Carbon Black has published a report into the shocking state of security in the healthcare industry entitled Healthcare Cyber Heists in 2019. Enterprise Times spoke to Tom Kellermann, Chief Cybersecurity Officer, Carbon Black, one of the authors of the report.
The report contains a mix of information from a survey conducted with just over 20 healthcare CISOs and information from Carbon Black. It also explains how data stolen from organisations delivers monetary value to criminal organisations. The report's findings are further backed by data collected by Carbon Black from its endpoint security platform.
Kellerman explained the scope of this data collection as: “We have over 112, soon to be 114 incident response firms who use our hunt capability in the wild, which allows us to be informed from the telemetry from roughly 60% of the world's cyber investigations.”
The report has some disturbing figures and demonstrates the woeful state of the cybersecurity stance of the healthcare industry. However, while the report shows up disturbing statistics, some of the findings can be questioned due to the low number of survey respondents and the mix of organisations they came from.
Around 40% of respondents were hospitals, according to Kellerman. They were mainly based in North America, but other respondents included surgical centres and pharma companies. More than 70% of respondents graded their stance (on a scale of A to F) as C or below, according to the report. Only two, Kellerman said, graded themselves as an A on their cybersecurity stance.
Cyber attacks are increasing in healthcare
The report highlighted twelve key findings. ET discussed four of them with Kellerman.
The report stated: “83% of surveyed healthcare organizations said they’ve seen an increase in cyberattacks over the past year.”
Enterprise Times asked Kellerman whether this was backed up by the data. Specifically, were the 17% who said attacks had not increased wrong, and why?
Kellerman replied: “I would say they are wrong. The dark web has commoditised information for two different reasons. One of which is healthcare data (patient data) can never be destroyed or changed by law. That puts them at a disadvantage when you compare them to a bank. If your bank records are compromised right now the bank can change your account number, they can change your profile.
“Which is why healthcare data roughly sells for $70 per record. With health you can set up lines of credit much like you can with bank information, so you can monetise that experience as well, beyond the lucrative nature of extortion schemes.”
The report also states that healthcare customers saw an average of 8.2 attempted cyberattacks per endpoint per month according to Carbon Black’s data. While this is the first time this report was produced, Carbon Black does have historical data. ET asked Kellerman what the data showed last year as the report did not show any trend analysis. Kellerman answered: “Last year it was marginally less.”
An attack, according to Kellerman, is one that actually penetrates the environment.
How are the attacks evolving?
Two thirds of the respondents also believe that cyber attacks are becoming more sophisticated. ET asked Kellerman in what way.
He responded: “One would be island hopping where 66% are noting that their environment was used to attack other environments and other individuals. This is taking new forms. It is not just network-based island hopping nor is it merely watering hole attacks but also reverse business email compromise. That's when they take over the mail server and they leverage fileless attacks against your board, your most important doctors, etc.”
Nearly half (45%) of surveyed healthcare organizations said they’ve encountered attacks where the primary motivation was destruction of data over the past year. Why? Kellerman said: “We see a surge in counter incident response, where the adversary does not like being reacted to by the incident response teams and they choose to burn the evidence and damage the environment post breach.”
The inference is that sometimes this is collateral damage from trying to remove evidence rather than a deliberate destruction of data. However, if the data has been exfiltrated, its deletion could have advantages for the perpetrators. Who is deleting the data, though?
Kellerman said: “The question we are continuing to ask people is: Is this due to geopolitical or due to an increased punitive nature of the subculture of hacking? Because hackers have demigod complexes now and they refuse to be pushed out of environments they have commandeered. We don't know the answer to that!”
Why is healthcare under attack?
If the attackers are nation states and criminals, why are they launching these attacks?
Kellerman commented: “There is evidence that the largest healthcare provider in the US was compromised by a nation state from Asia. The purpose of that attack was to ascertain button downs, compromising information regarding individuals' health that could be used against them. That could be used to force them to do something for that nation state. In terms of tradecraft or spying on people it is incredibly useful.”
The examples Kellerman gave were an individual who is dying or who has a sexually transmitted disease; either fact could be used against them.
Carbon Black has also published Modern Bank Heists in 2018. ET asked Kellerman what is different about healthcare:
“Ransomware. The healthcare sector is experiencing a systemic disease of ransomware. It is much more common. One more thing, the healthcare industry has not adopted hunter compromise assessments. They believe in plausible deniability. This is in contrast to the Financial Services industry where 48% are doing hunter exercises.”
Kellerman also noted that governance is more advanced under the Monetary Authority of Singapore. Soon, the US regulators will mandate regular hunt exercises.
Kellerman neatly summed up his opinion on the findings by saying: “The irony of all of this is while they do a good job of taking good care of your physical health they are doing a terrible job of taking care of your digital health. A metaphor I have used is that currently they are only assessing blood pressure and temperature when it comes to digital health. They are not using MRI machines or doing blood tests. That is why you are seeing such an epidemic as a whole.”
He then added: “They are far too focused on compliance exercises and checking the boxes. This is due to the culture of hospitals and the healthcare industry. You have former practitioners who sit around in cabals and boards that say we should adopt technology left and right to improve patient care and to improve efficiencies. They are not fully trained as to the externalities or the risks associated with that adoption.”
That opened up the question though about whether hospitals treat cybersecurity at the highest level. Kellerman believes they do not. They often place the responsibility junior to the CTO or CIO. If that is the case, how do they look at the crossover between physical and digital security?
Kellerman replied: “In the incident response threat report we produce twice a year it was noted that 28% of the time the attack vector is through Operational Technology in the facilities. That was then used as a gateway to target the network. This is because the head of facility security just deploys technology without hardening it.”
As an example he then added: “The latest Mirai botnet, released 2 weeks ago, has 8 different zero-day exploits for hard-coded devices including CCTV systems, heating, cooling and door locking systems.”
What should be done about it?
How would Kellerman address the issue within a health organisation?
“There is a governance problem. It should begin at the top. The boards of the hospitals themselves and the administrators should be trained regularly not just on security awareness but the unintended consequence of deploying technology whether it is robotic surgery or the latest drug infusion devices.”
Why those two? If compromised, a drug infusion unit, or several of them, could be adjusted to enable mass murder. Adjusting the position of a robotic arm during surgery would enable a targeted assassination, according to Kellerman.
The report lists six recommendations that CISOs should follow. ET asked Kellerman what his approach would be should his budget be constrained to do only two comprehensively.
“It really depends upon the systems that they care most about. They need to do an immediate classification of the most interdependent systems out there. The one recommendation is that they need to immediately improve visibility. This means employing EDR capabilities that have behavioural anomaly detection and suppression capability on all significant endpoints and/or devices.
“The second thing is they are dealing with a challenge of too many administrators and too much privileged access. They should be leveraging just in time administration to those devices.”
He then added a third, acknowledging, without saying so, the challenge that budget-constrained CISOs often have. “For sensitive systems involved in surgeries and life-saving care, systems like insulin pumps and robotic surgery systems, they should be using application control to protect those systems to make sure they do not deviate from those patterns.”
Enterprise Times: What does this mean?
If Carbon Black produces this report next year, one would hope that it will have a larger survey set. As it stands, however, the facts from the data and the findings of the survey are worrying.
ET asked Kellerman what he was hoping to see from the survey; he replied: “I wasn't hoping or looking to see these results. It really speaks to this convergence between physical well-being and digital well-being. It demonstrates how shows like Black Mirror and others that are pushing the envelope on that convergence are not far off anymore.”
Kellerman can see a future where individuals may start to select a hospital based not just on how well they are likely to be treated medically but also how secure their data is at the establishment.