Should we be worried

About state-sponsored attacks against hospitals?

Security and the Board Need to Speak the Same Language

How security leaders speak to thier C-Suite and Board can make all the difference

The Maturity Paradigm

In healthcare we have an insatiable appetite to adopt new technology

Who'd want to be a CISO?

Challenging job, but increasingly well paid

Medical Tourism - Growing in Popularity

Safe, fun, and much, MUCH more cost-effecitive

The Changing Face of the Security Leader

The role is changing, but what does the future hold?

Cyber Risk Insurance Won't Save Your Reputation

Be careful what you purchase and for what reason

Isn't it about time we secured BGP?



Border Gateway Protocol or ‘BGP’ as it is more often referred to as, has been a staple of internet routing since the heady days of 1989 when TCP was finally getting into its stride, and the internet as we know it, was in its infancy.

BGP enables routers to determine the most efficient paths for data to travel across networks to ensure scalability and efficiency. The protocol allows network backbone providers to announce routes across networks and is the primary routing protocol used to exchange routing information between different autonomous systems on the internet. The trouble is that like many things to do with the internet it was never really designed to be secure and this leads to all kinds of problems as we shall see.

BGP has been abused multiple times, since Al Gore claims to have invented the Internet. Joking aside - it was actually Vint Cerf and Bob Khan who are credited with the accomplishment, but BGP has suffered some pretty high-profile attacks that have caused outages, or even more alarmingly, to route traffic through a specific country – one known for its prolific cyber espionage practices.

In 2008, a Pakistani ISP wanted to block access to YouTube within Pakistan but accidentally announced a BGP route that led to all of YouTube’s global traffic being redirected through Pakistan. This caused a worldwide outage of YouTube for several hours, although YouTube has probably never been faster in Pakistan before or since.

Then in 2010, China Telecom “accidentally” advertised incorrect BGP routes that caused a significant amount of global internet traffic, including that of U.S. government and military sites, to be routed through China. Naturally, neither the US government nor the Department of Defense was very happy about that little so called “error”, especially considering at the time, not all government network traffic was being encrypted.

More recently in 2018 cybercriminals hijacked BGP routes for Amazon’s Route 53 DNS service to redirect traffic intended for MyEtherWallet, a popular cryptocurrency wallet service, to a malicious server owned by the perpetrators. The attackers then stole users' cryptocurrency by tricking them into entering their credentials on the fake site.

The White House naturally has been considering options to replace or upgrade BGP with an improved authentication scheme to remove opportunities for abuse and cybercrime, including any cyber espionage that nation states may be considering. Its proposed solution is the Resource Public Key Infrastructure (RPKI) - a security framework designed to enhance the security of BGP by providing a way to cryptographically verify the ownership of IP address blocks and the authorization of networks to announce specific routes.

To that end, the White House has released a guidance document for ways of improving upon BGP in a proposed roadmap to enhance internet routing security. This includes the adoption of new technologies including RPKI. As a government press release stated today, “these recommendations are of particular importance to the networks used by critical infrastructure owners and operators, state and local governments, and any organization dependent on internet access for purposes that the entity considers to be of high value.”

The press release went on to say that “by the end of the year, it is expected that over 60% of the Federal government’s advertised IP space will be covered by Registration Service Agreements (RSA), paving the way to establish Route Origin Authorizations (ROA) for Federal networks.”

The White House is obviously taking the risks of major BGP attacks very seriously and is looking to protect against these apparent threats immediately.

“Internet security is too important to ignore which is why the Federal government is leading by example by pushing for a rapid increase in adoption of BGP security measures by our agencies,” said White House National Cyber Director Harry Coker, Jr. “ONCD, along with our public and private sector partners, are guiding a risk-informed path forward towards our communal objective. We aim for this roadmap to mitigate a longstanding vulnerability and lead to a more secure internet that is vital to our national security and the economic prosperity of all Americans.”

The full roadmap can be read or downloaded in PDF here.


