The healthcare sector has been under multiple attacks lately. This vulnerability is due to unprecedented modernisation. This upheaval has to take into account the integration of digital technology, connected objects, the arrival of 5G, robotics, etc. Most of the time this integration has been done in haste, without any security approach. Cybercriminals have seen this as a royal road to valuable data: medical information, social security numbers, addresses, medical history of patients and health professionals…
The health sector was until now the poor relation of digital technology, this sector is now in full digital transformation. The digitisation of the patient journey and the pandemic have not helped to ensure this transformation smoothly, and cybercriminals have taken advantage of the urgency of the situation to attack this easy prey.
Let’s take a look at the issues and threats facing this sector.
Healthcare and cyber attacks: What are the priorities?
Why is the healthcare world subject to cyberattacks? The fragility of the sector’s IT systems, reduced budgets, lack of awareness and lack of time may explain this booming criminal market.
The latest social movements and the pandemic have highlighted the obvious lack of funding in the health sector. The budgets allocated in general, and more specifically for cyber security, remain insufficient.
A cyber attack could only aggravate the already complex situation in some hospitals. These institutions have no right to stop, every second can be vital for a patient. Cybercriminals are aware of this and know that this will be additional pressure, for hospitals to pay ransoms.
Moreover, each hospital manages its cybersecurity in a non-homogeneous way from one structure to another. The means differ, as do the security policies. There is a real need for harmonisation. The French government intends to help, by releasing a budget of 2 billion euros for the digital, to overcome the deficit. The main axis is “the support to the adoption of cybersecurity by small and medium structures, including hospitals and local authorities, the strengthening of training and the doubling of the number of jobs in the sector by 2025” (E. MACRON).
In addition to this deficit, there is the absence or insufficiency of a budget dedicated to human resources and particularly to the so-called “support” functions. Yet it is important to have expert profiles dedicated to the cybersecurity business. But talent is expensive, and the shortage of these profiles does not help.
The need to accelerate training
Cyber attackers are targeting the human flaw above all else, and the healthcare sector is no exception. According to a survey by our partner Proofpoint “58% of CISOs consider the human factor as their biggest cyber vulnerability” The healthcare sector is one of the most exposed sectors and yet its actors, who are the guardians of data, are sometimes the least trained.
The famous VAPs, “Very Attacked People,” who are targeted in this sector are alumni, faculty at teaching hospitals, financial departments of medical insurers, clinical staff, executives, and directors. It is important that this target group understand the role they have to play in data protection, and this requires awareness, which we will discuss later.
The need for more time
There is no doubt that urgency is a constant in this sector. The Covid crisis has highlighted this state of emergency, the work under pressure, and the lack of time. The staff must react quickly and well. However, in an emergency, human beings do not have the capacity to make the right decisions. Cybercriminals know this, and medical staff will be the victims.
Technological transformation required
Healthcare services are undergoing a technological transformation. Technology means security. Yet the IT structure of these organisations is mostly obsolete, not adapted in terms of standards, and security, thus becoming the eldorado of security breaches and criminals who rush in.
When it comes to IOT, “IV (intravenous) pumps account for 38% of a hospital’s IoT footprint and (…) 73% of these pumps have at least one vulnerability. Updating devices is crucial, and all of them must be on an isolated network. Indeed, according to a study conducted by Cynerio, 53% of IOTs present cybersecurity risks, as they run on outdated versions of Windows or Linux that have not been updated. These connected medical devices need more attention. The question obviously arises as to what would happen if tomorrow a surgical robot was under the control of an attacker.
The expansion of the attack surface also plays an important role in the increase of risks. We have just seen the impact of IOTs, but health-related services have also multiplied: the development of telehealth, telemedicine, remote medical monitoring, appointment scheduling platforms or chatbots… and we must not forget the services of third parties.
The complexity of the supply chain in this sector creates new opportunities for cybercriminals looking for vulnerabilities. Indeed, external organisations, medical analysis firms, social organisations, billing, and insurance services, all this ecosystem connected and create an enlarged attack perimeter. The entire chain must be secured from end to end, and this is a real challenge.
The complexity of the infrastructure also plays a role, in fact on certain software specific to the health sector, the editors ask not to apply antivirus, or to deactivate it under penalty of not being able to ensure their maintenance, yet such risky behaviour, unfortunately, encourages attacks.
Finally, the difficulty of identifying all the connected equipment adds an additional difficulty, which TEHTRIS is well aware of. This is the reason why our solutions bring new visibility to CIOs and allow them to reduce the exposure surface.
The accumulation of these deficiencies added to all these new technologies, and these environments, make IT infrastructures more complex and weaken the security of this sector.
Healthcare and cyber attacks: What are the threats?
Phishing attacks are very common and especially in the health sector and the pandemic has not helped. In May 2020, security researchers detected “more than 300 campaigns related to the theme of COVID-19 spread online. The goal is to disrupt the operation of institutions and steal data. Cybercriminals are adapting to current events. Thus, many sites of health organisations have been imitated such as non-governmental organisations (NGOs), the World Health Organisation (WHO), the Internal Revenue Service (IRS), the Centers for Disease Control (CDC), etc.
