Cyber Threats to the Healthcare Industry

Written by Gal Landesman

Introduction

The healthcare industry is advancing rapidly, linking systems and medical devices to the Internet, adopting electronic health records and implementing regulatory reforms. Tremendous technological advancements in the medical industry bring with them a greater reliance on software-controlled devices and wireless technologies. These technologies are used in any visit to the doctor and in hospital wards. Many of them connect or have the capability to connect to the Internet. Alongside the opportunities presented, the industry is also a major target for cyberattack, mostly for financial motivationIn the following post, we will present some of the cyber threats currently faced by the healthcare industry.

In today’s environment, organizations are required to take responsibility for securing their networks and computers. Alarming vulnerabilities in medical devices have caused the FDA to issue guidelines for cyber security of the medical device industry. The U.S. Health Information Technology for Economic and Clinical Health Act, for example, permits the fining of hospitals and other organizations up to $1.5 million a year for serious security incidents. Unfortunately, the industry is falling short of complying with said security standards. Last year, for example, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) performed a random audit of 20 healthcare organizations, 19 of which failed.

(Note –  this blog post is an excerpt from our report: ”Cyber Threats to the Healthcare Industry”. If you are interested in receiving the full report, please write to: info@sensecy.com).

Threats to the Healthcare Industry

According to security experts, cyber criminals are shifting their focus from the financial industry to the healthcare industry, today an easier and more profitable target. Healthcare records contain valuable information for cyber criminals, such as social security numbers and personal information. Credit card records sell for an average of $2, while medical records can fetch about $20 on the black market. According to the Experian 2014 Data Breach Industry Forecast, the healthcare industry is likely to make the most breach headlines in 2014, despite the fact that 2013 was a year of mega-breaches in the healthcare industry.

Hackers' ransom note, after breaking into a Virginia government website
Hackers’ ransom note, after breaking into a Virginia government website

Identity and Information Theft

Medical identity theft occurs when someone uses an individual’s name and personal identity to fraudulently receive medical services, prescription drugs and goods, or attempts to commit fraudulent billing. Information theft can include the theft of personal information for malicious use, such as selling it on the DarkNet. According to a Ponemon Institute 2013 survey, medical identity theft claimed more than 1.84 million U.S. victims in 2013. Medical identity theft is on the rise in the U.S., where the number of victims in 2013 increased by 19%.

Medical Device Breaching

Over the last 15 years, a growing number of medical devices have become interconnected through hospital networks, the Internet, smartphones and other devices, increasing their vulnerability. This has not escaped the attention of the FDA who recently issued new guidelines to biomedical engineers, healthcare IT and procurement staff, medical device user facilities, hospitals and medical device manufacturers.

The new FDA guidelines came in response to the 2012 findings of a governmental panel that revealed that computerized hospital equipment is increasingly vulnerable to malware infection that can potentially render these devices temporarily inoperable. Many of the devices run on Windows variants. They are interconnected through internal networks to the Internet and are also exposed to laptops in the hospitals, making them vulnerable to malware.

An example of the implications that could be caused by such systems was demonstrated by the medical-device panel from the NIST Information Security & Privacy Advisory Board, who described fetal monitors in intensive-care wards that were slowed down due to malware infection. This problem can affect a wide range of devices, such as compounders, diagnostic equipment, etc.

A report issued by the Government Accountability Office (GAO) warned mostly about vulnerabilities found in wireless implanted defibrillators and insulin pumps, but thousands of other network-connected life-saving devices are also vulnerable. Malware in medical devices is probably much more prevalent than we know, since most of it is not reported to the regulators and there are no records. The OS updating process for medical devices is an onerous regulatory process.

Cyber threats to medical devices (from the GAO report)
Cyber threats to medical devices (from the GAO report)

Conclusion

We believe that the healthcare industry is facing major threats from cyberspace. These threats encompass large areas of the industry and may become a greater burden for it, compromising patient safety, and causing financial and commercial damage to the associated bodies.

SenseCy is coming to town! Come meet us at the RSA USA 2014 conference, February 24-28, in San Francisco.