The Growing Rural Healthcare Cybersecurity Crisis


Rural America and Urban America can seem like two different worlds. Just look at the political map, or the disparity in wealth between ‘country folks’ and ‘city slickers’. Perhaps the most alarming difference, however, is the availability of basic healthcare services.

If you live in rural America, you could be 2- or 3-hours’ drive away from the closest renal dialysis center, or radiotherapy and chemotherapy clinic. You may also be several hours away from the nearest stroke or trauma center which in an emergency, could mean the difference between life and death.

As for many other medical services, rural Americans must make do with what is available in their community - a local midwife rather than a maternity hospital or ‘new life center’ staffed with neonatal experts and incubators in case they are needed. Go into labor early or present as a high-risk pregnancy and be prepared to be ambulanced or worse, air-ambulanced at huge expense, to a city hospital where you and your infant can be cared for. Today, anything other than basic medical services usually means a long drive to the nearest city.

The trouble is, that what remains of rural health services is rapidly declining. Rural hospitals and entire rural health systems are closing, and those that remain open, are continuously reducing their specialist services, which may not be used enough to remain profitable or cover costs.

A new report from the American Hospital Association (AHA) states that 136 rural hospital closures have occurred between 2010 and 2021, and a record 19 closures in 2020 alone. Beckers, in a recent article reviewed a larger period claiming that nearly 200 rural hospitals have closed since 2005. What’s even more alarming is the pace of closure is accelerating. Eight rural hospitals closed in 2023, as many as in 2022 and 2021 combined, according to the Center for Healthcare Quality and Payment Reform's latest report.

As recently as this month, the Eastern Plains Healthcare Consortium (EPHC) stated during its annual conference that 20% of rural hospitals in Colorado are at risk of closing. They require a 4% operating margin to replace equipment and maintain existing services, however, nearly all are currently running in the red, some as much as -17%. EPHC estimates that some 30 rural Colorado hospitals will be forced to convert to emergency only services as Emergency Rural Health Hospitals to save closing altogether.

Some of these hospital closures are the result of cyber-attack and in particular, one recent Illinois hospital closure is blamed upon a 2021 ransomware attack that prevented it from submitting claims to payers for months, killing its cashflow and financial viability. Another small hospital had its entire payroll stolen in a cyberattack preventing it from paying any of its staff and placing it in financial peril.

The Change Healthcare cyberattack earlier this year has exacerbated the plight of small providers and in particular rural clinics and physician practices. Many physicians are struggling to keep their practices afloat according to the American Medical Association (AMA) and even though UHG, the owner of Change Healthcare, has publicly said it will provide relief in the form of Temporary Funding Assistance to impacted providers, this is very selective, one-sided and fraught with caveats according to Richard Pollack of the AHA in a letter to UHG.

Challenges for Rural Healthcare Providers

Rural providers face many challenges: finances, through rural depopulation and a disproportionate number of rural patients on Medicare and Medicaid, general resource constraints, and huge difficulty attracting and retaining nursing, physician, and other staff. Most notable of these is the lack of trained and experienced cybersecurity staff to protect rural providers from an increasing volume of cyberattacks.

These hospitals run on a small number of IT generalists and often find it difficult to patch systems in a timely manner, let along obtain the budget or expertise to implement the latest security tools and services. Many operate on end-of-life computer hardware and medical devices no longer supported by vendors. Compared to urban providers these hospitals are an easy target for criminals and are frequent victims of PHI breaches, ransomware, and other attacks.

Like their urban cousins, rural hospitals are undergoing a digital transformation to new clinical and IT systems. This involves the addition of more medical and other IoT systems including connected building management systems for HVAC, elevators, proximity door locks, CCTV cameras, and Pyxis drug cabinets. These systems dramatically expand the cyber threat surface and unless secured and maintained, can significantly elevate the risks of attack. But rural providers often lack the specialist skills to safely manage these systems. That is perhaps why, many are turning to a combination of Managed Services Providers (MSPs) and Managed Security Services Providers (MSSPs) to effectively outsource security and much of IT.

