Healthcare institutions continue to be heavily targeted by cyber attackers. A review of the current data in the Department of Health and Human Services, Office for Civil Rights (HHS OCR), database of major breaches shows that cyber attackers continue to compromise our healthcare institutions more with each passing year.

If you examine the HHS OCR database, you will find that in 2017, approximately 3.4+ million individuals were impacted in the United States by major healthcare data breaches due to “IT-Hacking.” In 2018, this number of individuals impacted jumped to approximately 9.1+ million. Other key metrics such as the number of total major healthcare data breaches have also increased. Major healthcare data breaches are defined as those report under HIPAA compliance as impacting the confidential healthcare data (personal health information – PHI) of more than 500 individuals.

Email is identified in the HHS OCR data as the primary attack vector

The tactics have evolved a bit at the front of the attacker’s kill chain. Email is identified in the HHS OCR data as the primary attack vector and the use of email has been increasing during the past few years. The rapid move to mobile devices and broad interconnection of healthcare networks between hospitals, physicians, diagnostic labs, surgical centers, long term care facilities, and other healthcare institutions have made healthcare networks much more porous. Medical devices provide a safe target where embedded attackers can remain relatively undetected for long periods of time.

Of course, that is the thesis of this blog. Once inside of the healthcare network, cyber attackers know that medical devices are likely targets of opportunity for their malware tools. If they can get to a medical device, they have a very high probability of inserting their command and control software tools, and using this to communicate with an IP address that has not yet been identified as malicious by current threat intelligence.

The reasons for this are simple – standard cybersecurity tools cannot be installed within FDA certified medical devices. In the United States all of these medical devices are closed devices, that is, no standard cybersecurity controls may be added by healthcare personnel for fear of voiding of FDA certification, voiding manufacturer warranty, creating a potential hazard to patients, and being financial liable for that hazard. This provides an unintended safe harbor for cyber attackers and their malware tools. Further, the operating systems in medical devices are typically older, out-of-date, missing critical updates, and replete with vulnerabilities.

Once infected with malware tools, it is not so simple nor fast to remediate medical devices.

The operating system software must be completely reinstalled by authorized vendor personnel. The downtime for a device like a MRI or CT-scan can cost a hospital or MRI center hundreds of thousands of dollars or more in lost revenue. Without rapid detection and response you can remediate one medical device, and find that three more have been similarly infected. It is a mess.

I think we all understand today that we will never stop the initial points of Kill Chain initiation – attackers will get in. The problem becomes understanding how you will find and stop the execution of the Kill Chain before data breach can be accomplished. How will you detect the attackers operating within your healthcare network? How will you eliminate them, and return to normal operations? Of high importance, how will you protect the highly vulnerable medical devices within your healthcare network? How will you do this with speed, certainty, and accuracy?

The use of segmentation to protect healthcare networks offers promise to help. Perhaps 10% to 20% of hospital networks have implemented network segmentation in whole or part. Unfortunately the set-up for network segmentation is difficult, and sometimes expensive to implement. In the case of one very dominant networking vendor in order to set-up network segmentation you must buy only certain models of their routers. The rest are not compatible! Integrating a multi-vendor network may be difficult to impossible. Portable devices such as X-ray machines, blood gas analyzers, and other devices that must hop on and off various wireless networks is yet another small, but complicating factor. And still, network segmentation cannot completely eliminate the problem but more likely limit the spread to a small part of the network.

Deception technology can rapidly and decisively identify attacker command and control which is hidden away in your medical devices

Any activity emanating from within the medical device will very quickly reach a deception decoy. You touch a decoy and you are caught. This sort of behavior is clearly malicious. Most important, consider that deception technology is not variable, probabilistics or conditional.The detection used by deception technology is absolute and crystal clear. It is certain and very high probability. No one should be touching any of the decoys under any circumstances.

Acalvio Deception Technology

Acalvio deception technology is optimized and well architected to protect healthcare networks and can overcome may of the weaknesses in your current healthcare network cyber security architecture. We have many years of experience in protecting some of the largest healthcare institutions in the world.

Deception Technology Decoys in ShadowPlex

The deception technology decoys in ShadowPlex are easily interspersed within your network, amongst your medical devices, and will constantly be in the way of attacker reconnaissance. Every way they turn, attackers will face the high probability of detection. At any point in time when they touch a deception decoy, Acalvio will identify them at high certainty. We will then issue a very high integrity alert for action by your SOC team responders.

More information – Acalvio Resources

If you want to know more about ShadowPlex, please review our resource page here:
https://www.acalvio.com/our-blog/resources/
or contact us for a free trial. We’d be pleased to share more about our technology, share confidential information about our healthcare case studies, and how ShadowPlex can help secure your healthcare networks and medical devices.