This past year, we witnessed twists, turns, and even chaos in the realm of cybersecurity. In summary, we are finding that, while the healthcare sector is improving its healthcare cybersecurity practices – as a whole, much more needs to be done. Indeed, the asymmetric threat still exists. Cyber-attackers –especially those with some level of sophistication – may have superior technical knowledge and skills compared to the many of the defenders out there. Fortunately, though, both healthcare providers and vendors are pushing the envelope with innovation solutions, training, processes, mock exercises – and, yes, more penetration testing.
So, here is a rewind of cybersecurity events and developments in 2017 through the lens of our HIMSS healthcare and cross-sector cybersecurity reports.
January 2017: Many servers, accessible via the internet, are vulnerable to TLS/SSL attacks such as Drown, Triple Handshake, SMACK, FREAK, Logjam, and SLOTH (Vol. 8, item no. 8 in Threats, Vulnerabilities, and Mitigation Information).
While weak or misconfigured TLS/SSL is not a new problem, so many websites and other services –accessible via the internet – are insecure. Many academics have called for a revamp of internet architecture to ensure better security. Some researchers have even suggested a new way to map the internet.
February and March 2017: We saw waves of attacks by cyber weapons such as Shamoon 2.0 and Stonedrill and increases in malspam attributable to botnets such as Necurs (Vol. 9, items 1, 2, and 4 in Threats, Vulnerabilities, and Mitigation Information).
It is likely that we will see the rise of offensive cyber maneuvers, including the use of cyber weapons (wiper malware and otherwise), by nation state, non-state, and other actors in 2018 (and beyond). But, one does not need to be a sophisticated cyber-attacker to access and use such technology. Indeed, many of these resources are easy to use and hiding in plain sight.
April 2017: Many entities have been failing to address SMB vulnerabilities (even instances in which a patch was readily available), thus making things such as remote code execution a fairly trivial endeavor. On a related note, research continued to show that the Conficker worm was alive and well after all of these years. (Vol. 10, item no. 1 in Threats, Vulnerabilities, and Mitigation Information).
While the state of healthcare cybersecurity is improving, there will continue to be many entities with vulnerable machines to SMB attacks (yes, even Conficker).
May 2017: The most significant event this month was WannaCry, which exploited an SMB vulnerability (CVE-2017-0144), in a global cyberattack campaign. However, SMB vulnerabilities are not just a Windows problem. We also took note of SambaCry (CVE-2017-7494) which allows for remote code execution via a writable SMB share. (Vol. 11, item nos. 1 and 2 in Threats, Vulnerabilities, and Mitigation Information).
If you have not already patched these SMB vulnerabilities, the time is now. Exploits such as these are reportedly still quite effective. (A cyber-attacker could get privileged level access to your systems and networks in as little as a few minutes.) If you are not vigilant about patching, then the security of your systems and infrastructure may look something like Swiss cheese.
June 2017: While WannaCry was still somewhat of a problem in June, NotPetya surfaced as a new issue and yet another global cyberattack campaign. Although WannaCry was a ransomworm, NotPetya was characterized as a destructive wiper malware. (Vol. 12, item no. 1 in Threats, Vulnerabilities, and Mitigation Information). In addition, NotPetya was largely attributed to a supply chain software problem.
What we saw in May and June of 2017 was perhaps a “flexing of the muscle” to observe what happens in the face of a global cyberattack campaign. The damage to the healthcare sector and other critical infrastructure sectors could have been much worse, in the face of a coordinated attack on our sectors. While we have improved in regard to information sharing and other proactive measures, we are nowhere near where we need to be (yet) vis-à-vis a hypothetical coordinated cyberattack in a global scale against our vital industries and sectors.
July 2017: Analysts anticipated a rise in malware specifically targeting specialized types of industrial control systems. One such example is known as Industroyer (Vol. 13, item no. 3 in Threats, Vulnerabilities, and Mitigation Information). According to analysts, such malware is designed with what almost appears to be “insider knowledge” of the exact workings of these industrial control systems. Yet others state that such malware has been around for quite a while and is not new. There is general consensus, however, around the fact that such targeted, specific malware for pinpointing specific types of industrial control systems will continue to increase over time.
If you have not taken a look at your supply chain disaster preparedness response and procedures yet, now may be the time to do so. Just as we all have taken a closer look at our contingency plans, backup procedures, and such in the face of ransomware, we also need to take into account the anticipated problems of supply chain disruption. In other words, we may not be always able to rely on the “just in time” and “on demand” approach to getting what we need when we need it.
August 2017: The telnet protocol is not new, nor should it be “news” that telnet communications are not encrypted and that credentials can be easily stolen. However, with the rise in the Internet of Things (IoT), we noted the work of a researcher that had disclosed information about this problem and thousands of credentials to IoT devices having been uncovered through the course of such research (Vol. 14, item no. 4 in Threats, Vulnerabilities, and Mitigation Information).
