When we think about hospitals, we usually don’t think about IT. But there’s a huge digital infrastructure behind healthcare. From digitized patient records to early-diagnosis neural networks, modern medicine is at least as dependent on computers working properly as any other industry.
Cybercriminals know this too and repeatedly target healthcare providers, impacting their ability to treat patients.
Amid the pandemic, telemedicine adoption surged: telehealth adoption in the US rose from just 11% to 46% in 2020. The shift to remote healthcare happened while hospitals were battling Covid, when strain was at its highest and staff were exhausted.
Cybercriminals took advantage. According to a report by Protenus, there was a 44% year-over-year increase in incidents involving healthcare organizations in 2022. Over 50 million patient records were leaked in 905 attacks.
As it turned out, a combination of common and unique security challenges meant that hospitals were unprepared for the rapidly rising cyber threat.
5 hospital cybersecurity challenges
Here are some of the reasons that make hospitals especially susceptible to hacking:
1. Personal devices
Doctors and nurses access confidential information on personal devices. This boosts productivity and convenience, but also creates cybersecurity risks. Without a unified security policy, each gadget is a potential attack vector.
2. Vulnerabilities in medical equipment
McAfee researchers found troubling vulnerabilities in B. Braun infusion pumps that can allow attackers to hijack them and deliver doses of medication remotely. Some cardiac devices are also susceptible to cyberattacks.
3. Bad practices
CISA identified the use of bad practices in hospitals. Standard or known passwords, end-of-life software, and lack of 2FA are all examples of bad cybersecurity practices.
4. High impact of attacks
Attacks directly impact the ability of hospitals to provide healthcare. A study by CISA found that there is a direct correlation between hospital cyberattacks and mortality rates. Cyber incidents disable testing and diagnostic equipment and increase staff workloads. This makes healthcare providers ideal ransomware victims, as the pressure to resume operations is extreme.
5. High value of patient records
Patient records are worth a lot of money. These files contain confidential information like social security numbers and medical history. Sources don’t agree on the exact price, but they sell from $10 to $1000 with an average of around $100. And whole databases can go for hundreds of thousands of dollars. Because of this, hospitals face data breaches and insider threats.
Top 6 hospital cyber threats
These are the most common threats faced by healthcare providers, though the list is not exhaustive.
1. Ransomware
Ransomware attacks lock medical professionals out of workstations and, by encrypting vital files, disrupt the ability to deliver urgent care. Healthcare is among the top 3 sectors targeted by this type of malware.
2. DDoS attacks
Criminals flood hospital servers with junk traffic, disrupting access to patient records and disabling medical equipment. Sometimes DDoS is combined with ransom attacks and other malware. Roughly 75% of all multi-vector threats are concentrated in healthcare, government, education, and finance.
3. XSS attacks
In a cross-site scripting (XSS) attack, hackers create fake internal login pages and steal the credentials of medical workers in order to access confidential data.
4. Phishing
Attackers use email or messaging apps to trick victims into giving away credentials or downloading malware. One study found that nearly 3% of email traffic to a National Health Service trust is potentially malicious. That represents 100,000 phishing emails per year for just one organization.
5. Zero-day exploits
Zero-day exploits take advantage of previously unknown vulnerabilities to gain entry into a system. Such vulnerabilities exist in IoT medical devices and in end-of-life or unsupported software.
6. Insider threats
Medical workers can cause data breaches by accidentally or intentionally accessing and copying databases. Confidential files can be taken off-site on digital hard drives or leaked from personal devices that can access patient records.
What can hospitals do?
Here are a few methods you can use to protect your hospital against malware and prevent breaches:
- Track emerging cyber threats. Malware is constantly evolving, and one of the best ways to defend against it is to be proactive and know what’s out there. CISA, Imperva, and ANY.RUN have malware and vulnerability databases that update frequently.
- Hold regular risk assessment meetings. Heads of departments should periodically hold meetings to analyze potential attack vectors.
- Plan for a breach, so you know what to do when it happens. You don’t want to be caught off guard during an incident. Prepare a response plan that outlines ownership and responsibility, communication, containment, eradication, and recovery.
- Educate employees about phishing. Teach staff about the dangers of malicious links and files and how to identify phishing.
- Filter spam emails. This won’t block 100% of malicious emails, but it will reduce their amount — and risk associated with phishing — significantly.
- Use 2FA. Two-factor authentication requires users to provide a one-time password (OTP) sent to a different device during login. This simple measure is often enough to prevent unauthorized access.
- Log privileged activities. For example, giving an account additional rights is a privileged activity. Monitor these actions to identify insider threats or system breaches early.
- Disable USB ports. Flash drives can be used to smuggle patient records off hospital grounds. Disabling USB ports on workstations ensures that data cannot be copied to a removable drive.
- Control what applications can do. For example, configure workstations so that Excel can run but cannot launch PowerShell. This protects against backdoor malware delivered through Office documents.
- Disable credential caching. Many applications and web browsers store login credentials locally, which allows hackers to steal them without admin rights.
- Back up data to a dedicated server. Set up a server that isn’t part of the main network and use it to store backups. This isolates the backups from damage to the main network and ensures that data isn’t lost in a ransomware attack.
- Restrict employee permissions. A good rule of thumb to go by: if an employee doesn’t need this information for their work, they shouldn’t be able to access it.
- Implement an offboarding process. Limit which data departing employees can access.
- Check suspicious files with ANY.RUN. Cybersecurity staff can identify threats with ANY.RUN in a matter of minutes. It is easy to use and can reveal dangerous links and files.
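As an added illustration of the "Log privileged activities" item above (example code, not from ANY.RUN or the original post): a small Python review of Windows Security audit events that flags additions to privileged groups and special-privilege logons. The event IDs are the standard Windows ones; the privileged-group list, the approved-admin baseline and the events themselves are assumptions constructed for the example.

```python
# Added example, not from the original post: flag privileged account changes
# in Windows Security audit events, as "Log privileged activities" recommends.
from dataclasses import dataclass

# Standard Windows Security event IDs: member added to a security-enabled
# global / local / universal group, and a logon that received special privileges.
GROUP_ADD_EVENTS = {4728: "global group", 4732: "local group", 4756: "universal group"}
SPECIAL_PRIVILEGES_LOGON = 4672

# Assumed policy: membership changes to these groups are always reviewed.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Backup Operators"}
# Assumed baseline: accounts expected to make such changes in this hospital.
APPROVED_ADMINS = {"it-admin01"}


@dataclass
class Alert:
    severity: str
    actor: str
    detail: str


def review_events(events):
    """Return alerts for privileged activity; routine events produce nothing."""
    alerts = []
    for ev in events:
        eid = ev["event_id"]
        if eid in GROUP_ADD_EVENTS and ev["group"] in PRIVILEGED_GROUPS:
            # An unapproved actor, or an account elevating itself, is the strongest signal.
            unexpected = ev["actor"] not in APPROVED_ADMINS or ev["actor"] == ev["member"]
            alerts.append(Alert("high" if unexpected else "medium", ev["actor"],
                                f"added {ev['member']} to {ev['group']} ({GROUP_ADD_EVENTS[eid]})"))
        elif eid == SPECIAL_PRIVILEGES_LOGON and ev["actor"] not in APPROVED_ADMINS:
            alerts.append(Alert("medium", ev["actor"], "logon with special privileges"))
    return alerts


# Constructed sample events (field names simplified from the real event schema).
SAMPLE_EVENTS = [
    {"event_id": 4624, "actor": "nurse.kim", "member": "", "group": ""},
    {"event_id": 4732, "actor": "it-admin01", "member": "dr.lee", "group": "Remote Desktop Users"},
    {"event_id": 4732, "actor": "it-admin01", "member": "backup-svc", "group": "Backup Operators"},
    {"event_id": 4728, "actor": "nurse.kim", "member": "nurse.kim", "group": "Domain Admins"},
    {"event_id": 4672, "actor": "nurse.kim", "member": "", "group": ""},
]

if __name__ == "__main__":
    for a in review_events(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.actor}: {a.detail}")
```

Routine logons and changes to non-privileged groups stay silent, so the output is short enough for a small hospital IT team to actually read.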
Helping hospital staff identify malicious files and links
In 2020, over 400 healthcare facilities operated by Universal Health Services (UHS), a Fortune 500 company, were attacked by a ransomware strain known as Ryuk.
The incident happened overnight, causing a complete shutdown. Ambulances en route had to be redirected to other hospitals, and patients awaiting surgery could not receive treatment. Financial losses amounted to $67 million, and it took almost a month to restore all systems to working condition.
Ryuk is known for targeted attacks against organizations. It is often dropped by an Emotet trojan, which arrives in phishing emails. All Emotet needs to infect a system is for a user to interact with the Microsoft Office file and follow on-screen instructions to enable macros.
A simple step can prevent this infection. ANY.RUN can detect both Ryuk and Emotet in 2 minutes. Let’s say we received a suspicious email. It’s something about billing, but it’s littered with spelling errors and there’s a Microsoft Office file attached. These are all telltale signs of phishing. Our spidey sense is tingling, but it could still be legit, right?
So against our better judgment, we open the file. Everything seems fine. But it really isn’t. We might not immediately know this, but Emotet is already dropping its payload in the background. Soon all our files will be encrypted, we will be locked out and the only option to restore lost data will be paying a ransom.
Or, instead of guessing, we can just upload this file to ANY.RUN and check if it’s malicious.
If there’s a payload, ANY.RUN executes it in a safe virtual environment and records all activity for us to see. Playing the video on the task page makes it clear that as soon as Excel is opened, there’s an attempt to drop an executable file — which in this case, is Emotet. This behavior is instantly flagged as malicious.
And in this example, ANY.RUN automatically identifies the executable as Ryuk.
Ryuk has its own peculiarities: it stops the Windows Audio Endpoint Builder service, which causes audio services to malfunction on an infected system, and it also stops the Security Accounts Manager. In the case of Ryuk, the extortion amount can reach $200,000.
Like most other ransomware, Ryuk deletes shadow copies to prevent the restoration of files. Ransom notes are created in each folder with encrypted files during the encryption process.
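The Emotet-to-Ryuk behaviours described above can be written down as triage rules. The following Python, added here and not ANY.RUN's code, runs such rules over a constructed trace of process, service and file events: an Office application launching an executable, the two services Ryuk stops, shadow-copy deletion and a ransom note appearing in many folders. The trace format, the ransom-note naming heuristic and the vssadmin command line for shadow-copy deletion are assumptions.

```python
# Added example, not ANY.RUN's code: triage rules for the Emotet -> Ryuk chain.
import re
from collections import defaultdict

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Services the post says Ryuk stops: Windows Audio Endpoint Builder and the SAM.
CRITICAL_SERVICES = {"audioendpointbuilder", "samss"}
MIN_NOTE_FOLDERS = 3  # assumed threshold for "a note in each encrypted folder"

def parse(line):
    """Constructed trace format: 'kind k=v k="v with spaces"' -> (kind, fields)."""
    kind, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rest)}
    return kind, fields

def triage(lines):
    """Return (verdict, findings) for one execution trace."""
    findings, note_folders = [], defaultdict(set)
    for line in lines:
        kind, f = parse(line)
        if kind == "process_start":
            parent, child = f["parent"].lower(), f["child"].lower()
            if parent in OFFICE_APPS and child.endswith(".exe"):
                findings.append(f"office app {parent} launched executable {f['child']}")
            if child.endswith("vssadmin.exe") and "delete shadows" in f.get("args", "").lower():
                findings.append("shadow copies deleted (blocks file restoration)")
        elif kind == "service_stop" and f["name"].lower() in CRITICAL_SERVICES:
            findings.append(f"critical service stopped: {f['name']}")
        elif kind == "file_create":
            folder, _, name = f["path"].rpartition("\\")
            if name.lower().endswith("readme.txt"):  # assumed ransom-note naming
                note_folders[name].add(folder)
    for name, folders in note_folders.items():
        if len(folders) >= MIN_NOTE_FOLDERS:
            findings.append(f"ransom note {name} written to {len(folders)} folders")
    return ("malicious" if findings else "no indicators"), findings

SAMPLE_EVENTS = [  # constructed trace of an infected workstation
    r"process_start parent=EXCEL.EXE child=C:\Users\Public\inv0ice.exe",
    r"service_stop name=AudioEndpointBuilder",
    r"service_stop name=SamSs",
    r'process_start parent=ryk.exe child=C:\Windows\System32\vssadmin.exe args="delete shadows /all /quiet"',
    r"file_create path=C:\Users\doc\Documents\RyukReadMe.txt",
    r"file_create path=C:\Users\doc\Pictures\RyukReadMe.txt",
    r"file_create path=C:\Shares\Radiology\RyukReadMe.txt",
]
BENIGN_EVENTS = [  # constructed trace of ordinary use
    r"file_create path=C:\Users\doc\Documents\budget.xlsx",
    r"service_stop name=Spooler",
]
```

The first rule alone (Office spawning an executable) fires as soon as the macro runs, which is the moment the post's sandbox video flags as malicious; the later rules confirm the Ryuk stage.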
By the way, ANY.RUN can also check links in the same way.
Conclusion
Computer viruses can pose a direct danger to people’s lives, at least when they attack a hospital and prevent patients from receiving urgent care. Unfortunately, cybercriminals don’t care, and healthcare remains one of the most targeted industries for ransomware and data breaches.
Many of the cybersecurity challenges plaguing healthcare providers won’t be solved in a day, a week, or even a year. But it is possible to reduce risk by following best practices. Sure, some malware is sophisticated, but many of the tactics attackers use are basic: they exploit negligence and carelessness. We can avoid these threats with a little effort.
Isn’t it our responsibility to first do no harm?