Threats and Response to Healthcare Cyber Attack

Nearly everything is now connected.

We live, work and treat patients today in a world of inter-connectivity; where almost every thing, business and person is connected more or less all of the time. A world where in 2008, the number of ‘things’ connected to the Internet surpassed the global human population. A world in which by 2020 there will be in excess of 30 billion smart 'connected' devices.

It should be no surprise then to any of us, that this interconnected world that we have built for ourselves, presents not only a shifted paradigm in health treatment practices, but one that presents unique new challenges to secure hospitals and other healthcare services.

The 'Internet of Everything': - connected hospitals, connected cities, connected cars, and other ‘things’, has changed the face of security. No longer can we build walls around our business and IT systems; today the security paradigm is one of controls without absolutes, without well-defined boundaries and perimeters; walls which were once easy to secure.

Attacks by opportunist cyber criminals, are increasing in size and scope as they search to maximize their impact. Thanks to greater reliance on technology in our hospitals, the impact of a cyber attack on a healthcare provider is now enormous. The lack of clinical systems availability to treat patients (because of a ransomware or denial of service attack), threatens the lives of patients in our hospitals and clinics. Healthcare is part of our critical infrastructure and as we add IoT devices inside and outside of the hospital, we need to be extremely vigilant in making sure that every precaution is taken to secure and protect critical health IT systems.

This includes addressing widespread problems in our hospitals, some of which have been responsible for the recent spate of ransomware attacks against health systems. These include  slow patching of IT systems with known critical vulnerabilities, retirement of old no-longer supported platforms and applications, daytime-only security operations, and lackluster poorly practiced security incident response procedures.

Ransomware is a current favorite among attackers, but this appears in its latest iterations to have evolved into DeOS or ‘destruction of service’ offering no return for those not equipped with full off-site and disconnected backups. Even then, the time to restore and rebuild for most organizations is prohibitive, certainly not if a patient's well being depends upon the availability of an IT system.

Improved visibility, comprehensive 'round the clock' security operations and effective security incident response has become key to business continuity and keeping hospitals open. The first step however, is understanding what you are up against, how both exploits and defenses work, and what tools and technologies are available to bolster your security people and processes.

This was the subject of an hour long webex presentation given last week to healthcare IT and security leaders across Canada by Sean Earhard and myself. To watch the recording, open the link below to the Webex player.

Watch the WebEx recording

Healthcare in Canada is just as vulnerable to IoT.  Photo: Kai Oberhauser.

Read More

2017 Midyear Cybersecurity Report

Cisco released its 2017 Mid Year Cybersecurity Report today, outlining security trends over the past six to twelve months, and providing valuable research into the antics of cyber criminal elements.As in previous Cisco annual or midyear security reports, threats and attack vectors continue to evolve, with bad actors adding new and ever-more sophisticated spins to their exploits.

The report identifies a new trend of what Cisco has coined 'DeOS' (destruction of service), where attackers destroy data under the auspices of thinly-veiled ransomware demands. This is accomplished in such a way that the attacks prevent defenders from ever restoring systems and data.

Perpetrators continue to employ new methods to evade detection by rapidly pivoting campaigns and changing attack vectors, the report states. This is accomplished using both new tools and exploit kits, while combining attack vectors with old favorites like business email compromise (BEC) and social engineering to by-pass sandbox defenses.

As expected, exploitation of IoT devices continues to grow as attackers defeat grossly inadequate security of these appliances. Compromised devices are then used in Botnet networks for IoT-driven DDoS attacks or “1-TBps DDoS” as Cisco describes them. If big enough these attacks can significantly disrupt almost the entire Internet. Furthermore, these large Botnets are increasingly being used to provide highly lucrative “DDOS-as-a-service” engagements by the hacker community.

Malware continues to develop in its sophistication and is evolving in ways that can help attackers with delivery, obfuscation, and evasion. Cisco also notes the growth of “ransomware-as-a-service” (RaaS) platforms that allow adversaries to quickly enter the lucrative ransomware market.

Overall, MttD (mean time to detection) is improving across Cisco security tools and services, down now to an average of 3.5 hours. Cisco security appliances and services are identifying known threats quickly such that attackers are under more pressure than ever to find new tactics to avoid detection.

The report also includes a new section. Cisco’s Security Capabilities Benchmark Study. This provides useful advice to customers in pinpointing how key verticals can reduce complexity in their IT environments and embrace automation.

The report concludes by highlighting the need for defenders to fully understand the risks in their environment, and to devote well-trained and practiced resources to swiftly respond to threats, in order to minimize the potential damage of an attack. Furthermore, it recommends that the community of defenders should share research and ideas across the industry so we’re not in the dark about successful security approaches.

Read or download the full report here.

Read More