MSPs and MSSPs will manage a large number of hospitals at the same time and through a leveraged model can provide point expertise as needed in more or less any technology or vendor system. They can also implement advanced SaaS tools from Cylera and others to identify the growing number of connected assets and evaluate and prioritize risk remediation. Indeed, the incorporation of SaaS services is rapidly helping to drive improvements in rural provider cybersecurity, especially in medical device security, a growing problem for all healthcare providers.

The advent of managed services has become particularly important given a new assistance program for rural hospitals orchestrated by the White House and the AHA in June of this year. Microsoft and Oracle have agreed to provide free and heavily discounted cybersecurity resources to assist rural hospitals with access to many of their security tools and technologies. However, so far, relatively few rural hospitals are taking advantage of a free program designed to thwart ransomware attacks according to the White House this week. Only 350 of the 1,800 small and rural US hospitals are currently leveraging this assistance program.

It appears that without MSP or MSSP help, many rural providers are simply unable to accept or implement these discounted tools or utilize the free security assessments because they don’t have the manpower bandwidth to do so. This is the Catch22 of providing security assistance to rural health providers. Thankfully, for some, the MSP/MSSP buffer is helping to facilitate this today.

While near term improvements to rural hospital cybersecurity will be of great assistance in helping to reduce cyberattacks, there are still long-term structural problems of maintaining the continued presence of rural providers and access to healthcare services for rural communities. The healthcare industry faces many problems, not least of which is unmitigated cybersecurity risk. While urban providers can rely upon numbers to maintain services and a plentiful supply of cybersecurity talent nearby to avoid the worst of the attacks, rural providers face almost insurmountable challenges. This is undoubtedly a larger political question of healthcare reform that the next administration will need to prioritize.



When is Enough, Enough?


This week marks yet another dark moment for healthcare with yet another Russian cyber-attack against a supplier of critical services for two major London hospital trusts where over 200 life-saving operations and hundreds of other appointments have had to be cancelled, while ambulances have been placed in divert.

Impacted are King’s College Hospital, Guy’s and St Thomas’ - including the Royal Brompton and the Evelina London Children’s Hospital – along with their associated primary care services. This includes GP services across Bexley, Greenwich, Lewisham, Bromley, Southwark and Lambeth boroughs. All have had to revert to paper for blood tests and transfusions thanks to a ransomware attack against Synnovis, a provider of pathology services.

“This is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London and we apologise for the inconvenience this is causing to patients and their families,” said an NHS spokesperson in statement.

Synnovis is a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, and SYNLAB, Europe’s largest provider of medical testing and diagnostics. On Monday it was hit with a cyber extortion attack, evidently the work of a Russian criminal group known as Qilin, which has demanded a $50 million ransom payment to be made within 120 hours. As a result, an emergency was declared, the National Cyber Security Centre notified, and the Cyber Operations Team called in for assistance. All of Synnovis's IT systems are believed to be affected.

The incident follows a separate case at Synlab Italia, which in April involved a different Russian group known as Black Basta forcing the company's services offline. The group has been linked to the Conti ransomware group, an even more infamous Russian organized crime syndicate. Following this attack, it took the provider nearly a month to restore the majority of its systems. It appears Synlab Italia didn't pay whatever ransom was demanded of it as Black Basta claims it has Synlab's data available for download in its blog. Black Basta is also thought to have been responsible for the attack last month against US healthcare provider Ascension Health.

The attack this week against Synnovis however, appears to be the work of yet another Russian crime group known as Qilin. This ‘Ransomware for rent’ group has targeted IT firms, medical organisations, courts, the 'Big Issue', and appears to operate with Vladimir Putin’s blessing. 'Qilin', also known as 'Agenda', has hacked hundreds of victims over the two years it has been operating under its known identities. Qilin’s 112 known victims span 30 different countries, with Russia and the Commonwealth of Independent States – (ex-Soviet satellite countries) - being the notable exceptions. No need to wonder why!

