This post is also available in: heעברית (Hebrew)

By Or Shalom

Cyberattacks targeting the health sector have intensified following the COVID-19 crisis. The US Department of Health and Human Services and the Office for Civil Rights report published recently has unveiled hundreds of information security events during the last 24 months (attacks that caused harm to systems, information leak, ransom attacks, and more). The attacks targeting the health sector have reflected the capability to cause damage, shut down critical systems, and steal medical records and patient information. These trends require an evaluation and security-bound thinking regarding the assailant and his goals in order to minimize the attack surfaces in this sector.

The requirement to keep operations going on alongside the need to secure the information security triangle (CIA) in order to prevent risks regarding the information integrity, availability and confidentiality raises quite a few planning challenges. These will be elaborated on from various aspects and arenas.

Air gap networks for minimizing risks

The installation and expansion stage (according to the Cyber Kill Chain attack model and the like) can have implications for the organization’s cross-cutting functioning ability. As per this method, an attack on an emergency ward receptionist’s computer might have cross-cut implications for the management networks. Implications may include patient acceptance processes, and expand to operational networks and critical systems (such as the robotic systems at operating rooms, structure systems, or even systems supporting operating rooms). Air gaps should be planned for dedicated zones as part of the preparedness for cyber crises and in order to ensure the continuity of other wards. Balancing between the convenience of use and user experience and operational security needs requires the use of a range of technologies to support work processes in air-gapped environments. 

For example, updating a large number of air-gapped systems could be cumbersome. A solution and a more convenient operational response are required. A one-way diode can offer more flexible operation while monitoring the information direction (one-way), authorized file types and protocols, and transfer timing.

Controlling communication-based components (OTA – Over the Air)

Purchasing advanced technological systems and robotics in the health sector means better medical services. These systems are based on analytics, AI, and ML (as part of the optimization processes), quicker processing, and the optimal use of the big data space. These systems have OTA connectivity in various channels, such as IoT.

This fact enables operational flexibility and mobility of systems within and outside the hospital without using complex cables and connections. During the COVID-19 period, systems can be easily transferred from one ward to another for treating or diagnosing COVID patients that can not reach the specific ward.

On the other hand, from the point of view of cyber, it becomes hard to monitor, manage and control these systems, as each ward can purchase an autonomous system independently of any computing resources or stakeholders (sometimes without their knowledge). There is also the challenge of managing different components from various manufacturers and with a variety of protocols.

The key to minimizing risks in this arena lies in the capability of new technologies to detect systems in IoT-based communication (and others), to acquire capabilities in order to obtain control, monitoring, and management (e.g. controlling the processes, timing and mode of communication, protocols, etc.)

Manipulation of medical systems and devices

A Ben-Gurion University research conducted two years ago has proved a threatening attack capability. The researchers showed that hackers can interfere with medical 3D scanning processes by deceiving radiologists and falsifying cancer diagnostic results. The research demonstrated the ability of a hostile actor intervening with communications as man in the middle (MITM) in order to maliciously add or withdraw some radiological findings in 3D images, thus influencing the process of cancer metastasis diagnosis.

Moreover, the research demonstrated the preparations of the attacker at the hospital in a way that enables him to take advantage of access points to the computer infrastructure for secreting a component that allows the attack. This demonstration stresses the need for suitable balance and synergy between the physical access security teams and the cybersecurity teams. They should collaborate in defining the critical computing infrastructure by analyzing the manipulation opportunities also at the physical space (which is even more important in the case of public places, that are more attractive and easy to operate for the attacker).

Records cybersecurity and privacy risks

The attacker is driven by various goals, including commercial espionage, crime, and ransom, as well as the drive to steal organizational data and information, mainly patents, formulas, customer lists, patient lists, and medical records. Attacks are also motivated by the desire to harm research companies (especially developers of medical technologies for COVID), medical startups, etc. The information collection efforts include the internet network as a whole (e.g. using FOCA tools, etc.) as well as focused attacks that cause information leaks from within the organization. A major challenge characterizing the digital organizational environment is the fencing of the risk and the prevention of sensitive information leaks.

Planning the controls against such a threat should be based on the understanding that information that leaked is not anymore under the organization’s control. Therefore, DLP solutions and prevention controls should be applied. The maintenance of DLP systems in large organizational systems with the various digital patterns, such as using mobile devices outside the organization, poses a genuine challenge. In addition, the need to index information, change it and adapt it for categorization and classification turns the event into a dynamic and complex one. There are currently some intriguing technologies, based on AI and ML and automation in mapping sensitive information (on the basis of known patterns from other environments) that can save the organization costs, time, and human resources.

As part of the processes of organizational efficiency, flexibility, and rapid response, health sector organizations and suppliers use mobile devices for storing, processing, retrieving and transferring information, including regarding patients. This mode of operation can be targeted for attacks and exposes the organization to cyber attacks. Of course, this state of affairs has implications for future judicial risks (possible lawsuits), insurance issues, and the organization’s reputation.

A NIST publication from 2018 elaborated on securing electronic health records on mobile devices. The publication was accompanied by lab tests (NCCoE) simulating possible realistic attack scenarios and evaluating controls and defense methods. According to one scenario simulated by the researchers, a medical doctor uses her private mobile device for transferring a patient’s clinical data. They also simulated an incident in which a patient or a physician send an electronic prescription to the pharmacy. Using private devices opens the way to quite a few manipulations in cyber-attack and fraud.

NIST’s publication also referred to encryption requirements in the application of technological controls based on zero-trust architecture regarding the device, entity, and of course, the network.

Sources

ocrportal.hhs.gov

usenix.org

nvlpubs.nist.gov

Or Shalom Security and cyber expert and consultant to government ministries and defense industries, international business development consultant for companies in the fields of HLS and cyber and leads centers of excellence and advanced training programs in Cyber and HLS for various organizations in the civilian, security, industry, and academic sectors. He holds a master’s degree, as well as civil and national qualifications in the realm of HLS and Cyber Security. He has experience in security, innovation, planning and characterization of technological security systems, HLS, and Cyber preparedness.