Should we be worried

About state-sponsored attacks against hospitals?

Security and the Board Need to Speak the Same Language

How security leaders speak to thier C-Suite and Board can make all the difference

The Rising Threat of Offensive AI

Can we trust what we see, hear and are told?

Who'd want to be a CISO?

Challenging job, but increasingly well paid

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effecitive

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

Beverly Hills Healthcare Security Forum

California Healthcare Cybersecrity Forum in Beverly Hills. Photo: Pat Lambert.

An esteemed panel of biomedical and security leaders discussed "The Biomedical Elephant in the Room" at the California Healthcare Cybersecurity Forum today in Beverly Hills.

Healthcare IoT (HIoT) now extends from one side of healthcare delivery to the other and today that includes an increasing number of medical devices, robots, health automation systems and building management systems none of which hospitals can easily do without.

Most of these connected devices however are not traditionally managed by IT, many don’t appear in any asset management database, most are not patched against vulnerabilities regularly (if ever), and the vast majority are highly vulnerable to cyber-attack and extortion. Very few have effective compensating security controls like micro-segmentation to protect patients from being the subject of the attack rather than just the device attached to them.

A large number of network and implantable medical devices, pose a significant patient safety risk if not secured and could cause patient harm or even fatalities.
Dick Cheney, former Vice President of the United States, had the wireless interface to his own pacemaker disabled because of fears that me might be hacked or assassinated by a political opponent or foreign government via manipulation of the cardiac defibrillator keeping him alive. This scenario was the basis of an episode in the TV series Homeland, in which the Vice President of the United States was hacked and killed.

Edited: Homeland, Se2Ep10

The panel which discussed what can be done to mitigate security risks and protect patient safety comprised of the following experts:

Chad Wilson CISO at Standford Childrens' Health,
Dr. Benoit Desjardins MD, Ph.D. Associate Professor of Radiology at Penn Medicine,
Harb Singh Security Program Manager at Cedars-Sinai Medical Center,
Richard Staynings Chief Security Strategist at Cylera, and panel moderator

For those that missed this highly informative and educational session, Richard will be moderating a similar panel in Boston at the Healthcare Innovation, Healthcare Cybersecurity Forum, on Oct 4th.

Nation State Cyber Thieves Target Healthcare Research and Patient Data

State sponsored cyberattacks against Healthcare and the wide scale theft of PHI, PII and IP are increasing, putting the whole sector at increased risk a new report claims.

Not Petya (Nyetya), WannaCry, Stuxnet, Sony Pictures, Yahoo, US Office of Personnel Management (OPM), SingHealth, and Anthem breaches are all recent examples of nation state attacks. Some are indiscriminate, some target other nation states, and some are focused towards intelligence gathering of mass or targeted individuals. Some are thinly disguised criminal theft of intellectual property and trade secrets, or monetary theft and extortion to supplement what hackers get get paid by their government puppet-masters for 'official business'. They all have one thing in common, a well-funded and well-trained team of cyber warriors with the patience of saints, and the tenacity to get the job done. These are the advanced persistent threats (APTs) that mark a nation state adversary. They are usually stealthy and stay hidden till the last moment, or go unnoticed entirely as Yahoo eventually discovered after a subsequent attack.

Although WannaCry took out a large number of healthcare systems around the world including a significant number of UK NHS hospitals and healthcare trusts, it was by and large a broadcast extortion attack to generate money for the highly sanctioned government of North Korea (DPRK). The SingHealth and Anthem breaches were however highly targeted at healthcare institutions, and these are just the tip of the iceberg. Like the OPM breach, these attacks are thought to have originated from Peoples Republic of China (PRC).

Chinese fingerprints are all over many recent healthcare attacks.

A recent report by FireEye has indicated that state-sponsored attackers from the PRC have for some time been targeting medical data from the healthcare industry. This includes not only PII, PHI and in some cases even the prescription information of patients, but a broader focus upon the theft of academic and clinical research, drug and clinical trial data, research studies, formulary and procedural data, as well as plans for medical devices. Pharmaceutical companies, universities, hospitals and biotech / biomedical engineering companies have all been targeted according to FireEye’s “Beyond Compliance: Cyber Threats and Healthcare report”. In particular there has been a strong focus on the theft of research data into cancer treatments and artificial intelligence, both of which are top priorities for Chinese manufacturers the report adds.

