2015’s Anthem and Premera breaches made the general public more aware of the importance of security in healthcare organizations. 2016 brought fewer instances of massive healthcare breaches, but sadly this does not suggest that the problem has been solved. In fact, 2016 brought a surfeit of successful ransomware attacks in a variety of industries, and medical facilities were a particularly juicy target for this type of threat. This, coupled with an upsurge in internet-connected medical devices and fitness trackers, indicates that the future of healthcare is likely to continue to bring significant challenges.
Ransomware is the tip of the iceberg
One might think of the swelling tide of ransomware as a problem in and of itself. While it is causing huge headaches and monetary loss, the success of ransomware is symptomatic of a greater problem. Ransomware is a type of threat that can generally be mitigated by following minimum security practices for endpoints and the network. In fact, in the wake of the discovery of the first ransomware variants, security experts may have taken it somewhat less seriously because it can be so easily thwarted, even when the malware file itself is not detected before execution: a victim need only restore from backups to get around the ransom demands.
Except that when it comes to practical, real-world protection, security measures are often not implemented in the way that the security community would hope. It may appear initially that it is costlier to restore from backups than to accede to ransom demands. Some businesses may not make regular backups at all. Security products designed to detect malicious emails, files, links or traffic may be improperly configured, or simply absent. Backup strategies may be improperly implemented, leaving the backups themselves vulnerable to ransomware attacks or other risks. Users may disable or go around security products if they feel those measures are preventing them from doing their jobs.
Whatever the root cause, the end result is that affected businesses may feel they need to pay criminals in hopes of getting their data back. In healthcare, where quick access to data can be a matter of life and death, the cost of being hit with ransomware is significantly magnified.
Criminals know this and are deliberately targeting medical organizations. It will take some simple but powerful action to reverse this trend. But by setting in place a solid base of security, we may be able to decrease both the effects of future malware threats and the risk posed by new technology.
The importance of assessing and remediating risk
We’ve discussed on WeLiveSecurity the importance of risk assessment in healthcare. By regularly categorizing assets and transmission methods, you can pinpoint possible vulnerabilities and risks. When you take into account the likelihood and potential cost of those risks, you can get a sense of which things you should address most urgently.
In the case of ransomware, there are a few ways that risk assessment could help address the situation:
- What assets are at risk of being encrypted by ransomware?
- What transmission methods allow the ransomware to enter your network?
- What methods allow the threat to receive commands to encrypt your files?
- What is the likelihood of being hit by this threat?
- What is the potential monetary damage caused by a successful attack?
The assets at risk of being encrypted are, unfortunately, almost any data or systems that are accessible on your network or by the internet. The origins of ransomware attacks are often phishing emails containing malware files or links via which to download malicious files. So the transmission method in this instance would be considered email, with a focus on social engineering. The malware typically needs to be able to call back out to a command and control channel to receive instructions, which many variants do through common protocols like HTTP or HTTPS. While the specifics of monetary damage vary from one organization to another, the likelihood of being attacked is currently very high for all industries and sizes of business.
To reduce the risk, there are a variety of things you can do. For example:
- Backups performed regularly and then verified are a very effective way to mitigate damage once a system or network is affected.
- Network segregation may limit the effects of malware once it’s on your systems.
- Filtering email for spam and phishing, as well as blocking popular file-types used by malware authors, can help decrease the risk of the malware ever reaching your users.
- Educating users early and often can decrease the odds of the malware being executed.
- Encouraging your users to submit suspicious emails or files to IT or security staff can help increase the effectiveness of your filtering methods.
- Anti-malware software used on the gateway, network and endpoint can help identify and prevent malware from entering your network, or decrease damage done if it should succeed in getting past initial defenses.
- Firewalls and intrusion prevention software may help identify unknown or unwanted network traffic.
These steps would not simply mitigate the risk of ransomware; they could also help reduce the likelihood of a variety of other types of attacks. Thoroughly assessing risk and improving an organization’s overall security posture can significantly decrease both the frequency and severity of all types of security breaches.