According to a recent report by Bloomberg, while responding to questions about the breach through a messaging account long associated with the gang, a representative for the hackers said that they were very sorry for the people who suffered, but refused to accept responsibility for the human cost. They suggested 'the attack was justified because it was in retaliation for the British government’s involvement in unspecified wars'.

The Guy’s and St Thomas’ and the King’s College Hospital NHS Foundation Trust attacks are not unique events. In fact it's the third such attack in the past 12 months against NHS trusts. In June of last year, a Russian cybercrime gang called BlackCat hacked the Barts Health NHS Trust. Then earlier this year yet another Russian gang, INC Ransom, attacked NHS Dumfries and Galloway stealing 3 TB of protected health data.

The Russians have certainly cornered the cyber-extortion market, a criminal industry worth $14 billion as of 2022 and one growing rapidly at 73% according to SANS. Indeed, the growth of this industry appears to be directly linked to the number of ransoms being paid by victims, which in the first half of 2023 were estimated to have been more than $590 million. Cyber-extortion is according to the NCA and FBI, a form of cyber-terrorism. So, in effect, those who pay extortion payments could be breaking the law by giving money to wanted terrorists, yet many still do so and few of those who are directly financing this trade have been arrested or prosecuted thus far.


$590 million is also a valuable source of income and hard currency for Russia given all the trade sanctions the country is under following its partial invasion and ongoing war with Ukraine. What’s also apparent, is that no one in a criminal oligarchy like the Russian State is going to make $20 million a pop in ransom payments without sharing at least some of that new-found wealth with others all the way to the Mafia Don at the top, i.e. one Vladimir Vladimirovich Putin, reportedly the richest man in the world today.

But the costs of a ransom attack are far greater than merely the ransom payment (if payment is made), or the costs of forensic investigation, incident response, fines, lawsuits, and punitive damages. The costs when healthcare is attacked is measured in lives. How many patients die as a result of not receiving timely intervention and treatment (mortality), how many will die earlier than expected or are made to suffer for longer periods of time (morbidity), and how many patients are placed at risk thanks to critical IT and IoT systems being down and whose safety maybe compromised as a result.

Attacks against healthcare are not only an attack by a foreign adversary against a critical national infrastructure industry of a nation state, but also an attack that threatens the lives and wellbeing of its citizens. Attackers therefore run the risk that the full power of the state they attack might be used against them, kinetically, when all legal avenues fail to bring them to justice, or to stop their attacks. Russia does not regard cyber-attacks against other countries as a crime, nor does it honour extradition treaties with the rest of the world. Even then, its criminal justice system is irrevocably compromised and corrupted by money, power, and influence.

It is unknown to what extent the Kremlin is behind cyber-attacks against foreign critical national infrastructure, but Russia certainly turns a blind eye to it at the very least, by offering safe harbour to those engaged in this criminal activity. What is for sure, is that the criminal activities of some Russians, is helping to weaken and degrade many of Russia’s foreign adversaries. At the very least, the use of criminal proxies rather than official state assets, provides the Kremlin with some level of plausible deniability, no matter just how implausible that is now becoming, or how insincere Putin’s claims of denial are today.

Until such times as Russia finally fails as a state, and a new Russia adopts a real legal-judicial system - one uncorrupted by others so that criminals can eventually be held to account, the NHS and other providers of healthcare services including third parties, will need to seriously improve cybersecurity and operational resiliency of key systems needed by patients. The UK will also need to critically evaluate any single points of failure in application or underlying infrastructure, just as the US needs to following the recent UHG Change Healthcare attack. Relying on a single vendor or single application for critical parts of medical workflow can no longer be supported. The ability to switch out failed components of a modular architecture is already crucially needed, yet few healthcare providers have reached that level of resiliency today.

Out of all industries, health-care providers were the most targeted by ransomware gangs last year, according to a report by Cisco's Talos threat intelligence division. Cisco attributed the targeting to health-care organizations generally having “underfunded budgets for cybersecurity and low downtime tolerance.”

Given the criticality of IT and IoT in today’s digital health system and continuously rising cyber threats by adversaries, we need to focus a lot more time, effort, and money to build our healthcare services to be able to withstand all but the most destructive of attacks.



















Mitigating Medical Device Vulnerabilities

How can health systems secure smart medical devices if manufacturers don't patch them regularly? Richard Staynings, chief security strategist at Cylera, discusses how organizations can mitigate that risk using their existing tools and technologies at HIMSS24 in Orlando, Florida.

 

Lockbit Take-Down


Many of us in the cybersecurity community woke this morning to very welcome news that the infamous Lockbit Ransomware as a Service (RaaS) crime syndicate was hit with a take-down action of much of its infrastructure. This was apparently led by the UK’s National Crime Agency (NCA), and the FBI, as part of an international law enforcement task force known as ‘Operation Cronos’.

Lockbit was one of the most prolific and destructive Russian Ransomware-as-a-Service (RaaS) groups, claiming over 2,000 victims worldwide and extorting over $120 million in ransom payments. It was, to put it mildly, ruthless, launching secondary and tertiary attacks against victims who refused to negotiate with the extortionists or to pay their extortion demands.

As part of its initial seeding of compromised networks with ransomware, it exfiltrated confidential information and threatened to publish this on its websites if payments were not made by the organization. When demanded ransoms were not received, the group contacted individuals whose information it had stolen, and demanded they pressure the victim organization to pay the ransom, or sometimes offered to exclude their information from a release if a payment was received.
    
Richard Staynings, Cylera
Richard Staynings, Cylera
“Many times, corporate and individual victims paid the gang only to see their information posted publicly anyway” claimed Richard Staynings, Chief Security Strategist with Cheltenham based cybersecurity firm Cylera. “There is after all, no trust in thieves,” he added.

The group was also known to publicly taunt victims on its web site with a countdown clock when the information would be published unless payment was made.

Operation Cronos appears to have finally brought this criminal RaaS business to a halt, or at the very least slowed it down and ruined its reputation. Whether it stops the affiliates who use the RaaS to execute their attacks remains to be seem as it's likely that many of the Lockbit tools are still out there and affiliates are likely to have copies of these. 

It’s also quite likely, that many of the un-indicted perpetrators involved in Lockbit, will simply pick up and move into new crime groups to continue to ply their crafts as part of other cybercrime services. This has happened in the past when law enforcement took down other crime syndicates. It is also possible that a new Lockbit rises from the ashes and starts over again, perhaps even under the same name with some of the same people.

Some of these crime syndicates are thought to be associated with the Russian Mafia and many in the past have worked closely with the Kremlin, FSB and GRU for espionage purposes, or to punish other nations, while Mother Russia can claim plausible deniability.

Many of the cybercriminals who engage in ransomware and other forms of cyber extortion, are of Russian origin and are able to attack victims from within Russia and other former Soviet states with near impunity. This is largely thanks to a lack of extradition treaties between these countries and the rest of the world, combined with a legal system that is easily corrupted by those with power, influence or money.

The FBI has accused Russia of harboring cybercriminals for years, where as long as the perpetrators of cyber crime direct their craft against victims outside of Russia, then the Russian state will conveniently turn a blind eye. This makes it particularly difficult to bring criminals to justice so long as they don't leave the former soviet block of countries.

