One year on, the WannaCry scare hasn't made healthcare security any better
Cybersecurity in the healthcare sector was put under the spotlight after the WannaCry ransomware attacks that hit in May 2017, and it painted a vivid picture of how threats can paralyse real-world processes.
That's according to Trend Micro and HITRUST's latest research on how connected hospitals can be exploited – and researchers believe that the WannaCry scare has only made matters worse.
The research paper, titled Securing Connected Hospitals, looks at how internet-connected medical devices are often exposed due to misconfigured networks or software interfaces.
Connected devices can include surgical equipment, office applications, inventory systems, monitoring equipment, and imaging equipment.
Using search website Shodan, researchers were able to pinpoint devices connected to the Internet of Things and gather information about the devices' geographic locations, hostnames, operating systems, and other information.
“An adversary can also use Shodan to perform detailed surveillance and gather intelligence about a target, which is why Shodan has been called the World's Most Dangerous Search Engine,” the report says.
Beyond Shodan, exposed devices can also be profiled using network tools. Attackers could potentially access sensitive data, webcam feeds, compromise assets to conduct DDoS attacks or botnets, demand ransoms and much more.
The paper also looked at how supply chain attacks, including associates and third-party contractors, also play a dangerous role – 30% of healthcare breaches in 2016 were due to third parties.
“Supply chain threats arise as a result of outsourcing suppliers, and the lack of verifiable physical and cybersecurity practices in place at the suppliers,” the report says.
“Suppliers do not always vet personnel properly, especially companies that have access to patient data, hospital IT systems, or healthcare facilities. Vendors do not always vet their own products and software for cybersecurity risks, and may also be outsourcing resources as well. This allows perpetrators to exploit sensitive information across the supply chain.
There are seven major supply chain threat vectors that attackers can use against the healthcare sector:
Firmware attacks, mHealth mobile application compromises, source code compromise during the manufacturing process, insider threats from hospital and vendor staff, website/EHR and internal hospital software compromise, spearphishing, and third party vendor credentials.
The report points out that source code compromise during the manufacturing process can be extremely dangerous because hospitals tend not to test device security before installing it on their networks.
While no data on incidents involving medical devices was publicly disclosed in 2017, tablets, phones and even USB devices have been compromised in the past.
“In 2016, a healthcare organization unknowingly sent 37,000 malware-infected USB thumb drives to their offices nationwide. The manual of procedure codes for that year included the flash drive on the back pocket,” the report says.
The paper draws on qualitative risk analysis of various attack vectors to give an overview of some of the most pressing threats in healthcare.
Those threats include insecure devices that can be used to access a network, DDoS attacks, spear phishing, and unpatched systems.
“Having effective alert, containment, and mitigation processes are critical. The key principle of defense is to assume compromise and take countermeasures.
- Quickly identify and respond to ongoing security breaches.
- Contain the security breach and stop the loss of sensitive data.
- Pre-emptively prevent attacks by securing all exploitable avenues.
- Apply lessons learned to further strengthen defenses and prevent repeat incidents.