FireEye has seen a “prevalence of multiple Chinese groups over the last several years, and continuing in what we see today, targeting medical researchers in particular," says Luke McNamara, a principle analyst at FireEye who worked on the research. The company says the Chinese-linked APT41, APT22, APT10 and APT18 have all been seen trying to obtain medical data in recent years. Additionally a group linked to Vietnam (APT32) and a group linked to Russia (APT28) also dabble in healthcare, the latter of which has so far targeted sports medicine providers responsible for ant-doping tests of Russian athletes.

Targeting medical research and data from studies may enable Chinese corporations to [patent and] bring new drugs to market faster than Western competitors,” FireEye said. The country’s ‘Made in China 2025’ campaign intends to replace all imports from multi-nationals with locally produced products.

In particular, the report added, China has exhibited a “growing concern over increasing cancer treatment and mortality rates, and the accompanying national health care costs.” With massive levels of ground and water pollution in China that has poisoned the food supply with dangerous levels of cancer-causing heavy metals, and air pollution which in some cities is hundreds or thousands of times WHO safety limits, it’s no wonder that the costs of treating cancer is such a growing concern for a country which plans to have universal healthcare coverage for all of its 1.5bn citizens by 2025.

If things weren't bad enough already for hospitals and health systems outside of China, then they just got a whole lot worse!

Photo: Markus Spiske.

Nation State Attacks
Nation state sponsored cyberattacks have been on a sharp rise over recent years with North Korean attacks against Sony Pictures in 2014 in retribution for its movie “The Interview”, followed by the ‘WannaCry’ ransomware attacks of 2017, thought to have been designed to generate foreign currency for the hermit kingdom. Also of grave public concern, were Iran’s DDOS attacks against the US banking sector between 2011 and 2013 and an attempted hijacking of the Bowman Ave. Dam in New York, thought to be in retaliation for the US Stuxnet attack against Iranian uranium enrichment centrifuges.

Russia too has been a major perpetrator in more direct cyber-warfare attacks going back as far as the first Chechnya War in 1996, to literally hundreds of attacks against its neighbors - from the cyber attack against the Turkish-Georgian-Kazakh BTC oil pipeline in 2008, to the most recent attack against the Ukrainian power grid. However, it is the ‘Not Petya’ wiperware attacks of 2017 attributed to the Russian GRU that currently takes the prize as being the most destructive and most expensive cyberattack in history. Not Patya targeted companies doing business with Ukraine and resulted in approximately $8bn in damages to multi-nationals from all over the world. Not Petya destroyed tens of thousands of computer systems and shut down hundreds of companies, including some in Russia. Not only did the GRU open Pandora's box but they accidentally let Pandora out to run amok! Russia is also responsible, via a network of proxy groups who engage in simple criminal theft, for many attacks against retail merchants and financial institutions, and of course for the Yahoo breach of a billion users – the largest attack to date.

But it is the People Republic of China’s insatiable appetite for the theft of commercial intellectual property and trade secrets, combined with its wholesale theft of PII and PHI that is most notorious when it comes to nation state cyberattacks. The OPM breach of 21.5 million federal employee records between 2013 and 2014, and the 2015 Anthem Health breach that resulted in the theft of PII of 79 million people – healthcare’s largest, are typical of PRC attacks. While cyber espionage against military-defense secrets appears to be common across all states today, what differentiates China is its cyberespionage activities that plainly target non-military-defense commercial organizations and research universities. In China everything of significance is owned by or beholden to the state, and after 70 years of communism and isolationism, the peoples republic has had a long way to catch up with the rest of the world. It is not only China's intention to catch up, but also to surpass the rest of the world by whatever means are necessary. In China, that ambition is abbreviated as 赶超 or ganchao in Chinese. What's more, China fully intends to surpass the west within the next five years under the central government’s ‘Made in China 2025’ initiative. Unfortunately, given the tight schedule, that may involve the theft of ideas and trade secrets from nearly every major company on the planet.

This blog was originally published here