In what ways can we combat the increasing number of cyber criminals taking advantage of situations caused by the pandemic?
Whether the pandemic cyber-attacks are just highly opportunistic criminals with no moral compass, or are a deliberate escalation of the hybrid warfare executed by a few pariah nation-states, perpetrators are treading on very dangerous ground. Many have certainly been pushing the boundaries of acceptability over the past few years.
Colorado Medical Center Hit
Ransomware attacks against hospitals have now become brazen enough to hit close to home. At least one US hospital was hit recently by ransomware that encrypted its entire EMR system and its local backups. This was not a random broadcast attack but was instead carefully crafted against a hospital in Pueblo, Colorado that was behind on some of its patching of perimeter devices.
This represents a daring escalation by cyber extortionists and risks a very real response by the United States. A mere two days before Parkview was hit, Mike Pompeo, US Secretary of State warned that there would be "zero tolerance" for such attacks.
"As the world battles the COVID-19 pandemic, malicious cyber activity that impairs the ability of hospitals and healthcare systems to deliver critical services could have deadly results," Pompeo said. "Anyone that engages in such an action should expect consequences..."
Attacks against national critical infrastructure risk a very different kind of response from governments the world over. Just over a year ago, the Israeli Defense Forces (IDF) dealt a very firm blow to known perpetrators of cyber-crime who were planning an attack on Israel with an airstrike that wiped out HamasCyberHQ flattening the building and all inside before the attack could take place.
The US has also taken out a number of cybersecurity adversaries with drone launched hellfire missile attacks in Syria over the past few years. In fact, the US has reserved the right to retaliate against cyber-attacks with military force since 2011. The lifelong prospects therefore, for those cybercriminal elements that deliberately target US hospitals and medical research facilities obviously don't look too good.
Alternative Cyber Attack Response Options
Whether and how the US and other countries decide to respond to attacks against life-sustaining critical infrastructure like hospitals and healthcare research is a topic of hot debate. One issue is the problem of attribution. It's difficult to concretely attribute an attack to an individual or a group especially when sophisticated attackers cover their tracks or leave breadcrumbs that point to others. Its also time-consuming venture, it may take years before the culprit of an attack can be identified and dealt with.
Once identified, however, there are a wide range of options open to governments, extradition being only one of them. The international rule of law is opaque at best and needs to meet different standards and evidentiary bars in each country's legal system. Even then, some people are considered beyond the law due to personal connections. Some countries, notably Russia and the former USSR states, lack extradition treaties with the rest of the world. Going after perpetrators via legal means in the Peoples Republic of China or North Korea is also futile as they usually operate at the behest of the state. The Russian state is also very active in cyberattacks, directly via its FSB, SVR or GRU, but additionally via freelance criminal proxies in order to claim plausible deniability.
As a result, governments sometimes need to employ other methods. Bobby Chesney, the co-founder of the Lawfare blog and a very highly respected figure in US national security circles, explained during a recent podcast that there are many perfectly legal avenues for US government agencies to pursue in the apprehension of cybercriminals. According to Chesney, criminals who dare go after critical US Infrastructure, especially at a time of declared national emergency, may face swift retaliation.
"There is an unpublished line in the sand that if crossed could mean significant consequences for those that do," Chesney claims.
These include a wide range of punitive measures available for implementation, including the dispatching of black ops. In 2017 such action was taken against Roman Seleznev, the son of a close Putin ally who was widely regarded as being beyond the law. Renditioned to the USA, tried, and convicted of cybercrimes in at least two different states, Seleznev has the next 27 years to look forward to as a guest of the US prison system.
A Change of Focus
Recognizing that not all cyber attacks can be prevented, many CISOs are focusing more of their attention on the Detect, Response and Recover segments of the NIST CSF. Their focus is limiting damage and restoring functionality as quickly as possible to minimize impact.
"Every minute a critical hospital system is down could mean patient lives, so speedy restoration is critical," claimed Esmond Kane, CISO of Steward Health. "The fact that a breach occurred or a perpetrator was able to gain access to the network and HIT systems, is of secondary concern once systems are back up and running. We have to deal with that later" he adds.
Recovery from Attack
In order to turn the lights back on and restore systems following a cyberattack, a hospital must first eradicate all traces of the ransomware and other malware, then carefully restore data from off-site backup tapes or cloud storage. The malicious code must be identified and forensically preserved by law enforcement before the systems can be cleaned up and formatted. This process can be very time consuming, often having a negative impact on patient care and safety.
Containment and Risk Mitigation
While adoption of a Zero Trust security framework and the implementation of network segmentation will severely limit the lateral spread of malware across a hospital network, one of the greatest recovery problems is in the identification of sleeper malware or extraneous communications by that malware to command and control (C2) severs.
"That's where Cylera’s MedCommand software comes into its element" claimed Michael Archuleta, CIO of Mt. San Rafael Hospital in Trinidad, CO, "It can quickly identify suspicious network traffic and trace that traffic back to malware that can then be eradicated from the network so that restoration of Health IT systems can commence."
It's just one of Cylera MedCommand's many functions working to achieve its primary objective of identifying healthcare IoT (HIoT) connected assets, profiling, and risk assessing them for security group tag (SGT) allocation and for network micro-segmentation under Zero Trust. This is in addition to a recent feature added to the software that allows those who are responsible for managing medical devices and other HIoT assets to observe device utilization for better allocation of patients to available devices - something that has become critical when medical devices are short on supply and stretched to capacity under a global pandemic.
More about Cylera MedCommand
Many healthcare IT and Security teams are yet to even gain a full understanding of which medical and IoT devices are connected to their network, much less an understanding of their level of risk and susceptibility to different forms of malware. Cylera’s MedCommand is an agent-less solution designed to fill this capability gap. MedCommand provides organizations with a real-time inventory of all connected HIoT devices, an understanding of the vulnerabilities affecting them, information on their configurations and patch levels, and real-time threat detection tailored to each device. Teams can then make use of Cylera’s actionable recommendations and automated micro-segmentation policy generation to proactively protect HIoT devices and provide a missing layer of security to the devices that need it most.