Should we be worried

About state-sponsored attacks against hospitals?

Security and the Board Need to Speak the Same Language

How security leaders speak to thier C-Suite and Board can make all the difference

The Rising Threat of Offensive AI

Can we trust what we see, hear and are told?

Who'd want to be a CISO?

Challenging job, but increasingly well paid

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effecitive

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

Singapore eHealth - Innovative Technologies and Security

The Author addresses the Singapore eHealth Summit. Photo: Dean Koh

Singapore faces many of the same problems affecting patient care in Europe and North America; an aging population, rising demand and increasing costs. The need to implement more value-driven initiatives to increase efficiency and improve patient outcomes will become critical here in Singapore just as it is in other countries with declining populations or unsustainable rising healthcare costs. This includes the need for wider mainstream adoption of new and disruptive technologies like data analytics, machine learning and artificial intelligence, combined with highly innovative procedures to accurately identify, diagnose and treat patients.

The recent Singapore eHealth and Health 2.0 summit was unique in that it brought together some of the best minds and best ideas from all over the world under one roof, to showcase a plethora of quality treatment ideas and disruptive emerging technologies which promise to revolutionize the healthcare industry.

As with the adoption of any new technologies, there are risks which must first be evaluated before a technology can be introduced, and in healthcare, increasingly these risks focus upon cybersecurity.

In Singapore, which suffered its largest ever breach last year with the theft of 1.5m SingHealth patient identities along with the prescription records of its Prime Minister and other V.I.P.s, security is of particular concern. Several smaller healthcare breaches this year including publication of the personal details of over 800,000 blood donors, and the exposure of 14,200 HIV patient records has compounded the need for the industry to get security right.

Confidentiality, Integrity and Availability

The ASEAN region, according to CIO Magazine, with its dynamic position as one of the fastest growing digital economies in the world has become a prime target for cyber-attacks, accounting for 35.9% of all cyber attacks globally in 2017. The targeted attack against SingHealth is perhaps a wake-up call for the region to do a better job of securing Confidentiality, Integrity and Availability (CIA) its healthcare and other critical services.

But the risks impacting healthcare are way more nefarious than just the disclosure of confidential patient information. Far more worrying is the threat to the INTEGRITY of health records and other clinical data, and the AVAILABILITY of HIT systems needed to treat patients.
  • What happens when a patient's blood type, allergies or past treatment records are altered by a hacker?
  • What happens when a ransomware attack locks up all Health IT systems as it did to many hospitals in the British NHS with the WannaCry attack? 

Patient Care suffers and Patient Safety is placed at risk

The growth of medical devices and other Healthcare IoT (HIoT) is prolific and already outnumbers traditional computing systems. Compound growth in medical devices has reached 20% per year by some estimates. Furthermore, most are connected now to hospital networks and talk directly to core HIT systems like the Electronic Health Record. Hackers know this and have used the fact that HIoT systems are by and large unprotected against cyber-attack to launch their infiltration campaigns.

Many legacy medical devices can only connect to hospital WiFi using insure WEP encryption, which means any teenager with the right tools could gain access to core systems in most unsegmented healthcare networks with little more than a SmartPhone from a hospital waiting room.

Medical devices and other HIoT systems now pose the single greatest risk to patient safety according to many in the industry because of their lack of inherent security, inability to be patched or secured with AV or a host firewall as even a Windows PC can. What is more worrying is not that these devices are incredibly easy to hack or topple over, but the fact that they are most often connected to patients at the time providing critical life-sustaining care or telemetry.

On-stage demonstrations at security conferences like DefCon, Black Hat, and KiwiCon often feature the hacking of some sort of medical device that if connected to a real patient, would undoubtedly result in that patients death. Yet, the US FDA, Australia TGA, UK MHRA, and EU EMA, device manufacturers, and hospitals all downplay the risks, knowing that devices have a 15 to 20 year lifespan and few if any, are ever updated with security patches once sold.

The fact of the matter is that we have almost no idea if, and how many patients have died as a result of a medical device being hacked. No one currently is required to forensically investigate a failed medical device. Instead when is device is suspected of failing, all data is wiped to comply with HIPAA, GDPR, SPA, and other privacy rules and the device is shipped back to the manufacturer to be re-imaged, tested and put back into circulation. This is a subject I have written about in the past and one perhaps best demonstrated by Doctors Christian Dameff, MD and Jeff Tully, MD from the University of California Health System, in their realistic yet alarming presentation at the RSA Conference last year.

The need to better understand and evaluate risk in this growing sector of healthcare has reached a tipping point, as OCR in the United States and the TGA in Australia, starts to ask questions about risk analysis of these devices many of which are covered under the HIPAA Security Rule and the APA. However healthcare IT and Security teams face several daunting challenges before they can mitigate security risks and chase compliance.

1. In most hospitals, medical devices are owned and managed by Bio-Medical or Clinical Engineering, while other groups also outside of IT, manage building management and other hospital IoT systems. Consequently, there is limited security visibility, if any at all!

2. An accurate inventory of what HIoT assets are connected to the network is almost impossible to accomplish manually as devices change all the time and manual spreadsheets and traditional IT asset management systems have proven inaccurate.

