2015’s Anthem and Premera breaches made the general public more aware of the importance of security in healthcare organizations. 2016 brought fewer instances of massive healthcare breaches, but sadly this does not suggest that the problem has been solved. In fact, 2016 brought a surfeit of successful ransomware attacks in a variety of industries, and medical facilities were a particularly juicy target for this type of threat. This, coupled with an upsurge in internet-connected medical devices and fitness trackers, indicates that the future of healthcare is likely to continue to bring significant challenges.
One might think of the swelling tide of ransomware as a problem in and of itself. While it is causing huge headaches and monetary loss, the success of ransomware is symptomatic of a greater problem. Ransomware is a type of threat that can generally be mitigated by following minimum security practices for endpoints and the network. In fact, in the wake of the discovery of the first ransomware variants, security experts may have taken it somewhat less seriously because it can be so easily thwarted, even when the malware file itself is not detected before execution: a victim need only restore from backups to get around the ransom demands.
Except that when it comes to practical, real-world protection, security measures are often not implemented in the way that the security community would hope. It may appear initially that it is costlier to restore from backups than to accede to ransom demands. Some businesses may not make regular backups at all. Security products designed to detect malicious emails, files, links or traffic may be improperly configured, or simply absent. Backup strategies may not be properly implemented, so that the backups themselves are also vulnerable to ransomware attacks or other risks. Users may disable or go around security products if they feel those measures are preventing them from doing their jobs.
Whatever the root cause, the end result is that affected businesses may feel they need to pay criminals in hopes of getting their data back. In healthcare, where quick access to data can be a matter of life and death, the cost of being hit with ransomware is significantly magnified.
Criminals know this and are deliberately targeting medical organizations. It will take some simple but powerful action to reverse this trend. But by setting in place a solid base of security, we may be able to decrease both the effects of future malware threats and the risk posed by new technology.
We’ve discussed on WeLiveSecurity the importance of risk assessment in healthcare. By regularly categorizing assets and transmission methods, you can pinpoint possible vulnerabilities and risks. When you take into account the likelihood and potential cost of those risks, you can get a sense of which things you should address most urgently.
In the case of ransomware, there are a few ways that risk assessment could help address the situation:
The assets at risk of being encrypted are, unfortunately, almost any data or systems that are accessible on your network or by the internet. The origins of ransomware attacks are often phishing emails containing malware files or links via which to download malicious files. So the transmission method in this instance would be considered email, with a focus on social engineering. The malware typically needs to be able to call back out to a command and control channel to receive instructions, which many variants do through common protocols like HTTP or HTTPS. While the specifics of monetary damage vary from one organization to another, the likelihood of being attacked is currently very high for all industries and sizes of business.
To reduce the risk, there are a variety of things you can do. For example:
As the healthcare industry becomes more computerized, more healthcare practitioners and patients are utilizing medical and fitness devices. These devices are often full of sensitive information, yet security and privacy are often an afterthought.
As we’ve seen with the ransomware trend, the risk of having highly sensitive information without a solid base of security can lead to significant problems. But since this technology is fairly new, now is a good time to focus on how to secure these devices.
Medical devices used within hospital networks can be large and expensive machines, which often run on common – and all too often very outdated – operating systems (such as Windows XP Embedded). These devices often provide easy access to the rest of the hospital network, where many different types of sensitive information are kept: financial information for billing, identity information for insurance purposes, as well as health-related information generated by patient visits.
From a criminal perspective, this is a wealth of lucrative data – potentially more than ten times as valuable as credit or debit card details alone. Medical devices in a hospital often use a similar operating system to desktop machines, so you may be able to use the same technology and techniques to secure them. If a device is using a severely outdated (and potentially unsupported) operating system, however, it must be given significant additional protection. It might be preferable to keep the machine completely disconnected from all network connections, though care must still be taken to protect against threats spread by removable media.
Medical devices and trackers used at home are typically very small, so that they can be worn or implanted without being obtrusive. Most use either proprietary or Linux-based operating systems. They may be connected to the internet or they may be able to sync with a mobile device or desktop computer. And like hospital-based devices, they may also be updated infrequently, if at all.
A device used by a patient at home doesn’t usually store payment card information, but there may be other data on these devices that criminals could find useful to steal or modify, such as an email address, a username and password, or GPS data including a home or work address. In addition, it could indicate when the user is away from home or asleep. An attack on an implantable medical device could allow criminals to make a variety of changes to prescribed measures, which could cause serious (or even fatal) medical problems.
On a personal medical device, it is most important to keep the machine from being used to harm users or to compromise their privacy. An attack on an internet-enabled insulin pump or pacemaker will naturally be significantly different from one on a fitness tracker. The security measures needed to protect the devices will be the same, though an insulin pump or pacemaker may need to have more stringent settings enabled by default.
Manufacturers of both personal and hospital-based medical devices have the opportunity to lead a shift towards better security by giving it serious consideration, starting in the design phase. There are a variety of things device makers should be doing to make devices more secure:
This article is an adapted version of the corresponding section from ESET’s 2017 trends paper, Security Held Ransom.
Author Lysa Myers, ESET