Patient Zero - The Enemy within
Author: Jessie Amado, Head of Cyber Research at Sepio Systems
Patient Zero - The Enemy Within. The healthcare industry provides day-to-day services, as well as life-saving operations.
The latter was no more evident than during the COVID pandemic in which the healthcare industry was relied upon like never before.
But with the overwhelming number of patients being admitted to hospital – suffering from a novel virus, no less – cybersecurity was the least of the industry’s concerns.
The perfect opportunity
Cybercriminals saw an opportunity to exploit the fear and uncertainty brought on by the pandemic by conducting more cyberattacks, according to the Cyber Security Agency of Singapore (CSA). A report by Protenus found that incidents targeting healthcare facilities increased by 42% from 2019 to 2020, marking the 5th year in a row that attacks on healthcare are rising. Asia-Pacific (APAC) was the second most attacked region in 2020, and McAfee reports that there has been a 54% surge in threats specifically targeting Asia from Q4 2020 to Q1 2021.
Where is the wealth in health?
Healthcare providers are appealing targets for all kinds of malicious actors carrying out various attacks. Ransomware, which causes operational disruption by making data and systems inaccessible through encryption, is the most common attack type experienced by the healthcare industry, accounting for 28% of attacks. In 2021, a ransomware attack caused an Australian healthcare facility to lose control of its systems for nearly two months, causing the organization to revert to manual, paper-based workarounds. However, the impact of ransomware can be more severe when there are no alternative workarounds.
The healthcare sector is part of a nation’s critical infrastructure, meaning its continuous functioning is fundamental to national security. The low tolerance for downtime means that any incapacitation can have significant consequences. By disrupting healthcare operations through ransomware, state-sponsored actors can seriously threaten an adversary’s national security. Ransomware attacks are less effective for financially motivated cybercriminals who seek an instant payout.
Organizations are backing up their systems and data, which minimizes the pressure to pay. As such, to coerce victims into paying, ransomware attacks are often preceded by data theft. Malicious actors will steal sensitive data and threaten to leak it to gain more leverage over their target when file encryption alone does not work.
Healthcare entities are often victims of data theft, whether ransomware follows or not. Everyone requires healthcare, meaning the industry collects masses of data. Patients’ Personally Identifiable Information (PII) can be stolen and used for identity theft or sold on the dark web. But a PII database, such as credit card numbers and addresses, is not unique to healthcare; what makes the industry such an appealing target for data theft is the collection of patients’ Protected Health Information (PHI).
PHI is worth three times as much as PII on the dark web due to the fact that this information is engrained within us and can never be changed. Credit cards can be blocked, addresses can be changed, but our medical history is a fixed part of who we are. Stolen PHI can get used in nefarious ways that, in some instances, put the victim’s life at risk.
The undiagnosed disease
Bad actors find great value in using hardware attack tools, known as Rogue Devices, to carry out their malicious activities. Such devices can inject malware, cause data breaches, and more, all while operating covertly. Traditional security software, such as NAC, EPS, IDS, or IoT Network Security, fails to provide the Layer 1 visibility required to detect and accurately identify all hardware assets. As a result of this blind spot, Rogue Devices, which operate on Layer 1, go undetected. By hiding or spoofing their identity through Layer 1 manipulation, Rogue Devices bypass existing security efforts, even those as stringent as Zero Trust.
Infecting the industry
Hardware-based attackers do face one main obstacle: the need for physical access to the organization. Yet, the healthcare industry is rife with vulnerabilities that make such access attainable. One such vulnerability is the industry’s digital transformation. Asia is leading the world in providing a digital healthcare ecosystem, which already impacts more than 1 billion lives, according to a report by McKinsey. While digitalization has many advantages to healthcare, it also expands the attack surface due to the interconnected environment. Every endpoint acts as an entry point; by accessing just one device, an attacker can gain control of more devices and/or the system.
In 2020, a Thai hospital suffered a ransomware attack that permeated into other connected networks, causing damage to patient databases, scanned medical records and the hospital’s telephone services, demonstrating the risk of an interconnected infrastructure. With the use of Internet of Medical Things (IoMTs) devices - ranging from activity trackers to heart-rate monitors - spillover effects of an attack can have a physical impact, even potentially resulting in fatal consequences. Further, IoMTs collect massive amounts of valuable data and the ease with which they can be accessed puts such data at risk of being compromised.
Employees are another vulnerability found within the healthcare industry (and all industries, for that matter). Negligence is the most common type of insider threat in the APAC region, a vulnerability exploited by the deceptive appearance of Rogue Devices. Such risk is exacerbated by the shift to remote work as the remote working environment is less secure, making the organization more accessible. Malicious insiders also pose a threat. Although instances of malicious employees carrying out attacks are less common, the outcome can be more severe. Their access to, and knowledge of, the organization’s infrastructure means malicious employees can carry out a hardware-based attack with ease.
Another vulnerability to healthcare facilities is their supply chains. A compromise of a trusted supplier can result in a widespread attack; a single point of attack can have multiple victims. Sometimes a supply chain attack is an instance of “spray and pray”, whereby the perpetrator has no specific second-hand target in mind. Other times, however, suppliers are specifically targeted because of their connection to an organization. When an organization is highly secured and cannot be physically accessed, hardware-based attackers can infiltrate it via their suppliers.
Organizations are only as secure as their weakest link, and the more suppliers there are, the more entry points for attackers. Attackers can get inside a supplier and plant a Rogue Device along the supply chain, where it will eventually land up inside the target. Alternatively, suppliers can fall victim to a hardware-based attack themselves due to data sharing between the organization and its suppliers. In the case of the latter, a healthcare provider in Singapore recently had its patients’ personal data compromised as a result of an attack on one of its suppliers.
HAC-1
To prevent hardware-based attacks – and protect their patients – healthcare entities need full asset visibility. Sepio Systems has developed the Hardware Access Control (HAC-1) solution to provide a panacea to the gap in device visibility. The HAC-1 solution uses Layer 1 information to calculate a digital fingerprint of all IT, OT and IoT assets, meaning every device gets identified as what it truly is.
Additionally, the comprehensive policy enforcement mechanism of the HAC-1 solution, combined with its Rogue Device Mitigation capability, means that any unapproved or rogue hardware is blocked instantly, preventing any hardware-based attacks from occurring. With the HAC-1 solution in place, not only is the hardware level covered but, in doing so, current cybersecurity investments, such as NAC, EPS, IDS, or IoT Network Security, get put to better use, and Zero Trust Hardware Access is achieved.
HAC-1 requires no hardware resources and does not monitor any traffic; within 24 hours, we can provide organizations with complete asset visibility, identifying and blocking previously undetected rogue or vulnerable devices. Healthcare facilities’ main focus might be that of their patients’ health, but we’re here to determine what’s infecting the facilities.
Follow Us
Patient Zero - The Enemy within
