By their very nature, healthcare institutions are the bastions of the weak and vulnerable: institutions that, unlike most others, have matters of literal life and death constantly hanging over their heads. The pressures and precarious positions faced by such institutions, coupled with the operational importance of IT systems, mean that any threat actor can tip the balance, or threaten to, with potentially calamitous results. This provides enormous leverage to a would-be attacker in matters of coercion, as it forces a need for immediate response. What needs to be considered when looking at healthcare penetration testing?
First, we need to understand which medical systems can potentially be compromised.
“Anything. Anything technical can be. And it should be tested. You can never understand just how far an attacker can get without seeing it play-out in the real world, on your real systems.”
- Steve McLaughlin, Director & Principal at Core Sentinel
Anything Can be Tested (and should be!) - A Clip from Core Sentinel on KBTV
- One of the most evident attacks, due to the sheer scale of it, was in 2017 when the UK’s NHS (National Health Service) was compromised. Over 60 000 pieces of hospital equipment were affected by WannaCry, and it’s estimated that the total bill came in at nearly USD$100m.
- In 2018, we found out about the Singaporean Government Health records hack. This compromise alone saw the records of roughly 25% of the population, including those of the Prime Minister, exfiltrated.
- Australia's ‘My Health Record’ initiative delivered by Accenture has been a debacle. As well as the mismanagement and miscommunication of the entire program to the public, the annual report from the Australian Digital Health Agency (ADHA) has highlighted that 42 data breaches were reported. While most were seemingly not serious, it’s indicative of the systemic problems with security.
- In the private sector, the health record company Allscripts (the irony of the name isn’t lost on us) was hit by SamSam in January 2018, severely limiting access to health records for many of its clients for nearly a week. This attack with SamSam saw numerous health institutions succumbing to the extortion and paying the ransom. At least 233 organisations paid nearly USD$6m, and extrapolating from that, we estimate over USD$2m was paid by the healthcare industry in this one ransomware instance.
- As recently as February 2019, cardiac specialists at Cabrini Hospital were held hostage with ransomware reportedly encrypting the records of some 15,000 patients.
Despite the enormous resources available to healthcare platforms, both private and public sector, and the very visible culpability they face when things go wrong, fundamental issues have led to the recent spate of compromises and have eroded public trust. Further, the volume of attacks that have occurred, even the unsuccessful ones, highlights just how directed the attacks on the healthcare industry are, given the scope of resources required for these numbers to even exist.
Unique Attack Vectors for Healthcare Security
New ways mean new vectors...
Moving to The Cloud
Cloud adoption provides rapid accessibility and ubiquity for current data such as patient records and imaging, which delivers a huge benefit in expediting access to accurate information in an industry where split seconds and access to data are often critical. This access is a double-edged sword though. The increased amenity comes at a risk for healthcare providers and consumers alike: having vast amounts of healthcare records converged on central platforms, and data in flight between them, increases the attractiveness of a target, and hence the risk.
Looking at the individual components as discrete parts is a mistake. The way modern IT ecosystems work is as an implicitly connected nexus, even more so with the adoption of the cloud. Securing 99 of 100 systems from infiltration leaves the entire network potentially open to compromise from implicitly trusted sources.
Customer Number 17
The commoditisation of malware and the marketplaces that have formed provide a very low-friction method for attackers to be in a position to execute sophisticated attacks. With relatively little technical maturity, an attacker can run these off-the-shelf ransomware attacks to compromise and lock out administrative and even the critical operational machines of healthcare facilities by encrypting local files, or compromising connected equipment. In most industries this is a serious inconvenience. In healthcare it can be fatal, and this means it requires a more resolute weighting and diligent approach than perhaps in other sectors.
IoT Adoption and Increasing Attack Surface
The benefits of Internet of Things (IoT) devices, those that can push/pull data between them without human agency, are manifold, including sharing of records like imaging, valuable insights from remote specialists, the continuous and remote monitoring of patients, and more specifically, the interweaving of this data to develop insights from subtle fluctuations that otherwise would have gone unseen.
An always-on device connected to a network upon which the patient might be depending to stay alive poses obvious risks. Even the compromise of non-critical IoT devices like a thermometer could cause tremendous harm through a knock-on effect, pulling focus and resources away from more critical activities. And let’s not ignore risks posed by critical elements like pacemakers or dialysis machines.
Generally speaking, engineers are not thinking “security” first, which means that measures are usually bolted on before going to market rather than adhering to ‘security-by-design’ principles during development. These engineers are unlikely to be IT specialists but rather medical electronics specialists, further removing them from the realms of a security-first mentality. Their heart might be in the right place, but their frameworks are (likely) not.
While having a mature program to tackle patching is difficult enough in any industry, even with commodity systems, the healthcare sector has a major problem with it because many of the devices have non-standard interfaces or, in many cases, no practical way to patch at all. The 24/7/365 nature of operations also means the opportunities to patch are infrequent at best within healthcare.
In 2017 WannaCry infected specific medical hardware that was running on a Windows kernel. The affected device was from Bayer, and alerts from Medtronic and Johnson & Johnson followed for other devices, acknowledging potential issues that manufacturers were, at least in part, expecting.
The lifecycle of most medical devices is long. Due to the bureaucratic nature of FDA in the US and the Therapeutic Goods Administration (TGA) approval in Australia, and the overall expense in procurement of devices, the lifecycle of use often extends well past the sunsetting of updates and support from manufacturers, meaning vulnerabilities are no longer addressed.
Exhaustion is commonplace within the industry, and it's a tall order to expect employees to hark back to the 2 hours of Security Awareness Training they did 3 years ago even when well rested.
Phishing is the most prolific of attack vectors regardless of industry. In healthcare, however, it’s particularly pronounced: the simplicity of its execution, combined with organisations’ need (and demonstrable historical willingness) to respond to ransomware, is very attractive to threat actors. Staff lists are also readily available, with online rosters and profiles in the public arena.
Healthcare professionals will, like those in many industries, also petition for the use of BYOD within the organisation. With the ‘rental’ model, where many healthcare professionals, even within hospitals, are essentially tenants, it can be exceptionally hard to enforce strict policies that will keep institutions secure. Further, while most professionals understand to some level the risks of viruses or other threats to desktop/laptop computers, the threats posed by mobile devices, now the bulk of BYOD endpoints, are less understood.
Not All Dire News
While the rate of change in attacks is still increasing, it’s increasing at a decreasing rate compared to 2016/17/18. More sophisticated approaches to tackling cybersecurity challenges within healthcare have been adopted since early 2017, when the Department of Health and Human Services Health Care Industry Cybersecurity Task Force cited the industry security posture as ‘critical’ globally. Since then, we have seen determined efforts leading to somewhat of a swinging back of the pendulum, or at least a loss in momentum. While maturing approaches in some areas and organisations are having an effect, education is still the weakest link, with social engineering and phishing being the primary vectors.
“We at Core Sentinel are seeing Security Awareness improving. It’s taken a long time to permeate into the public consciousness within healthcare, but I think we’ve seen a tipping point corresponding to the often very public coverage of incidents. Individuals may not know the specifics of how to respond, but they’re now starting to understand the gravity of some of these threats.”
- Steve McLaughlin, Director & Principal at Core Sentinel
Some Things are Improving - A Clip from Core Sentinel on KBTV
It’s not a cheap exercise, but the risk reduction and the spill-on effects on cyber insurance, PR, and ICT clean-up can make security risk assessment and penetration testing of medical equipment and healthcare environments invaluable.
While far from perfect, the healthcare industry is faring better than most in terms of embracing encryption for communications. Anecdotally, we’re seeing some institutions adopting proactive approaches to data encryption for at-rest states, but this is still lagging behind in terms of adoption compared to communications encryption. This is relatively low-hanging fruit in many cases to improve security for healthcare organisations.
Healthcare organisations are constantly under pressure from attackers, and constantly chasing their collective tails. One healthcare approach that has stood out is that of the UAE Government. They have vocally and demonstrably understood the need for ongoing evolution, and see the part machine learning can play in overall strategy, in terms of both healthcare and the security options it may provide in this context. This has stemmed from their willingness to act on aspects of the Fourth Industrial Revolution Protocol (4IR) established in 2018. This could well be a proving ground for huge breakthroughs in healthcare and its security.
Immediate Steps - Healthcare Penetration Testing
Industry specialism is of paramount importance when it comes to security engagements such as penetration testing. Understanding the nuances in requirements often makes a huge difference to ultimate outcomes, and none more so than in the health industry.
“Anything. Anything technical can be tested and should be tested. You can never understand just how far an attacker can get without seeing it in the real world.” said Steve McLaughlin of Core Sentinel. “Conduct a penetration test at least once a year, and from someone outside your IT providers, and an organisation that specialises in penetration testing for health care” he went on to say.
Use an External Auditor - A Clip from Core Sentinel on KBTV
The low-hanging fruit for healthcare organisations to address typically falls into one of only several bins. Like most things, the fundamentals are almost always the critical elements in success or failure:
- Vulnerability management processes integrated with intelligent patching.
- Proper network segmentation integrated as part of the overall design.
- Up-to-date, offsite backup processes, which are a universal catch-all to recover from several of the incidents we’ve seen with ransomware.
- A penetration test prior to any go-live deployment, and after any significant changes.
- Documented build standards aligned to industry hardening standards and frameworks such as OWASP.
- Network and host-based malware/antivirus detection and prevention.
- Network and web application firewalls (WAF).
- Security review integrated into change management.
- Documented security processes, procedures, standards, and guidelines which staff are trained to follow.
- User awareness training.
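The segmentation point above, and the earlier observation that securing 99 of 100 systems still leaves the network open through implicitly trusted paths, is easiest to act on when the allowed traffic between zones is written down and then checked against what the network actually carries. The following script is an added example, not code from the article or from Core Sentinel: it maps subnets to zones, states which zone-to-zone directions are permitted, and reports every observed flow that breaks the policy (for instance a medical device talking to the internet, or a guest BYOD device reaching the device VLAN). The zone layout, the allowed pairs and the flow records are all constructed for illustration; in practice the flow lines would come from a firewall or NetFlow export.

```python
"""Check observed network flows against a zone segmentation policy (added example)."""
import ipaddress
from collections import namedtuple

# Hypothetical zone layout: subnet -> zone name (constructed for this example).
ZONES = {
    "10.10.0.0/24": "medical-devices",
    "10.20.0.0/24": "clinical-workstations",
    "10.30.0.0/24": "servers",
    "10.40.0.0/24": "guest-byod",
}

# Permitted traffic directions as (source zone, destination zone).
# Anything not listed is reported. Addresses outside every zone are "internet".
ALLOWED = {
    ("clinical-workstations", "servers"),
    ("clinical-workstations", "internet"),
    ("medical-devices", "servers"),   # e.g. imaging uploads to the server zone
    ("servers", "medical-devices"),   # management servers may poll devices
    ("guest-byod", "internet"),
}

Flow = namedtuple("Flow", "src dst dport")


def zone_of(ip):
    """Return the zone an address belongs to, or 'internet' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return zone
    return "internet"


def parse_flow(line):
    """Parse one constructed flow record: '<src_ip> <dst_ip> <dst_port>'."""
    src, dst, dport = line.split()
    return Flow(src, dst, int(dport))


def violations(lines):
    """Return [(flow, (src_zone, dst_zone))] for every flow the policy forbids."""
    found = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        pair = (zone_of(flow.src), zone_of(flow.dst))
        if pair not in ALLOWED:
            found.append((flow, pair))
    return found


# Constructed flow log: a handful of records, two of which violate the policy.
SAMPLE_FLOWS = """\
# src dst dport
10.20.0.15 10.30.0.5 443
10.10.0.7 10.30.0.9 104
10.10.0.7 203.0.113.50 443
10.40.0.22 10.10.0.7 80
10.20.0.15 198.51.100.10 443
""".splitlines()


if __name__ == "__main__":
    for flow, (src_zone, dst_zone) in violations(SAMPLE_FLOWS):
        print(f"VIOLATION {flow.src} ({src_zone}) -> {flow.dst}:{flow.dport} ({dst_zone})")
```

Run it over a real export and every line it prints is either a missing firewall rule, a device plugged into the wrong VLAN, or a path that was never meant to exist; the policy table doubles as the segmentation section of the build standard.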
Recovery from ransomware, while historically difficult and unlikely, can often now be done. The industry has responded, tools to identify and often remediate infections are now available from many vendors, and the tooling is constantly evolving. However, a simple, well-implemented enterprise backup and recovery program for critical data can allow recovery from a ransomware outbreak with minimal loss of data. New variants of original ransomware are being released which aren’t possible to remediate. A specialist like Core Sentinel can help you understand your risks, and where to best focus your attention. Our security testing allows you to identify security weaknesses, vulnerabilities, and architectural weaknesses across the board, so you are able to prioritise risk remediation based on a risk assessment targeted to your specific business and technology environment.
Whether looking at the security of a blood gas analyser or a Siemens MRI, these systems are generally not addressed by IT teams inside organisations. This leaves them unpatched and now sitting connected to the internet. Core Sentinel addresses these areas that need a focused engagement and unique testing, ensuring healthcare institutions stay secure.
After all, as the medical industry is well aware, prevention is always better than a cure.
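The backup point above (and the earlier list item on up-to-date, offsite backups) only holds if the backup set is actually intact when it is needed: ransomware operators routinely encrypt or delete reachable backups, and a backup nobody has verified is a guess, not a control. The script below is an added example, not code from the article or from Core Sentinel. It records a SHA-256 manifest when a backup set is written and later checks that set for three failure modes: files whose content has changed, files that are missing, and files that appeared afterwards (such as a dropped note), plus a freshness check against the retention window. The directory layout and file contents are constructed inside a temporary directory so the example runs offline.

```python
"""Verify a backup set against a hash manifest before trusting it for recovery (added example)."""
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir):
    """Record a hash for every file in a completed backup set, plus when it was taken."""
    backup_dir = Path(backup_dir)
    return {
        "created": time.time(),
        "files": {
            str(p.relative_to(backup_dir)): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()
        },
    }


def verify_backup(backup_dir, manifest, max_age_hours=24, now=None):
    """Return a list of problems; an empty list means the set is fresh and unmodified."""
    now = time.time() if now is None else now
    backup_dir = Path(backup_dir)
    problems = []
    age_hours = (now - manifest["created"]) / 3600
    if age_hours > max_age_hours:
        problems.append(f"stale: backup is {age_hours:.1f}h old")
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"modified: {rel}")
    # Files not in the manifest appeared after the backup completed; on a backup
    # share that is itself a warning sign.
    present = {str(p.relative_to(backup_dir)) for p in backup_dir.rglob("*") if p.is_file()}
    for rel in sorted(present - set(manifest["files"])):
        problems.append(f"unexpected: {rel}")
    return problems


def demo():
    """Constructed scenario: a clean set, the same set after tampering, and a stale check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "patients.db").write_bytes(b"constructed sample data")
        (root / "imaging").mkdir()
        (root / "imaging" / "scan1.dcm").write_bytes(b"\x00" * 128)
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        # Simulate a backup share that was reached: one file rewritten, one file dropped in.
        (root / "patients.db").write_bytes(b"constructed: contents replaced")
        (root / "README_RESTORE.txt").write_text("constructed note")
        tampered = verify_backup(root, manifest)
        # A manifest older than the retention window is reported as stale.
        stale = verify_backup(root, manifest, max_age_hours=1, now=manifest["created"] + 7200)
        return clean, tampered, stale


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "stale"), demo()):
        print(label, "->", result or "OK")
```

The manifest should be stored somewhere the backup job cannot overwrite (an offsite or immutable copy), otherwise an attacker who can rewrite the backups can rewrite the manifest too; run the check on a schedule and treat any non-empty result as an incident, not a housekeeping item.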
Call one of our consultants today to see how we can assist you.