Is Healthcare Prepared to Respond to Cyber Threats Beyond Ransomware?
DHS alerts on increasing cyber threats from Iran and healthcare struggles with ransomware reveal providers need better recovery plans to prepare for the next wave of cyberattacks.
The last few months of cyberattacks, especially ransomware incidents, demonstrated healthcare providers aren’t fully prepared for the new age of sophisticated threats.
As the Department of Homeland Security alerts to the increased cybersecurity risk to infrastructure, it begs the question: What comes next in terms of threats and preparation for the healthcare sector?
The US strike on Iranian military leader Qasem Soleimani prompted several alerts from the DHS Cybersecurity and Infrastructure Security Agency on the increased cyber threat from Iran, given the country’s history of using offensive cyber activity to retaliate against perceived harm.
In the past, Iranian hackers have targeted a wide range of industries, including healthcare. The Department of Justice just recently indicted the Iranian hackers allegedly behind the notorious SamSam malware campaign that pummeled the healthcare sector.
“Iran has exercised its increasingly sophisticated capabilities to suppress both social and political perspectives deemed dangerous to Iran and to harm regional and international opponents,” according to the alert. “Iranian cyber threat actors have continuously improved their offensive cyber capabilities.”
The alert warns Iranian threat actors have engaged in conventional malicious activities, including distributed denial of service (DDoS) attacks and data theft. But they’re also known for leveraging more impactful, destructive malware – including what’s known as wiper malware.
In June, DHS warned that Iranian hackers were targeting US organizations with wiper malware, delivered through targeted phishing attacks, to disrupt operations and destroy data.
In response, organizations are being urged to adopt a heightened state of awareness, while security leaders monitor their security capabilities and understand how to identify abnormal activity. Those leaders also need to confirm reporting processes and ensure an incident response plan is in place.
The New Threat Landscape
But for Caleb Barlow, CynergisTek CEO, the threat from Iran should not be a moment of panic in which providers assume nation-state actors are out to get the US healthcare sector. It’s about acknowledging that the US strike on Iran has changed the threat landscape, and that providers need to prepare for the next level of attacks.
Consider the ransomware attacks of the last few months. The majority of those providers had incident response and/or disaster recovery plans in place. However, many victims paid the ransom to restore services, Barlow explained. They were “prepared,” but still had to pull the ripcord to restore patient care.
Healthcare has grown increasingly comfortable with leveraging the fallback option of paying the ransom for these types of attacks. Consider the most recent LifeLabs breach of 15 million, where officials admit they worked with cybersecurity leaders to pay the cybercriminals to retrieve stolen patient data.
To Barlow, healthcare needs to focus on that question: What happens when the fail-safe of paying the ransom to regain access to patient data and bring operations back online is no longer an option? What happens when data is locked down or destroyed, but there’s no hacker on the other end to restore access?
In typical exfiltration attacks, data is not destroyed, although some newer ransomware variants lose or inadvertently destroy data during the attack. Barlow stressed wiper malware is a whole different ballgame. The attacks are destructive in nature, completely deleting all data on the breached system.
Entire machines often can’t be rebuilt after a wiper attack. Victims are forced to reformat or replace entire systems, Barlow said. And IBM research has shown the fallout from a wiper attack costs about $200 million on average.
Barlow, who previously led IBM’s Iran response team, explained that these types of attacks are a specialty of Iranian hackers. In the past, these targeted attacks were limited to Middle Eastern organizations and were economically motivated.
With the recent US strike, the likelihood of Iran shifting the use of these attacks to disrupt critical infrastructure has significantly increased. And with the onslaught of ransomware attacks in the last year, Iran would not have to do reconnaissance to find the weakest targets.
“Rather than deploying ransomware, hackers may deploy wiper malware,” Barlow said. “But this isn’t about scaring the sector: We need to think about the potential attack scenario on the sector in a different way.”
“Because of the structure of Iran’s forces, they could be opportunistic and could leverage ransomware targets, so we in healthcare need to be better prepared for destructive attacks,” he added.
What’s more, with ransomware, hospitals often lean on the ability to transfer or redirect patients to nearby hospitals. But Barlow posed a serious question: What happens when the attack impacts an entire region? More and more hospitals lean on shared EHRs and systems. With a destructive attack, hackers can take down not just one hospital, but all providers connected to the network.
The sector has already seen two massive cyberattacks in the last few months that mirror this “hypothetical” scenario. Hundreds of dental offices and nursing homes were unable to see patients after a cyberattack on their IT vendors.
Now providers should ask what they might do in that kind of scenario.
“This is not a disease you’re dealing with that can be inoculated with treatment. It’s a bar fight,” Barlow said. Healthcare will keep taking hit after hit until it does something about it. Those “putting off investment in infrastructure and cyber… The bar has moved on the worst-case scenario, what are you willing to change?”
Business Resiliency Response
Wiper attacks run slowly and hackers take their time: it might take 40 or more days before the hackers hit the detonate button, Barlow explained. Hackers move laterally across an organization, taking hold of as many machines as possible. In some scenarios where the hackers are noticed by security teams, they will wait to strike.
The prevention methods for these types of attacks are the same as for typical threat actors: network segmentation, endpoint detection and response, security alerts, and other normal cyber hygiene measures.
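As an added illustration of the “abnormal activity” the article says security leaders must learn to identify during the long lateral-movement phase described above (this is example code, not from the article, CynergisTek, DHS, or IBM), the following Python script flags an account that authenticates to an unusually large number of distinct hosts within a short window. The log layout, the thresholds, and the log lines themselves are constructed assumptions, not a real product’s format:

```python
"""Lateral-movement fan-out detector over constructed authentication logs.

Added example for illustration only. One account reaching many distinct
hosts in a short window is a classic lateral-movement signal; the window
and threshold below are assumed starting points, not vendor defaults.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp user src_host -> dst_host" layout.
SAMPLE_LOGS = [
    "2020-01-10T08:00:01 jsmith WS-101 -> FILESRV-01",
    "2020-01-10T08:05:12 jsmith WS-101 -> FILESRV-01",
    "2020-01-10T09:14:33 svc_backup BK-01 -> DB-01",
    "2020-01-10T22:01:05 adm_tmp WS-233 -> WS-102",
    "2020-01-10T22:01:40 adm_tmp WS-233 -> WS-103",
    "2020-01-10T22:02:11 adm_tmp WS-233 -> WS-104",
    "2020-01-10T22:02:50 adm_tmp WS-233 -> WS-105",
    "2020-01-10T22:03:20 adm_tmp WS-233 -> DC-01",
    "2020-01-11T01:00:00 adm_tmp WS-233 -> WS-106",  # hours later, outside the burst window
]


def parse_line(line):
    """Split one assumed-format line into (timestamp, user, src_host, dst_host)."""
    ts, user, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), user, src, dst


def detect_fan_out(lines, window=timedelta(minutes=10), threshold=5):
    """Return {user: sorted distinct destinations} for every account that
    authenticated to at least `threshold` distinct hosts inside any `window`.

    A per-user deque holds only the events inside the sliding window, so the
    scan is a single pass over time-ordered events.
    """
    events = sorted(parse_line(line) for line in lines)
    recent = defaultdict(deque)  # user -> deque of (timestamp, dst_host)
    alerts = {}
    for ts, user, _src, dst in events:
        q = recent[user]
        q.append((ts, dst))
        # Drop events that fell out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold:
            # Accumulate across repeated triggers so the alert lists every host touched.
            alerts[user] = sorted(distinct | set(alerts.get(user, [])))
    return alerts


def format_alerts(alerts):
    """Render alerts as one line per account for a ticket or SIEM note."""
    return [f"fan-out alert: {user} reached {len(hosts)} hosts: {', '.join(hosts)}"
            for user, hosts in sorted(alerts.items())]


if __name__ == "__main__":
    for line in format_alerts(detect_fan_out(SAMPLE_LOGS)):
        print(line)
```

In the constructed data only `adm_tmp` trips the rule, reaching five hosts (including a domain controller) in just over two minutes late at night, while the backup service account and the ordinary user do not. In production the same logic would run over EDR or domain authentication telemetry, with the threshold tuned per role so that legitimate administrative and backup accounts are allow-listed rather than silenced.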
What needs to change, however, is not the preventative measures but the response to an attack, Barlow explained.
“Most hospitals’ response to ransomware is to call the insurance company and take their lead in the response,” Barlow said. “They don’t have plans in place, and they will just follow the insurance company’s lead. The thing to realize is this is a nation-state attack, which is not something the insurance company will pay out on.”
“Suffice it to say, if a foreign actor gets credit for the attack, organizations are going to have a hard time getting the insurance to pay,” he added.
The response for wiper attacks is also totally different from ransomware. Organizations need a business resiliency response for when nothing works in the hospital.
With phone, email, and other systems down for weeks or even months, organizations need to ask the hard question: how long can a provider operate without these systems? For most, the answer is not at all. And if they can operate, Barlow explained, it’s often at a degraded level.
At a deeper level, organizations also need to assess when they might run out of money because they can’t bill, or see patients because they have no patient histories. It all boils down to when it’s all gone, who’s in charge? And does the workforce know who to contact in a cyber emergency and how?
“There is a way to plan for this. It’s called incident command system (ICS),” Barlow said. “It’s a method of thinking about crisis incidents and how the organization makes decisions and communicates during a crisis. For hospitals, it’s great as they get ICS, which is used on mass casualty incidents.”
“Healthcare needs to build the same kinds of plans as they would for mass casualty incidents,” he continued. “The only difference is the disaster is that the systems don’t work. Most organizations understand it but haven’t put the plans together specific to a cyber emergency.”
For detailed IT security steps organizations can take, healthcare providers should look to the January 6 DHS CISA AA20-006A: Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad.