How are cyber attackers targeting the healthcare sector?

Ironically there have been so many healthcare breaches that the value of an individual data set has dropped significantly in recent years, but medical data is still a basic commodity in the underground cyber criminal economy.

As a result, healthcare providers and other organisations are under constant threat, and we are seeing major breaches being reported every few weeks. Each incident usually impacts thousands or even millions of individuals at a time. In February, for example, it was reported that Memorial Hospital in Gulfport, USA was hit by a phishing attack which exposed the data of more than 300,000 patients.

Affiliated industries such as insurance and third-party service providers dealing with medical data also face a high level of threat. One particularly high-profile incident saw medical bill and collection agency American Medical Collection Agency (AMCA) hit by a breach that involved the data of more than 20 million patients.

Low hanging fruit

The healthcare industry also has an unfortunately well-founded reputation as a softer target. A combination of factors including legacy equipment, stretched resources, and funding constraints mean the industry often falls behind when it comes to keeping systems up-to-date and secure. A recent report from Imperial College London found that the NHS was left at risk by “out-dated computer systems, lack of investment, and a deficit of skills and awareness in cyber security.”

Organisations on the frontend of healthcare also face unique security challenges due to the fact their main priority is treating patients and saving lives. This makes it far more difficult to manage the downtime required to keep systems updated and secured - even a few hours of downtime can impact lives, so it’s common to find systems running outdated software and lagging behind on patches that would address common exploits.

The connectivity dichotomy

Ironically, healthcare providers are also under pressure to invest in the latest smart medical technologies. These connected devices can help to deliver a more efficient and responsible environment that helps provide a higher level of clinical care while also reducing costs.

However, connected devices also present an easy target for cyber attacks. Clinical imperatives often trump technical security consideration. It’s common to find that smart medical devices have been deployed without any IT or security planning, and their network behaviours, update capabilities, and vulnerabilities are often not well understood.

These concerns are common in every industry where Internet of Things (IoT) devices are used, but the issue is especially pressing in the medical field, where patient’s lives may be directly at stake. A recent report found that a widely used series of connected anaesthetic machines could be vulnerable to attack, enabling a threat actor to inject overdoses or disable warning alarms among other potentially fatal activity.

Any new device added to the network – whether it’s a smart MRI machine or a WiFi enabled infusion pump – also increases the potential attack surface. This is exacerbated by the large number of visiting devices that are connected to the typical hospital’s networks.

Patients and their visitors, visiting physicians and specialists working at multiple sites, medical students and many other third parties will constantly be connecting to the network. Every connection will potentially expose the healthcare system to outside networks with limited security controls.

What are the risks?

One of the biggest challenges in security is the rapid pace of the threat landscape. To keep track of the latest threats and challenges, Vectra’s Cognito platform uses AI to analyse attacker data. The latest trends were showcased in the Attacker Behaviour Industry Report 2019, which draws on a sample of 354 Vectra Cognito AI deployments covering more than 3m devices.

The primary focus was behaviours that indicate threats across all phases of an attack, particularly advanced, targeted attacks that include activity such as command and control, internal reconnaissance, lateral movement and privilege escalation, and data exfiltration.

Is ransomware still on the radar?

Public awareness of ransomware skyrocketed in 2017 after the WannaCry outbreak locked down millions of machines around the world. The NHS inadvertently became one of the most prominent victims, with the attack causing the cancellation of almost 7,000 NHS appointments and impacting an estimated 19,000 follow-ups. The NHS racked up costs of more than £20m dealing with the outbreak in a single week, with more than £72m being spent on subsequent clean up and upgrade activity.

Nevertheless, we have found ransomware to now be a less prominent threat, with the number of incidents dropping significantly from July-December 2018. That doesn’t mean organisations should let their guard down, as the approach is still used by many attackers, and increasingly in a more targeted manner. The key to defence is catching an infection early in its lifecycle and stopping it from spreading, as this can prevent files from being encrypted and stop the attack from disrupting essential services.

Progressing the attack

Achieving persistence on a compromised device usually just represents the very beginning of an attack. After securing a foothold, intruders will begin to probe the operating environment, using their captured machine to perform scans of networks and file stores to identify useful resources and information.

As attackers learn more and gain enhanced privileges they will move laterally through the network towards their targets. The most common sign of lateral movement in healthcare that we detected was the use of Kerberos authentication services and SMB file share account brute-force attacks, which aim to grant the attacker more privileges in the network and access to higher value systems and assets.

These moves are remotely orchestrated by the attacker using stealthy Command and Control (C&C) signalling. However, C&C behaviours that indicate these malicious actions can also be very similar to the result of ordinary network activity, making attacker activity hard to detect. Detecting the use of a remote access tool, for example, could be a sign of a criminal using C&C communications, but could also be perfectly legitimate activity.

Common legitimate reasons for this behaviour in healthcare include communication with independent labs, imaging centres and other service providers such as IT support. Among the most widespread types of C&C behaviour we detected in the healthcare sector was the use of hidden HTTPS tunnels to hide command-and-control communications (C&C).

Completing the data heist

With patient records representing a reliable and lucrative payday for a cyber criminal, data exfiltration is usually the main priority for an intruder in the network. We most commonly see this being carried out through the use of hidden DNS tunnels, and allowing the intruder to covertly extract data over time hidden inside the legitimate everyday communications used to resolve domain names.

Alternatively, attackers may opt for the more overt “smash and grab” approach and extract a large quantity of data in a short period of time. This will result in an obvious spike in traffic to an external destination, making it easier to detect. However, there are once again legitimate reasons for similar data spikes, such as an IP CCTV uploading recordings to a cloud host.

More connectivity, more risk

Medical IoT-enabled devices with weak security controls can present attackers with many opportunities to find a way in and jump across subsystems. Connected devices also often provide ideal cover for malicious activity. Many healthcare devices will perform actions such as automatically logging into the network and will continuously attempt to login if they fail to connect. This generates a lot of noise that can conceal the intruder’s activity.

No organisation is totally attack proof, and those in healthcare suffer from more challenges than most as they deal with tight budgets, legacy technology, and difficulty in managing downtime.
Once an intruder has successfully infiltrated the network, detecting them effectively relies on contextual understanding. Most of the behaviours that indicate an attacker at work can just as easily be the result of perfectly legitimate behaviour.

Prescribing visibility and automation

Understanding the most common attack paths and achieving visibility into the traffic and behaviours used to identify them is crucial if healthcare security teams are to prevent intruders from running amok in their systems.

Solutions powered by AI have become increasingly powerful tools in providing this capability thanks to their ability to automate much of the analytical and detection activity and produce results at a speed and scope much greater than the best human analyst test could.

These AI capabilities however are optimised for their individual tasks and so augment human security teams to do the heavily lifting; freeing teams to perform high value security tasks. This results in improved threat awareness and incident response agility for the healthcare organisation.

Speed is of the essence when a threat actor is loose in the network, and the ability to identify suspicious activity quickly can prevent an intrusion from becoming a breach impacting millions of customers or essential clinical services. With so many attackers holding medical data in their sights, any edge healthcare organisations can achieve will make a difference.