3. Evaluating the risks of medical devices is difficult since most are connected to patients and cannot be scanned with normal security tools. Larger equipment like X-Ray machines, MRI, CT and PET scanners are in use 24/7 and cannot usually be taken out of service for regular security scans.

4. Inherent weaknesses in some HIoT protocols like DICOM allows a malicious actor to embed weaponized malware into a legitimate image file without detection, as researchers at Cylera Labs discovered recently.

5. Lack of internal network security allows a hacker to intercept and change a PACS image with false information during transmission between a CT scanner and its PACS workstation, adding a tumor to an image or removing one as security researchers at Ben Gurion University recently discovered.

Fortunately, new AI security tools from Cylera, created especially with healthcare in mind, are able to automate the entire risk management process to identify, profile, assess, remediate and manage HIoT assets in line with NIST SP800-30 standards. Just as healthcare delivery is moving towards disruptive innovative technologies, so are the security risk management tools being used to support the adoption of new technologies and new procedures.

Cylera’s 'MedCommand' solution, empowers healthcare providers to protect the safety of their patients, assets, and clinical workflows from cyber-attacks. 'MedCommand' provides clinical engineering and information security teams with a unified solution to manage and protect the entire connected HIoT environment including medical devices, enterprise IoT,
and operational technology.

The 'MedCommand' solution is built on Cylera’s 'CyberClinical' technology platform, which incorporates machine learning, behavioral analytics, data analysis, and virtualization techniques. Cylera has partnered with leading healthcare providers, experts, and peers to develop the most comprehensive and integrated HIoT security solution for healthcare.

Learn more about Cylera's innovative AI based approach to medical device and other HIoT endpoint management or contact us to schedule a conversation.

This blog was originally published here.

When Cyber Attacks Go Too Far

News today that Israel has responded to a cyber-attack with a kinetic reply is perhaps a first but, in many ways, to be expected, given a rising tide of global cyber-attacks by those who cause increasing levels of damage, yet hide from attribution by use of proxies or through assumed anonymity.

According to Forbes:

The escalating global threat of cyber-attacks against nation-states took a turn yesterday when Israel's military announced that it had "thwarted an attempted Hamas cyber offensive against Israeli targets. Following our successful cyber defensive operation, we targeted a building where the Hamas cyber operatives work….HamasCyberHQ.exe has been removed," the tweet concluded.

Now that the precedent has been set, it should serve as a very real warning to cyber criminals everywhere that just because they reside in a state that turns a blind eye to international lawlessness, they are not immune from being brought to justice.

This may not be the first kinetic response to an act of cyber warfare but its certainly the first one mass-publicized. The US has reserved the right to retaliate against cyber-attacks with military force since 2011, and in 2015 it launched a hellfire missile attack from a drone to assassinate British born Islamic state hacker Junaid Hussain as he walked down a street in Raffa, Syria.

Many people have been expecting a kinetic response to a cyber attack for some time and talking about the advent of hybrid warfare, but can either of these bombings be seen as the turning point?

The fact is that Hamas had recently launched over 600 missiles at Israel and Israel had conducted over 250 air strikes of Hamas targets in retaliation. In the case of Junaid Hussain, he was known to be actively planning terrorist attacks in the west. Both were thus legitimate targets in existing kinetic conflicts, and both appear to satisfy the UN Charter for 'National Collective Self Defense'. But will this latest attack be used to justify a kinetic response to a future cyber attack or the perceived threat of one by a credible adversary? Maybe!

The Israeli Defense Forces (IDF) certainly considered the threat real enough by Hamas hackers planning an attack on Israel to warrant dropping a very large bomb on top of their building, reportedly with them in it!

Iran should certainly watch its back, where we are told, there has been a steady escalation in threats against the United States over recent months. The recently announced positioning of the USS Abraham Lincoln Strike Group to the Persian Gulf together with a Bomber Strike Group may be seen as a strong warning to Tehran. It may also be considered as positioning for future retaliatory kinetic attacks for recent wave of cyber and other attacks against the United States. This may mark the return of more aggressive US policies against terrorists and others who attack the west with assumed impunity. Just as Reagan’s bombing of Libya in 1986 signified a line drawn in the sand for Qaddafi’s support of terrorism against United States citizens, with hawks like John Bolton and Mike Pompeo advising Trump things could escalate very quickly.

But Iran is not alone on the 'Bad Boy' list of cyber-attacks going too far. According to the Center for Strategic and International Studies most of the world’s cyber-crime is originated in four countries – the Peoples Republic of China, the Russian Federation, the Islamic Republic of Iran and the Democratic People's Republic of (north) Korea, as the chart below shows:

Russia has been using cyberwarfare arguably against its own people since the first Chechen war, but in 2008 the Russia military is attributed to blowing up the Turkish Baku-Tbilisi-Ceyhan (BTC) oil pipeline at Refahiye in eastern Turkey after hacking CCTV cameras to gain access to pipeline valves that were then used to super-pressurize the line until it blew up. The BTC pipeline, which links Baku in Azerbaijan to Ceyhan on the Mediterranean coast of Turkey, gives additional energy independence to oil-rich states on Russia's southern border at a time when Russia is seeking to reassert its control over former Soviet states.

