 days to get rid of them.6 All that time they’re sitting in your network, watching, mining information and evading your attempts to hunt them. The people who do this are very skilled. They are experts at being quiet and hunting information. They know how your staff members work, where they tend to make security mistakes and where to find your most valuable data.
How Cyberattacks Happen
Most medical practices have a general level of cybersecurity defenses in place. They may have a firewall and anti-virus and anti-malware software, all with default configurations. They likely have email encryption and spam filters. All of the patient health data is stored in an electronic health record (EHR) platform with encryption. Some practices are also doing some social engineering testing. All of this is a good start, but cyberattacks have gotten increasingly sophisticated, and cyber criminals know how to evade these security measures. This means that you need to better understand how cyberattacks occur and you need even better defenses.
Step 1: Payload Download
Cyberattackers want to get into your network, and it all begins with a download of a small piece of software. This can happen when somebody at your practice unknowingly clicks on an Internet link, opens an email attachment or inserts a USB drive. Unfortunately, most people tend to be very trusting of the content they see on their computer and it is not uncommon for a staff member to accidentally click on a link that is sent to them before realizing the risks. Defending against these downloads requires hypervigilance from all staff members, who need to know that if they don’t know what something is or didn’t ask for it, they shouldn’t be clicking on it. Even if they think it could be legitimate, it is worth a call to the sender to verify that. Your information technology (IT) team (which probably includes internal staff and external partners) should restrict downloading and scripting processes to administrators only. If your antivirus software is not next generation, it is time to upgrade to something better. Additionally, given today’s climate, there is absolutely no reason why USB drives should be allowed at your practice unless for some reason it’s a software licensing key, in which case you can make an exception for that on specific machines. For example, I’ve seen that as a requirement on some MRI machines. Other than that, the use of USB drives should not be allowed.
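The USB restriction described above, with the exception for machines that need a licensing dongle, can be enforced centrally. The script below is an added example written for this article, not code from the author or StrataDefense; it assumes it runs elevated from your IT team's management tooling, and the hostnames in the allow list are constructed placeholders.

```powershell
# Added example (not the article's code): disable USB mass storage on workstations,
# with an explicit allow-list for machines that legitimately need a USB licensing key.
# Assumes an elevated session; the hostnames below are constructed placeholders.

$AllowedUsbHosts = @('MRI-CONSOLE-01', 'MRI-CONSOLE-02')   # placeholder names of licensed-dongle machines

function Set-UsbStoragePolicy {
    param([string[]]$AllowList)

    # The USBSTOR driver's Start value controls whether USB mass-storage devices load:
    # 3 = load on demand (drives work), 4 = disabled.
    $usbStorKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $desiredStart = if ($AllowList -contains $env:COMPUTERNAME) { 3 } else { 4 }

    $currentStart = (Get-ItemProperty -Path $usbStorKey -Name Start).Start
    if ($currentStart -ne $desiredStart) {
        Set-ItemProperty -Path $usbStorKey -Name Start -Value $desiredStart -Type DWord
        Write-Output "USBSTOR Start changed $currentStart -> $desiredStart on $env:COMPUTERNAME"
    } else {
        Write-Output "USBSTOR Start already $desiredStart on $env:COMPUTERNAME"
    }

    # Belt and braces: the 'All Removable Storage classes: Deny all access' policy
    # (Deny_All = 1) also blocks devices that are already mounted or use other drivers.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    $denyAll = if ($desiredStart -eq 4) { 1 } else { 0 }
    Set-ItemProperty -Path $policyKey -Name Deny_All -Value $denyAll -Type DWord
    Write-Output "RemovableStorageDevices Deny_All set to $denyAll"
}

function Test-UsbStoragePolicy {
    # Read-only check your IT team can run on a schedule to spot machines that drifted.
    $start = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start).Start
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        UsbStorageBlocked = ($start -eq 4)
    }
}

Set-UsbStoragePolicy -AllowList $AllowedUsbHosts
Test-UsbStoragePolicy
```

In a domain, the same two registry settings are normally delivered through Group Policy Preferences or the "Removable Storage Access" administrative template rather than a script; the script is useful for checking that the policy actually landed on each machine.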
Step 2: Installs to Machine
The next step in the cyberattack process is to get the downloaded software installed on your system. One thing that makes this easy to happen is when users are the local administrators of their hardware. Only your IT team should be able to download programs onto your practice computers and other devices.
Cybercriminals know very well that staff members across all practices tend to act similarly. A person in your practice will at some point need to run a report from the practice’s EHR, and they will store it on their desktop or another device. After they use it, they may remember to put it in the recycle bin, but likely will forget to empty the recycle bin. Or, team members may need to email information back and forth to each other. The good news is that they send it over secure email, which means it went from Hospital A to Hospital B securely. But then the file sits in someone’s Outlook folder, which has a local cache file, and it sits there unencrypted.
A cyberattacker doesn’t need to go through your practice’s EHR system to find data. Inevitably, in every practice, there is a data packrat. This is somebody who will save everything on their desktop for their convenience or throw it in their My Documents folder. These data hoarders are a treasure trove to cybercriminals, who can easily find this data by performing searches for personally identifiable information (PII) and searching on terms like ‘patient presents’ or ‘diagnostic information.’ If someone can find your blank files, then they can search for filled-out ones. In 200 days, if your practice has 50-60 staff members, a cyberattacker has likely gone through every bit of information you have a dozen times over, and then, even after they are caught, they are going to start moving around.
Step 3: Command and Control
In the next step of a cyberattack, the file that has been downloaded and installed, whether administratively or under the local profile, calls back home. In other words, it has to get its instructions from somewhere, so the attacker is going to set up a command-and-control server. For example, the attacker may be in Russia, but is not going to set up their command-and-control server in Russia. They are going to set it up on the Amazon cloud on the eastern seaboard. It’s all within the U.S., so your geo-blocking defenses on your firewall are now defeated. Command and control normally uses the default capabilities of the operating system in question, including PowerShell, scripting languages and command-line entries. All of those things that are normally in the operating system that typical users never really even see or use are misused by the attackers. Once the installed file calls back home, there is now something called a shell. That means the attacker now has a little black screen, and when they start typing, it’s happening on your machine. You can’t see it, but your machine is responding to the attacker.
Step 4: Gain Persistence
Once the cyberattacker has a connection, which means the download has called back to them and they are now controlling your machine, they need something called persistence, which is the ability to live through a reboot. If the user logs off or closes the application, the attacker is not going to be able to trick the staff member to click on the link again. So once the attacker has a connection, they are going to make a change to the operating system, such as a new service, a scheduled task, a print monitor or a startup link in the registry. Now, the attacker is set, and when the user’s machine reboots it will automatically call back to the attacker when it comes back online, or maybe it is set up as a scheduled task where every hour it calls back to the attacker. The machine is now contacting the attacker directly with no user intervention, which means that the attacker is able to keep control of it. To defend against this, your practice will need monitoring services for task creations and modifications. Your IT team should know what your workstations look like and should be able to identify changes with regular checks. There are about 17 different major areas that need to be watched.
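The "regular checks" for persistence changes described above can be automated. The script below is an added example written for this article, not the author's or StrataDefense's code; it snapshots the autostart locations the text names (services, scheduled tasks, Run keys) and compares them with a saved baseline. The baseline path is an assumption; point it at whatever location your IT team manages.

```powershell
# Added example (not the article's code): snapshot common Windows autostart locations
# and diff them against a baseline so new or modified persistence entries stand out.
# The baseline path is an assumed location.

$BaselinePath = 'C:\ProgramData\PracticeIT\autostart-baseline.json'

function Get-AutostartSnapshot {
    $items = @()

    # Services: name, the binary they launch, and the account they run as.
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $items += [pscustomobject]@{ Type = 'Service'; Name = $svc.Name; Target = $svc.PathName; Account = $svc.StartName }
    }

    # Scheduled tasks: every action (program + arguments) joined into one string.
    foreach ($task in Get-ScheduledTask) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        $items += [pscustomobject]@{ Type = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Target = $action; Account = $task.Principal.UserId }
    }

    # Run / RunOnce registry keys for the machine and the current user.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
            $items += [pscustomobject]@{ Type = 'RunKey'; Name = "$key\$($p.Name)"; Target = $p.Value; Account = '' }
        }
    }
    return $items
}

function Compare-AutostartSnapshot {
    param($Baseline, $Current)
    $baseMap = @{}
    foreach ($b in $Baseline) { $baseMap["$($b.Type)|$($b.Name)"] = $b.Target }

    $findings = @()
    foreach ($c in $Current) {
        $key = "$($c.Type)|$($c.Name)"
        if (-not $baseMap.ContainsKey($key)) {
            $findings += [pscustomobject]@{ Change = 'New'; Type = $c.Type; Name = $c.Name; Target = $c.Target }
        } elseif ($baseMap[$key] -ne $c.Target) {
            $findings += [pscustomobject]@{ Change = 'Modified'; Type = $c.Type; Name = $c.Name; Target = $c.Target }
        }
    }
    return $findings
}

$current = Get-AutostartSnapshot
if (-not (Test-Path $BaselinePath)) {
    # First run on a known-good machine: record the baseline.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
} else {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $findings = Compare-AutostartSnapshot -Baseline $baseline -Current $current
    if (@($findings).Count -eq 0) { Write-Output 'No autostart changes since baseline.' }
    else { $findings | Format-Table -AutoSize }
}
```

Run it once on a freshly built workstation to capture the baseline, then on a schedule; any "New" or "Modified" row is something your IT team should be able to explain. The same events are also written to the Windows logs (Security event 4698 for a created scheduled task, System event 7045 for an installed service), which is what a log aggregation service would collect.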
Step 5: Lateral Movement
Once the cyberattacker has control of one machine, they will want more. Lateral movement will allow them to control other machines. Maybe they control the practice administrator’s machine, but now they want access to the doctors’ machines or the IT administrator’s machine. The way they do that is normally through administrative shares or what’s called WinRM or PowerShell remoting. This often works because nobody in the practice turned on the firewalls on their local PCs within the network, or domain users have way too many rights, or the patching is not up-to-date. If you’ve got unpatched operating system flaws, I can exploit them and move around. To defend against lateral movement, you need to make sure that you take the domain users out of the workstations’ local Administrators group. You should also make sure you turn on your Windows firewalls on the personal computers (because it is very rare that computers have to talk to each other on the network), remove access to PowerShell and disable the WinRM service on all Windows machines.
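The three workstation-side defenses named above (domain users out of local Administrators, host firewall on, WinRM off) can be applied and verified with the added example below. It is written for this article and is not the author's or StrataDefense's code; it assumes an elevated session on a domain-joined Windows workstation, and the domain name is a placeholder.

```powershell
# Added example (not the article's code): apply the lateral-movement defenses from Step 5
# on a Windows workstation and report the resulting state. Assumes an elevated session.

$DomainName = 'PRACTICE'   # placeholder NetBIOS domain name

function Remove-DomainUsersFromLocalAdmins {
    param([string]$Domain)
    $member  = "$Domain\Domain Users"
    $current = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    if ($current -contains $member) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $member
        return "Removed $member from local Administrators"
    }
    return "$member is not a member of local Administrators"
}

function Enable-HostFirewall {
    # Turn on all three profiles and block unsolicited inbound connections by default,
    # so one compromised PC cannot reach the others over SMB/WinRM.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
    return (Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction)
}

function Disable-WinRMRemoting {
    # Stop and disable the service so PowerShell remoting cannot be used against this host.
    $svc = Get-Service -Name WinRM
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WinRM -Force }
    Set-Service -Name WinRM -StartupType Disabled
    return (Get-Service -Name WinRM | Select-Object Name, Status, StartType)
}

function Test-LateralMovementHardening {
    # Read-only check for a scheduled compliance run; every value should be $false / empty.
    param([string]$Domain)
    $admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $fwOff  = Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | Select-Object -ExpandProperty Name
    $winrm  = Get-Service -Name WinRM
    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        DomainUsersAreLocalAdmins = ($admins -contains "$Domain\Domain Users")
        FirewallProfilesDisabled  = @($fwOff)
        WinRMRunning              = ($winrm.Status -eq 'Running')
    }
}

Remove-DomainUsersFromLocalAdmins -Domain $DomainName
Enable-HostFirewall
Disable-WinRMRemoting
Test-LateralMovementHardening -Domain $DomainName
```

Removing ordinary users' access to PowerShell is usually done with an AppLocker or Windows Defender Application Control policy rather than a script, so it is left to Group Policy here. If your IT team manages workstations remotely over WinRM, they will need to allow it from their management hosts only, through a firewall rule, rather than leaving it enabled everywhere.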
Step 6: Privilege Escalation
What happens when attackers start moving around? They are going to find different people logged in at different levels of permissions or levels of rights, which means they are going to be able to escalate their privileges. To stop privilege escalation, you need to use something called administrative user segmentation, where you have different administrator accounts for different levels of the network. For example, the administrator for the IT system may have an administrator account that works only on workstations, another administrator account that works only on database servers, and a different administrator account that only works on Exchange servers or mail servers. Then there is a domain administrator account that lives only on the domain controllers. Every one of those accounts only has rights to the specific target and no rights anywhere else. You are taking these credentials that are normally just floating around out there, consolidating them and specifically putting them in places that, if they were breached, are now contained. Network segmentation complements this: it means controlling what protocols and what machines can talk to what servers. Instead of a situation where an attacker could get to everything, network segmentation enables your IT team to control what information can flow to what parts of your network.
Step 7: Network Recon
Once your attacker has the control and the administrative rights they want, they can start looking for data. Think about where the treasure trove of information is located on your network. To give a hint, it is not your EHR system! Your EHR system likely has multifactor authentication requirements and bells and whistles that go off when it is attacked. Most of the information that is stolen can likely be found right on the Windows network. Attackers will find the reports that didn’t get cleaned up and the emails that are stored incorrectly, courtesy of the practice packrat. The recycle bin is another great place to find data, because nobody ever seems to empty it. In order to defend against this step, your IT team must identify, organize and locate where the personal health information (PHI) or the PII exists. If you’re not scanning for this data and you’re not looking on the workstations and the laptops and the servers for data that is improperly placed, then you’re doing a disservice to yourself and your practice. Have your IT team set up group policies to empty the recycle bins and turn off Exchange caching so that those Outlook messages don’t exist anymore on local machines. The goal is to minimize what is on the local workstations and to clean up temporary files. Take away the low-hanging fruit so that cyberattackers have to work harder.
Step 8: Data Theft
Now that your attacker has found the data, they are going to zip it and transfer it over HTTPS, so your firewalls can’t see it. Your firewalls will just view it as regular encrypted traffic, no different than talking to your online banking. To defend against data theft, get the PHI and the PII off your network. Configure your web filters and firewalls to look for this type of exfiltration using SSL inspection, application control and something called DLP filtering. DLP stands for data loss prevention and is on 99% of the next generation firewalls. DLP looks for data like social security numbers, credit card numbers, driver’s license numbers and Medicare information numbers. In other words, DLP watches for exactly the things your attacker would be looking to steal. Some of your next-gen antivirus will also look for this data on the local workstation.
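Step 7 tells your IT team to scan workstations for stray PHI and PII, and Step 8 describes the patterns a DLP filter matches. The added example below serves both: it is a local discovery scanner written for this article, not the author's, StrataDefense's or any firewall vendor's code. It searches the places the article calls out (Desktop, Documents, Downloads, the Outlook cache folder and the Recycle Bin) for the same kinds of identifiers a DLP filter keys on. The scan roots, file types and the sample file it writes are constructed; a Luhn check on card-number matches cuts down false positives, and the Medicare pattern follows the published Medicare Beneficiary Identifier format.

```powershell
# Added example (not the article's code): find files on a workstation that look like stray
# PHI/PII, using the identifier patterns a DLP filter matches. Roots and sample data are constructed.

$ScanRoots = @(
    "$env:USERPROFILE\Desktop",
    "$env:USERPROFILE\Documents",
    "$env:USERPROFILE\Downloads",
    "$env:LOCALAPPDATA\Microsoft\Outlook",   # where Outlook's local cache files live
    'C:\$Recycle.Bin'
)
# Plain-text formats only; Office, PDF and .ost/.pst files need a content-indexing tool to search properly.
$Extensions = @('.txt', '.csv', '.rtf', '.log', '.xml', '.json', '.html', '.eml')

$Patterns = [ordered]@{
    # SSN: rejects invalid area (000, 666, 9xx), group (00) and serial (0000) values.
    SSN          = '\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b'
    # 14-16 digits with optional spaces/dashes; Luhn-checked below.
    CreditCard   = '\b(?:\d[ -]?){13,15}\d\b'
    # Medicare Beneficiary Identifier: 11 chars, letters exclude S L O I B Z, optional dashes after positions 4 and 7.
    MedicareMBI  = '\b[1-9][AC-HJKMNP-RT-Y][AC-HJKMNP-RT-Y0-9]\d-?[AC-HJKMNP-RT-Y][AC-HJKMNP-RT-Y0-9]\d-?[AC-HJKMNP-RT-Y]{2}\d{2}\b'
    # Clinical phrases the article mentions attackers search for.
    ClinicalTerm = '(?i)\b(patient presents|diagnostic information|chief complaint|date of birth)\b'
}

function Test-Luhn {
    # Standard Luhn checksum; true for well-formed card numbers, false for random digit runs.
    param([string]$Digits)
    $d = $Digits -replace '[^\d]', ''
    $sum = 0; $double = $false
    for ($i = $d.Length - 1; $i -ge 0; $i--) {
        $n = [int][string]$d[$i]
        if ($double) { $n *= 2; if ($n -gt 9) { $n -= 9 } }
        $sum += $n
        $double = -not $double
    }
    return ($sum % 10 -eq 0)
}

function Find-SensitiveData {
    param([string[]]$Roots, [string[]]$Ext, [System.Collections.IDictionary]$Pats)
    $results = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $Ext -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $file = $_
                $text = Get-Content -Path $file.FullName -Raw -ErrorAction SilentlyContinue
                if (-not $text) { return }
                foreach ($name in $Pats.Keys) {
                    $matches = [regex]::Matches($text, $Pats[$name])
                    if ($name -eq 'CreditCard') { $matches = $matches | Where-Object { Test-Luhn $_.Value } }
                    $count = @($matches).Count
                    if ($count -gt 0) {
                        # Report the file and hit count only; never write the matched values to a log.
                        $results += [pscustomobject]@{ File = $file.FullName; Pattern = $name; Hits = $count; LastWrite = $file.LastWriteTime }
                    }
                }
            }
    }
    return $results
}

# Constructed sample file so the scan has something to find when run offline.
# The SSN and card number are well-known test values; the MBI is CMS's published example format.
$sampleDir = Join-Path $env:TEMP 'pii-scan-demo'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@'
Patient presents with chest pain. Visit summary exported from EHR.
SSN 219-09-9999   Card 4111 1111 1111 1111
MBI 1EG4-TE5-MK73
'@ | Set-Content -Path (Join-Path $sampleDir 'report-export.txt')

Find-SensitiveData -Roots ($ScanRoots + $sampleDir) -Ext $Extensions -Pats $Patterns | Format-Table -AutoSize
```

Each row is a file your IT team should either move into the EHR or a managed share, or delete. Clearing the Recycle Bin itself can be scripted with the built-in Clear-RecycleBin cmdlet, and turning off Cached Exchange Mode is an Outlook Group Policy setting, which is the mechanism the article recommends for both.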
Finally, your cyberattacker goes quiet and watches for new data to mine and steal. At this point, there are no known defenses because if the attacker gets to this point, you’ve already failed in defending your network. What happens next is ransomware, and it happens for one of two reasons. The first is an automated attack. Someone has clicked on a link they shouldn’t have and your attacker has started encrypting everything underneath the sun in order to charge a large ransom. Second, the attacker has gotten into your network, has stolen everything underneath the sun, and now realizes they are caught. Now they are going to execute the ransomware to destroy you as they make a clean exit. Those are the two reasons ransomware happens. The first one is just kind of a pain. The second one, where I’ve now destroyed your network so I can make an exit, is truly insidious. That’s where major breaches come from, which is why all of the federal law enforcement now wants forensics on even small ransomware attack hits. They want to know what’s happened in the last few weeks because they’re looking for the advanced persistent threat, the attacker that got in and is now hiding their tracks.
In summary, in order to stop someone from installing something malicious at your practice, the first thing you need to do is properly configure your antivirus and antimalware solutions. Remove local administrator rights from users, as a person does not need to be an administrator of their machine to run any software. Properly configure a web filter that is either on your firewall or use a third-party device that can start looking for these downloads and the installs that happen. Make sure you have software that can detect ransomware. Talk to your IT team about implementing log aggregation. Patch all software all of the time. Use password managers to keep your credentials in encrypted programs that are securely stored. Taking these steps will remove 95 percent of your vulnerability. Let the attackers go to the practice down the street that didn’t take these preventive measures, and let them be on the front page of the newspaper instead.
Additional Resources
Department of Homeland Security, Cybersecurity & Infrastructure Security Agency
Healthcare Information and Management Systems Society (HIMSS)
New Jersey Cybersecurity & Communications Integration Cell