A large amount of PHI (patient health information), outdated devices, weak passwords and multiple entry points make hospitals the perfect target for hacker attacks and ransomware. These attacks increased 45% in the third quarter of 2019.
For doctors, x-rays and the machines that produce them are powerful tools to diagnose an injury or illness.
For thieves, x-rays can be the starting point for identity theft. An x-ray includes the patient’s name, date of birth, hospital name and, sometimes, an account number. A cyber criminal can guess the city of residence based on this information and, from there, can search for property tax and voting records.
In a new report on the state of health care data security, Malwarebytes reports that cyber criminals can use patient data to create “synthetic identities, which are new and unique identities constructed from data collection taken from various records.” They can use this new identity to buy medical equipment and prescription drugs, get medical services or even “combine a patient number with an invented name of a health provider to file health insurance claims.”
Cyber criminals have even used X-ray machines to launch malware attacks. In 2018, Symantec discovered that a group called “Orangeworm” had been deploying the Kwampirs backdoor on X-ray and MRI machines.
This is just one of the terrifying findings in Malwarebytes’ new report, “Cybercrime tactics and techniques: the state of medical care for 2019”.
Adam Kujawa, director of Malwarebytes Labs, said hospitals offer many potential entry points for cybercriminals.
“People could be sitting in a hospital parking lot and establishing a false access point to the hospital’s free Wi-Fi connection,” he said. “Or you can try to break the real hospital network, just sit in the waiting room of the emergency room with your computer.”
Physical access is also easy, since people roam hospitals with carts and laptops.
“Let’s say a doctor came in with a cart and was checking his arm and while looking at him, I’m putting a USB drive in his laptop and installing a keylogger,” Kujawa said.
In addition to physical vulnerabilities in a hospital setting, the nature of health care systems makes them ideal targets due to:
- Millions of data points
- Large number of endpoints
- Prevalence of legacy systems
- Insecure applications
- Low IT budgets for security
The new report analyzes what tools cybercriminals are using to steal personal health information and explains why health care organizations are irresistible targets.
Triple threat: Emotet + TrickBot + Ryuk
Malwarebytes reports that cyber criminals often use Trojan malware to attack health care organizations. Threat detections increased from 14,000 endpoint detections in the second quarter of 2019 to more than 20,000 in the third quarter, an increase of 45%. Emotet was the biggest problem at the beginning of the year, while TrickBot has been more active in the second half of the year.
The report found not only that many hospitals have not patched the SMB vulnerabilities that WannaCry used, but also that many of the Trojan attacks deliver ransomware payloads. Malwarebytes analysts discovered that “Emotet not only launches TrickBot as a secondary load, but that both Emotet and TrickBot usually release Ryuk ransomware in a combined attack.”
The authors of the report analyzed regional differences in malware activity. The West had the highest number, with almost 24,000 threat detections in the last year, or 42% of total health care detections in the US. The Midwest had 36% of health care detections in the US. The top five western states targeted were: Idaho, California, New Mexico, Nevada and Colorado. In the Midwest, Illinois, Ohio, Wisconsin, Michigan and Kansas had the most attacks.
Regardless of location, health care organizations share the same vulnerabilities that make them prime targets: high PHI, low security and multiple entry points.
A treasure trove of personal health information
When hackers steal patient data, they get more than the standard set of personally identifiable information (PII): full name, date of birth, Social Security number, address and telephone numbers. Thieves also obtain data that is only available from health care providers: health conditions, tests, blood test results, family and/or genetic history, prescription medications and doctor’s diagnoses. As the report authors point out, “unlike credit card information, the date of birth, the SSN and the medical history are irreplaceable.”
Legacy systems everywhere
The Malwarebytes authors are blunt in this regard: the sustained use of legacy and unsupported systems is considered one of the main reasons why medical care remains an easy target for cyber attacks.
A component of this problem is the slow process of updating the systems. Another element is the fact that many devices are not PCs and cannot be updated, due to hardware limitations or the end of firmware support.
Kujawa said the biggest barrier to better security is the IT budget. “The biggest problem is that they don’t have the funds to do what they need to do to protect themselves,” he said.
The report is also clear on this topic:
“… the main decision makers in the field of medicine, especially their board of directors and chiefs of staff, should divert some funds for security personnel, equipment, training and defense software and services, or otherwise they will continue to be chosen by opportunistic threat actors.”
If hospitals do not begin to find more money for IT staff and security budgets to accelerate the update process, “… patients, staff and the company itself will continue to receive the worst part of cyber attacks.”
Large number of endpoints
The generally accepted “bring your own device” approach is bad enough for securing a hospital environment. The security risk worsens further when devices belonging to patients and visitors and Internet of Things medical devices are added to the mix. Malwarebytes believes that IoT devices, especially those belonging to staff, are inherently insecure because:
- They are often created by developers who are not trained to produce secure code.
- They have not incorporated security into the design of the product itself.
- They cannot be protected with security software because they are too specialized.
- They are a personal device not protected by the network or endpoint security.
While medical IoT has the potential to improve patient care, connected devices, from Wi-Fi-enabled infusion pumps to smart MRI machines, represent a substantial risk to a network containing EHR and personal health records. These devices dramatically increase the attack surface.
Applications are another instance in which increasing convenience for patients and doctors also increases security risks. Malwarebytes reports that applications expand the attack surface in several ways:
- The applications interact and communicate with the general security infrastructure of the associated health care organization
- The presence of advertising or analytical trackers increases the processing time, which could increase the vulnerability of the application to a breach
- Not all medical applications must comply with HIPAA
Finally, because many healthcare applications share data with third parties, “there is a possibility that cybercriminals may not even have to violate the program, but let the data reach them.”
Securing the next wave of digital tools
If hospitals cannot keep X-rays and EHR records safe, what does that mean for even more sophisticated technology in healthcare settings? The most sobering part of the Malwarebytes report is the “Future Concerns” section.
Elon Musk’s company, Neuralink, is working on technology to link the human brain to a computer: human brain/cloud interface (B/CI). The original intention is good: to help people deal with injuries to the brain and spinal cord. Testing this interface in the laboratory is one thing, but connecting such a system to hospital systems that use legacy software is a completely different challenge.
As the Malwarebytes authors ask: is it possible to protect a human brain connected to the Internet? If cyber criminals can put X-ray machines to disastrous use, they would certainly want to use more advanced healthcare technology.