These attacks are extremely effective, especially in this environment under emergency, where manipulation is easy. These social engineering attacks are designed to deceive users (nurses, doctors, trusted third parties, etc.) more and more pressed, less attentive, to obtain information, money or access to the IS.
The University Hospital of Montpellier, was a victim of phishing in March 2019, in total more than 649 computers were affected, fortunately, the Wi-Fi network was not infected and allowed the nursing staff to continue medical procedures.
DNS (Domain Name System) attacks and phishing are the most common attacks in this sector. TEHTRIS DNS FW is a security solution that collects DNS resolution requests and analyses them to remove or redirect requests related to suspicious or malicious domains.
It protects your systems from external and internal threats.
One of the most common threats to healthcare organisations such as hospitals is ransomware.
In case of an attack, all vital systems are compromised: from IS, to communication systems, but also hardware, such as scanners, MRIs, infusion pumps etc. The whole system is paralysed in a few seconds, and the life of the patients is at stake. This was notably the case in Germany, where a patient died in September 2020, following the impossibility to perform an emergency operation because of ransomware.
We all have in mind the Wannacry attack that hit the British public health system hard. France is also a victim, for proof the hospital of Villefranche-sur-Saône, that of Dax, has unfortunately experienced this situation, being paralysed by a cyberattack in February 2021. The hospital in Saint-Gaudens had to shut down its IT services in April 2021 because of ransomware; the list of victims is long, and the examples that illustrate it abound.
Hospitals are not the only victims, patients are too, as evidenced by a case in Finland. In October 2020, the company Vastaamo, which manages 25 psychotherapy centres, was the victim of thefts of patient files that were published, with blackmail as a background. Patients had indeed received emails demanding 200 euros in Bitcoin to prevent the release of the data.
Weak IS infrastructure is the reason for the rise in attacks, but we must not forget another factor of interest to criminals: rich data. Hospitals manage information that is of interest to attackers. They have in their possession sensitive information such as personal data, social security numbers, intellectual property information, research documents, login credentials, etc. Cybercriminals are fond of this data, feeding industrial espionage, allowing resale to insurance companies, on the dark web market.
In March 2020, the Assistance Publique Hôpitaux de Paris (APHP) suffered an attack: 1.4 million people who came for a Covid-19 screening test had their data compromised. This data included: full name, date of birth, gender, social security number, postal address, email address or phone number, and test results.
Denial of service attacks are just as devastating as ransomware. Indeed, a service interruption even for a limited period can be terribly frightening, especially for surgery departments. Some hospitals that have suffered this kind of attack have had to transfer their patients in an emergency. This was the case at the University Hospital in Brno, Czech Republic in 2020. The hospital was forced to shut down its entire computer network during the incident.
DDOS attacks in this environment are usually targeted and aim to cover a second attack. Therefore, one must remain vigilant. Similarly, if a provider’s computers are compromised, they may be part of a botnet, again vigilance is required, as service performance on the local network will be slowed.
Protecting our health infrastructure with TEHTRIS
The healthcare sector, like industrial systems, needs specific cybersecurity solutions. As we have seen, patching is complex for IoT devices for different reasons, by their origin on the one hand; it can be proprietary software or come from different vendors, and because of production “imperatives” where lives are at stake, on the other hand. Stopping production to patch is not an option. Technology must adapt to these networks.
TEHTRIS has understood this and offers adapted security solutions. We provide security for some hospitals in Europe as well as for public administrations in the health sector. Moreover, we have experience in the industrial and OT environment and this since the creation of the company, so we are able to meet the expectations of this specific sector.
The TEHTRIS XDR solution allows this adaptation.
- TEHTRIS EDR is an ideal solution because this technology can be used for detection only or for remediation. The solution can be à la carte, configured according to the criticality of the machines, such as servers, computers, printers, and phones (MTD). It provides visibility on all possible threats: ransomware can be remediated automatically, and intrusions detected. Faced with a particular threat, we are able to reinforce the protection of IoCs. Moreover, all the modules of the EDR allow managing the whole chain (update with the audit module, detection of shadow IT, etc)
- TEHTRIS SIEM provides insight into operational activity and helps identify anything unusual. Our hyper-automated solutions without human intervention are a guarantee of efficiency for teams that are already under stress. Our offering provides asset-based protection and remediation using machine learning; all without disrupting healthcare service, reception and patient care. It’s our solution that fits your infrastructure.
- TEHTRIS Deceptive Response, our honeypot, detects malicious activity on a subnet such as a network scan. Thus, if a machine is infected, the attacker’s first reflex is to scan the network and connect around it (in order to pivot to continue the attack). But thanks to the honeypot, defence teams know immediately if a machine has attempted to scan the network or attack it. The attack can be immediately prevented.