Matt Walmsley, EMEA Director at Vectra, discusses how security teams within the healthcare industry lack visibility into and control over medical devices connected to the network
With its vast stores of private personal information, the healthcare sector is a popular target for cyber criminals looking for an easy payday. Medical records are a mainstay commodity of the criminal black market and are sold to other criminals in their tens of thousands.
As a result, healthcare organisations around the world have suffered a steady stream of data breaches; recent research found that 67% of those in the UK suffered some form of security breach in the last 12 months.
A challenging environment
Alongside being a lucrative source of sensitive data, the healthcare sector is regarded as a soft target by the criminal community. The scope and complexity of the average organisation means that keeping the environment secure is a serious challenge, particularly with the need for 24/7 access to patient data.
NHS trusts face significant budget constraints, with most relying on ageing legacy technology and few receiving the investment required for adequate security. They are also under pressure to adopt the latest connected medical technology. These Internet of Things (IoT)-enabled machines, such as automated insulin pumps, add further complexity to the IT network and are often hastily installed without a full understanding of their security impact.
Healthcare providers also have a large number of patients, visitors, specialists, medical students, and other third-party contractors constantly connecting their smartphones and other devices to the network, with each one potentially introducing a new threat.
How do criminals start their attacks?
Vectra’s Spotlight Report on Healthcare explored attacker activity and behaviour to determine the latest trends in tools and techniques, revealing that:
- Many unsecured legacy systems still exist
- Downtime for patching is a challenge in environments that run 24/7
- Healthcare networks have a 3:1 ratio of devices to people
- There is a low prevalence of network access controls – any device with an IP address can connect to the network
The most prevalent detection was the use of hidden HTTPS tunnels for command-and-control (C&C) communications, which criminals use to issue directives to compromised devices, such as spreading malware further into the network or exfiltrating patient records and financial information. C&C traffic is often hidden inside common, legitimate protocols such as HTTP, HTTPS or DNS, because those services are rarely blocked at the perimeter. The average hospital generates a huge amount of outbound web (HTTP/HTTPS) traffic, such as communication with independent labs and imaging centres and IT support remotely accessing machines, which gives such tunnels ample cover.
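One behavioural signal that separates a C&C tunnel from the legitimate HTTPS traffic it hides in is timing: a call-home loop contacts the same destination on a fixed sleep timer, while browsing and lab uploads are irregular. The following is an added example, not code from the article or from Vectra; the log format, addresses and timings are constructed for illustration.

```python
"""Beacon detection over outbound HTTPS connection records.

Added example, not code from the article or from Vectra. C&C over HTTPS
hides in the volume of legitimate outbound web traffic, but a malware
call-home loop tends to connect to the same destination on a fixed timer.
This groups connections by (source, destination), measures how regular the
gaps between them are, and flags the pairs that look machine-timed.
Log format, addresses and timings below are constructed for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: "seconds,src_ip,dst_ip,dst_port,bytes_out".
# 10.20.1.15 calls 203.0.113.10 roughly every 60 s (a beacon);
# 10.20.1.22 uploads to 198.51.100.7 at irregular times (a lab upload).
SAMPLE_LOG = """\
0,10.20.1.15,203.0.113.10,443,612
60,10.20.1.15,203.0.113.10,443,640
121,10.20.1.15,203.0.113.10,443,598
180,10.20.1.15,203.0.113.10,443,630
241,10.20.1.15,203.0.113.10,443,611
300,10.20.1.15,203.0.113.10,443,602
5,10.20.1.22,198.51.100.7,443,1400
9,10.20.1.22,198.51.100.7,443,52000
130,10.20.1.22,198.51.100.7,443,2300
131,10.20.1.22,198.51.100.7,443,870
400,10.20.1.22,198.51.100.7,443,19000
"""


def parse_connections(text):
    """Parse log lines into (ts, src, dst, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split(",")
        records.append((int(ts), src, dst, int(port), int(nbytes)))
    return records


def beacon_candidates(records, min_connections=5, max_jitter=0.2, ports=(443,)):
    """Return (src, dst) pairs whose connection gaps are machine-regular.

    jitter = stdev(gaps) / mean(gaps). Browsing or batch uploads give a large
    jitter; a sleep-then-call-home loop gives a small one. min_connections
    avoids judging a pair on one or two gaps.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, _ in records:
        if port in ports:
            by_pair[(src, dst)].append(ts)

    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings[pair] = {
                "connections": len(stamps),
                "period_s": round(avg, 1),
                "jitter": round(jitter, 3),
            }
    return findings


if __name__ == "__main__":
    for (src, dst), info in beacon_candidates(parse_connections(SAMPLE_LOG)).items():
        print(f"beacon candidate {src} -> {dst}: {info}")
```

The lab upload host makes as many connections as the beacon but is not flagged because its gaps vary wildly. The caveat: implants that randomise their sleep interval raise the jitter above the threshold, so a periodicity check is one signal among several (destination reputation, certificate details, bytes per session) rather than a verdict on its own.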
Locating the target and moving into strike
Once they have established a point of persistence, criminals scout the environment to locate potential targets and plan their next move. We found this is most often accomplished with internal darknet scans (probes of internal address space where no device is allocated) and SMB account scans, which can be masked by legitimate network activity such as IoT devices searching for a new IP address or vulnerability scanners at work.
Next, the intruder seeks to move laterally through the network to broaden the scope of the attack. The most common signs of lateral movement were Kerberos and SMB brute-force attacks, which harvest credentials, allow the attacker to escalate their network privileges, and open up file shares to search.
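Both of the behaviours described in the two paragraphs above, the darknet scan and the Kerberos brute force, are detectable from logs most hospitals already collect. The following added example (not code from the article or from Vectra) runs two simple rules over constructed connection and Kerberos failure records; the asset list, addresses and account names are invented for the example, and the Kerberos lines are a simplified form of what a Windows domain controller records as Event ID 4771 with failure code 0x18.

```python
"""Reconnaissance and lateral-movement detection over constructed logs.

Added example, not code from the article or from Vectra. Two rules:
  * internal darknet scan: one host contacting many internal addresses that
    have no allocated device, which normal clients have no reason to do;
  * Kerberos brute force: many failed pre-authentication attempts from one
    client in a short window. On a Windows domain controller these are
    Event ID 4771 with failure code 0x18 (bad password); the log lines here
    are a constructed, simplified form of that event.
Addresses, accounts and the asset list are constructed for the example.
"""
from collections import defaultdict
import ipaddress

# Constructed asset inventory: internal addresses with a known device on them.
ALLOCATED = {"10.20.1.15", "10.20.1.22", "10.20.1.30", "10.20.1.31", "10.20.1.40"}

# Constructed connection attempts: "seconds,src_ip,dst_ip,dst_port".
# 10.20.1.22 sweeps 445/tcp across .30-.40; .32-.39 have no device.
CONN_LOG = """\
100,10.20.1.22,10.20.1.30,445
101,10.20.1.22,10.20.1.31,445
102,10.20.1.22,10.20.1.32,445
103,10.20.1.22,10.20.1.33,445
104,10.20.1.22,10.20.1.34,445
105,10.20.1.22,10.20.1.35,445
106,10.20.1.22,10.20.1.36,445
107,10.20.1.22,10.20.1.37,445
108,10.20.1.22,10.20.1.38,445
109,10.20.1.22,10.20.1.39,445
110,10.20.1.22,10.20.1.40,445
120,10.20.1.15,10.20.1.40,445
121,10.20.1.15,10.20.1.30,445
"""

# Constructed Kerberos pre-auth failures: "seconds,client_ip,account,failure_code".
# 0x18 is a bad password; 0x12 (credentials revoked) is deliberately ignored.
KRB_LOG = """\
200,10.20.1.22,j.smith,0x18
201,10.20.1.22,a.jones,0x18
202,10.20.1.22,m.patel,0x18
203,10.20.1.22,r.khan,0x18
204,10.20.1.22,s.lee,0x18
205,10.20.1.22,t.brown,0x18
206,10.20.1.22,svc-backup,0x12
300,10.20.1.15,d.evans,0x18
"""


def parse_csv(text):
    """Split non-empty lines into field lists."""
    return [line.split(",") for line in text.splitlines() if line.strip()]


def darknet_scans(conn_text, allocated, min_dark_targets=5, window_s=60):
    """Flag sources touching >= min_dark_targets unallocated internal IPs
    within window_s seconds. Connections to allocated hosts are ignored, so
    ordinary SMB use between real devices does not count."""
    touches = defaultdict(list)
    for ts, src, dst, _port in parse_csv(conn_text):
        if dst not in allocated and ipaddress.ip_address(dst).is_private:
            touches[src].append((int(ts), dst))
    findings = {}
    for src, events in touches.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {d for t, d in events[i:] if t - t0 <= window_s}
            if len(in_window) >= min_dark_targets:
                findings[src] = sorted(in_window)
                break
    return findings


def kerberos_bruteforce(krb_text, min_failures=5, window_s=60):
    """Flag clients with >= min_failures bad-password (0x18) failures inside
    window_s. The distinct-account count separates a password spray (many
    accounts, one try each) from a brute force on a single account."""
    fails = defaultdict(list)
    for ts, client, account, code in parse_csv(krb_text):
        if code == "0x18":
            fails[client].append((int(ts), account))
    findings = {}
    for client, events in fails.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            window = [a for t, a in events[i:] if t - t0 <= window_s]
            if len(window) >= min_failures:
                findings[client] = {"failures": len(window), "accounts": len(set(window))}
                break
    return findings


if __name__ == "__main__":
    print("darknet scans:", darknet_scans(CONN_LOG, ALLOCATED))
    print("kerberos brute force:", kerberos_bruteforce(KRB_LOG))
```

The darknet rule depends entirely on the accuracy of the allocated-address list, which is exactly the inventory most trusts lack for their medical devices; a stale list turns every legitimate new device into a false positive and every unrecorded one into a blind spot. The Kerberos rule should be tuned against the domain's lockout policy so that a spray kept just under the lockout threshold still trips it.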
Executing medical data theft
Finally, the criminal is in a position to access and exfiltrate the organisation's data. The most common exfiltration behaviour is the use of hidden DNS tunnels: an internal host communicates with an external IP address over DNS while another protocol runs on top of it, with the stolen data encoded into the DNS queries and responses so that it is obscured by the lookup traffic around it.
The second most common method is a "smash and grab", where huge quantities of data are exfiltrated in a short space of time. Even this more overt spike in network traffic can be mistaken for a legitimate source, such as a medical imaging system uploading video data to a cloud host.
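The two exfiltration behaviours in the paragraphs above leave different traces: a DNS tunnel produces a stream of long, random-looking, never-repeated subdomains to one zone, while a smash and grab produces an outbound volume far above the host's own baseline. The following added example (not code from the article or from Vectra) runs both checks over constructed DNS and flow records; names, addresses and byte counts are invented, and the zone split uses the last two labels as a simplification of the public suffix list.

```python
"""Exfiltration detection over constructed DNS and flow logs.

Added example, not code from the article or from Vectra. Two rules:
  * DNS tunnel: one host sending many queries to one zone whose subdomain
    part is long, high-entropy and never repeated, because the data being
    moved is encoded into the query names;
  * smash and grab: an interval in which a host's outbound byte count is far
    above that host's own earlier baseline.
Zone splitting uses the last two labels (a simplification of the public
suffix list). Names, addresses and volumes are constructed for the example.
"""
import math
from collections import defaultdict
from statistics import mean, median

# Constructed DNS log: "seconds,src_ip,query_name,qtype".
DNS_LOG = """\
0,10.20.1.22,a3f9c2e1b7d4.k8s9qw2x.cdn-update.example,TXT
1,10.20.1.22,9e1d7c0ab25f.p0o9i8u7.cdn-update.example,TXT
2,10.20.1.22,4c8b2f6a91e0.z1x2c3v4.cdn-update.example,TXT
3,10.20.1.22,d7a1e5c39b08.m5n6b7v8.cdn-update.example,TXT
4,10.20.1.22,0f3e8d2c6a14.h2j3k4l5.cdn-update.example,TXT
5,10.20.1.15,pacs.imaging.example,A
6,10.20.1.15,mail.example.org,A
7,10.20.1.22,pacs.imaging.example,A
"""

# Constructed outbound bytes per 5-minute interval: "interval,src_ip,bytes_out".
# 10.20.1.30 is an imaging system that always uploads a lot;
# 10.20.1.22 is a workstation that suddenly pushes out gigabytes.
FLOW_LOG = """\
0,10.20.1.22,400000
1,10.20.1.22,380000
2,10.20.1.22,410000
3,10.20.1.22,395000
4,10.20.1.22,9800000000
0,10.20.1.30,2100000000
1,10.20.1.30,1900000000
2,10.20.1.30,2300000000
3,10.20.1.30,2000000000
4,10.20.1.30,2200000000
"""


def parse_csv(text):
    return [line.split(",") for line in text.splitlines() if line.strip()]


def shannon_entropy(s):
    """Bits per character; encoded or encrypted data scores high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_tunnel_candidates(dns_text, min_queries=5, min_sub_len=16, min_entropy=3.0):
    """Flag (host, zone) pairs with >= min_queries distinct long, high-entropy subdomains."""
    per_pair = defaultdict(list)
    for _ts, src, qname, _qtype in parse_csv(dns_text):
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue
        zone, sub = ".".join(labels[-2:]), ".".join(labels[:-2])
        per_pair[(src, zone)].append(sub)
    findings = {}
    for pair, subs in per_pair.items():
        odd = [s for s in subs if len(s) >= min_sub_len and shannon_entropy(s) >= min_entropy]
        if len(odd) >= min_queries and len(set(odd)) == len(odd):
            scores = [shannon_entropy(s) for s in odd]
            findings[pair] = {"queries": len(odd), "avg_entropy": round(mean(scores), 2)}
    return findings


def volume_spikes(flow_text, factor=20):
    """Flag intervals where a host sends >= factor x the median of its earlier intervals."""
    per_host = defaultdict(list)
    for interval, src, nbytes in parse_csv(flow_text):
        per_host[src].append((int(interval), int(nbytes)))
    findings = {}
    for src, series in per_host.items():
        series.sort()
        for i in range(1, len(series)):
            baseline = median([b for _, b in series[:i]])
            if baseline > 0 and series[i][1] >= factor * baseline:
                findings.setdefault(src, []).append(
                    {"interval": series[i][0], "bytes": series[i][1], "baseline": baseline})
    return findings


if __name__ == "__main__":
    print("dns tunnels:", dns_tunnel_candidates(DNS_LOG))
    print("volume spikes:", volume_spikes(FLOW_LOG))
```

The per-host baseline is what keeps the imaging system from firing on every interval, which is the false positive the article warns about; the price is that a host's very first large upload always fires, so the finding needs the context of what that host is before it becomes an incident. Legitimate CDNs, anti-malware reputation lookups and some load balancers also generate long, random-looking labels, so the DNS thresholds must be tuned against the organisation's own resolver logs rather than taken from the example.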
Visibility is key
With most cyber criminal tactics relying on normal network activity to mask the attack, organisations must be able to analyse traffic and activity closely if they are to have a chance of stopping attackers. This is especially important in healthcare, where the large and complex IT environments provide ideal cover, and routine security maintenance is limited by budgets and 24/7 patient care.
Against such a challenging security landscape, organisations must ensure they are aware of the most common and dangerous types of attacker techniques, and the behaviours that can be used to identify them. Further, detecting malicious activity is no longer a binary good or bad evaluation – contextual understanding is key.
AI plays an increasingly important role here, as it can automate important analytical and detection tasks and complete them with much greater speed and consistency than a human practitioner. Automating these processes as far as possible frees the human security experts to shut down an attack before it escalates.
Detecting the subtle signs of malevolence hidden in the background noise of their networks will enable healthcare organisations to identify intruders and stop them before they steal sensitive patient data.