A cybersecurity expert describes how to close the longstanding holes that enabled the cyberattacks.
By now, you’ve heard of the enigmatic hacker group Orangeworm and how it has blasted healthcare over the past few years. Its Kwampirs malware might be simple and messy, but it has proved effective in stealing patients’ protected health information. So, what can healthcare organizations do to prevent—or respond to—an Orangeworm attack?
To answer this question and more, Healthcare Analytics News™ reached out to John Nye, senior director of cybersecurity research and communications for CynergisTek, a security and information management firm with deep roots in healthcare. Nye understands how malicious actors operate because, well, that’s his job. He’s been a penetration tester for years, meaning companies have retained him to break into the very networks they want to protect. So, when news of Orangeworm broke, he began analyzing the cyberattacks and what went wrong.
Right off the bat, he lists 2 notable things about the Orangeworm hacks: For one, it’s unlikely that a nation-state (like China, Russia, or North Korea) is behind this. Second, although the group has mostly targeted healthcare, it has also terrorized businesses, like information technology companies, that are linked to healthcare.
Insights like those are key to learning how to build suitable cyberdefenses, and Nye did just that in our conversation. Although not everything below is easy, these 5 points can go a long way to warding off Orangeworm—and other hackers, too—from breaking healthcare’s barriers and the public trust.
Orangeworm entered health systems through their imaging suites, including x-ray, CT scan, and magnetic resonance imaging (MRI) machines. What’s unsettling is that cybersecurity experts and healthcare leaders have known for years that these technologies were outdated and vulnerable, but still they remain at risk.
As Nye notes, these machines may cost tens of millions of dollars, and hospitals tend to lease them from the manufacturer. Those contracts often bar health systems from updating or patching the software without written permission. That means that these heavy-duty systems typically run old, spotty software, such as Windows XP, which is the system that Orangeworm targeted.
“The only reason that this entire campaign works at all is because of these old systems,” Nye says. “We have way too many systems sitting in these hospitals that hospitals have no control over, and the imaging suite is the biggest offender.”
His solution: Cut them off from everything else. Make sure that these machines can’t connect with other networks and devices, as they are insecure and likely will be for some time.
Kwampirs malware is a noisy backdoor Trojan. “It’s very old, and it’s very loud, and it’s very easy to find,” says Nye. So, when a health system gets infected, it should learn of the problem quickly, even if it has just the most rudimentary cyber tools. That’s the good news.
The bad news? If a healthcare org doesn’t find this malware early on, it means that something is severely broken in its cyberdefenses. Imaging suites make this more difficult, but now is the time to examine updates, scans, antivirus programs, and all.
This won’t be easy, but it’s worth a shot. Moving forward, healthcare organizations must be more aggressive in striking contracts with device manufacturers, especially those focused on medical imaging, Nye says. Ensure that these documents include language about patching: For example, get it in writing that once a vulnerability is identified, the vendor has 90 days to fix the issue.
Many of the Orangeworm-affected companies were not in healthcare, but they worked alongside healthcare. So, how can a healthcare organization ensure that its vendors have strong cyberdefenses when the institution doesn’t know how to protect itself? Nye says this is, and likely will remain, a tough box to check.
But healthcare groups must be more vigilant about the companies they retain and, again, how they structure contracts. Don’t just take what’s on the table; push for greater, proven cybersecurity measures, even if the vendor has been on the team for years and appears safe.
Although the US FDA is requesting money and support from Congress to form a team to investigate and learn how to prevent cyberattacks on medical devices, whether that will pan out is unclear. Medical imaging manufacturers, meanwhile, appear unwilling to change their ways, Nye says.
So, the lack of incentive to improve leaves healthcare organizations in a place without much purchasing power. “It’s a huge problem, and I don’t know how we’re going to fix it,” Nye says, “unless we got every hospital and every provider to band together.”
Unlikely? Sure. But if health systems and the industry as a whole were to push for, say, contracts with more cybersecurity tools and accountability, perhaps the MRI machine would no longer be a ticking time bomb. And the rapid progression of healthcare consolidation could give big providers, like Kaiser Permanente, the power to push for stronger provisions, Nye says. State hospital associations may also use their clout in this area, as they have done in the past to get better deals on electronic health records, he adds.