The Risk of Nation-State Hackers, Government-Controlled Health Data
Throughout the COVID-19 pandemic, an increasing amount of health data is being controlled and stored by the government. As nation-state hacking increases, the risks to privacy will follow.
The COVID-19 pandemic has driven a rise in targeted, sophisticated cyberattacks designed to take advantage of an increasingly connected environment. In healthcare, it’s led to a rise in nation-state attacks, in an effort to steal valuable COVID-19 data and disrupt care operations.
The primary culprits? Nation-state hackers with ties to the governments of Russia and China.
While threat actors actively targeted all sectors and users with phishing lures and fraud scams tied to the pandemic, the healthcare sector has faced unique challenges given the rush to find a coronavirus vaccine and the need for uninterrupted care access in the face of the pandemic.
Beginning in May, multiple reports from the National Security Agency, the FBI, the Department of Homeland Security Cybersecurity and Infrastructure Agency, and the UK National Cyber Security Centre shed light on these targeted efforts against the healthcare, pharmaceutical, academic, and research industries.
These concerns have significantly increased as the Trump administration signaled a shift of COVID-19 data from the Centers for Disease Control and Prevention to the Department of Health and Human Services, as well as efforts to build both state and federal contact tracing apps.
As these reports signal a shift in the threat landscape for the foreseeable future, HealthITSecurity.com spoke with Jake Olcott, vice president of Communications and Government Affairs at BitSight; Saif Abed, MD, founding partner and director of cybersecurity advisory services of the AbedGraham Group; and Tom Pace, vice president of Enterprise Solutions at BlackBerry, to better grasp the risk and what healthcare providers need to be doing to reduce vulnerabilities and bolster defenses.
Nation-State Targeting
Russian- and Chinese-backed hackers have already successfully attacked several pharma and healthcare firms stymied by serious system vulnerabilities amid the crisis.
The Department of Justice recently indicted two Chinese hackers for stealing more than 1 terabyte of data from a range of US organizations, including those in healthcare. Netwalker ransomware has dominated targeted healthcare attacks in recent months and is also rumored to have ties to Russia.
Meanwhile, the University of California San Francisco paid Netwalker threat actors $1.14 million in June, after a ransomware attack locked down several servers of its School of Medicine.
To Olcott, the threat landscape has drastically escalated amid the crisis, which means these organizations must prepare to “continuously identify weaknesses and vulnerabilities, recognizing that anything can potentially be exploited.” Further, these attacks are specifically designed to steal intellectual property and trade secrets from research firms working on the COVID-19 responses.
While system vulnerabilities should be remediated and monitored given the heightened traffic, phishing campaigns continue to be the leading infection vector, Pace explained.
“These organizations are especially susceptible to targeted phishing attacks as a result of the research they are doing,” said Pace. “These organizations are rarely properly equipped to handle these kinds of attacks, especially when they become the focus of multiple groups of adversaries.”
Leading Vulnerabilities, Entry Points
The latest Fortified Health Security report showed that malicious attackers caused 60 percent of healthcare data breaches during the first half of 2020, while Interpol warned that hackers have ramped up phishing efforts amid the crisis.
It begs the question: How are hackers getting into healthcare networks?
Importantly, nation-state actors aren’t necessarily targeting specific types of vulnerabilities, although DHS and others have shed light on some of these attacks. Rather, Pace explained, hackers are relying on certain scans to identify system weaknesses they know they can exploit at targeted organizations.
“But what typically differentiates nation-state level groups is taking the attack surface provided to them and finding a way in, even if there are no known vulnerabilities,” said Pace. “Externally exposed services and devices are targets that are often desirable as well as the ever-prominent phishing email.”
“DHS has identified some of the vulnerabilities associated with major campaigns, but the reality is that any unpatched vulnerability can be exploited by a malicious actor seeking to gain a foothold,” Olcott added.
The Risks of Contact Tracing, Government-Controlled Health Data
When Google and Apple announced a collaborative effort to build the API for contact tracing apps across the US, a host of security stakeholders flagged a range of security and privacy implications. Many were tied to a lack of transparency and Bluetooth vulnerabilities, as well as concerns the data would not be sunsetted after the pandemic ended.
But to Abed, privacy is only one concern behind state and federal contact tracing apps. As the success of these applications relies on interoperability and larger platforms to support usage, these apps that interconnect hospital and local government systems have inadvertently expanded the threat landscape.