Of course some wanted criminals used to considering themselves above the law have traveled outside of the former Soviet states and have been arrested or renditioned back to the United States for trial and punishment. One of the more notable of these was Roman Seleznev, the son of a close Putin confident and a member of the Duma lower house of parliament, Valery Seleznev as reported some time ago by this site

Lockbit was the largest RaaS and worked by selling its criminal services, acting as a one-stop shop to customers known as affiliates. These affiliates then identified and attacked victims using the Lockbit framework of tools and services. Based upon volume, the affiliates then received between 60% and 80% of the ransom payments they were able to extort back from Lockbit. The Lockbit network consisted of hundreds of so called ‘bullet proof’ servers located all over the world. These have now been taken over by law enforcement as part of the Europol action. Copies of the Lockbit code, however, remain on PCs and servers in Russia and other countries where international law enforcement was unable to seize assets, since the crime of ransomware is not recognized in many of these countries.

It was perhaps inevitable that the NCA would lead this takedown effort following a January 2023 ransomware attack against part of the UK Royal Mail in which packages could not be mailed overseas for many weeks. The attack was identified as using Lockbit so the group must have been in the sights of the NCA ever since. The Royal Mail is a critical infrastructure industry (CII) of the UK so any attack against a CII would have garnered attention at the highest levels, just as Lockbit attacks against the NHS have done so in the past.

“While not all cyber crimes can be fully investigated, I am sure that Lockbit and its affiliates were prioritized by the NCA and the UK government following the Royal Mail attack,” said Staynings. “Lockbit ransomware attacks against NHS trusts was already sure to get the NCA’s attention, so the Royal Mail attack may have been the nail in the coffin for the group.”

“Gangs would be well advised to stay clear of national infrastructure industries if they want to avoid unnecessary attention. That goes not just for the UK, but for any law-abiding western power,” Staynings added.

While the Lockbit infrastructure was taken offline and decryption advice and keys posted on its servers, law enforcement reportedly obtained access quite some time ago. It's highly likely that they have been digging around and gaining intelligence on affiliates and those involved in building and maintaining the Lockbit service. It is also likely that they were mapping out the entire infrastructure so as to capture as much of it as possible in one go with a single legal seizure action.

This has resulted in the identification, indictment, and arrest of many of the gang’s generals. But it has also shed light on a much greater number of victims than has been reported, many of whom appear to have paid ransoms against the advice of law enforcement and national laws in their respective countries that forbid extortion payments to terrorists. Ransom and extortion are, after all, forms of terrorism.

“The cat is now out of the bag, and we could see legal actions against business leaders and their legal counsel, who made ransom payments against national laws and hid a cyberattack from shareholders, and the SEC, FCA, and others,” claimed Staynings.

Graeme Biggar, NCA
Graeme Biggar, NCA
The NCA’s Graeme Biggar, said it assessed that the group was responsible for 25% of ransomware attacks in the last year including 200 that were known of in the UK - though he added that, there may have been many more. Indeed, total losses and damages from Lockbit and its affiliates could be in the billions of dollars. Whether this surpassed losses from ‘NotPetya’, another Russian cyberattack attributed to the Russian military GRU, remains to be seen.

NotPetya is thought to have caused between $10 and $12 billion in damages to global organizations attacked, including Maersk, Mondelez, Merck, WPP, Reckitt Benckiser, Saint-Gobain and TNT Express. 

Maersk alone lost $250 million and suffered a further $300 million in damages. The 2017 cyberattack currently stands as the single most damaging and costly attack of all time. Its attack code was designed to attack Ukraine, but the malware unintentionally spread right the way across the world, impacting Russian businesses as well.

As part of the seizures, more than 200 cryptocurrency accounts believed to be linked to Lockbit have been frozen, so it seems likely that once the investigation is complete, at least a few victims may receive some of their ransom payments returned, as has been the case in other confiscations.

“It’s great to see the home team win a game finally, but there’s a long way to the finals” claimed Staynings. “The trouble is that with cybercrime it takes many months or years to properly attribute actions. That includes victims, criminal actors, and all those involved in a cyberattack.”

“Undoubtedly, law enforcement needs to do things properly in order for prosecutions to stick and to identify all those involved in a criminal act. This was one of the better days, that’s for sure!” he concluded.