Who'd want to be a CISO?

Challenging job, but increasingly well paid

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

Security and the Board Need to Speak the Same Language

How security leaders speak to their C-Suite and Board can make all the difference

Australian Cybersecurity Outlook

Aussie healthcare scrambles to catch up

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Just keeping its head above water

New Zealand Healthcare steams forward with minimal security

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effective

Cyberespionage, and the Need for Norms

Harvard Political Review (external link)

Ransomware Gang Demands $10m to restore French Hospital

The Centre Hospitalier Sud Francilien (CHSF), a 1000-bed hospital located in Corbeil-Essonnes, 28km SE of the center of Paris, has been virtually paralyzed by a cyberattack. Nearly all IT systems appear to have been taken off-line by a ransomware attack discovered on August 21, which has resulted in the medical center referring patients to other establishments and postponing appointments for surgeries. Non-critical services have had to be directed elsewhere, and staff are now working with limited resources.

"Each day we need to rewrite patients' medications, all the prescriptions, the discharge prescriptions," said Valerie Caudwell, the president of the medical commission of the CHSF hospital. "For the nurses, instead of putting in all the patients' data on the computer, they now need to file it manually from scratch."

Medical imaging has been particularly impacted, with all PACS and other imaging services currently off-line. Many medical devices were highly susceptible to the cyber-attack and may have been at the core of the ransomware attack. Like most hospitals, patching of medical devices against known security vulnerabilities appears to have been lax, making them an easy target for hackers to establish a foothold on the medical network.

“Without security enclaving or segmentation of vulnerable medical devices, these systems wouldn’t have stood a chance,” claims Richard Staynings, Chief Security Strategist at healthcare security company Cylera. “It’s impractical or impossible to patch devices where manufacturers have not released a patch, so you really need to isolate high-risk systems as a form of compensating security control,” he added.

CHSF serves an area of 600,000 inhabitants, so any disruption in its operations can endanger the health, and even lives, of people in a medical emergency. Unlike a similar ransomware attack in 2020 against Düsseldorf University Hospital, where a 78-year-old woman suffering from an aortic aneurysm died after being redirected to a different hospital 32km away, no deaths have been reported at CHSF.

The hospital has refused to pay a ransom demand of ten million dollars and is rebuilding its IT systems from scratch while restoring patient data from backup, a process which it expects to take many days.

Police specializing in cybercrime are investigating. Cyber-attacks targeting hospitals in France have been increasing recently, with 380 last year, a 70 percent rise from 2020.

"An investigation for intrusion into the computer system and for attempted extortion in an organized gang has been opened to the cybercrime section of the Paris prosecutor's office," a police source told Le Monde, also specifying that "the investigations were entrusted to the gendarmes of the Center fight against digital crime (C3N)".

While police and cybersecurity experts continue to investigate this attack, “the Tactics, Techniques, and Procedures (TTPs) indicate a LockBit 3.0 infection,” according to Jordan Rogers, head of cyber threat intelligence at Cylera. However, if LockBit 3.0 is responsible for the attack, it will violate the Ransomware as a Service (RaaS) program's rules, which prohibit affiliates from encrypting systems of healthcare providers.

At this time, the attribution to this particular threat group has not been confirmed, and LockBit 3.0's extortion site contains no entry for CHSF, so the group's involvement remains a hypothesis. Affiliates using this RaaS are known to operate primarily in Russia and Belarus.

NHS 111 Services Held to Ransom by Cyber Attack

NHS 111 services are down for much of the UK following a cyber-attack Thursday morning against the infrastructure of software vendor 'Advanced'. The company's Adastra system is used by call handlers to dispatch ambulances, to book urgent care appointments, and for out-of-hours emergency prescriptions. Its Caresys software is used extensively across more than 1,000 care homes, while Carenotes, Crosscare and Staffplan are used extensively by providers. Advanced supplies software to NHS facilities and doctors nationally, including hospitals, doctors’ offices, care homes and mental health services, so disruption has been widespread.

The systems outage is causing significant delays as call handlers are forced to use other systems or to revert to paper. Emergency ambulance dispatch is reportedly taking priority, meaning that everyone else has to wait. Meanwhile, applications managed by Advanced have been isolated to prevent lateral spread of malware to other NHS systems.

According to the Telegraph, the cyber-attack appears to have been conducted by an organized criminal ransomware group looking to shut down crucial systems rather than a hostile state-actor as had been originally feared. Healthcare and other critical national infrastructure services have been on high alert since the start of the war in Ukraine given heightened tensions with Moscow. The UK’s National Cyber Security Centre is working with the NHS as it attempts to recover systems from backups and restore services.

UK businesses have been warned about paying ransoms and incentivizing extortionists. According to the Telegraph last month, the head of the UK’s National Cyber Security Centre (NCSC) and the Information Commissioner warned businesses that they risked “incentivizing” attacks by cybercrime gangs by paying ransom demands.

According to Sky News, Advanced, said the issue was contained to "a small number of servers" representing 2% of its health and care infrastructure. Chief operating officer Simon Short added: "We continue to work with the NHS and health and care bodies as well as our technology and security partners, focused on recovery of all systems over the weekend and during the early part of next week."

This latest cyber-attack against the NHS is an unwelcome test of its resiliency and preparedness for various outages including cyber-extortion. As a critical infrastructure industry, the NHS is a target for pariah nation state attack, although in this case evidence appears to suggest that the attack was orchestrated by a Russian criminal gang. Given the known close working relationship between the Russian government and the country’s organized crime gangs, the Kremlin may not be entirely off the hook in this case. A forensic investigation of the cyberattack will take time and a positive attribution of the attackers may be many months away.


NHS 111, previously known as ‘NHS Direct’, is used for non-emergency Urgent Care services and puts callers in touch with highly trained advisers supported by healthcare professionals. It was designed to reduce the call volume on the UK’s 999 Emergency services (similar to the US’s 911 call system) for non-critical healthcare issues, and to spare patients from having to wait several days for an appointment with their general practitioner / primary care provider. The free 111 service is widely used and can be accessed by anyone dialing the number from within the UK.

Advanced is owned by Vista Equity Partners and BC Partners.

Meta sued for violating patient privacy

Facebook’s parent company Meta is facing two proposed class-action lawsuits for using the Meta Pixel tracking tool on health system websites to target ads.

This is not the first time that Meta-Facebook has been dragged through the courts and sued for a breach of privacy. In this case the problem stems from the company’s wholesale vacuuming up of all kinds of metadata whenever a user visits a web page containing its Pixel tracker functionality.

Pixel is contained in a few lines of JavaScript code and is found widely embedded in various web applications. It appears unlikely that the providers using these web applications were aware of the code contained in their portal pages, or that highly confidential HIPAA-protected information is being sent to and used by Meta-Facebook without patients' express written permission being obtained. This is especially so because Meta is not a duly authorized HIPAA Business Associate, a requirement before HIPAA Covered Entities (CE) can share protected health information with a third party, nor is Meta a HIPAA CE in its own right. Based upon recent research, it’s probable that hundreds of healthcare portals contain the Meta Pixel code unbeknownst to most providers and that millions of patients could be affected.
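As an added example (not code from the original post, from Meta, or from any provider named here), the following Node.js audit scans a portal page's HTML for the well-known Meta Pixel markers (the fbevents.js loader, the fbq('init') call and the noscript image beacon) and lists any tracked events whose parameters should be reviewed for PHI; the sample pages and the pixel ID are constructed placeholders.

```javascript
// Defender-side audit: does this page source contain the Meta Pixel, and which
// events does it send? Assumes the HTML is available as a string (for example
// exported from a browser or fetched by a crawler); runs offline.

const PIXEL_MARKERS = [
  // The tracker loader script served from Meta's CDN.
  { name: "fbevents.js loader", re: /connect\.facebook\.net\/[a-z_]+\/fbevents\.js/i },
  // The init call that binds the tracker to an advertiser's pixel ID.
  { name: "fbq('init') call", re: /fbq\(\s*['"]init['"]\s*,\s*['"]?(\d+)['"]?/i },
  // The <noscript> fallback beacon, an image request carrying the pixel ID.
  { name: "image beacon", re: /facebook\.com\/tr\/?\?[^"'\s>]*id=(\d+)/i },
];

// Returns one finding per marker present: { marker, pixelId } (pixelId may be null).
function findMetaPixelIndicators(html) {
  const findings = [];
  for (const marker of PIXEL_MARKERS) {
    const m = marker.re.exec(html);
    if (m) findings.push({ marker: marker.name, pixelId: m[1] || null });
  }
  return findings;
}

// Tracked events are where sensitive context tends to leak: a call such as
// fbq('track', 'Schedule', {...}) may carry form fields or URL fragments.
// Returns the event names so their parameters can be reviewed.
function findTrackedEvents(html) {
  const events = [];
  const re = /fbq\(\s*['"](track|trackCustom)['"]\s*,\s*['"]([^'"]+)['"]/g;
  let m;
  while ((m = re.exec(html)) !== null) events.push(m[2]);
  return events;
}

// Combined report for one page.
function auditPortalPage(html) {
  const indicators = findMetaPixelIndicators(html);
  const events = findTrackedEvents(html);
  const pixelId = indicators.map((f) => f.pixelId).find((id) => id) || null;
  return { pixelPresent: indicators.length > 0, pixelId, indicators, events };
}

// Runtime check for use inside a browser console: the loader defines window.fbq.
// Returns false outside a browser (for example under Node.js).
function pixelLoadedInBrowser() {
  return typeof window !== "undefined" && typeof window.fbq === "function";
}

// Constructed sample: the standard embed as it would appear in a portal page,
// plus a custom event. The pixel ID 1234567890 is a placeholder.
const SAMPLE_WITH_PIXEL = `
<html><head>
<script>
!function(f,b,e,v,n,t,s){/* loader body omitted */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '1234567890');
fbq('track', 'PageView');
fbq('track', 'Schedule', {appointment_type: 'oncology'});
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"/></noscript>
</head><body>Patient portal</body></html>`;

// Constructed control page with no tracker.
const SAMPLE_CLEAN =
  "<html><head><title>Portal</title></head><body>Patient portal</body></html>";

console.log(JSON.stringify(auditPortalPage(SAMPLE_WITH_PIXEL), null, 2));
console.log(JSON.stringify(auditPortalPage(SAMPLE_CLEAN), null, 2));
```

A page that trips the audit is not automatically a HIPAA breach; the next step is reviewing what each tracked event actually transmits and whether a Business Associate agreement exists.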


The big question is whether Meta Corporation failed to realize that it was illegally being sent PHI data from Pixel, as it continued to monetize this data to sell directed advertising to unsuspecting patients. This point may become a pivotal argument in pending lawsuits and any regulatory enforcement actions. Based upon previous privacy violations, Meta-Facebook is supposed to have implemented business tools to identify sensitive health data and to filter this out from its advertising revenue generating systems. 


In what will likely be a double blow, the collected data was not just innocuous de-identified medical information. “The data Meta received reportedly contained medical symptoms & conditions, prescription information, doctors’ names, IP addresses, and other data defined as HIPAA identifiers. It would therefore be relatively easy to reverse engineer this PHI data to determine the patient identity. It all comes down to the number of data points held in the Meta advertising database,” claimed Richard Staynings, Chief Security Strategist with Cylera. “This could end up being labeled as a massive breach of highly sensitive and confidential regulated HIPAA data.”


In addition to the recently announced class action, it seems likely that the Office for Civil Rights (OCR), the enforcement division of Health and Human Services (HHS), is spinning up a task force to investigate this breach and will be assigning a large team to examine potential violations of HIPAA, the 1996 federal Health Insurance Portability and Accountability Act.

Not only does Meta Corporation likely face HIPAA regulatory concerns, but it also seems likely that various state Attorneys General (AGs) will be looking very carefully to determine if the Pixel code is present in their jurisdictions on web pages where there is an expected right of privacy. This is especially so on healthcare portals. Finally, it also seems likely that OCR and AGs will be looking carefully at healthcare providers to examine their policies, standards, procedures and guidelines around due diligence for acceptance of web application technologies and enabled functionality.


“This is an extreme example of exactly how far the tentacles of Big Tech reach into what we think of as a protected data space,” said Nicholson Price, a University of Michigan law professor who studies big data and health care. “I think this is creepy, problematic, and potentially illegal” from the hospitals’ point of view.


In 2019, the Federal Trade Commission (FTC) imposed a $5 billion penalty on Facebook and required it to submit to new restrictions and requirements to hold the company accountable for its data privacy decisions. This included the promised use of a sensitivity filtering mechanism.
 


Systemic Problem

Many of these privacy issues stem from a fundamental imbalance between the rights of individuals in the United States to remain anonymous and their data kept private, versus the rights of large corporations to collect and mine data for profit. This is a balance that has been addressed in Europe through GDPR - the 2016 General Data Protection Regulation which has quickly become a global standard for Privacy outside of the United States.
 
The federal nature of the US however has resulted in 50 very different and separate state privacy regulations that make it hard to enforce privacy standards for individuals given so much cross-state commerce. Attempts by the federal government to catch up to other OECD nations with a revised national privacy act have met with opposition from some states concerned that a federal law will dumb down their existing provisions, while other state representatives oppose the imposition of something similar to GDPR which they regard as an undue constraint on businesses. 
 
The latest in a long line of attempts to update US privacy laws is currently working its way through congress. It remains to be seen whether the highly fractured nature of US law making results in national privacy changes or goes the way of prior attempts.

 
 

Challenges for UK Life Sciences


The Challenges for UK Life Sciences Companies

Excerpted from Business Innovations Magazine UK May 2022

How Concerned Should we be about a Russian State Cyberattack against the US?


Russia’s invasion of Ukraine appears to be bogged down if the reports coming out of the country are to be believed. Indeed troops around Kyiv are currently reported to be withdrawing back to Belarus to regroup and re-arm. The surgical Blitzkrieg to take over the country and replace its elected leaders with Putin-friendly surrogates has failed, and now Russia has been forced to re-evaluate its military objectives and to focus on liberating Donbas and Luhansk from Ukraine and the Ukrainian people who live there. The area is one of many across the former Soviet Union seeded by Stalin with Russian diaspora after annihilating much of the indigenous population in one of many genocidal purges of opponents. In this case, it was a mass purge of Ukrainians.
 
Indeed the Holodomor (Ukrainian: Голодомо́р) in which 4 million Ukrainians were purposely starved to death by Stalin between 1932 and 1933 in order to suppress Ukrainian desires for independence, is perhaps one of the reasons why Ukraine has been so vociferous in its defense against Russian invasion.
 

An Invasion Falling Apart

But as casualties mount, and in particular the deaths of a large number of Russian General Officers, Putin’s hold over the military and therefore political power, looks to be increasingly tenuous. Reports in the media of tanks being driven over commanding officers by unhappy starving soldiers who were misled and lied to by their leadership, poorly trained and led troops shooting unarmed civilians indiscriminately, and a growing realization by Russian troops that they are pawns in an illegitimate conflict with neighbors most of whom speak their own language, is drawing into question the abilities of the Russian military and its leadership.
 
As the Russian body bag count continues to rise and a growing number of funerals are announced back home in Russia of all kinds of senior military officers, so the public will increasingly be aware of the costs of Putin’s folly. The closure of most foreign stores, the inability to fly anywhere as planes are grounded, and a Ruble which has structurally lost 40% of its value since February will be sure to reinforce concerns that Putin is engaged in a conflict much bigger than he has led on.

 

But military power is not all that Putin can muster in his battle with the west. As President, Putin has at his disposal the considerable state cyber forces of the Russian FSB and GRU. These are groups with no shortage of highly destructive cyber weapons, many of which have been used against Ukraine since 2015, and some of which date to the cyber-attacks against Georgia, Estonia, Azerbaijan, and Chechnya,  all the way back to the 1990s. 
 
Putin also has access to the considerable forces of Russian organized cybercrime in return for historically turning a blind eye to their lucrative criminal activities. Indeed, some investigators have concluded an even tighter more collaborative relationship between the Russian President and mob bosses. Putin in other words, has many options open to him for direct and indirect cyber-attacks, though few would believe any claims in current times that Russian organized crime totally operates outside of the influence of Putin and the Kremlin.
 

Russia and Cyberwarfare

The west has in fact been in an ongoing cyberwar with Russia since the turn of the millennium, when Russian gangs realized that they could operate their craft of cyber theft and extortion with total impunity from within the bounds of the Russian Federation. Putin and the almost ineffective forces of Russian law enforcement simply turned a blind eye to the gangs and their activities. Perhaps the reported back-handers to police officers helped. Perhaps the sheer power of these gangs was enough to intimidate law enforcement officers. Either way, the illicit foreign exchange inflows of untraceable cryptocurrency continue to boost the struggling Russian economy.

 

The connection between Russian organized crime syndicates and the Kremlin in recent months looks to be a lot less deniable, with evidence suggesting that crime gangs are acting on instruction from the Kremlin and perhaps receiving payment for the acquisition of intelligence gained in their attacks. Take for example the SolarWinds Orion attack, which was attributed to ‘Nobelium’, a group reportedly being directed by Russian intelligence to infiltrate US federal agencies, while another Russian cybercrime group, ‘DarkSide’, was busy at the exact same time with a high-profile and distracting ransomware attack against the Colonial Pipeline, cutting off fuel supplies to the entire southeast of the United States.
 

Is Putin likely to respond to increasing western military support of Ukraine?

So far at least, Putin appears to have held back his arsenal of cyber weapons. Supposition is that Putin is concerned that any massive cyber-attack against the west would be sure to result in a powerful response from the west against Russian critical infrastructure including the power grid. It would then be almost impossible for Putin to continue to dupe the Russian people with propaganda stories of an almost insignificant special military operation to rid Ukraine of Nazis. The cat would be out of the bag regardless of whether conscript bodies are returned to their mothers or not, and Putin would be facing enemies from within as well as abroad. It was the unpopularity of the wars in Georgia and Chechnya back home that forced a Russian withdrawal, and the unpopularity of the war in Afghanistan that eventually bankrupted and led to the collapse of the Soviet Union before it.
 
Indeed, this is perhaps what Putin fears most – a popular uprising against his rule by the very lumpenproletariat he claims to represent. So far however, the Kremlin propaganda machine still appears to be working well and Putin can claim wide-scale popular support at home from the babushkas that believe everything they are told by the state media outlets.

 

While Russia may have some devastating cyber weapons up its sleeve, the NSA is widely regarded to have bigger, more devastating cyber weaponry in its arsenal. These include weapons able to effectively take Russia back to the nineteenth century and presumably include the capability to turn off Russia’s power grid, its water, oil, and gas systems, its flight control systems, transportation, and a heap of other critical infrastructure. This would deny Russians, and the Russian war machine, the ability to operate at anything other than minimal levels and could wreak havoc on military resupply and other logistics.
 
The NSA is not alone, however: other Five Eyes nations are thought to have comparable cyber capabilities and would no doubt respond as a group if attacked by Russia. The EU is thought to also have some offensive cyber capabilities, while Israel, less involved in the support of Ukraine against Russian invasion, would likely join in to support the USA and its other allies, despite its current free pass from Russia to attack Hezbollah terrorists operating inside Syria in return for staying neutral. Israel is thought to have some very nasty tricks up its sleeves and, based upon its past performance, is less inclined to hold back if ever attacked.
 
So with cyber armies lined up against each other, perhaps we have reached the modern day equivalent of Mutually Assured Destruction (MAD). This was a principle that ensured the global peace between totalitarian east and liberal democratic west, around the use of nuclear weapons from the late nineteen forties to the present day. Given the impact to all of us of an all-out cyberwar between Russia and the west, let’s hope that MAD will keep the cyber weapons firmly locked up.

 

Can Healthcare Tackle IoT, Medical Device Security Challenges?

Join SCMedia Editor Jessica Davis and Cylera's Chief Security Strategist Richard Staynings for a FireSide Chat at VIVE2022 -  the new CHIME / HLTH conference in Miami Beach FL, as they explore the challenges of medical device security.




Could Russia orchestrate cyberattacks against the west?

As concerns rise about the likelihood of increased cyberattacks against the west by Russian cyber forces, so the west is attempting to ready itself. Both the UK and US governments have this week issued warnings to citizens of the rising threats of an attack and urged increased diligence.

Many consider a cyber attack almost inevitable given continuing western military support for Ukrainian defense, a growing army of hackers joining forces with Anonymous that have very successfully and daringly taken down or defaced critical Russian web sites including that of the Kremlin, and a proclivity by Putin to use grey or hybrid warfare against those who dare to challenge his supreme authority.

So far however, all we have seen is the usual ransomware and other criminal cyber-extortion activities of Russia's extensive criminal underworld of organized crime syndicates: a proxy army in waiting that Putin can rely upon to act on his instructions, and one for which he can deny any involvement and claim plausible deniability when their activities are discovered.

Indeed, Putin is now a master of subterfuge, having been trained by the Soviet KGB in the art of spy craft and disinformation. Putin has very conveniently turned a blind eye to the criminal activities of Russia's organized crime syndicates for many decades, in part because of their usefulness and in part perhaps because of the reported illicit financial and other support Putin receives from these groups.

But should the west be worried and what steps should westerners take to shore up their own cyber defenses? These are questions that were posed by Stephen and Ellie on the UK's GB News Breakfast show this morning.




Impact of the Russian Invasion of Ukraine

The Russian military invasion of Ukraine has unified the free world against acts of aggression by dictators and autocrats who threaten the territorial integrity of their neighbors. 

After years of bullying, threats and intimidation by Putin and the Kremlin against what it regards as one of its vassal states, Russian troops were ordered across the Ukrainian border on Thursday February 24th, 2022. This resulted in almost immediate global financial and trade sanctions by the west and the isolation of the Russian economy. This included a closure of the skies to Russian airlines and other aircraft across Europe, Canada and America, the freezing of Russian state and Oligarch assets all around the world, and the sequestration of many Russian Oligarch assets including some multi-million dollar luxury yachts. It also included agreement to supply defensive weapons to Ukrainian forces from NATO countries and as far away as Australia.

But concerns have risen sharply that such tacit support of Ukraine against Russia could result in cyber attacks against the west, and in particular the United States, by Russia's considerable arsenal of GRU and FSB cyber weapons, or the letting loose of Russian organized crime syndicates to launch their own cyber attacks.

In the light of such concerns, University of Denver University College faculty leaders agreed to come together this evening to examine the impact of the Russian invasion of Ukraine. They were joined by other Colorado academics from Colorado State University and the University of Colorado.

Join moderator Arianna Nowakowski and panelists Jack Buffington, Eric Fattor, and Richard Staynings as they adeptly navigate complex topics pertaining to the short-term and long-term consequences on security, supply chain, media, and globalization.





Cotswold Radio - The need to secure healthcare IoT


Securing healthcare and the growing complexity of interoperable health IT / IoT systems and medical devices. Richard Staynings discusses this with James Cunningham, CEO of Core To Cloud, based in Cirencester, England, and Tony Dale, host of the evening Cotswolds Radio broadcast.


Russia ready to launch cyber attacks on the West in retaliation for economic sanctions

Western governments and companies need to be on a “heightened state of preparedness” for the “high probability” of cyber attacks, as economic sanctions on Russia begin to bite, a senior cyber security expert has told GB News. And it is expected Russia will soon step up its campaign against the West with cyber attacks.

Critical national infrastructure and the banking sector could be the main targets of any attack ordered by Vladimir Putin, according to Richard Staynings, chief security strategist at cyber security firm, Cylera.

He said: “I would say there's a fairly high probability, based upon the types of hybrid warfare that Putin and the Kremlin have executed in the past, that cyber attacks will be launched in this conflict.

“In Chechnya in the 90s, Russia launched its cyber weapons against opposing forces. We've seen it in Georgia and South Ossetia. We've seen it in other parts of the World, where Russia has wanted to extend its influence and to coerce and to bully its neighbours or adversaries.

“I think it's a weapon that's being held in reserve right now, but we certainly need to be on a heightened level of preparedness.

“That means we need to make sure that systems are patched. We need to make sure that we've got adequate cyber defences in place to protect our businesses, our schools and universities, our hospitals our power and oil systems and other critical infrastructure across the country.”

Experts warn although the threat from cyber warfare can seem quite abstract, it has potential real world consequences.

Recent attacks on the health service caused significant disruption. The multiple computerised systems within the West’s aviation sector are also vulnerable to attack.

Cyber security teams are already on high alert. Executives at some of the West’s leading banks and financial institutions have expressed their concern about the possibility of Russian attacks on the banking system in retaliation for being kicked out of the Swift international payments system.

Apart from an attack on some of Ukraine’s critical systems in the initial stages of the invasion, there has been no concerted effort by Russia to attack Western infrastructure in recent weeks, according to security sources.

The leadership in Moscow knows that any cyber attack on the West will be met with a significant response from Western Governments, whose offensive cyber capabilities have been significantly enhanced in recent years.

But if Vladimir Putin decides to give the go-ahead for technological attacks, he can also utilise a network of organised criminal gangs to help him out, according to Professor Ciaran Martin, from the University of Oxford.

Professor Martin, who is the former head of the UK’s National Cyber Security Centre, said that any Russian cyber attack would come on multiple fronts.

“As well as being one of the most formidable cyber powers in terms of government capabilities, Russia also has the largest concentration by far of serious organised cyber criminals on the planet,” he said.

“In 2021, we saw those criminals disrupt petrol supplies in America, healthcare in Ireland, schools in England, food retail in Sweden, the list goes on.

“None of that individually is catastrophic. But if the Russian state were to unleash its ransomware capabilities, its cyber criminal capabilities, while not catastrophic, that could get pretty unpleasant.”

Although the West’s computer systems are better protected these days, there are still inherent weaknesses and vulnerabilities that adversaries could seek to exploit, according to Richard Staynings.

“There are certainly still weaknesses in the system,” he said.

“Much has been done to shore up a lot of the critical infrastructure across the UK, particularly the NHS since the WannaCry ransomware attack in 2017.

“A lot of older systems have been replaced and we have new regulations that are forcing NHS trusts and NHS digital to move forward in that space.

“The data security protection tool-kit for example is driving enhancements around IOT medical devices which are inherently vulnerable in our health system today and that is forcing health systems to improve their capabilities.

“But there are still gaps in the fabric, there are still chinks in the armour that we need to be aware exist and we need to take precautions in order to ensure that perpetrators can't get through that armour.”

For now, as Russia concentrates on conventional warfare, it is already fighting off multiple attacks from Western computer hackers, who have turned away from their traditional targets of big business and governments at home, focussing their disruptive talents on Moscow instead.

 

Reproduced from GB News. Original post 18 March 2022. https://www.gbnews.uk/news/russia-ready-to-launch-cyber-attacks-on-the-west-in-retaliation-for-economic-sanctions/250614


Digital Health Rewired - Smart Health In Practice


Digital Health Rewired was full of highly informative presentations and discussions across many areas of healthcare, but perhaps most forward thinking were 2 days of sessions under the banner of Smart Health in Practice at the Smart Health Stage at the front of the show.

I was proud to share the stage with 4 'greats' in the space of smart health innovation: Declan Hadley, UK&I Lead for Cisco, Andy Callow, CDIO at University Hospitals of Northamptonshire, Stephen Dobson, CIO at Lancashire Teaching Hospitals, and Matt Dugdale, Head of Clinical & Digital Innovation, North West Ambulance Service NHS Trust.

Our discussions focused around a presentation provided by Matt on how the North West Ambulance Service team has transformed its ambulances and offices to become 'Smart' using new smart technology to improve efficiency and the patient experience at the same time. 

Smart hospitals are just one of many changes occurring across NHS trusts, as discrete HIT and HIoT digital systems are integrated and made interoperable by advanced new technology from Cisco, Cylera and others. But as these changes are implemented, we run the risk of a gap being created between functional IT and secure IT unless cybersecurity is included from the outset. With a growing number of systems and discrete devices now 'connected' to hospital networks, patient safety and cybersecurity have become major areas of concern.

With warnings by the government to batten down the hatches across critical infrastructure industries like healthcare in the light of the rising threat of cyber attack from Russia, keeping patients safe and health IT / IoT systems up and running will be a major challenge if we are to avoid another WannaCry.


My thanks also to a great audience, which continued to ask questions off-stage well after our allotted time had gone, almost into the next session.


Should we be worried about state-sponsored cyber-attacks against hospitals?

Absolutely we should!


For the past decade and a half, the criminal underworld, Russian Mafia and other organized crime syndicates in the former Soviet Union have provided a constant reminder of both the fallibility of modern IT systems and the tenacious expertise of Russian hackers and their cyber-criminal community. In what now seems like background white noise, these highly organized perpetrators have executed a near constant campaign of cybertheft, cyber-extortion, and denial of service attacks. 

Attacks have included a long list of crippling ransomware campaigns that have disabled almost the entirety of national health systems like the Irish HSE and Irish Health System, near-bankrupted several large private US health systems, and caused small medical and dental practices to close up shop, all in the past year. This has denied critical medical services to thousands of patients and contributed to increases in patient morbidity and mortality. Yes, Russian cyber criminals have killed innocent people, perhaps not directly or intentionally, but nevertheless their greed and lack of ethical restraint has caused great pain and suffering to thousands. But the capabilities of these gangs pale into insignificance when compared to the resources and capabilities of nation states.

WannaCry, which in 2017 crippled much of the UK NHS as well as other providers of health services around the world, was a (flawed) cyber weapon created by the DPRK to raise hard currency following international sanctions on Kim Jong Un's autocratic hermit kingdom. The DPRK's subsequent cyber weapons have been much less flawed, and have drained many cryptocurrency exchanges and stolen large sums from the Bank of Bangladesh, among a long list of other victims. With the exception of its attack against Sony Pictures, Lazarus Group and other DPRK cyber forces operate very similarly to any other criminal enterprise, raising cash for the Kim family's lavish living and to purchase rocket fuel for his pet ICBM and nuclear weapons programs.

NotPetya, a highly destructive wiper malware which initially masqueraded as ransomware, hit the world right on the heels of WannaCry and was quickly attributed to the Russian government, specifically the Sandworm hacking group within the GRU, Russia's military intelligence organization. Initially designed to target the Ukrainian MeDoc tax accounting application in a software supply chain attack, it quickly spread worldwide to any company and country doing business in Ukraine and took down many of the world's largest companies, including shipping company Maersk, FedEx, pharmaceutical giant Merck, and French firm Saint-Gobain. Each of these organizations spent hundreds of millions of dollars to restore data and systems that NotPetya had encrypted beyond repair. NotPetya destroyed tens of thousands of computer systems and resulted in losses in excess of $10bn USD globally. Already a pariah, the Russian state became synonymous with cybercrime and cyberwarfare across the international community after this devastating attribution. In a major own goal, NotPetya also ended up wiping a large number of computer systems in Russia belonging to organizations that conduct business with Ukraine.
 
Step forward a few years to 2022 and Russia is up to its old tricks again. A few hours before Russian tanks began rolling into Ukraine, Microsoft raised the alarm, warning of a never-before-seen piece of 'wiper' malware that appeared to be aimed at the country's government ministries and financial institutions. ESET Research Labs, a Slovakia-based cybersecurity company, said it too had discovered a new wiper, while security experts at Symantec's threat intelligence team said the malware had affected Ukrainian government contractors in Latvia and Lithuania and a financial institution in Ukraine. ESET has called the malware, which renders computers inoperable by preventing them from rebooting, HermeticWiper, while Microsoft has named its discovery FoxBlade.

The trouble with any kind of cyber weapons, no matter how targeted they are, is that these weapons do not recognize national boundaries (just as Putin didn’t recognize Ukraine’s) and so are bound to get out into the global community of interconnected IT systems. Fortunately, and so far at least, the HermeticWiper malware does not appear to be self-propagating, whereas NotPetya was deliberately designed to spread laterally and stealthily. There are no doubt many other offensive cyber weapons being deployed against Ukraine and its allies this week as Putin escalates his attack.

But the real danger is not just in the powerful nation state weapons, but with the semi-professional hackers and organized crime syndicates. Russia has the world’s largest non-state criminal cyber infrastructure employing tens of thousands who are engaged full time in cybercrime, cybertheft, and cyber-extortion. Putin for various reasons has turned a blind eye to their criminal activities for decades allowing these groups to grow and prosper. These criminals are already using the smokescreen of conflict in Ukraine to launch fresh ransomware attacks against the west, and evidence suggests that Putin has recently instructed them to go all-out to help Mother Russia. Putin has organized a personal crusade of military kinetic and cyber offensive capabilities and paired this with an extensive criminal underground in an attempt to overwhelm the west.

On the other side, the call has gone out for Ukrainian cyber gangs to launch an all-out offensive against the institutions of the Russian Federation, and they have been joined by Anonymous and many other international hacktivists. If we are to believe the reports coming out of Russia, then many of the Kremlin's public systems have been taken down by cyber-attacks. This tit-for-tat action risks serious escalation, and Russia, which is widely credited with inventing the concept of cyber-warfare during its two brutal wars against Chechen separatists, is sure to have some very powerful, very devastating cyber weapons in its war chest. Of course, so too do the USA, UK, and many other countries. These weapons, if ever launched, would wreak devastation akin to a nuclear war and wipe out just about anything electronic. Given our reliance upon IT systems today, especially in hospitals, this would not end well for patients, resulting in a significant rise in patient morbidity and mortality. The trouble for the west is that these cyber weapons would cause far greater damage to advanced western institutions than to former Soviet ones in Russia, Belarus, Kazakhstan, and Chechnya supporting Putin, where computerization is less prevalent.

We should be taking every precaution: patching all systems, verifying the legitimacy of patches by checking their hash values before deploying them, enforcing multi-factor authentication for all users, and disconnecting and isolating systems which cannot be properly secured. Staff should be briefed on the need for heightened awareness and told to take extra precautions in their day-to-day activities.
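The hash check recommended above, as an added example that is not part of the original post or any vendor's tooling: every file staged for deployment is hashed with SHA-256 and compared against a `sha256sum`-style manifest, and anything that mismatches or is not listed at all is held back. The patch contents, file names and manifest here are constructed in memory so the script runs offline; in practice the manifest is the one the vendor publishes (ideally fetched over a separate channel from the patch itself).

```python
"""Verify staged patch files against a vendor SHA-256 manifest before deployment.

Added example (not from the original post). File names, contents and the
manifest are constructed here; a real run points `approved_for_deployment`
at the actual staging directory and the vendor's published manifest.
"""
import hashlib
import hmac
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

CHUNK = 1 << 16  # read files in 64 KiB blocks so large images don't sit in RAM


def parse_manifest(text: str) -> dict:
    """Parse a `sha256sum`-style manifest ("<hex>  <name>" or "<hex> *<name>" per
    line) into {filename: hex_digest}. Blank lines and '#' comments are skipped;
    a malformed digest raises instead of silently passing."""
    manifest = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: expected '<sha256>  <file>'")
        digest, name = parts[0].lower(), parts[1].lstrip("*").strip()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: not a SHA-256 hex digest")
        manifest[name] = digest
    return manifest


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


@dataclass(frozen=True)
class VerifyResult:
    name: str
    status: str            # "ok" | "mismatch" | "not_in_manifest"
    expected: Optional[str]
    actual: str


def verify_patch(path: Path, manifest: dict) -> VerifyResult:
    """Compare one staged file against the manifest entry of the same name."""
    actual = sha256_file(path)
    expected = manifest.get(path.name)
    if expected is None:
        return VerifyResult(path.name, "not_in_manifest", None, actual)
    # compare_digest avoids timing leaks; for public hashes it is mainly habit
    status = "ok" if hmac.compare_digest(expected, actual) else "mismatch"
    return VerifyResult(path.name, status, expected, actual)


def approved_for_deployment(staging: Path, manifest: dict) -> dict:
    """Check every file in the staging directory and return {name: status}.
    Only files whose status is "ok" should be handed to the deployment tool."""
    results = {}
    for p in sorted(staging.iterdir()):
        if p.is_file():
            r = verify_patch(p, manifest)
            results[r.name] = r.status
    return results


def demo() -> dict:
    """Constructed scenario: the vendor ships two patches plus a manifest; one
    patch is altered in transit and an unlisted file also turns up in staging."""
    good_fw = b"constructed firmware image v1.2.3\n"       # constructed content
    good_agent = b"constructed endpoint agent v4.0\n"      # constructed content
    manifest_text = (
        "# constructed manifest, standing in for the one the vendor publishes\n"
        f"{hashlib.sha256(good_fw).hexdigest()}  firmware-v1.2.3.bin\n"
        f"{hashlib.sha256(good_agent).hexdigest()} *agent-v4.0.bin\n"
    )
    manifest = parse_manifest(manifest_text)
    with tempfile.TemporaryDirectory() as d:
        staging = Path(d)
        (staging / "firmware-v1.2.3.bin").write_bytes(good_fw)
        (staging / "agent-v4.0.bin").write_bytes(good_agent + b"tampered\n")
        (staging / "unlisted.bin").write_bytes(b"nobody published a hash for this\n")
        return approved_for_deployment(staging, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

A file with no manifest entry is treated as a failure rather than a pass: the point of the check is that nothing reaches production unless the vendor has vouched for exactly those bytes.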
 
But first, we need to fully understand what is connected to our networks and who is accessing our systems. In this age of heightened threats, we need to understand what is 'normal' so that abnormal or anomalous behavior can be flagged and quickly isolated. The inconvenience of kicking a user off a system should be far less of a concern than the safety of a patient on life support being kept alive by a collection of connected medical devices.
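The baseline-then-flag approach described above, as an added example that is not part of the original post or of any product mentioned on this page: a learning window of network flows is used to record which peers each inventoried device normally talks to and how often, and a later window is then checked for devices not in the inventory, devices talking to a new destination or port, and a device whose flow volume has jumped well beyond its baseline. The device names, addresses and flow records are constructed for the example; the inventory set and the 3x volume factor are assumptions a real deployment would tune.

```python
"""Flag anomalous device traffic against a learned baseline.

Added example (not from the original post). Flow lines are constructed as
"<timestamp> <device> <dst-ip> <dst-port>"; the asset inventory and the
volume factor are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: str
    device: str   # source device, as named in the asset inventory
    dst: str
    port: int


def parse_flows(text: str) -> list:
    """Parse constructed flow lines into Flow records."""
    flows = []
    for line in text.strip().splitlines():
        ts, device, dst, port = line.split()
        flows.append(Flow(ts, device, dst, int(port)))
    return flows


@dataclass
class Baseline:
    peers: dict       # device -> {(dst, port), ...} seen in the learning window
    volume: Counter   # device -> number of flows in the learning window


def build_baseline(flows) -> Baseline:
    """What 'normal' looks like: each device's known peers and flow count."""
    peers = defaultdict(set)
    volume = Counter()
    for f in flows:
        peers[f.device].add((f.dst, f.port))
        volume[f.device] += 1
    return Baseline(dict(peers), volume)


def detect_anomalies(flows, baseline: Baseline, inventory: set, volume_factor: int = 3) -> list:
    """Return (kind, device, detail) alerts for an observation window that is
    the same length as the learning window."""
    alerts = []
    seen = Counter()
    for f in flows:
        seen[f.device] += 1
        if f.device not in inventory:
            alerts.append(("UNKNOWN_DEVICE", f.device, f"{f.dst}:{f.port}"))
        elif (f.dst, f.port) not in baseline.peers.get(f.device, set()):
            alerts.append(("NEW_PEER", f.device, f"{f.dst}:{f.port}"))
    for device, n in seen.items():
        base = baseline.volume.get(device, 0)
        if device in inventory and base and n > volume_factor * base:
            alerts.append(("VOLUME_SPIKE", device, f"{n} flows vs baseline {base}"))
    return alerts


# Constructed asset inventory (assumption: two known clinical devices).
INVENTORY = {"infusion-pump-07", "ct-scanner-02"}

# Constructed learning window: pump talks to one server, scanner to two DICOM peers.
LEARNING_WINDOW = """\
2022-03-01T09:00:00 infusion-pump-07 10.1.20.5 443
2022-03-01T09:05:00 infusion-pump-07 10.1.20.5 443
2022-03-01T09:10:00 ct-scanner-02 10.1.30.9 104
2022-03-01T09:12:00 ct-scanner-02 10.1.30.9 104
2022-03-01T09:15:00 ct-scanner-02 10.1.30.10 11112
"""


def demo() -> list:
    """Constructed observation window: the pump reaches a new external host,
    the scanner's volume jumps, and an uninventoried device appears."""
    obs = (
        "2022-03-08T09:00:00 infusion-pump-07 10.1.20.5 443\n"
        "2022-03-08T09:01:00 infusion-pump-07 203.0.113.7 445\n"
    )
    obs += "".join(f"2022-03-08T09:{m:02d}:00 ct-scanner-02 10.1.30.9 104\n" for m in range(2, 12))
    obs += "2022-03-08T09:20:00 rogue-laptop 10.1.30.9 104\n"
    baseline = build_baseline(parse_flows(LEARNING_WINDOW))
    return detect_anomalies(parse_flows(obs), baseline, INVENTORY)


if __name__ == "__main__":
    for kind, device, detail in demo():
        print(f"{kind:15} {device:18} {detail}")
```

Each alert names the device and the peer so the on-call engineer can decide between isolating the device and accepting the new behaviour; the baseline is deliberately per device, since what is normal for a CT scanner is not normal for an infusion pump.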


Podcast: A Career in Cybersecurity

What is 'Cybersecurity', why is it so important today, and why do developed western societies need better cyber protection? Join Denver University Adjunct Professor and Chief Security Strategist for Cylera, Richard Staynings, as he describes the risks, rewards and opportunities for those seeking a career in this rapidly growing field.






Pueblo Community College Cybersecurity Lecture


It was great to present to the students and faculty of Pueblo Community College in southern Colorado this past week. The opportunities for those entering the profession from ICT cybersecurity and Healthcare programs like those at PCC are tremendous. My thanks to the faculty for organizing such a great event and to Mike Archuleta, CIO at nearby Mt San Rafael Hospital and fellow Health Informatics and Cybersecurity Luminary who also presented to students.



Challenges for 21st Century Healthcare

Healthcare currently faces many unique challenges. It is an industry currently undergoing the most dramatic transformation in its history. Covid-19 ravaged hospital finances and forced providers to pivot from lucrative consults and elective surgeries to pandemic emergency care. This in turn led to the need for another (long overdue) pivot towards telehealth, telemedicine and remote health services as patients were told to avoid hospitals. And of course, this all happened during an industry-wide move towards digital transformation, interoperability, a massive growth in the number of medical and other healthcare IoT devices, and enhanced adoption and deployment of artificial intelligence across the industry, each bringing its own unique security challenges.

As if these transformational challenges were not enough, healthcare is also one of 16 US Critical Infrastructure Sectors under PPD-21, and therefore a potential target of nation-state cyber-warfare attacks against the United States. Given a long history of such attacks by the Russian GRU against other countries and a proclivity by the Kremlin to give carte blanche to Russian Mafia proxies engaged in cybercrime, risks are high that an imminent attack could be launched against US healthcare.

A cyberattack against healthcare is not just an act of cyber extortion or cyber warfare; it risks the lives and safety of patients. When HIT and HIoT systems are not available because of a cyberattack, patient morbidity and mortality rates increase, just as they did under the North Korean WannaCry or Russian GRU NotPetya attacks of 2017.

In 2022, the ability of hospitals and other providers to withstand a devastating ransomware or other cyberattack has improved, but providers are in no way impregnable. The industry lacks the material and people resources necessary to mount a full defense. It is therefore vulnerable and in need of supplementary security services, services that are perhaps best provided by managed security services providers (MSSPs) and others with deep security domain expertise.

Clinical, technological and security resourcing across healthcare has been stretched to the limit, exacerbated by clinicians leaving the industry en masse and by a global shortage of cybersecurity professionals, in which healthcare has found it increasingly hard to compete for scarce talent. There has also been a skills mismatch, as re-skilling of staff has not kept up with the adoption and implementation of new technologies.

Given the growing challenges of securing healthcare and keeping patients safe, I challenged four leading technology and security executives with these problems at the recent Denver Managed Security Services Forum. Hear their thoughts in the video recording below.



Panelists:

Mike Archuleta, Chief Information Officer, Mt San Rafael Hospital
Kevin Coston, Sr. Technical Security Specialist Healthcare, Microsoft
Randall Frietzsche, Enterprise Chief Information Security Officer, Denver Health
Howard Haile, Chief Information Security Officer, SCL Health

Moderator:

Richard Staynings, Chief Security Strategist, Cylera