If cyber-criminals in 2020 were asked why they target healthcare, a plausible answer would be “because that’s where the data is.”
Covid-19 dominates everything, everywhere, and it is now the top lure in phishing emails. Contact-tracing apps also create a wholly new category of data, and a new source of it, alongside the usual health records.
Medical records fetch good prices on dark-web markets & forums, and their loss can bring serious penalties for failing to comply with data-privacy laws. Beyond the value of stolen data, the critical nature of the services makes healthcare a focused target for ransomware, with essential operations put on hold until a ransom is paid (and no guarantee that payment results in the computers & networks being unlocked).
Because healthcare is now so heavily targeted, the Geneva-based CyberPeace Institute has put out a call, signed by 40 former & current government leaders, for all governments to work together to stop attacks on hospitals & on the international organisations fighting Covid-19.
Marietje Schaake & Stéphane Duguin, respectively President and CEO of the CyberPeace Institute, led the appeal for governments to work together, including at the UN, to assert without hesitation that cyber operations against healthcare facilities are both unlawful & unacceptable, & to work with each other, with civil society & with the private sector to ensure that medical facilities are respected & protected.
The call follows recent cyber-attacks against medical facilities, including in the Czech Republic, France, Spain, Thailand, & the US, international organisations such as the World Health Organisation (WHO), & other health authorities.
In Germany, Fresenius, Europe’s largest private hospital operator & a major provider of dialysis products & services, was hit by a ransomware attack on its technology systems, limiting some of its operations.
Malicious Threat Actor
Professor Oleg Kolesnikov, VP of Threat Research at Securonix, commented “One of the things that sets the “snake/ekans” malicious threat actor reportedly involved in the Fresenius ransomware attack apart is a relatively high amount of manual effort/targeting typically involved in the operator placement activity, which can sometimes enable them to have a bigger impact on the victims.
With some of the recent attacks observed, it appears that the malicious threat actors are expanding the list of targets.
“While the attack behaviours used by the malicious ransomware payload itself are fairly trivial, the golang-based payload encryption process, & also the list of processes that are terminated to maximise the ability of the ransomware to encrypt sensitive data & impact the targets, appear to be longer than in some of the other ransomware instances observed, & some of the past instances of the malware family also included impacting processes from the ICS/SCADA/OT environments, which is uncommon for ransomware.”
Peter Maurer, President of the International Committee of the Red Cross & signatory of the CyberPeace Institute letter observed “We’re in the midst of the most urgent health crisis in modern history, & these attacks threaten all of humanity,” adding, “We must take action collectively to ensure this threat is addressed, & already fragile health care systems, particularly in countries affected by war & violence are not put at further risk by cyber operations.”
Jamie Akhtar, CEO & founder of CyberSmart (cybersmart.co.uk), added “There has been an enormous spike in cyber-attacks since the beginning of the Coronavirus epidemic. The healthcare industry, already stretched & now even more overwhelmed & distracted, is a prime target. The World Health Organisation has reported a 5x increase in attacks over the last 2 months.
It is critical that healthcare organisations prioritise security right now as a breach could have huge impacts. That means keeping all software up-to-date & making sure firewalls & security features are enabled at all times.”
For Ilia Kolochenko, founder & CEO of web security company ImmuniWeb, the lesson of “This outrageous incident,” is “a colourful validation of the FBI’s warning not to pay ransom. Reportedly, Fresenius has already paid a 7-digit ransom in the past to recover from a similar attack. Obviously, such a generous payment did not leave unscrupulous cyber-criminals indifferent.
Instead they quickly exploited the windfall & perfidiously re-raided this susceptible victim amid the crisis. Being mindful of Covid-19 social challenges, some cyber gangs decisively called to abstain from any attacks against medical & healthcare organisations, but unsurprisingly not everyone follows this Robin Hood code of ethics.
“Unless the details of the attack investigation are disclosed, it would be premature to make any definitive conclusions. There are, however, more questions than answers given this is a second successful and large-scale attack, as some sources report.
It is unclear whether foundational security processes were and are in place, such as holistic patch management and network segregation, but it seems that even if the answer is affirmative the latter are largely insufficient.
“For the moment, there is likewise no visibility whether any medical records & PHI were stolen during the attack. The worst-case scenario is if the data was extracted & now may be published in case of eventual refusal to pay ransom. Cyber-criminals have now taken their ransomware campaigns to the next level by threatening not just to delete the data, but to disclose it, thereby unleashing a parade of horrors from severe regulatory sanction to lawsuits by the victims.”
Regarding phishing, Fiona Fernie, a Partner at Blick Rothenberg, explained “Within hours of the Government’s Coronavirus Job Retention Scheme (CJRS), there was significant activity by cyber-criminals trying to cash in on the scheme in the form of emails that purported to come from the Government & suggested that HMRC needed bank account details into which the grant should be paid.”
She further observed “Of the over 2,000 online Coronavirus scams which have been removed over the last month by the NCSC, almost 500 were fake online shops selling personal protective equipment items such as gloves & face masks which either never arrive or do not meet the required standards. Some of the sites also distribute malware which damages the computer systems of those who visit the sites.”
A recent IntSights report, Health Scare: Data Privacy Concerns in the Age of COVID-19, gives further detail on how healthcare organisations are being targeted. It describes how the sector continues to fall behind in its cyber-security practices just as it becomes responsible for more sensitive data than ever before. Ever-expanding attack surfaces, the vulnerabilities of legacy systems, & third-party risk have conspired to make healthcare the most-targeted industry for cyberattacks.
The report notes that: “A third of all data breaches in the US happen in hospitals, & the number of breached personal records in the healthcare industry nearly tripled from 2018 to 2019, jumping from 15 million to 40 million.”
The Covid-19 pandemic has added further strain: a largely remote global workforce presents severe security challenges at the very moment protected health information (PHI) is more sought-after by threat actors than ever.
Another IntSights report on the COVID-19 threat landscape, The Cyber Threat Impact of COVID-19 to Global Business, exposes numerous scams selling fake virus tests & vaccines.
Tracing apps are also increasing the health sector’s digital footprint, adding to the existing risk from third-party providers such as medical-device manufacturers & others in the supply chain, quite apart from the criminal-supplied fake tracing apps.
With the UK’s track & trace system launching without an app, Isle of Wight-based cyber-security expert Matt Middleton-Leal, General Manager of data-security firm Netwrix, who has been using the trial app since its launch, gave his opinion on the app & the challenges he expects:
Isle of Wight
“I’ve trialled the app from day one, & it’s a shame it’s not ready for national roll-out. Most of my friends & family on the Isle of Wight have been using it, & we have not experienced battery issues which there was some concern around when an app was first announced.
“The key issue I actually foresee as it rolls out across the country isn’t technical, it’s the negativity surrounding the app, which may lead to people not downloading it, therefore negating its purpose. I do hope the potential benefits of the app, from easing lock-down to enhancing public health & safety, do not get lost amongst the politics.
“In times of crisis we should be trying all routes to get to a new normal, & the app, while not the final answer is an essential part of the jigsaw. The NHS has stated it’s not a perfect platform, but as long as there is a commitment to continuing to enhance the app, we’ll be moving in the right direction.”
“However, there is no doubt that due to its notoriety, lots of cyber-criminals will work hard to break into the app. We should prepare for a spike in related phishing attacks & fake Covid-19 tracking apps booby-trapped with ransomware. During March, researchers discovered “CovidLock”, a Covid-themed screen-lock attack against Android phones that forces a change in the password that protects the phone’s screen-lock capabilities.
“While the public will have to rely on Government security advisers to stay ahead of the threats, there are a few simple things we can do to take control of our own security, to avoid falling for tracking app scams.
“Make sure you:
– Only download an app from the official government source
– Do not click on anything in your email that’s health related, even if it contains familiar logos of your health service provider & looks similar to the emails you usually receive from them.
– Do not follow online ads calling for downloading a COVID-19 tracking app & do not download any apps from un-trusted third-party stores.
“Even if you search for a Coronavirus-related app in official marketplaces such as Google Play or the App Store, be especially suspicious of newly-made applications from unknown developers that have a low number of reviews.”
Health Research IP
Theft of health-research IP has also gained publicity, with hacks on Covid-19 vaccine research leading to a joint advisory earlier this month (May) by the UK’s National Cyber Security Centre (NCSC) & the US Cybersecurity and Infrastructure Security Agency (CISA). The advisory exposes malicious cyber campaigns targeting international healthcare & medical-research organisations involved in the coronavirus response, & gives advice on how to stay safe online.
The govt statement at the time commented “Attacks by state & non-state actors seeking to undermine the global response to this unprecedented global health crisis endanger lives.
International law & the norms of responsible state behaviour must be respected & all states have an important role to play to help counter irresponsible activity being carried out by criminal groups in their countries. Our support for the most vulnerable extends to cyberspace.”
This was followed by a call from the UK Foreign Secretary, Dominic Raab, for an end to cyber-attacks by hostile actors who are using the Coronavirus (COVID-19) pandemic as an opportunity to carry out malicious cyber activity, including targeting medical facilities worldwide.
Much of the NCSC’s guidance was about the basics: advising staff to change any password that could reasonably be guessed to one built from 3 random words, & to implement two-factor authentication to reduce the threat. The NCSC also said it had observed large-scale ‘password spraying’ campaigns against both healthcare bodies & medical-research organisations. Password spraying tries a small number of commonly used passwords against a large number of accounts, staying below per-account lockout thresholds, which is exactly why guessable passwords & missing 2FA matter.
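The low-and-wide pattern of a spray (few failures per account, many accounts from one source) is what makes it detectable in authentication logs even when no single account ever locks out. The following is an added example, not code from the article, the NCSC or any vendor named here; it runs over a constructed log in an assumed four-field format (timestamp, source IP, username, outcome), and the detection thresholds (`window`, `min_users`, `max_per_user`) are illustrative assumptions to be tuned per environment. It contrasts a spraying source with a classic single-account brute force, which the spray rule deliberately does not match, and then reports any successful login from a spraying source, which is the alert a responder wants first.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Format assumed for this
# example: ISO timestamp, source IP, username, outcome (FAIL or SUCCESS).
SAMPLE_LOG = """\
2020-05-12T09:00:01Z 203.0.113.7 alice FAIL
2020-05-12T09:00:03Z 203.0.113.7 bob FAIL
2020-05-12T09:00:05Z 203.0.113.7 carol FAIL
2020-05-12T09:00:07Z 203.0.113.7 dave FAIL
2020-05-12T09:00:09Z 203.0.113.7 erin FAIL
2020-05-12T09:00:11Z 203.0.113.7 frank FAIL
2020-05-12T09:00:13Z 203.0.113.7 grace SUCCESS
2020-05-12T09:05:00Z 198.51.100.9 admin FAIL
2020-05-12T09:05:01Z 198.51.100.9 admin FAIL
2020-05-12T09:05:02Z 198.51.100.9 admin FAIL
2020-05-12T09:05:03Z 198.51.100.9 admin FAIL
2020-05-12T09:05:04Z 198.51.100.9 admin FAIL
2020-05-12T09:05:05Z 198.51.100.9 admin FAIL
2020-05-12T09:10:00Z 192.0.2.20 alice SUCCESS
2020-05-12T09:11:00Z 192.0.2.20 bob FAIL
2020-05-12T09:11:30Z 192.0.2.20 bob SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs whose failures inside any `window` hit at least `min_users`
    distinct accounts while no single account fails more than `max_per_user` times.
    That low-and-wide shape distinguishes a spray from a brute force against one
    account, and it is also how sprays stay under per-account lockout thresholds.
    Thresholds are illustrative assumptions, not NCSC figures.
    Returns {ip: sorted list of targeted users}."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "FAIL":
            fails_by_ip[ip].append((ts, user))

    hits = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward so fails[start:end+1] spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in fails[start:end + 1])
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_per_user
                    and len(per_user) > len(hits.get(ip, ()))):
                hits[ip] = sorted(per_user)  # keep the widest qualifying set seen
    return hits


def successes_from(events, ips):
    """Accounts that authenticated successfully from a flagged spraying source: the
    highest-priority alert, since it usually means a guessable password was found."""
    found = defaultdict(set)
    for _, ip, user, outcome in events:
        if ip in ips and outcome == "SUCCESS":
            found[ip].add(user)
    return {ip: sorted(users) for ip, users in found.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprays = detect_spraying(evs)
    print("spraying sources:", sprays)
    print("successful logins from spraying sources:", successes_from(evs, sprays))
```

On the constructed log only 203.0.113.7 is flagged: six accounts, one failure each, then a success on a seventh account, which is the compromise to act on. The single-account brute force from 198.51.100.9 is left to the ordinary lockout/brute-force rule, and the one mistyped password from 192.0.2.20 never approaches the thresholds. In production the same logic runs per tenant on the identity provider’s sign-in log, with the IP key widened to an ASN or a JA3/user-agent tuple when the attacker rotates addresses.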
Working from Home
A less obvious issue, but still a consequence of the Coronavirus, is that huge numbers of people are now working from home. Where they copy intellectual property (IP), personally identifiable information (PII) & PHI to local drives & process it on their private computers, they increase both the security risk & the compliance risk under PCI DSS, GDPR & CCPA.
So, on top of the direct theft of personal data & IP, the freezing & ransoming of infrastructure, the potential hacking of equipment, & the resources spent on remediation, ransoms & regulatory fines, the fake tracing apps & hacking threats now add a further cost: a loss of trust, & a fear of sharing data, that becomes a barrier to the data-sharing on which improved health outcomes depend.