Medical and fitness devices
As the healthcare industry becomes more computerized, more healthcare practitioners and patients are utilizing medical and fitness devices. These devices are often full of sensitive information, yet security and privacy are often an afterthought.
As we’ve seen with the ransomware trend, the risk of having highly sensitive information without a solid base of security can lead to significant problems. But since this technology is fairly new, now is a good time to focus on how to secure these devices.
Medical devices in healthcare networks
Medical devices used within hospital networks can be large and expensive machines, which are often run on common – and all too often very outdated – operating systems (such as Windows XP Embedded). These devices often provide easy access to the rest of the hospital network where many different types of sensitive information are kept: financial information for billing, identity information for insurance purposes, as well as health-related information generated by patient visits.
From a criminal perspective, this is a wealth of lucrative data – potentially more than ten times as valuable as credit or debit card details alone. Medical devices in a hospital often use a similar operating system to desktop machines, so you may be able to use the same technology and techniques to secure them. However, if a device is using a severely outdated (and potentially unsupported) operating system, it must be given significant additional protection. It might be preferable to keep the machine completely disconnected from all network connections, though care must still be taken to protect against threats spread by removable media.
Medical devices and trackers at home
Medical devices and trackers used at home are typically very small, so that they can be worn or implanted without being obtrusive. Most use either proprietary or Linux-based operating systems. They may be connected to the internet or they may be able to sync with a mobile device or desktop computer. And like hospital-based devices, they may also be updated infrequently, if at all.
A device used by a patient at home doesn’t usually store payment card information, but there may be other data on these devices that criminals could find useful to steal or modify, such as email address, username and password, and GPS data including home or work address. In addition, this data could indicate when the user is away from home or asleep. An attack on an implantable medical device could allow criminals to make a variety of changes to prescribed measures, which could cause serious (or even fatal) medical problems.
On a personal medical device, it is most important to keep the machine from being used to harm users or to compromise their privacy. An attack on an internet-enabled insulin pump or pacemaker will naturally be significantly different from one on a fitness tracker. The security measures needed to protect the devices will be the same, though an insulin pump or pacemaker may need to have more stringent settings enabled by default.
Securing medical devices
Manufacturers of both personal and hospital-based medical devices have the opportunity to lead a shift towards better security by giving it serious consideration, starting in the design phase. There are a variety of things device makers should be doing to make devices more secure:
- Design for privacy – Learn the seven principles of Privacy by Design.
- Encrypt data – Protect data both on disk and in transit with strong encryption, when sent via email, web or IM, or when synced with the user’s computer.
- Clarify data storage options – Give users the ability to store tracked info locally, rather than just in the cloud.
- Authenticate account access – Verify that users are who they say they are. It is especially important to authenticate before allowing the viewing, sharing or modifying of information on implanted devices, as the consequences of misuse are significantly higher. Provide multi-factor authentication for online account access.
- Create a fail-safe state – Errors and malfunctions happen. Devices must default to a state that maintains access to critical functionality and does not endanger users when problems occur.
- Assume code may be used maliciously – Legitimate code may be used in a way that forces the device to execute unauthenticated code. It is vital to handle errors in a way that takes into account this possibility so that devices cannot be used maliciously.
- Prepare for vulnerabilities – Establish and openly publish a responsible disclosure policy for vulnerability reports.
- Prepare for breaches – Create an incident response plan so that you can react appropriately in the event of a data breach. This will both save time and allow you to choose your words wisely, in the event of an emergency.
- Prepare for government scrutiny – The FTC and FDA are both watching the medical device space closely, so making changes now can help avoid legal problems and hefty fines down the road.
The security of the healthcare industry is likely to be in the spotlight for the foreseeable future. Despite the current troubles, the opportunity exists to make a significant transformation that could serve as a model of positive change for other industries, as the Internet of Things makes its way into our homes and workplaces.
This article is an adapted version of the corresponding section from ESET’s 2017 trends paper, Security Held Ransom.
by Lysa Myers, ESET We Live Security