Hospitals Targeted by Cyber Attack During Covid Crisis




Few things raise the question of ethics more sharply than a lawyer chasing an ambulance leaving a road traffic accident or a hacker targeting a hospital during a global crisis, but the latter is precisely what has been happening since February.

The public and government officials alike are outraged that cyber criminals would target health systems during a global pandemic.


Increase in Cyber Attacks
According to the FBI, the number of reported cyber crimes has quadrupled for the period December - April compared to the same period last year. The FBI’s Internet Crime Complaint Center, known as the IC3, has been swamped with 3 to 4 times the usual number of calls each day as the COVID-19 pandemic spread across the United States.

According to Tonya Ugoretz, Deputy Assistant Director of the FBI Cyber Division, "there was this brief shining moment when we hoped that, you know, 'gosh cyber criminals are human beings too,' and maybe they would think that targeting or taking advantage of this pandemic for personal profit might be beyond the pale. Sadly, that has not been the case," she reported.

The US FTC has reported that approximately $12 million has been lost to coronavirus-related scams since January. But it is not just the US that has been targeted. One man in Singapore tried to abscond with €6.64 million from a European pharmaceutical company after taking an order for surgical masks and hand sanitizer that he had no intention of delivering. Thanks to the quick actions of Interpol and the Singapore authorities, the money was returned and the man arrested.

Criminals have registered hundreds of fake domains with names chosen to entice the unsuspecting to click through to what appears to be a coronavirus news site, a health and well-being site, or a charity site supporting everything from animal shelters for abandoned pets to food banks for the suddenly unemployed. At least one has even purported to be part of the Centers for Disease Control (CDC) in Georgia. A whole range of scam sites has been set up to supply N95 masks, rubber gloves and other personal protective equipment (PPE); users place an order and never see any goods, only fraudulent transactions on their credit cards. Many hospitals have been defrauded in similar ways, receiving sub-par equipment, mainly from Chinese manufacturers, or none at all.

Intellectual property theft, especially at hospitals and research institutes investigating the virus or working on potential COVID-19 vaccines, has also been rife, often originating from so-called international partners, some of whom may themselves already have been compromised. Nation-state actors are focused on gathering information about the response of US states to the ongoing pandemic and on the progress of vaccine research, with more than one nation state appearing to be involved.



Healthcare & Medical Research Targeted
Most alarming, though, is a spate of targeted ransomware attacks against hospitals. Last month a number of Czech hospitals and medical research centers were attacked by as yet unknown perpetrators in what is thought to be a combined infiltration-theft and ransomware attack. The attack breached one of the major Czech COVID-19 testing laboratories, at Brno University Hospital in the city of Brno in Moravia. According to Reuters, “The country’s NUKIB cybersecurity watchdog said the attacks, designed to damage or destroy victims’ computers by wiping the boot sector of hard drives.” The similarity to Russian FSB and GRU attacks against Ukrainian and other targets last year would tend to indicate nation-state involvement, as would the boot-sector wiping first attributed to the Russian GRU's NotPetya attacks.

Colorado Medical Center Hit
But ransomware attacks against hospitals have also hit closer to home. At least one US hospital has been hit in the past week by ransomware that encrypted its entire EMR system and its local backups. This was not a random broadcast attack but one carefully crafted against a known Pueblo, Colorado hospital with an unpatched perimeter. The hospital and many of its IT systems are still offline at the time of writing, and patient care is still being impacted by the attack. Its website came back up as we were about to post this article with the following message to the community.




This represents a daring escalation by cyber extortionists and risks a very real response by the United States. A mere two days before Parkview was hit, US Secretary of State Mike Pompeo warned that there would be "zero tolerance" for such attacks.

"As the world battles the COVID-19 pandemic, malicious cyber activity that impairs the ability of hospitals and healthcare systems to deliver critical services could have deadly results," Pompeo said. "Anyone that engages in such an action should expect consequences," he added.

This marks yet another escalation in government response to cyber attacks against national critical infrastructure. Back in May 2019, the Israeli Defense Forces dealt a very firm blow to cyber actors planning an attack on Israel: an air strike that wiped out the Hamas cyber headquarters, flattening the building and all inside.

The US has also taken out a number of cyber adversaries with drone-launched Hellfire missile strikes in Syria over the past few years. In fact, the US has reserved the right to retaliate against cyber attacks with military force since 2011. The prospects, therefore, for those cyber criminal elements that deliberately target US hospitals and medical research facilities obviously don't look too good.


Recovery from Attack
In order to turn the lights back on and restore systems following a cyber attack, a hospital must first eradicate all traces of the ransomware and other malware, then carefully restore data from off-site backup tapes or cloud storage. Before any of that, however, the malicious exploit and ransomware code must be identified and forensically preserved by law enforcement for later prosecution of the perpetrators; only then can systems be cleaned up and reformatted. This can be very time consuming, taking many days, and will of course impact patient care and safety.

Perpetrators also know that, thanks to better backup procedures following WannaCry, victims keep comprehensive and disconnected backups of their data so as to avoid paying ransoms, which would be illegal in many jurisdictions. Hence they are now executing combined infiltration-theft extortion attacks, as was seen in the Czech Republic. Non-public data is exfiltrated as part of the attack, and when the ransomware clock runs out without a payment being made, the perpetrator releases some protected data to the public internet with a second extortion demand, threatening to release more regulated PII and PHI. By further upping the stakes against the healthcare delivery systems of the United States and other countries, cyber criminals have perhaps unwittingly invited a kinetic military response to their actions, especially if they reside in parts of the world that lack effective law enforcement or means of extradition.

Containment and Risk Mitigation
While adoption of a Zero Trust security framework and the implementation of network segmentation will severely limit the lateral spread of malware across a hospital network, one of the greatest recovery problems is the identification of sleeper malware, or of extraneous communications by that malware to command and control servers. That's where Cylera’s MedCommand software comes into its own, quickly identifying suspicious network traffic and tracing that traffic back to infected code that can then be eradicated from the network so that restoration of Health IT systems can commence.

It's just one more use of the Cylera MedCommand system, in addition to its primary objective of identifying healthcare IoT (HIoT) connected assets and profiling and risk-assessing them for security group tag allocation and for network micro-segmentation under Zero Trust. It also complements a recently added feature that allows those responsible for managing medical devices and other HIoT assets to observe device utilization for better allocation of patients to available devices, something that has become critical when medical devices are in short supply and stretched to capacity under a global pandemic.




More about Cylera MedCommand
Many healthcare IT and security teams have yet to gain a full understanding of which medical and IoT devices are connected to their network, much less of those devices' level of risk and susceptibility to different forms of malware. Cylera’s MedCommand is an agentless solution designed to fill this capability gap. MedCommand provides organizations with a complete, real-time inventory of all connected HIoT devices, an understanding of the vulnerabilities affecting them, information on their configurations and patch levels, and real-time threat detection tailored to each device. Teams can then make use of Cylera’s actionable recommendations and automated micro-segmentation policy generation to proactively protect HIoT devices and provide a missing layer of security to the devices that need it most.

To learn more about MedCommand and how it may help you identify suspicious traffic on your network contact us to request a demo.

This article was first published here.




Original stories and articles may be republished without charge provided that attribution is provided to the source and author. Articles written for, and published first elsewhere, are subject to the republishing terms and conditions of the host site.

