Illusive Blog October 8, 2020

Healthcare Under Cyberattack - Advanced Ransomware, IoMT Devices, and Data Breaches

By Nicole Bucala

Healthcare institutions are facing unprecedented threats. We’ve all been rocked with horror at the major cyberattacks on hospitals this past week. What’s scary about these types of attacks is that they can very quickly lead to lost lives, not just lost dollars.

In late September, ransomware downed major IT systems at a hospital in Dusseldorf; tragically, a patient who needed urgent admission died because she had to be taken to another city for treatment, and the delay cost her her life. A week later, another ransomware attack took down systems at Universal Health Services, which has 400 locations from Arizona to North Dakota; applications were offline for multiple days, severely disrupting hospital operations and forcing a pre-21st-century pen-and-paper approach to patient operations.

Already in a very vulnerable state due to COVID, hospitals are subject to at least three types of attacks:

  • Criminals seeking financial gain penetrate the IT network with ransomware, locking down files, shutting down systems, and holding victims hostage until they pay a ransom. Unfortunately, these same hospitals are overwhelmed with COVID patients and operationally already at the brink of disaster: any margin of error in hospital operations is highly likely to cost lives.
  • Nation-state attackers, in the 21st-century “space race” to be the first to triumph with COVID prophylaxis or therapy, seek to derive precious patient, clinical-trial, or other COVID-related insights from hospital IT networks.
  • Harder to carry out but poignantly harmful is the potential for cyber-terrorists to disrupt the normal functioning of medical devices such as MRI machines, insulin pumps, and other equipment. Even a slight malfunction in such a device can cause patient illness or even immediate death. Because of the FDA approval process they must go through, these devices cannot be patched the way ordinary IT systems can, and a typical agent-based security solution such as an EDR cannot be deployed on them.

Fortunately, Illusive Networks offers several solutions for healthcare institutions to protect themselves against such threats.

USE CASE: Advanced Ransomware Threats

Advanced Ransomware Threats (ARTs) combine Advanced Persistent Threat (APT) techniques with ransomware. Like an APT, sophisticated ransomware attackers target and navigate to carefully selected strategic assets on the network that hold business-critical information. They then take those assets hostage using advanced, evasive ransomware techniques, massively disrupting hospital operations and offering to stop only in exchange for a very high fee. Organizations without proper ART protection have no choice but to pay to avoid further disruption, loss of money, and, worst of all, loss of life.

  • One excellent approach is the Illusive Networks Ransomware Guard, a targeted solution for ransomware defense that provides an additional layer of security against ransomware that has successfully evaded other endpoint security controls. It protects against current and future ARTs by providing reliable encryption-based detection tied to immediate, automatic blocking of ransomware activity before serious damage occurs. When ransomware executes, it will try to encrypt files on the Illusive Ransomware Trap server. This happens automatically because Illusive plants targeted symbolic links on production hosts that point to the Illusive Ransomware Trap Servers; the symbolic links are planted so that they are the first targets for encryption. Once the Trap server detects a ransomware attempt, it notifies the Management server, which runs forensics on the source host, identifies the process, and launches a ransomware-block application that suspends the process and allows the security team to remove the ransomware.
  • Illusive Networks Attack Surface Manager (ASM) identifies and eliminates the fuel that attackers use to move laterally between hosts, reducing the attack surface and denying ARTs easy acquisition of sensitive assets.
  • Illusive Networks Attack Detection System (ADS) uses deception to redirect ARTs away from production hosts and detects even the most sophisticated hidden lateral-movement attempts early in the attack campaign.
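As an added illustration of the encryption-based detection described above (my own example, not Illusive's code): plain decoy files stand in for the planted symbolic links, and a monitor raises a deterministic alert when a decoy is rewritten with near-maximum-entropy content or disappears. The entropy threshold, decoy file names, and the pseudo-ciphertext are assumptions.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.0  # assumed cutoff: text is ~4-5 bits/byte, ciphertext ~8

def shannon_entropy(data: bytes) -> float:  # bits per byte, 0.0 for empty input
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def snapshot(path: str) -> tuple:  # (sha256 hex digest, entropy) of the file's content
    with open(path, "rb") as f:
        data = f.read()
    return hashlib.sha256(data).hexdigest(), shannon_entropy(data)

def plant_decoys(directory: str, count: int = 3) -> list:
    """Constructed low-entropy decoys named to sort first, so a ransomware walking the directory touches them before any real document."""
    paths = [os.path.join(directory, f"!000{i}_patient_list_decoy.txt") for i in range(count)]
    for path in paths:
        with open(path, "w") as f:
            f.write("DECOY PATIENT RECORD - DO NOT USE\n" * 100)
    return paths

class DecoyMonitor:
    """Baselines decoys, then reports each one rewritten or removed; a rewrite near maximum entropy is flagged as likely encryption."""
    def __init__(self, paths: list):
        self.baseline = {p: snapshot(p) for p in paths}

    def check(self) -> list:  # (path, reason, entropy) for each decoy that no longer matches
        alerts = []
        for path, (digest, _) in self.baseline.items():
            if not os.path.exists(path):
                alerts.append((path, "decoy removed or renamed", 0.0))
                continue
            new_digest, entropy = snapshot(path)
            if new_digest != digest:
                reason = "high-entropy rewrite, likely encryption" if entropy >= ENTROPY_THRESHOLD else "decoy modified"
                alerts.append((path, reason, entropy))
        return alerts

def demo() -> list:  # constructed scenario: one decoy overwritten with pseudo-ciphertext, one renamed away
    paths = plant_decoys(tempfile.mkdtemp())
    monitor = DecoyMonitor(paths)
    fake_ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    with open(paths[0], "wb") as f:
        f.write(fake_ciphertext)  # stands in for the encryptor's output
    os.rename(paths[1], paths[1] + ".locked")
    return monitor.check()
```

In a real deployment the alert would also carry the identity of the writing process, which needs OS-level file auditing rather than this polling check; that step is outside the example.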

USE CASE: Threats to FDA-approved, connected medical devices

The Internet of Medical Things, or IoMT, creates a dense web of interconnected devices that trade convenience and precision in treatment for potential cyber-risk. For example, insulin pumps connected wirelessly to a phone allow easy adjustment of settings to modulate the insulin delivered according to the patient’s status at any point in time. However, these same devices are known to carry potential risks. Consider the FDA’s July 2019 warning that someone “could potentially connect wirelessly to a nearby MiniMed insulin pump and change the pump’s settings.” This could quickly result in death if the settings lead to too much or too little insulin being delivered, causing hypo- or hyperglycemia and diabetic ketoacidosis. Another example is wireless infusion pumps that connect to a variety of networks, healthcare systems, and other devices. NIST recommends defense-in-depth measures to protect the pump ecosystem against a malicious actor who could change the pump’s function, change prescribed drug doses, or release private information.

One highly effective way to combat attackers seeking to disrupt IoMT is to use deceptive device emulations from Illusive Networks. These are fake devices designed to appear real to an attacker traversing a network looking for vulnerable systems. The emulations mimic not only the device but also the manufacturer-specific way it communicates over the network. A hospital can plant these fake devices like a minefield, so an attacker need only touch one fake device to trigger an alert. This approach is deterministic: every alert represents a real attacker that can be immediately acted upon and removed from the network.

USE CASE: Nation-state attackers seeking commercial healthcare data

In a more typical style of attack, nation-state funded cyber-attackers may seek to penetrate hospital IT networks to steal patient data that can be a lucrative source of insights for those seeking to gain a competitive edge in the race to cure COVID-19.

Illusive Networks Attack Detection System plants deceptions on endpoints that provide deterministic alerts when tripped by an attacker. These deceptions can be fake credentials, files, applications, RDP connections, devices, you name it… and each customer network can have its own “deceptive story” unfold within it. Agentless deceptions are fast to deploy and cost almost nothing to maintain. Most importantly, they provide deterministic alerts: an alert means there’s something amiss, period. Forensics from these alerts then provide actionable insights to analysts of any level.