The Maturity Paradigm

In healthcare we have an insatiable appetite to adopt new technology

Should we be worried

About state-sponsored attacks against hospitals?

Security and the Board Need to Speak the Same Language

How security leaders speak to thier C-Suite and Board can make all the difference

Who'd want to be a CISO?

Challenging job, but increasingly well paid

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effecitive

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

The ‘TRUE’ Cost of a Cyber Attack

It seems that every year the negative impact of a cyber attack reaches dizzying new levels – overlapping regulatory fines, restitution and identity / credit monitoring, punitive damages, and of course incident handling and clean-up costs for fixing what should have been fixed in the first place, had the organization understood the risks and not chosen to ignore them.

But it’s not just as simple as writing off some vast sum of operating profit and having to explain that loss to shareholders or governing boards. Longer term damage to reputation can take years to recover from – if at all. I know of many firms and individuals that will never do business again with an entity that lost their data and caused them so much pain. Do executives and their governing boards even consider the long-term costs of the loss of their reputation?

And what happens when someone dies as a result of a cyber-attack as happened recently at University Hospital Düsseldorf where prosecutors opened a homicide case against the Russian perpetrators of a ransomware scheme? What will be the long-term impact to the university hospital’s funding, to its patient numbers, its standing in the academic and local communities, and how many medical students, doctors and other medical professionals will want to study or work there?

Medical malpractice suits already run to tens of millions of dollars in the US. What is going to be the financial and reputational costs to a healthcare provider when patients expire on the operating table, or while connected to a medical device that is hacked by cyber criminals? Criminals seeking extortion payments or simply trying to expand their foothold on healthcare networks, while inadvertently breaking critical life-sustaining medical devices?

At this point many executives might be accusing me of raising fear uncertainty and doubt or FUD as its also known. But am I? Doesn’t the German woman who died in Düsseldorf when hospital IT systems were attacked with ransomware make this very real? I would wager that the recent German case is not alone and that many other deaths caused by hackers or weak cybersecurity have simply been reported in a different way, conveniently covering up failures in IT and IoT equipment so as to absolve providers from potential legal liability from families and regulators.

Ethical hackers like Barnaby Jack were demonstrating how easy it is to hack a medical device nearly a decade ago. Ever since, security conferences have featured numerous hackathons of medical equipment, and on-stage demonstrations how to hack an infusion pump, XRay machine, or other piece of medical equipment.

Researchers at Ben-Gurion University of the Negev demonstrated last year how easy it was to intercept medical PACS images and change them to add or remove tumors fooling the majority of radiologists and AI software alike. While Cylera last year, discovered an attack vector that can change the content of a medical DICOM image to include malware that can be used to infiltrate the healthcare network, simply by sharing or viewing a PACS image, something that happens thousands of times a day in every hospital.

This is not science fiction or FUD. This stuff is out there in the public domain and working exploits are most definitely in the wild. Another hospital or an entire health system the size of UHS could be attacked tomorrow and rendered unable to treat patients by a cyber attack against vulnerable IT or IoT assets. 

Healthcare providers the world over need to gain a better understanding of what assets they have connecting to their networks and what risks each of those assets represents not only to any patients which may be attached to the device, or being treated by such a system, but also to the broader healthcare network. Any endpoint asset could be used as an infiltration vector and foothold for expanding the attack. You don't need a wooden Trojan horse to get inside the perimeter of a hospital network, just access to an insecure endpoint device. Identifying and risk assessing all your assets is absolutely critical today, and preferably to NIST SP 800-30 standards, which after all is a requirement of the HIPAA Security Rule.

But it’s not just a risk analysis that is needed to protect patients, providers also need to ensure that they have put in place adequate protections and compensating security controls. This is where many HDOs come unstuck - they simply don't have the staff cycles to even evaluate the risks, let alone remediate potential life threatening problems, even though they may already have some of the tools in place to segment high risk devices from the rest of the network.

The Cylera MedCommand platform automates this entire security risk management workflow identifying and then adding assets to an asset management system, risks to GRC and risk management tools, identifying IOCs and creating alerts via an existing SIEM or MDR, while talking directly with an existing NAC to automatically isolate and quarantine any compromised endpoints before patients are put at risk. Learn more or request a demo to understand how Cylera has used artificial intelligence and machine learning to simplify and automate what would otherwise be a labor intensive and cumbersome task.




Ryuk: Protecting Clinical Engineering from Ransomware Attack


An uptick in the Russian language criminal underground in the run up to the 2020 US presidential election, suggested a massive coordinated campaign to disrupt the United States by destructive ransomware attacks against US hospitals and other healthcare delivery organizations. Whether this was party motivated by the Kremlin to weaken democratic resolve and confidence in the US election systems is so far unknown, as is any intended manipulation of results to favor one presidential candidate over another. What is known however, is that the United States government in coordination with Microsoft and other technology companies, managed to take down the majority of an extensive global Trickbot network a few weeks before this threat was first discovered, so this may have been an attempted retribution for cyber-criminals. Trickbot is used to infect computers with Ryuk and other malicious ransomware software.

The threat was considered so great, and so many prime US hospitals mentioned by name in criminal underground conversations, that the CISA, FBI and HHS held several joint briefings for hospital executives and those who support them. These briefings outlined the nature of the threat, and advised HDOs to be on the look out for anomalous activity that could be an indicator of compromise (IOC), while patching known attack vectors and other security vulnerabilities with all due haste.

The American College of Clinical Engineering in support of its members, requested that Cylera and its threat intelligence entity CyleraLabs based in Madrid, provide a deeper drive on the Ryuk ransomware family, and brief the ACCE membership on IOCs while providing advice to member hospitals how to prevent and recover from any such attack. The following briefing and panel discussion with MDs, security leaders and clinical engineers is the result of that request.


 

Safely Disposing of the Needle in the Haystack: Managing the Cyber Risks of Healthcare IoT


During the early months of the Covid-19 outbreak, healthcare professionals were overworked and under-supplied. Governments were in chaos and squabbling over even the simplest of safety measures. Frontline facilities overflowed with terrified patients.

A nurse adjusts a face mask she’s been wearing for days. The message “smile for me” that she scribbled on in marker, is now as faded and hollow in message, as she feels in her ability to help the sick. She leans against a wall and checks her phone, hoping for a message from her family. She’s too afraid to go home in case she spreads the disease to her children, so she sleeps in the staff break room, along with her colleagues. Text messages are the only tether she has to hope.

An email pops into her mailbox. The subject line reads: “ALL STAFF: CORONAVIRUS AWARENESS”. The message notifies all medical personnel of facility wide online seminars to discuss new treatment measures and safety requirements. Exhausted, she clicks the link and registers for a seminar and thinks nothing more of another pointless bureaucratic task completed.

In the hours that follow, criminals use her credentials to access patient record systems, medical imaging suites and even internet-connected patient telemetry and treatment devices. By morning, every system critical to patient care is locked down with ransomware. The hospital is rendered useless. As administrators work to relocate patients to equally overloaded hospitals, medical staff resort to 1950’s paper-and-pen communication methods, slowing patient care by minutes and even hours. Those lost ticks of the clock, cost the lives of several patients with pre-existing heart conditions. This has actually happened in a hospital shuttered after a coronavirus-themed attack.

Join Mark Sangster from eSentire and the author as they discuss the cybersecurity risks of Healthcare IoT on the CyberSec Decoded Podcast.

Listen to the podcast below: 


 

 

Listen to more CyberSec Decoded podcasts