The recent Vectra 2019 Spotlight Report on Healthcare indicates that the proliferation of healthcare internet-of-things (IoT) devices, along with a lack of network segmentation, insufficient access controls and reliance on legacy systems, has created an increasing attack surface that can be exploited by cyber criminals determined to steal personally identifiable information (PII) and protected health information (PHI) in addition to disrupt healthcare delivery processes.
Protecting patient medical, insurance and personal information must be a top priority. However, to best protect that data, security professionals need a better understanding of the types of cyber threats they are dealing with. That was the purpose of the report, which was published in April 2019.
In addition, the report has identified gaps in policies and procedures that can result in errors by healthcare staff. In fact, the findings of the report are in line with those of the Verizon 2019 Data Breach Investigations Report (DBIR) for the healthcare industry, which indicates that the majority of breaches are associated mostly with internal actors (59%) than with external ones (42%). This means that human errors pose a bigger risk in healthcare, most often in the form of misdelivery, which Verizon describes as sending something intended for one person to a different recipient. Misdelivery is followed by publishing errors, disposal errors, loss and misconfiguration.
Before digging into the report findings, it is important to understand the challenges the modern healthcare environment faces.
Saving lives and treating patients is the top priority for healthcare organizations, and they can’t afford to have their systems down to be patched, even for just a few hours. Sustaining 24/7 operations is critical for all healthcare organizations. Consequently, outdated systems and software have become common, and many healthcare legacy systems lack essential cybersecurity controls. The truth is that in an emergency a lot of well-planned protocols, procedures, security controls and training are being ignored by medical personnel trying to save a human life.
Medical IoT devices offer new ways to monitor patients and equipment while improving care and lowering costs. But many of these smart devices have unknown security protections. Connected medical devices – from Wi-Fi enabled infusion pumps to smart MRI machines – increase the attack surface of devices sharing information and create security concerns including privacy risks and potential violation of privacy regulations.
In addition to the above, most hospitals don’t have network segmentation of IoT from other devices. The result is that any device that is introduced locally can end up having a global organizational impact especially due to the lateral movement of patient medical and sensitive information across devices and departments. The security problem becomes more threatening because of the procurement procedures of medical devices. Security isn’t often included in the device acquisition or implementation phases, and it is usually an add-on feature. The lack of embedded security features increases the risk of human error, which can be anything from poor system configuration to the absence of audit logs, unauthorized access control or even a lack of processes surrounding the device’s use.
The device problem isn’t just about medical IoT. Medical facilities also allow BYOD (bring your own device), and many of those devices are considered non-compliant. Often bringing in their own personal devices are physicians employed by outside, independent medical groups which work on-site at multiple hospitals and medical students at teaching hospitals who have access to critical healthcare information for academic purposes. Even if there are proper policies in place regulating the use of personal devices, violation of policies occurs unintentionally by staff focused on providing the optimal patient care.
In all these examples, healthcare systems are exposed to outside networks with limited security controls.
Key Findings from the 2019 Spotlight Report on Healthcare
Hidden HTTPS Tunnels
According to the report, the most prevalent method attackers use to hide their command-and-control communications in healthcare networks was through hidden HTTPS tunnels. This traffic represents external communication involving multiple sessions over long periods of time that appear to be normal encrypted web traffic. When attackers hide their command-and-control communications in HTTPS tunnels, it often looks like service provider traffic. Validating that a device’s connectivity to remote locations is working as intended is a challenge for healthcare security teams as it is unclear what ports should be allowed to communicate inside and out of the network because service providers set their own requirements and documentation often lags behind versions and upgrades.
Hidden DNS Tunnels
The most common method attackers use to hide data exfiltration behaviors in healthcare networks was through the use of hidden DNS tunnels. “In a hospital, the moving of patient data is quite normal,” explains Chris Morales, head of security analytics at Vectra. “This is to both through the sharing of patient records between medical professionals to provide health care as well as the management of medical devices by the device manufacturer.”
This can emanate as outbound network traffic in many different ways. “Hidden DNS tunnels often are associated with IT and security tools that use DNS communication. Smash-and-grab behaviors can reflect the normal operation of an IoT device. And data smuggling behaviors can occur when patient medical records are transferred.” Bottom line, anytime patient data in transit are left exposed due to a configuration error, it becomes easier for an attacker to compromise and access the system involved in the data transfer.
Ransomware and Botnet
While many healthcare organizations experienced ransomware attacks in recent years, the report found that ransomware threats were not as prevalent in the second half of 2018. Besides this statistic, it is still important to detect and intercept ransomware attacks early before files are encrypted and clinical operations are disrupted. On the other hand, while botnet attacks persist everywhere, their rate of occurrence in healthcare is lower than in other industries. Botnet attacks are opportunistic and are not targeted at specific organizations.
Can We Decrease Human Error?
Commenting on the report findings, Christos Sarris, CISO for a prominent healthcare organization in Greece with more than 15 years worth of experience in the field, said that machine learning and AI can assist healthcare organizations in better securing networks, workloads and devices and provide data security by analyzing behaviors across systems. Although the integration of AI and machine learning in the healthcare industry can improve the visibility to quickly and accurately detect threat behaviors on and between all devices, it isn’t the sole option to consider. In fact, technology isn’t a panacea when it comes to solving security problems. Technology has to be supplemented by processes and people. In the case of the healthcare industry, the security problem can be alleviated by providing simple organizational measures, such as the development and adherence to policies and procedures on the proper handling of medical devices and medical information.
In order to support the successful implementation of any cybersecurity plan, and prior to checking out security solutions, healthcare organizations must consider providing knowledge. This can be done through proper awareness programs, which will cater for involvement and participation of employees in security awareness activities. These awareness programs can be one of the most cost-effective components of an overall healthcare protection program. The protection level of a medical care facility is directly related to the extent to which employees participate in the security effort. And to achieve that, healthcare personnel needs to be educated, stimulated and motivated.