News Jun 1, 2020

Protecting Our Healthcare Heroes: Preventing Cyber Attacks During a Crisis

Because healthcare has traditionally not been a high-profile target for attackers, network security of hospital and healthcare facilities has not typically been a priority. That is no longer the case.

Healthcare provider using an iPad with digital data swirling around

With the COVID-19 pandemic commanding a lot of the time, attention and resources of our healthcare networks, cyber thieves are using that as an opportunity to attack. Jacobs Operations Manager, Director and Data Scientist for Cyber Charles Ramsay shares some insights on steps to take to help protect our healthcare providers.

You might think, because of the life-saving work they perform every day, that healthcare providers would be immune from hackers and cyber thieves, especially during a pandemic.

This is not the case.

As reported in a recent news story from Bloomberg, cyber-attacks specific to the COVID-19 crisis events include attacks on the World Health Organization and the U.S. Health and Human Services Department hospitals; upon on federal, state, and private sector critical infrastructures; and include fraudulent attempted sales of pharmaceuticals and critical medical equipment, using online social engineering.

In a 2019 paper from Proofpoint: New Healthcare Report Reveals Top Trends in People-Centric Cyber Attacks, author Ryan Witt discusses the increase of activity (a 300% one-year increase in email phishing attacks alone) and the critical impact cyber-attacks have had on the medial industry through fraudulent emails, ransomware and system breaches: “77% of email attacks on healthcare companies used malicious URLs” and “Banking Trojans were the biggest threat to healthcare companies over the period of our research” (representing 41% of the malicious payloads).

An email attack containing a malicious link exposes the person to attack when they click on an email, taking them to a URL containing compromising executable code. A banking trojan is malware intended to extract banking account information from the victim’s banking accounts and computer assets.

How sophisticated banking trojan malware has become is illustrated by Emotet, a banking trojan now classified as a malware bot. As reported by Malwarebytes, the “Department of Homeland Security … conclude[s] that Emotet is one of the most costly and destructive malware, affecting government and private sectors, individuals and organizations, and costing upwards of $1M per incident to clean up.

ProofPoint’s one-year study concluded that bad actors are predominantly targeting healthcare professionals through social engineering methods as the tool for exploitation.

What is social engineering?

Social engineering is easily described as actions taken to influence another. The call to action by the person may be to the benefit or harm of the other. Social Engineering Attacks (SEA) are campaigns usually directed to exploit another for money, security exploits or information for use in another attack.

In Christopher Hadnagey’s book Social Engineering: The Art of Human Hacking, he breaks down Social Engineers into 11 categories ranging from Scam Artists and Identity Thieves to even Disgruntled Employees.

Types of SEA include email phishing attacks, online data collection of personal profile information and phone calls. Attacks include the impersonation of IT support, customer support or Human Resources, as well as federal or local government and others. Usually, during a SEA, the main goal is to extract as much information about the victim as possible, including personal information, credit card information, family information (e.g. names, birthdates, security credentials), phone numbers, job titles and roles, locations, social security information and anything that may provide hackers with enough data to proceed to the next phase of the attack. Next steps include using this information to gain access to others for exploitation or injecting malicious exploits on the victim’s computer network.

In Verizon’s 2019 Data Breach Investigations Report, over that last five years social engineering attacks have reportedly grown to 35% of all data breaches reported. Notedly, the Verizon findings do not include data breaches that may have come from compromised security credentials, leading to a system breach itself.

Attempts to exploit by human fear allow social engineers to gain information – for instance, healthcare worker information. The over-worked healthcare crisis management teams may be targeted because fear and stress breed opportunity for hackers.

Imagine yourself as a healthcare professional receiving the following email - Subject: “CDC Announces New COVID-19 Recommendations for Emergency Room Triage” - with a link embedded within the professional email message. It may only take one of potentially thousands of healthcare workers to click on that one malicious link to expose an entire hospital network.

Jacobs’ cyber response for healthcare

On a previous client engagement, Jacob’s Cyber data science team worked data that originated from a small hospital chain. During our evaluation, several IOCs (indicators of comprise – i.e. potential security breaches) were discovered, including an understaffed hospital IT department where the priorities were focused on the following:

  1. Healthcare staff day-to-day needs
  2. Billing
  3. Integration and maintenance of external systems (out of network)
  4. Renovation Planning

Because healthcare has traditionally not been a high-profile target for attackers, network security of hospital and healthcare facilities has not typically been a priority. That is no longer the case. Hospitals and healthcare facilities have gained the attention of those who intend mal-intent for predominantly financial gain through fraudulent means.

Recommendations

Through social engineering and other methods, a bad actor can gain a foothold on the computers of key IT personnel with the right document coupled with the right exploit in an instance. Below are some steps that may help alleviate cyber threats, specifically social engineering exploits.

  1. In general, just eliminating email workflows of documents that start outside of the organization can improve the organization’s security posture by an order of magnitude.
  2. Training and Personnel Diligence – It takes only one instance to compromise a network. Understanding cyber threats and training professionals on proper threat prevention guidelines assists in the prevention of such attacks. Cyber security awareness training, cyber workforce development and privacy awareness training to include social engineering prevention will all help to decrease threats.
  3. Workflows – Every organization has workflows that tend to revolve around email. Receiving, reviewing and approving attachments are commonplace. Clicking on links, opening attachments and other normal day-to-day innocuous activity may lead to exploitation. Workflows should be a) Identified, b) Eliminated and c) Mitigated:
    1. Identify - Identify existing workflows and observe potential points of risk;
    2. Eliminate – Choose security system workflows over email. Where possible, eliminate email attachment workflows. For instance, instead of accepting resumes or patient records as email attachments, request a link to a shared folder via a cloud document that can be viewed from an IT-approved browser;
    3. Mitigate –Some email attachment workflows will not be easily eliminated. However, email attachments can be stripped from emails and replaced with internal links to documents. Limiting exchanged interorganizational emails to those with whom you have an encryption relationship can decrease the likelihood of an attachment being malware.  But it must be remembered that the exchange of signatures involves public keys and there is no expectation that public keys will be protected. This means that encrypted emails can still come from spoofed email sources.
  4. Strict Adherence to Health Insurance Portability and Accountability Act (HIPPA) Compliance – HIPPA protects individual's Personal Health Information (PHI) from public access. There exist HIPPA Compliance Software Standards, and HIPPA compliant software includes Database Encryption and strong administrative protections (including frequent monitoring and audits). Risk Management Framework and other government-provided security frameworks and controls provide a strong security baseline for IT professionals.
  5. Cyber Readiness, Security Practices and Roles – Healthcare can benefit from proactive and tailored cyber initiatives to include defensive cyber vulnerability assessments, the application of canonical cyber tools and secure cloud appliances.
  6. Monitoring, Metrics and Adjustment – The monitoring and assessment of network traffic found in healthcare facilities can lead to the discovery of anomalous behavior beyond conventional Intrusion Detection Systems (IDS). Cyber BU analytics that discover threats that normally go undetected can be leveraged.

Cyber-attacks are targeting our healthcare system and have the potential to significantly disrupt the ability to provide critical aid. As networks are increasingly vulnerable, especially through social engineering, we recommend identifying, eliminating and reducing workflows surrounding email systems to greatly reduce the risk of end points being compromised.

About the author

Charles Ramsay, Jacobs Operations Manager, Director and Data Scientist for Cyber, is a computer and data scientist with over 20 years’ experience. He and his team are responsible for data science research and development and for the transition of capabilities into real-world client needs.