“It’s the only way to do trend analysis, resource planning and stage early interventions in high risk groups,” Abed said. “This mesh will create a greater surface area to attack and laterally spread through to compromise systems whether it’s for data exfiltration or ransomware attacks. That’s why I don’t even consider these as apps, but rather contact tracing and analytics platforms.”
The threat landscape – and its appeal to nation-state hackers – will only fuel these privacy and security risks as an increasing amount of COVID-19 health data is controlled by governments. Abed explained it will come down to how the data will be used and who will be able to access it.
It’s clear that data sharing is crucial during a pandemic. However, it “represents a social contract of trust.”
“But without transparency then suddenly personal demographic data, let alone medical data, could be funneled to third parties, without explicit consumer permission, and used to take decisions that compromise individual freedoms and options in the future post-pandemic,” he added.
The decision to shift state coronavirus information from the CDC to HHS will also add to these risks and overall challenges. Olcott explained that personally identifiable information is being collected at a scale that fuels huge concerns.
In particular, nation-state actors are consistently seeking to find and attack massive personal databases for financial gain, explained Olcott. In light of DOJ, FBI, and DHS CISA reports, this data would be ripe for attacks, especially as the World Health Organization has already reported a spate of cyberattacks on its workforce amid the crisis.
For example, hackers targeted and breached a database of the Office of Personnel Management in 2015, exposing the background information of 4 million individuals.
“Central databases are too tempting a target for attackers to pass up and actually a greater risk exists as these databases will likely not be siloed but have connections to a range of other organizational networks and assets allowing attackers to scale up their attacks,” Abed said.
Abed stressed that transparency will be more important than ever to help individuals better understand the shift and the safeguards in place to protect their sensitive information. The government will need to provide information on how the data is being gathered, analyzed, interpreted, protected, and presented, no matter what agency is in control of the data.
Given these agencies are a top target for cyberattackers, including nation-state and purely criminal enterprises, governments will need to invest in clearly communicating why this data is needed and how they intend to protect it both now and in the future, explained Abed.
The response must have a consistent, clear process, supported by accountable leadership, and the message must evolve to coincide with the pandemic, he stressed.
“When there’s a sudden shift in the agency controlling said data then it certainly raises questions about why this has happened,” said Abed. “Is there a deficiency with the previous data controller? Or is there something that needs to be done with data that only another agency is willing to do? If so, what is that? And is it appropriate and solely for mitigating this pandemic? It raises a lot of questions.”
“Leveraging a third party to manage this project or at least the data component is likely wise,” said Pace. “Many government entities suffer from a lack of resources that allow them to adequately protect their assets and data. This is not an excuse, but a realization that needs to be understood so the problem can be appropriately addressed.”
Mitigation, Lasting Privacy Impact
How can healthcare and pharma entities begin closing these security gaps? For Olcott, it’s about prioritization. Enterprises must focus on vulnerabilities associated with the most critical systems, especially those supporting the development of vaccines.
“From a privacy perspective it seems that centralization of data is necessary to achieve a vaccine and other solutions to COVID, at least in the near term,” Pace said. “This is not a case without precedent, however; banks store critical information, governments store secrets, and credit agencies store Social Security numbers.”
“None are perfect, but we know if appropriate resources are provided to secure assets this makes the compromise and exfiltration of the data orders of magnitude more difficult,” he added.
Security leaders should also look to identify weak links in the supply chain, including third-party vendors able to access these systems, Olcott noted. And organizations must understand there’s a need to spend money on these cybersecurity issues now, much like the enterprise is investing in ways to solve the COVID-19 problem.
Email security and training will also be paramount, given the prevalence of phishing prior to and amid the COVID-19 crisis. Pace recommended healthcare and pharma organizations prioritize these risks, which will be time well spent.
Lastly, it’s crucial to properly segment and protect data, especially as nation-state actors and other hackers continue to target trade secrets and intellectual property.
“If you’re unable to manage the systems and security themselves, outsource this function to a skilled third party,” said Pace. “This comes with its own risks but is likely better than the alternative as healthcare has typically lagged behind other verticals.”
“Security doesn't have to hinder development or progress. It doesn't have to be a tax on the business,” Olcott concluded. “We need to think about how to integrate security into our efforts, not bolt it on at the end.”