
A TrendLabs℠ Research Paper

Securing Connected Hospitals

A Research on Exposed Medical Systems and Supply Chain Risks

Mayra Rosario Fuentes and Numaan Huq

Trend Micro Forward-Looking Threat Research (FTR) Team

TREND MICRO AND HITRUST LEGAL DISCLAIMER

The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all Nothing contained herein should be relied on or acted particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro and HITRUST reserve the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. efforts to include accurate and up-to-date information herein, Trend Micro and HITRUST make no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro and HITRUST disclaim all warranties of any kind, express or implied. Neither Trend Micro, HITRUST, nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an “as is" condition.

Contents

Cyberattacks Against the Healthcare Industry: A Quick Primer

Exposed Devices and Systems in Healthcare Networks

Healthcare Supply Chain Attacks

Threat Modeling the Hospital Ecosystem

Recommendations: IT Defense for Hospitals

Conclusion

Appendix

For Raimund Genes (1963-2017)

The damage caused by the WannaCry ransomware during and after it held systems hostage in May 2017 exposed just how vulnerable healthcare networks are to cyberattacks. Spreading indiscriminately to 300,000 computers in 150 countries,[1] WannaCry's hold over infected systems blocked National Health Service (NHS) trust hospitals from accessing patient records, compelled hospitals to divert ambulances to other area hospitals not affected by WannaCry, and forced doctors to cancel scheduled appointments, scans, and even surgeries.[2, 3, 4]

infection vectors in today's healthcare networks. As hospitals and other healthcare facilities adopt new technology, add new devices, and embrace new partnerships, patients get — but the digital attack surface expands as well. The more connected they get, the more attractive they become as lucrative targets to threat actors. medical devices, and the like. We successfully discovered exposed medical systems, not be viewable publicly. While a device or system being exposed does not necessarily mean that it is vulnerable, exposed devices can potentially be leveraged by cybercriminals ransomware, etc. Furthermore, it shows that a massive amount of sensitive information is publicly available when it shouldn't be. involved lapses in the supply chain.[5, 6, 7] Furthermore, according to a health and human services public breach reporting tool, 30 percent of healthcare breaches in 2016 were due [8] To learn from these cases, we studied the different ways threat actors can take advantage of weaknesses in the supply Finally, we performed a qualitative risk analysis across various attack vectors to give implement as a basic minimum. We strongly recommend a blend of security technology and employee/partner awareness and education, including a threat response protocol. system and governance framework related to the transfer of resources to and from any services.

4 | Securing Connected Hospitals: A Research on Exposed Medical Systems and Supply Chain Risks

Cyberattacks Against the Healthcare Industry: A Quick Primer

Global life expectancy has been steadily increasing,[9] and much of it can be attributed to advances in medicine and healthcare technology. Technology is at the heart of the modern hospital. Technology allows physicians to identify diseases and treat patients quickly and effectively. A patient in a modern hospital is typically treated by a small team of doctors and nurses who attend to different aspects of the patient's care. This system is designed to ensure that the patient receives the best possible treatment in the most

and fast data transfers.

processing aspects of a hospital's operation such as medical (diagnostic, treatment, admission/discharge,

that each application and every device running on the network represents a possible entry point for

hospitals lucrative targets for cybercriminals. For one, given the critical nature of hospitals, cybercriminals

ransomware, then there is a high probability of payout by the affected hospitals. Beyond ransomware, typically target and their motivations and methods when it comes to attacking healthcare networks.

What is at risk?

Ransomware has been in the limelight in terms of media coverage and public attention, but in reality, it is not the only threat. The hospital environment has many pathways for different threat actors and several

three broad areas that are at high risk of being targeted by cybercriminals are the following:

These will be our three critical areas of interest.

Who is attacking the healthcare industry?

Where there are opportunities, there are perpetrators who attack, steal, and abuse the system for a wide variety of reasons. These threat actors can be criminal gangs that are highly skilled hacking teams, funded

using different methods such as ransomware, phishing, and so on, to generate illicit revenue for the gangs

or malicious actions for political reasons.

gain competitive advantage. For instance, the second largest healthcare insurance provider in the United States was affected by a foreign government attack in this way in 2014.[10] Cyberterrorists, meanwhile, launch disruptive or destructive cyberattacks to cause physical destruction of property, loss of life, and spread terror. Hacktivists are internet activists who attack cyber assets to draw attention to their political

on social media sites from peers.[11]

Another category of possible attackers is the insider threat. This type of attacker can be motivated by money, ideology, coercion, ego, revenge, and politics, and could very well be disgruntled employees who steal data or equipment, or keep old employee and admin accounts active for snooping purposes. Other times, insider threats may be borne out of negligence, like opening a phishing email by mistake.

Data privacy

Patient and employee PII, which includes patient diagnosis and treatment data, insurance and

Patient health

hospital operations


Why is the healthcare industry being attacked?

The key motivator for the vast majority of cyberattacks that we see daily is money. But in the healthcare world, not all perpetrators attacking healthcare providers will be motivated by money. Healthcare providers

is a key motivator for many of these perpetrators. For instance, threat actors using ransomware can severely impact the daily operations of healthcare providers. Taken further, disruptive attacks can disable,

suffers as a result. billions of dollars in research money. Attacks perpetrated by insiders, or those with physical access to the systems or expert knowledge of their use, are typically acts of revenge.[12] attention to their political and/or social causes.

How are they attacking the healthcare industry?

The healthcare industry is a massive, complex, interconnected ecosystem with thousands of endpoints,

Spear phishing

[13]; a subset of this is business email compromise (BEC), which targets companies that conduct wire transfers abroad.[14]

Distributed denial-of-service (DDoS) attacks

from multiple locations.[15]

Exploitation of software vulnerabilities - Deliberate use of known weaknesses in a software; in a striking example in August 2017, the U.S. Food and Drug Administration (FDA) recalled half a million

and let them manipulate pacing and battery strength.[16]

Malware - Malicious code intended to disable, damage, compromise, or steal data from computers; various examples exist where ransomware,[17] keyloggers,[18] worms,[19] Trojans,[20] and others affected healthcare networks.

Misuse of privileges

party software that had weak passwords and allowed administrator access.[21]

Data manipulation - Digital image or data alteration; in 2015, the FDA warned that certain infusion systems contained a vulnerability that could allow a hacker to manipulate the data in infusion pumps used for dosage calculations, thus putting patients' lives at risk.[22]

Threat actors can use any of the above methods to launch major cyberattacks against hospitals in recent

indicator sharing platform - show a few chosen markers about the health industry cyberthreat landscape that provide a snapshot about the most common infection vectors.

[Chart categories: Email-borne threats, Phishing, Ransomware via email, C&C callbacks, Other threats (Source: CTX Enhanced Pilot)]

[Charts for October, November, and December: Ransomware; High-risk IoCs; C&C callbacks; Total indicators of compromise (Source: CTX Enhanced Pilot)]

To date, the majority of publicly reported cyberattacks against hospitals have been one of the following: data breaches, ransomware, or medical device compromise.

our observation on data breach attacks against hospitals. Based on their data, the number of reported data breach incidents in hospitals resulting from hacking or malware attacks is on the rise.[23]

Figure 3. Number of incidents for hospital data breach methods from January 2005 to July 2017

attacks, but ransomware has been affecting the entire cyberthreat landscape for a long time. Ransomware encrypts data such as documents, folders, databases, among others, on the victim's computer, making them inaccessible, and demands a ransom payment in the form of digital currency like Bitcoin to decrypt

[Figure 3 categories: Payment Card Fraud, Hacking or Malware, Insider, Physical Loss, Portable Device, Stationary Device, Unintended Disclosure, Unknown]

Figure 4. Annual number of ransomware families since 2012

Finally, and perhaps fortunately, we found only a handful of reports about compromised medical device incidents, none of which ended with the attackers sending any commands to the devices.[24]

section we will examine how exposed medical devices and systems are in healthcare networks.

[Figure 4 chart: years 2012 to 2017]

Exposed Devices and Systems in Healthcare Networks

mobile devices, cars, industrial robots, home appliances, and even smart clothing to the internet. This interconnected world is very exciting and has created new and unique opportunities to improve our lives. But truth be told, today's society is adopting connected technologies at a faster rate than we are able to

be inadvertently exposing information about us and our surroundings online, and that could potentially

The diagram in Figure 5 shows what a typical modern healthcare facility looks like in terms of how

Figure 5. The connectedness of devices and systems to the health information system

note that when a device or system is exposed on the internet, it does not automatically imply that the

accessed over the internet.

What is Shodan?

unpatched vulnerabilities in the exposed cyber assets. However, an adversary can also use Shodan to perform detailed surveillance and gather intelligence about a target, which is why Shodan has been called the World's Most Dangerous Search Engine.[25]

DISCLAIMER: AT NO POINT DURING THIS RESEARCH DID WE PERFORM ANY SCANNING OR ATTEMPT TO ACCESS ANY OF THE INTERNET CONNECTED DEVICES AND SYSTEMS. ALL PUBLISHED DATA, INCLUDING SCREENSHOTS, WERE COLLECTED VIA SHODAN.