In the healthcare arena, almost everything is “connected” (even if the device does not necessarily need to be). If a device is connected to the internet for ease of administration, then that device could potentially be open for access to the world. When there is a will, there is a way. So, perhaps we need to take a step back and scrutinize our inventory and our procurement processes. Does that light bulb really need to be connected to the Internet? What is “cool” or “convenient” may not necessarily be good for you (or your organization) in the long run.
September 2017: Just about every organization has a website, and web technology is always changing. But, as we have noted previously in this blog post, website security is not something that everyone has mastered. Thus, while entities may patch their back-office systems and in-house IT infrastructure, their websites (and web technology) may be ignored. Web applications may have significant vulnerabilities such as directory traversals (Vol. 15, item no. 1 in Threats, Vulnerabilities, and Mitigation Information), which may result in unauthorized disclosure of potentially sensitive files. In addition, if you have a back-end database which your web application can query, you need to keep in mind problems such as, but not limited to, SQL injection vulnerabilities (Vol. 15, item no. 2 in Threats, Vulnerabilities, and Mitigation Information).
With vulnerabilities such as directory traversals, a cyber-attacker may be able to discern the users on a system and potentially even passwords (or password hashes) on a system as well. It may be possible to execute shell commands by way of SQL injection, and/or dump the entire database contents, erase the contents, create privileged users, and more.
October 2017: Wireless-connected devices are quite ubiquitous. Yet, many do not give much thought to the insecurity of such devices. Researchers disclosed a method for attacking the WPA2 protocol (Vol. 16, item no. 4 in Threats, Vulnerabilities, and Mitigation Information). In addition, advanced persistent threat actors continued to target critical infrastructure sectors with ongoing campaigns (Vol. 16, item no. 1 in Threats, Vulnerabilities, and Mitigation Information).
As we can see from ongoing research and findings, there is no such thing as 100 percent security. This would mean that we would never ever make a mistake in configuration, design, installation, implementation, or even post-implementation activities (such as patches, including patches which may introduce newly exploitable vulnerabilities).
We need better predictive analysis in the cybersecurity realm so that we can gain more foresight into what may be coming down the road — instead of what is already here.
November 2017: We saw significant vulnerabilities affecting products that many thought, once upon a time, were far more secure than their counterparts. (Yet, we now know that—just like any other technology—there have been significant flaws in MacOS, Linux, and other platforms (Vol. 17, item no. 4- 6 in Threats, Vulnerabilities, and Mitigation Information).) Furthermore, medical device security remains problematic with significant insecurity found in connected infusion pumps and other types of medical devices (Vol. 17, items 1-3 in Threats, Vulnerabilities, and Mitigation Information).
When we evaluate products for procurement, we rely, in part, on brand names and reputations. But, one cannot necessarily make assumptions on good security (or bad) just based upon this “goodwill” analysis alone. It pays to do more due diligence and gauge, as well, what the track record is of the vendor in terms of reported and discovered vulnerabilities, as well as vulnerabilities which the vendor (hopefully responsibly) has addressed.
December 2017: While the healthcare sector has been in the news in regard to cyberattacks and reported breaches, some analysts have found that the healthcare sector is not the worst in terms of sheer numbers of breaches (Vol. 18, item no. 2 in Reports and Tools). We all find challenges in cybersecurity – regardless of one’s sector or industry. Indeed, insecure websites (of all types) are still a problem (Vol. 18, item no. 4 in Reports and Tools). We also noted the fragility and susceptibility to attack of undersea cables, which, as reported, support 97 percent of global communications (Vol. 18, item no. 5 in Reports and Tools.)
Many providers focus on incident detection, but not necessarily incident response and recovery. Fewer still take into account our supply chain dependencies and the security of our supply chain. Perhaps we need more of a multi-dimensional approach to how we understand and address cyber risks. Cybersecurity and healthcare both touch virtually everything—these are things that we cannot afford to ignore. The clock is ticking.
Summary: While cybersecurity is not for the faint of heart, we all can do our part by raising awareness and taking action. As I have said over the course of this year, cybersecurity should be and is for everyone. Whether as individuals, businesses, or organizations which help save people’s lives, we all need to do our part. More people in healthcare – and indeed, the world – are getting more informed about cybersecurity. But, we also need to educate people about the other side of things – how attacks occur and what the impact of these attacks can be. Perhaps, then, fewer people will use passwords such as “123456” and “letmein.”
Dig deeper into recent cybersecurity events and developments inside the December 2017 Healthcare and Cross-Sector Cybersecurity Report (Vol. 18)