The healthcare sector has long been seen as a lucrative target for cybercriminals. As today’s threat landscape continues to evolve, cybercriminals are leveraging new and old capabilities to exploit network vulnerabilities as efficiently as possible. In order to maintain an effective security posture in this complex cyber ecosystem, healthcare cybersecurity teams need to be aware of the current threats most prevalent within the healthcare sector, as well as the security measures and capabilities needed to properly address them.
Given the large amount of valuable protected health information (PHI), personal, and proprietary data held by healthcare organizations and facilities, it makes sense that the sector accounted for more than half of all cyberattacks in 2017. Today, cybercriminals are looking at the healthcare sector as an easy way to leverage data, extort networks for ransom, leach off of network elements for financial gain, and more.
As our latest Global Threat Landscape Report for Q1 reveals, cybercriminals are adopting a variety of capabilities that span across the kill chain—from reconnaissance and weaponization, to post-attack command and control. Should these threats successfully exploit network vulnerabilities, the consequences can be severe.
Cybersecurity Threats Facing the Healthcare Sector
Today’s increase in cyberattack capabilities is prompting the healthcare sector to exceed $65 billion on IT security within the next five years. However, it should come as no surprise that as cybersecurity spending continues to increase, the efforts of cybercriminals to adapt and find new ways to leverage vulnerabilities grows in tandem. Recently, we’ve noticed a variety of threats that should be on the radar of healthcare IT personnel:
Fileless Malware Variants:
Unlike traditional malware attacks that require cybercriminals to install a malicious executable on disk to infect a machine, fileless malware allows a cybercriminal to leverage tools already on many computers such as PowerShell and WMI to infect directly into memory. In addition to keep persistence these scripts can be installed into autorun registry settings ensuring the malware is loaded every time the infected machine reboots. Using these techniques makes it increasingly more difficult to detect.
Cryptomining malware, also known as cryptojacking, focuses on maliciously injecting exploits into the browsers of computers or distributing malware across servers and IoT devices with the goal of leaching CPU resources. Cybercriminals then use these resources to mine cryptocurrency for financial gain. These attacks can cause system crashes, poor network efficiency, and a sharp drop in machine speed for those within the infected network.
Cryptomining malware is also showing an increase in worm-like spreading capability, leveraging the EternalBlue exploits that made headlines for its use in the large-scale WannaCry ransomware attacks. Known as WannaMine, this one form of cryptomining malware has the capability to move laterally across a network, identifying and exploiting vulnerabilities and legacy systems that haven’t been properly patched.
The threat landscape today also indicates that cyberattacks are becoming increasingly persistent, continuing to act within an infected network following system reboots. Cybercriminals are now leveraging ASEPs, Service Replacement, Scheduled Tasks, and DLL search order attacks to remain functional, making it necessary to properly clean a network following an identified attack.
Unlike many forms of cyberattacks where cybercriminals incorporate a “spray and pray” approach, usually related to a large phishing campaign hoping to find a user who will click on a link or attachment, designer attacks are highly sophisticated and target the specific network security and vulnerabilities of an organization. Cybercriminals are now doing extensive research into their targets, leveraging external vulnerability scanning and automated detection methods to identify core business information, high-value data, and areas where valuable network credentials can be obtained.
As demonstrated in the SamSam and Orangeworm malware variants, these “hands-on-the-keyboard” attacks are methodically carried out. Particularly effective at exploiting legacy systems prevalent within the healthcare sector, this malware variant has the capability to bypass hash-based detection and propagate rapidly within an infected network.
Measuring and Prioritizing Defenses to Mitigate Cyber Threats
In order for the healthcare industry to effectively secure themselves from evolving cyber threats as well as mitigate the impact of successful attacks, it’s important to practice effective cyber situational awareness. To best organize efforts for effective cyber situational awareness, it’s important to consider the following organizational pillars:
- Business Mission Goals: Identifying your critical business processes, and which of them help achieve business goals, helps you understand what is important to the daily functioning of the business. From there, you can prioritize your security efforts to effectively mitigate the chance that a cyberattack can impact them.
- Cyber Assets: Given the scope of networks within a healthcare organization, and the sheer amount of assets within the network, it’s important to have the capability to effectively understand what assets are within your network at any given time. By leveraging inventory controls and artificial intelligence, IT professionals can identify all assets—and any related vulnerabilities—especially those assets critical to facilitating business goals.
- Network Infrastructure: After all key cyber assets needed to facilitate and drive business goals are identified, it’s critical that IT professionals identify how those assets are connected within and across the distributed network infrastructure. This provides critical insights into the avenues of attack that cybercriminals may use to traverse and exploit the vulnerabilities that may exist within the network.
- Cyber Threats: Lastly, it’s important to understand the cyber threats the network environment is most vulnerable to. IT personnel should also be focused on understanding the threat actors that would be motivated to steal data within the network, and the sorts of methods and tools they generally use to accomplish their goals. This gives critical insight into not only the network areas and entryways that are most enticing to cybercriminals, but also provides a high-level overview of the scope of an organization’s security posture against these specific threats.
Once the foundations of cyber situational awareness are laid down, it’s important to actively measure your existing security posture with defensive testing. This includes security assessments that ensure that controls are properly implemented, penetration testing that examines the scope, tools, and techniques of current cyber threats, and threat hunting to determine if threats are actively present within a network.
Unfortunately, many defensive testing strategies are limited to known cyber threat strategies and procedures, and as a result, often don’t represent real world attacks. That’s because the parties performing pen testing, for example, tend to use the tools and techniques they are comfortable with, which means they may not be measuring current attack capabilities and threats against the healthcare system being analyzed.
To help fill this gap, the non-profit Mitre Corporation has released an ATT&CK Matrix resource that collects actual techniques being used by cybercriminals into a single location. This data enables organizations to check their controls against documented attack scenarios, helping provide real-world insight into the security posture of healthcare organizations and facilities.
Today’s cyber threats are growing faster than ever, while becoming increasingly stealthy and resilient. Given the variety of cyber threats facing the healthcare sector today, it’s critical that IT professionals understand the current threat landscape and cybersecurity ecosystem in order to prioritize security procedures, vulnerabilities, and network areas for optimized security posture.
In an effort to assist healthcare cybersecurity, Fortinet has released a variety of products to usher in the third generation of security, giving healthcare providers the tools they need to effectively secure themselves against today’s threats. These innovations expand on our Security Fabric architecture, bringing new capabilities to organizations running—or moving to adopt—the most widely distributed security operating system.
Check out our latest Quarterly Threat Landscape Report for more details about recent threats.
Sign up for our weekly FortiGuard Threat Brief or for our FortiGuard Threat Intelligence Service.