Since the start of the pandemic, the healthcare sector has been under immense pressure, coping with everything from supply shortages to workforce absences.
In the midst of this crisis, ransomware operators have been particularly ruthless. Cybersecurity breaches in healthcare hit record numbers in the past three years, and, as 2022 gets underway, leaders in the sector need to think not just about daily operations and patient care, but how to safeguard computing systems, employees and patients from adverse impact due to cyberattacks.
Recent research conducted by Tenable has revealed that over 40 billion records were exposed in 2021 worldwide, healthcare being one of the most-targeted industries by ransomware operators. The pandemic has further increased the vulnerability of the sector, with trusts and hospitals forced to continue operations as work-from-home guidance was being released.
Tenable’s Threat Landscape Report has identified that the most notable European healthcare breach last year was conducted by the Conti ransomware group, and crippled operations across Ireland’s Health Service Executive (HSE). The Russian-based hacking group asked for $20m (£14m) to restore services. Because of damaging breaches like this, the global healthcare industry, and hospitals in particular, have now realised that they are an attractive target. For the past five years, attacks on the sector have increased in number and size. This trend gained visibility in 2017, when the “WannaCry” ransomware attack on 60 NHS trusts spread to more than 200,000 computer systems in 150 countries. One of the latest attacks was forged against Hillel Yaffe Medical Center, in Hadera (Israel) in October 2021, where bad actors affected hospital operations and left the centre unable to immediately restore some of its IT systems.
It is known that these security breaches have long-lasting impacts upon both operations and patient care. By not taking action to safeguard their cybersecurity operations, hospitals risk losing sensitive patient data to public domains, unable to be retrieved and active through the patient’s entire life. To prevent this, the health sector needs to make improvements to its IT and also its operational technology (OT) systems, as well as expand its cyber security and threat response.
Underestimating vulnerabilities in Active Directory
Hospitals’ corporate networks are targeted by 99% of ransomware operators through Active Directory (AD). This is because AD is used to control user permissions — aka ‘logging in’ to systems. Hospitals typically underestimate how this piece of software can be used by attackers, but AD is composed of all the applications nurses, doctors, and administration staff are using. Ensuring that it is monitored and protected is vital.
When it comes to hospitals, it is important to remember that mobility is also a key factor as staff need to be able to access patient data from everywhere — whether it is from the ER, specific wards, outpatients, and more. In addition, administration staff now have access to the shared network and, in some cases, are able to manage sensitive patient data from their homes thanks to new hybrid working initiatives adopted in response to work from home mandates. When they are working on-premises, staff are more likely to remain alert where sensitive data is involved, but the same cannot always be said for employees working within the home environment where security protocols may not be as stringent.
Lack of investment in IT department expansion
Fixated on providing exemplary patient care, hospitals have been unable to prioritise funds to expand IT departments. Today, cybersecurity and IT teams within hospitals are made up of a handful of people, heaping further pressure on these departments to monitor OT powering their critical infrastructure. Typically teams comprise a CTO and two or three other employees, which is not enough to ensure business continuity and recovery of breached data. By overlooking the need for more IT staff to monitor the corporate network, health centres are exposing themselves to more risks.
Bad actors are targeting sensitive patient data, because they can monetise their breach. While a lack of funds is mostly the reason for veering away from IT department expansion, in some cases ransomware attacks have led to hospitals falling into bankruptcy. Business continuity in the event of a cyber-attack cannot be ensured if only a small team is in charge of the data recovery and logging process.
For example, in the case of the Hillel Yaffe Medical Centre cyber security attack, the small threat response teams had to rely on “pen and paper” to log their data recovery actions. This is not a long-term solution, and healthcare centres should consider putting into place cloud systems, with no direct access to the IT structure. This way data can be stored in the cloud, and business continuity is ensured even if the main network is compromised.
The dangers of outdated medical devices in the middle of IT and OT convergence
Today, within hospitals, there are at least five devices and IP addresses active for each hospital bed/room. Usually, as these IP addresses are not part of the IT network, they are not monitored and managed by CTOs.
IP addresses should not be isolated, and embedded in a box, as they provide access to sensitive patient data. Most medical vendors do not understand the risks of a closed IP system, with a dedicated VLAN that allows connectivity between devices. These networks become an open door to bad actors, if the OS is not improved and patches and upgrades are not being deployed. Because of this, hospitals should acquire devices that are not only certified from a medical perspective, but from a security perspective as well.
It is also important to note that medical devices were introduced 20 years ago, and these embedded devices were completely disconnected from one another when they were initially released onto the market. But now, ECG machines, tablets, and screens are increasingly connected. We are in the middle of IT and OT convergence, and yet some of these devices retain very old technologies, because they have been created by medical suppliers and not by IT suppliers.
Vulnerabilities have been discovered last year in the Translogic pneumatic tube system (PTS). PTS systems are used in most hospitals today, and they transport materials and documents via a series of pneumatic tubes. PwnedPiper, a set of nine vulnerabilities that have been discovered within PTS, can lead to memory corruption bugs, privilege escalation, and unsigned firmware upgrade. Attackers can exploit this breach by rerouting or shutting down automated delivery of medication. The vulnerabilities affected Swisslog Healthcare’s Translogic PTS, used by 80% of major hospitals from North America.
The bottom line: medical devices need to be monitored
It is not only about technology, it is about the people in the process. Ten years ago, Chief Information Security Officers (CISOs) were in charge of IT security, and now they have been attached to the risk management branch. After the wave of ransomware attacks on the healthcare sectors, CISOs need to realise that the managing asset, from a data perspective, remains the main target.
Everything that was not initially under the CISO’s responsibility umbrella, meaning the medical devices, should now be part of the same programme. That is one of the big changes hospitals need to make in terms of responsibilities across IT and threat response departments.
While public hospitals are more vulnerable to risk, they are more closely monitored by national cybersecurity bodies, compared to medical centres operating in the private sector. The only way the private sector can grow from a cybersecurity perspective, is by governments imposing tougher regulations. While the framework around cybersecurity best practices is published by the National Cyber Security Agency, the organisation does not have a mandate to reinforce it. This allows cyber security best practices within private medical enterprises to slip through the cracks, and endanger the welfare and data security of patients.
We’ve seen that attackers have the healthcare sector firmly in their sights. It’s imperative that the sector recognises the risk and takes proactive steps to close the attack paths into their systems. In tandem, they need to develop strategies so that, should the worst happen, resorting to pen and paper is not the best course of action.
