In recent years, healthcare records have become an increasingly valuable commodity on the dark web. They contain far more sensitive personal information than financial records, which lets criminals craft more personalised and targeted social-engineering attacks, such as impersonating friends and colleagues.
Compared to healthcare records, financial information has a short lifespan: a compromised card is cancelled and reissued, and short-term credit and identity-theft monitoring is routinely used to limit the damage of a financial breach. Healthcare records differ in their persistence. A diagnosis, a date of birth or a medical history cannot be reissued, so an attacker can return to the stolen information again and again. Healthcare data is not just persistent, it also grows: it is updated every time a patient visits a provider, and providers share it with one another (for example, clinics with hospitals). On top of the reliable growth of data from existing patients, new patients guarantee a fresh source of information that attackers can sell on the dark web. No healthcare provider is immune to these attacks.
But it is not advanced persistent threats (APTs) that cost the healthcare industry well over 2 billion dollars in 2018; it is their close cousin, the targeted persistent attack (TPA). Unlike an APT, a TPA needs no advanced techniques to compromise its victim: ordinary phishing and improperly configured systems are frequently the cause of data breaches.
How do TPAs work?
TPAs are not indiscriminate, as WannaCry was. The victim of a TPA is chosen specifically for the type of data the attacker wants. Phishing is often the spearhead of a TPA, but access may also be obtained by breaking into unsecured network resources. Once inside, the attackers employ a variety of techniques to stay below the radar for extended periods of time. They work in stages:
- Break in – Attackers exploit a weakness, which may be in the network, in an insecure application, or in a person who falls for a phishing e-mail. Once the weakness has been exploited, they install malware on the network undetected.
- Gain a foothold – With the malware in place, attackers set up backdoors that let them move about the network without being noticed. To stay hidden they commonly use fileless malware (which runs in memory and leaves little on disk for a scanner to find), polymorphism to defeat signature-based defences, and clean-up routines that remove traces of their presence.
- Lateral movement – Having established themselves, attackers move from host to host across the network. They use a variety of tools for this, for example a password cracker to obtain administrative credentials, which give them control over the infrastructure.
- Data exfiltration – Sitting undetected inside the systems, attackers quietly harvest data until they have everything they came for.
- Continuous monitoring – At this stage, attackers may have close to unlimited control over their target. From here they collect new data as it becomes available and attempt to burrow deeper into the network.
Attackers have been known to remain inside a network for 200 days or more and to withdraw without a trace. A common strategy is to leave a backdoor in place so that they can regain access in the future.
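As an added example (not code from the original article), the following Python script runs simple detection logic for two of the stages described above over a constructed log: a burst of failed logons across several accounts from one source followed by a success (the password guessing used for lateral movement) and an outbound transfer far above a host's usual daily volume (exfiltration). It then computes the dwell time between the first flagged event and the last event seen, the figure the "200 days or more" above refers to. The log format, host names, user names, addresses and thresholds are all assumptions made for this illustration; real SIEM schemas differ.

```python
"""Added example, not from the original article: detecting two TPA stages
(credential attacks for lateral movement, and exfiltration) in a constructed log."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log (assumed pipe-delimited format):
#   timestamp|type|src|dst|user|result|bytes
# AUTH rows model logon attempts; NET rows model outbound transfer volume.
SAMPLE_LOG = """\
2018-03-01T08:10:00|AUTH|ws-17|fileserver|jsmith|OK|0
2018-03-01T09:00:00|NET|fileserver|203.0.113.9|-|-|120000
2018-03-02T09:00:00|NET|fileserver|203.0.113.9|-|-|110000
2018-03-03T09:00:00|NET|fileserver|203.0.113.9|-|-|130000
2018-03-04T02:11:00|AUTH|ws-17|fileserver|admin|FAIL|0
2018-03-04T02:11:01|AUTH|ws-17|fileserver|backup|FAIL|0
2018-03-04T02:11:02|AUTH|ws-17|fileserver|svc_sql|FAIL|0
2018-03-04T02:11:03|AUTH|ws-17|fileserver|helpdesk|FAIL|0
2018-03-04T02:11:04|AUTH|ws-17|fileserver|jdoe|FAIL|0
2018-03-04T02:11:05|AUTH|ws-17|fileserver|svc_backup|OK|0
2018-03-04T09:00:00|NET|fileserver|203.0.113.9|-|-|125000
2018-09-22T03:30:00|NET|fileserver|198.51.100.77|-|-|4200000000
"""


def parse_log(text):
    """Parse the assumed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, src, dst, user, result, nbytes = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "type": kind, "src": src,
                       "dst": dst, "user": user, "result": result, "bytes": int(nbytes)})
    return events


def detect_credential_attacks(events, window=timedelta(minutes=5), min_failures=4):
    """Lateral movement via password guessing: failures against several distinct
    accounts from one source to one host inside `window`, then a success.
    Returns (src, dst, user_that_succeeded, time_of_success) tuples."""
    by_pair = defaultdict(list)
    for e in events:
        if e["type"] == "AUTH":
            by_pair[(e["src"], e["dst"])].append(e)
    hits = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "OK":
                continue
            failed_users = {f["user"] for f in evs[:i]
                            if f["result"] == "FAIL" and e["ts"] - f["ts"] <= window}
            if len(failed_users) >= min_failures:
                hits.append((src, dst, e["user"], e["ts"]))
    return hits


def detect_exfiltration(events, factor=10, min_history_days=3):
    """Exfiltration: a transfer that is `factor` times the host's median daily
    outbound volume on its other days (median keeps the spike itself from
    distorting the baseline). Returns (src, dst, ts, bytes, ratio) tuples."""
    per_host_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["type"] == "NET":
            per_host_day[e["src"]][e["ts"].date()] += e["bytes"]
    hits = []
    for e in events:
        if e["type"] != "NET":
            continue
        others = [v for d, v in per_host_day[e["src"]].items() if d != e["ts"].date()]
        if len(others) < min_history_days:
            continue  # not enough history to build a baseline for this host
        baseline = median(others)
        if baseline > 0 and e["bytes"] / baseline >= factor:
            hits.append((e["src"], e["dst"], e["ts"], e["bytes"], round(e["bytes"] / baseline, 1)))
    return hits


def dwell_time_days(events, first_anomaly):
    """Days between the first detected anomaly and the last event in the log."""
    return (max(e["ts"] for e in events) - first_anomaly).days


def run(text=SAMPLE_LOG):
    events = parse_log(text)
    creds = detect_credential_attacks(events)
    exfil = detect_exfiltration(events)
    anomaly_times = [h[3] for h in creds] + [h[2] for h in exfil]
    dwell = dwell_time_days(events, min(anomaly_times)) if anomaly_times else 0
    return {"credential_attacks": creds, "exfiltration": exfil, "dwell_days": dwell}


if __name__ == "__main__":
    for name, value in run().items():
        print(name, value)
```

On the constructed log the script flags the six-account guessing burst that ends with a successful `svc_backup` logon, the 4.2 GB transfer to an address the host has never sent to before, and a dwell time of 202 days between the two. The thresholds (four distinct failed accounts in five minutes, ten times the median daily volume) are starting points; in a real estate they are tuned per host class so that backup windows and service accounts do not drown the signal.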
Why do attackers target healthcare?
Whilst the healthcare industry is ripe for persistent attacks, they should be on the radar of IT leaders in all sectors. A recent study commissioned by Trustwave put the mean value of payment card information on the black market at $5.40, against $250.15 for a healthcare record; that difference is what makes the healthcare industry such a lucrative target.
Another reason attackers are drawn to healthcare is its continued reliance on equipment that runs legacy software, most notably unpatched versions of Windows XP. By targeting this operating system, criminals can exploit long-known vulnerabilities that have never been patched on those machines to gain a foothold in the network, and from there deploy more advanced malware to reach private medical records.
Unpatched Windows XP gives attackers a reliable way in, and the problem is compounded by strained IT budgets across the healthcare industry, which struggles to keep pace with a steadily increasing number of attacks. Cybersecurity budgets are hard to justify in healthcare because the return on investment is difficult to measure before a breach occurs. For attackers this is ideal: controls such as encryption of stored records, arguably the most important layer of defence because stolen data is useless without keys that are kept separately, do not always get funded or deployed. The same budget pressure makes security-awareness training for staff one of the most cost-effective ways to reduce the risk of further data breaches.
Persistence in attacks
One example of a persistent threat that has been around for years is the Conficker worm, a decade-old piece of malware. To this day Conficker is one of the most frequently encountered threats on the internet, and it can be especially problematic for hospitals.
Even though Conficker is 10 years old, the unpatched Windows XP systems prevalent in healthcare ensure its continued relevance to the industry: the Windows Server service flaw it spreads through (MS08-067, patched in 2008) is still open on any XP host that never received the fix. Once this relatively simple piece of malware has been used to gain entry to the network, more advanced malware can be deployed to infiltrate it further.
Healthcare organisations are gradually improving their defences, with £150 million pledged to improving the NHS's resilience to attacks. Despite this, TPAs continue to cause problems for IT professionals. To avoid repeating past mistakes, the healthcare industry needs to deploy defensive measures across the board. A vital component of this defence is continuous education and assessment, which ensures staff across the organisation are equipped to handle information in line with security policy and to recognise potential attacks.
Training the entire organisation is a good start for healthcare, because human error, most often a well-crafted phishing e-mail, is what lets many successful attacks in across all industries. Training combined with anti-malware software can be considered an effective first line of defence. Once the basics are in place, IT security professionals can turn their attention to securing the network, servers, perimeter and endpoints. When it comes to protecting data, no organisation can afford a lax approach. Only layered security, complemented by a threat intelligence service, can mitigate evolving threats.
Randy is a Senior Security Analyst at Webroot. Prior to Webroot, Randy was a Research Director at NSS Labs, and before that the Director of Technical Education at ESET. Earlier he worked in several roles at Microsoft. In 1997 he designed the processes that Microsoft uses to this day to ensure that software is not released with malware. Randy wrote the specifications for the multiple-scanner harness required to provide analysis and reporting, and administered the processes from 1997 to 2004 for labs in the US, Ireland, and Singapore.