State-sponsored hackers seek to manipulate the global market by targeting major healthcare organizations.
Cyber attacks are on the rise across the board during the COVID-19 pandemic, and attacks on healthcare infrastructure by both state and non-state actors can be especially devastating even without considering the potential geopolitical agendas behind them. Though the Internet of Things (IoT) brought better interoperability, flexibility, and convenience for patients and providers in healthcare, the integration of IoT devices also opened up new risk pathways.
Cybersecurity experts Richard Staynings, Martyn Gill, and an analyst who wished to remain anonymous, broke down how the healthcare industry is vulnerable to cyber attacks, what sorts of havoc hackers can wreak upon their victims, and who benefits from stolen COVID-19-related research.
From a cybersecurity perspective, the healthcare industry is largely under-funded and constantly under attack, according to Staynings, who is the Chief Security Strategist at HIoT company Cylera and a board member of Wembley Partners. Healthcare facilities themselves are particularly vulnerable to cyber attacks that can manipulate or bring down critical life saving devices.
“The network has grown from the citadel model of healthcare delivery 10 years ago to one of firewalls that are like Swiss cheese essentially, with the number of holes that are punched into them,” said Staynings.
And there are too many insidious ways in which hackers can make Swiss cheese out of healthcare cybersecurity defenses, especially in the realm of IoT. IoT-linked devices in hospitals and clinics are one area where cyber criminals can poke mortally-wounding holes in cybersecurity, with the results leading directly to patient death.
“We’re talking about cyber assassination. You no longer need to be MI6 and issued a Walther PPK in order to assassinate someone; you just need to gain access to the medical devices that are keeping that individual alive,” Staynings explains.
As a real world example, former US Vice President Dick Cheney had the WiFi disabled on his pacemaker because he feared a terrorist attack on his life. If a state-sponsored hackers or a criminal organization were to gain access to a medical device used by a high-profile target, the hackers could use it to easily assassinate their target.
Medical devices that are directly connected to the patient aren’t the only part of healthcare IoT that remain vulnerable to attack. Staynings also provides many scenarios in which something like this could happen through other access points:
- What would happen if the airflow were to stop, or were to be reversed in a hospital emergency room or COVID ward, so that patients were spreading the disease throughout the building versus being evacuated out through the roof?
- What would happen if elevators stopped working because they were attacked and patients could no longer be moved from floor to floor?
- What would happen if there were a mass attack against a network connecting infusion pumps, or X-ray machines were compromised?
It is a common misconception to consider healthcare IoT to be just healthcare devices like pacemakers and wearables, but inside hospitals there are all kinds of devices that are being affected by attacks.
“We’re talking about network switches and printers that are not directly connected to patient health, but they’re still critical to the workflow of providing medical care,” said the anonymous analyst.
These types of disruptions can make patients miss their appointments, or put hospitals in a panic because they can’t access any of their data and operations are disrupted.
Why is Healthcare Targeted?
Last year, 48% of all security breaches in Canada were in the healthcare industry. Stolen patient information can be used for fraud, impersonation, or held for ransomware attacks, depending on the hacker’s motives. Non-state healthcare IoT hackers are mostly motivated by money and are not out to physically harm patients, but rather steal their data for ransomware, because “health data can fetch a higher price than credit card numbers.” There is nothing more valuable than lives.
If your credit card information is hacked, you can cancel it and get a new number. It’s a bit more difficult when your medical records are hacked. Oftentimes, patients aren’t even aware that they’ve been compromised, and they are the ones that truly suffer from these attacks.
“This is more than just cybersecurity; it’s about ensuring that we as patients are not harmed or inadvertently put at risk due to a lack of security controls.”
As if these reasons aren’t enough, there are other nefarious motivations for hackers to exploit healthcare data, especially state-sponsored hacking of research related to COVID-19.
State-sponsored hackers seek to manipulate the market by targeting major healthcare organizations and intellectual property (IP) theft related to COVID-19 research.
You may be thinking, who cares if COVID-19 research is being stolen? Shouldn’t this research be shared with everybody anyway in order to eradicate the virus in the quickest way possible?
And the answer would be, yes, a solution could be developed more rapidly, but then whomever gets to it first will dictate and control the global market share, create a monopoly, and set international standards. Considering that the crisis is global, there is massive leverage for the country who controls market share.
“It virtually grants them early market entrance and essentially a monopoly in setting the prices, so there’s a massive financial benefit to that as well. “And last but not least, there’s reputation. Needless to say, this would be a massive breakthrough, so whichever country gets there first, they will enjoy major benefits,” said the analyst.
How do we know who to blame?
If we know that all this hacking is going on, and that it comprises national security, the economy, and the health of all citizens, how do we hold bad actors accountable?
Each nation state actor or faction has their own interests, alliances, sabotage plots, and potential plans to implicate others. This makes it exceedingly difficult to track and pin down the perpetrator.
“It’s so difficult to attribute attacks to a certain country. You see so many false flags,” Wembley Partners Managing Partner Martyn Gill said during the discussion. “If you get it wrong, you’re going to get it really wrong if you point the finger at the international level”
Gill iterated how difficult it was to filter through the noise and the false flags. He added that previously, Russian actors used Iranian infrastructure to carry out an attack, so it looked like it was an Iranian state-sponsored attack, but in reality it was the Russians.
America’s own CIA is perfectly capable of these types of false flags, too, as documented by WikiLeaks back in 2017. WikiLeaks’ release of Vault 7 “Marble” revealed that the CIA could cover its hacking tracks by implementing a secret anti-forensic malware named Marble that was capable of faking cyberattacks from other countries.
In the face of such challenges, what can be done to combat the rising number of cyberattacks, particularly in the healthcare industry? We can start by educating organization leaders about the true cost of these very real attacks, so they may begin to consider cybersecurity within their organizations more seriously. Assassination by hacking medical devices, inciting geopolitical instability by sabotaging infrastructure and stealing research, and holding patient data for ransomware are just some of the ways cybercriminals attack healthcare.
Join Richard Staynings, Cylera's Chief Security Strategist, at the upcoming Managed Security Services Forum DMV for a panel discussing the challenges of securing healthcare from nation-state attacks with Esmond Kane, CISO at Steward Health Care, and Derek Gilbert, CISO at DXC Technology.
Date: Thursday, April 15th, 2021
Time: 12:50pm Eastern Time
Medium: Zoom conference
Register Here: https://dmv.mssconference.com/
Read more about Targeted Cyber Attacks on Healthcare