Nation-State Cyber Attacks on Healthcare? Basics First, Then Prepare for the Worst
Notable chief information security officer (CISO) Stephane Nappo once said, “One of the main cyber-risks is to think they don’t exist. The other is to try to treat all potential risks…Fix the basics, protect first what matters for your business and be ready to react properly to pertinent threats. Think data, but also business services integrity, awareness, customer experience, compliance, and reputation.”
As we begin 2020, businesses are faced with two very different threats, both of which are exacerbated in the healthcare sector. One we have known about for more than four years, and it is core to our basic technology. However, the problem has not been fully addressed and falls into the “thinking they don’t exist” category. The other sprang (almost) from nowhere: the result of geopolitical actions and a threat not yet seen in the U.S., although it has been used across the globe for over ten years. It is much more difficult to prepare for, and no one knows if it will ever be unleashed in the U.S., let alone targeted at healthcare. This falls into the “try to treat all potential risks” bucket.
If you identified Windows 7 end of life (EOL), along with Windows Server 2008 R2, as the first threat, you are correct. You likely could tell that threat number two was about potential Iranian “wiper” attacks aimed at the U.S. While the hyperbole has seized on how ill-prepared we are for a wiper attack (and it is true), there appears to be less concern about our failure to prepare for something we knew was going to happen. As in the case of Windows 7 EOL, we have had years to plan, budget and prepare, but now the focus has shifted to a real threat (wiper attacks), and the basic protections that would thwart it are undermined, in part, by our continuing failure to fix the basics.
The state of healthcare cybersecurity
Healthcare as a sector lags in cybersecurity best practices. We still do not do upgrades or patches when we should. We still do not invest in basic security best practices or proper staff training to tackle the hyper-connected world we live in.
We have only just begun to address connected devices that are on our production networks and in many cases are directly touching patients. We don’t run healthcare with cybersecurity as a strategic function of the business. We are just beginning to figure out that information and information technology are strategic to the business. At the same time, we are constantly developing new health technology and new ways to collect and use information and we put as much of that as we can in the hands of our customers or patients.
The healthcare sector does not yet understand or act like information and information technology are what keep all the processes running (scheduling, direct care, supply chain, etc.). We are quick to ground a plane that is identified as unsafe, but finding the budget for upgrading to Windows 10 or applying patches can be next to impossible. When the basics are in place and working, it is much easier to move to the next level of response and react to major breaches or attacks.
How has cybersecurity changed?
The U.S. drone strike that killed Qassem Soleimani will have a dramatic impact on how we prepare for and respond to cyberattacks in the U.S., as Iranian cyber actors have significant experience in destructive wiper attacks that have not yet targeted the U.S. mainland.
Historically, the cybersecurity threat most companies have faced is data exfiltration. Attackers break into a system and extort or sell the data for a profit or influence. The data is not lost, the systems are still operational, and the company has to deal with both the embarrassment and potential regulatory fines for the loss of sensitive data. In this type of incident, the company’s operations are not impeded.
Ransomware is a more malicious attack where data is locked or access to it is blocked. In many cases, operations are impacted briefly but a company is able to pay the ransom to the extortionist or restore data from backups and resume its operations. In the past few years, particularly 2019, these types of attacks have increased in frequency with targets focused on local governments and healthcare, both of which lack the sophistication to prevent such attacks.
. . . and for healthcare?
Hitting state and local governments is a solid political target. It gains significant attention, and their defenses are not as mature or robust as those of the federal government or the financial sector. If you consider the similarities and the frequency of attacks in our industry, healthcare could be another target.
When an attacker takes down a hospital or care provider, they must often divert patients to other facilities for care and it can have a long-lasting regional impact. Healthcare organizations have shut their doors and sent patients looking for new providers after ransomware attacks. Also, keep in mind that healthcare represents almost 20% of the Gross Domestic Product (GDP), making it an even more attractive political target, which is why healthcare organizations need to prepare.
With ransomware, you may have the chance to “buy” your data back or have backups that can be restored. However, with these destructive wiper attacks, you are down to a bare metal environment – no boot sector, no operating system, no applications, etc. Everything is gone, not just the data. Organizations must rebuild or replace machines and start over. This must fundamentally change how organizations respond. Even if the attacks target the “grid” (for example, ICS systems in the energy sector), this will impact healthcare, where power outages are usually planned for durations of around three days, not extended periods.
Which organizations are at risk?
Organizations that have previously classified ransomware as a “high risk” must either reclassify it lower to make room for cyberwar or create a new risk tier of “very high risk.” Preparation and response will be determined by how organizations address the “basics,” define what is important to the business, and whether the business knows and acts like information and the supporting technology are critical to its operations.
First, healthcare organizations should reevaluate their cyber resilience program. Focus on the ability of all departments to function for an extended period of time without fully functional IT systems, or even without phones or electricity. This should include frequent incident response exercises that involve all departments, not just the traditional IT participants. With this new tier of risks, investment decisions should be easier to justify. Gaps discovered during the cyber resilience exercises will likely identify new very high risks.
Until you have addressed the basics, more advanced threats will have little trouble “taking over.” First and foremost, you should implement security best practices if you are not already. Some things that should already be in place include:
· Reduce privileged accounts within the environment
· Implement multifactor authentication (MFA) throughout the environment
· Baseline internal network activity and monitor for possible lateral movement
· Know that patching is critical to preventing exploitation of existing vulnerabilities and subsequent remote compromise
· Enact PowerShell protections
· Have backups, test backups, and keep offline backups
· Store backups apart from the primary network and only allow read-only access to the backups
· Ensure that those responsible for setting up backup systems also confirm the backups are available not only in cases of fire, flood and earthquake (disaster continuity) but also that they are beyond the reach of attackers who may search for them from inside the network
· Consider an action plan for quickly establishing temporary business functionality
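As an added illustration of the checklist above (example code written for this page, not from the article or CynergisTek), the following read-only PowerShell check inspects one Windows host for three of the basics: whether it still runs the end-of-life Windows 7 / Server 2008 R2 kernel (NT 6.1), whether the standard Group Policy keys for PowerShell script block logging, module logging and transcription are set, and how large the local Administrators group is. The registry paths are the documented policy locations; the group-size threshold of three is an assumption to adjust for your environment.

```powershell
# Added example (not from the article): read-only check of a few "basics"
# on one Windows host. Run from an elevated PowerShell prompt (5.1 or later).

function Test-HealthcareBasics {
    $findings = @()

    # 1. End-of-life OS: Windows 7 and Windows Server 2008 R2 both report NT 6.1.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    if ($os.Version -like '6.1.*') {
        $findings += "EOL operating system: $($os.Caption) ($($os.Version))"
    }

    # 2. PowerShell protections: the Group Policy keys below hold a DWORD of 1
    #    when script block logging, module logging and transcription are on.
    $psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $checks = @{
        'ScriptBlockLogging\EnableScriptBlockLogging' = 'script block logging'
        'ModuleLogging\EnableModuleLogging'           = 'module logging'
        'Transcription\EnableTranscripting'           = 'transcription'
    }
    foreach ($entry in $checks.GetEnumerator()) {
        # Split "Subkey\ValueName" into its two parts (regex '\\' is one backslash).
        $subKey, $valueName = $entry.Key -split '\\', 2
        $item = Get-ItemProperty -Path "$psPolicy\$subKey" -Name $valueName `
                                 -ErrorAction SilentlyContinue
        if (-not $item -or $item.$valueName -ne 1) {
            $findings += "PowerShell $($entry.Value) is not enabled"
        }
    }

    # 3. Privileged accounts: flag a local Administrators group larger than an
    #    assumed baseline of three members.
    try {
        $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
        if ($admins.Count -gt 3) {
            $names = $admins.Name -join ', '
            $findings += "Local Administrators has $($admins.Count) members: $names"
        }
    } catch {
        $findings += "Could not enumerate local Administrators: $($_.Exception.Message)"
    }

    return $findings
}

Test-HealthcareBasics | ForEach-Object { Write-Output "FINDING: $_" }
```

An empty result means none of the three checks raised a finding on this host; it says nothing about patch level, MFA or backups, which need their own verification.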
The potential for a wiper attack in the U.S. is higher than it has ever been. It is a real threat. Trying to prepare for that problem while neglecting the basics – the investment in, the training, the staffing, the capabilities – is like building the roof before laying a foundation. You may have a fine roof but there will be nothing to hold it up and no way to put anything under it.
Security in healthcare has come a long way but it is not where it needs to be. If we cannot fully prepare for a known OS replacement in four years, there is not much hope for a wiper attack that almost no one has planned for, in or out of healthcare. Organizations that have laid the foundation by building a culture of security will fare much better than the others who operate as if cyber-risks simply don’t exist.
David Finn is EVP, Strategic Innovation, for cybersecurity firm CynergisTek