In 2014 a massive cyber attack was launched against Sony Pictures Entertainment that involved the theft and release or destruction of a huge amount of data. It was the first destructive cyber attack conducted against the United States and the first time the US attributed a cyber attack to a foreign government. The attack was claimed by 'Guardians of Peace' and was eventually attributed to North Korea to a group of hackers known as 'Shadow Brokers'.

The 2017 'WannaCry' ransomware attack that brought down hundreds of organizations worldwide including the effective closure of a large number of British hospitals and other critical facilities, has also been attributed to the Shadow Brokers, an outfit that works in the PRC and PDK for the Kim regime of North Korea. According to an Op-Ed in the Wall Street Journal, Tom Bossert, then Homeland Security Advisor to President Donald Trump, firmly attributed the attacks to Kim Jong-Un who gave the order to launch the malware attack, he claimed. "We do not make this allegation lightly. It is based on evidence." Bossert stated. Canada, New Zealand, Japan, and the UK all independently agreed with the US attribution.

Right on the heals of WannaCry, the 'Not Petya' attacks of June 2017 were an act of cyber warfare instigated by the Russian GRU (ГРУ), according to a CIA analysis of the attack reported by the Washington Post. Not Petya or Nyetya as it is also known as, was disguised as a new variant of ransomware, but with no way to recover information or the hard drives storing the data, it destroyed millions of dollars of computer equipment and cost businesses the world-over, somewhere between $4bn and $8bn according to Wired at the time, but now widely regarded to be closer to $12bn. Not Petya thus became known as a broadcast 'wiperware" and as a cyber weapon by many.

According to the CIA, Russia's GRU created NotPetya, as an escalation of its existing kinetic and cyber war against Ukraine ongoing since popular revolution there ousted the pro-Russain former Ukrainian President and CCCP Communist Party Member Viktor Yanukovych. The attack which initially targeted Ukrainian accounting tax software company M.E.Doc, brought down virtually all of Ukraine’s government along with Ukrainian hospitals, power companies, airports, and banks. Since then there has been a steady stream of cyber attacks directed by Moscow against Ukrainian critical infrastructure and power utilities knocking them off-line, constant attacks against Ukrainian businesses, and various kinetic attacks including the military occupation and annexation of Crimea, the instigation of Russian nationalism, ethnic unrest and military support of separatists in Eastern Ukraine. This direct support culminated in the July 2014 destruction of an airliner and deaths of all 285 passengers and 15 crew aboard as MH17 as it flew between Amsterdam and Kuala Lumpur when it was hit by a Russian surface to air missile.

The impact of Not Petya spread far beyond the borders of Ukraine and caused massive damage across the world. First investigated by the Ukrainian security agency, known as the SBU, it was quickly attributed to Russian security services, a fact reflected in other countries subsequent investigations into the cyber attack including all of the Five Eyes nations of the United States, UK, Canada, Australia and New Zealand. This was reflected by a White House statement issued February 15, 2018:

"In June 2017, the Russian military launched the most destructive and costly cyberattack in history, NotPetya "quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin’s ongoing effort to destabilize Ukraine, and demonstrates ever more clearly Russia’s involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber-attack that will be met with international consequences."

Putin's Russia has continued to push the boundaries of acceptability with each new attack from the hacking of the US Democratic Party and former US Secretary of State and presidential candidate Hillary Clinton, to influencing of the US and German presidential elections and the Brexit referendum via its social media bots, to literally hundreds of attacks against think tanks and NGOs according to Microsoft, most of which have been attributed to a group called 'Strontium' - otherwise known as 'Fancy Bear' or 'APT28'.

Meanwhile in the east, The Peoples' Republic of China has kept up a relentless attack against businesses the world over, in its quest to steal the intellectual property and commercial business secrets of the leading global companies. Despite agreements between US and Chinese presidents in 2015, to stop the wholesale cyber-theft of intellectual property, the attacks continue as China tries to surpass the rest of the world with its home-grown companies, using stolen patents and trade secrets invented by others.

The big question is, "how far is too far"? At what point does it become necessary to send a loud and clear message that cyber-attacks will be met with real consequences? Israel certainly deemed it necessary to deal with a group in Hamas that was responsible for cyber attacks against its country and citizens.

Countries may not readily invade one another today as they once did in the nineteenth and twentieth centuries leading to major global conflicts and massive loss of life. That is, perhaps with the recent exception of China's building of military islands off the coast of the Philippines and Vietnam in international waters - an apparent land grab of most of the South China Sea. But we know from history, that if you don't stand up to a bully at least once, then the bullying will continue. Hitler's military occupation of the Rhineland in 1936 is perhaps a good example of what happens when you ignore a problem for too long.

Sometimes we forget that cyber warfare is after all just another form of warfare!

Now that the precedent has been set, those involved in cyber espionage, wholesale theft of IP, extortion, and cyber attacks against businesses and critical infrastructure of countries might want to consider a new profession, or be on the lookout for things falling from the sky!