RedHack – A Turkish Delight

On February 4, 2014, it was reported that members of the RedHack group hacked into the systems of three major telecoms companies: TTNET (Turkey’s largest ISP), Vodafone and Turkcell (the leading mobile phone operator of Turkey). The hackers claim to have obtained large amounts of data, and thus far they have published online information that belongs to Turkish officials and government employees, including names, ID numbers, phone numbers, email addresses and more.

RedHack is a Turkish Marxist–Leninist computer hacker group founded in 1997. The group has claimed responsibility for hacking institutions that include the Council of Higher Education, the Turkish police force, the Turkish Army, Türk Telekom, and the National Intelligence Organization. The group’s core numbers are said to be 12 but the group has hundreds of supporters and over 700,000 followers on Twitter.

RedHack's official Twitter account
RedHack’s official Twitter account

RedHack first made a name for themselves by hacking the Ankara Police Department’s official site in 2012, and later launched a number of attacks against governmental websites, including the Finance and Interior ministries, as well as the Religious Affairs Directorate.

During the last month the group has waged several high-profile attacks against Turkish entities: On January 16, 2014, the group leaked the phone numbers of over 4,000 people who work for Turkcell; On January 15, members of RedHack breached the systems of the General Directorate of the EGO, which serves as the Public Transports Department in Ankara. On January 11, hackers from the group waged several cyber attacks against a number of Turkish organizations, such as the Parliament, the Turkish State Railways, and the Justice and Development Party (AKP).

We believe that in the near future RedHack will continue to focus on attacking official Turkish entities. An interesting observation is their shift from defacing governmental websites to breaching major organizational systems and leaking sensitive information.

Related Posts


Turkish Hacking Group Cyber Warrior’s e-Magazine : TeknoDE on December 18, 2014 by Sheila Dahan

Did Turkish Hackers Actually Hack the Israeli “Iron Dome”? on August 18, 2014 by Sheila Dahan

Turkish Government Bans Twitter and Hijacks IP Addresses for Popular DNS Providers on March 31, 2014 by Sheila Dahan

Who Are The Islamic Cyber Resistance?

On January 7, 2014, a relatively new hacker group calling itself the Islamic Cyber Resistance (ICR) claimed they had accessed the Local Area Network (LAN) of the Israel Airports Authority (IAA) and leaked sensitive information regarding domestic and international flight maps.

According to the group, they accessed flight management plans and the ATIS/VOLMET system (Automatic Terminal Information Service), where they could have manipulated data communications, such as flight routing and weather conditions.

The ICR has leaked a great amount of data, most of which is not up-to-date. Our analysis additionally revealed that the leaked data does not originate from the IAA local network, but either from its open and public network or from a different server that contains such information.

Nonetheless, it appears that this group may pose a threat to Western entities, as well as non-Shi’a, and I will explain.

ICR executed their first act on February 25, 2013, when the group leaked the personal details of Bahraini intelligence and high-ranking military personnel. This was accompanied by an image demonstrating the group’s support of Hezbollah leader Hassan Nasrallah.

The attached image
The attached image

On August 10, 2013, the ICR and the Syrian Electronic Army (SEA), a pro-Assad hacker group, hacked a Kuwait mobile operator (Zain Group) and leaked information that included passwords.

On October 22, 2013, the ICR leaked the email addresses of the International Atomic Energy Agency (IAEA). It should be noted that information regarding the IAEA was also leaked in 2012 by the Iranian hacker group Parastoo.

On December 16, 2013, the ICR leaked personal details of 2,014 Israelis affiliated with various security bodies as well as secret documents from the Saudi BinLadin Group (SBG) and Saudi Arabian security officials. They stated that this attack was the group’s revenge for the assassination of Hezbollah Commander Hassan al-Lakkis on December 4, 2013.

Image of SBG document that ICR hackers gained access to
Image of SBG document that ICR hackers gained access to

According to the semi-official Iranian Fars News Agency, the group has declared that it is not affiliated with Hezbollah. However, the cyber-attack coined “Remember Hassan Lakkis Operation” and the image of Hassan Nasrallah attached to one of the leaks indicates a connection between the group and Hezbollah, or at least the group’s support for the organization.

Moreover, the name of the group in English is the same as one of the names for Hezbollah (Al-Muqawama al-Islamiyya – “Islamic Resistance”). Additionally, a news report in Persian about the ICR attached an image labeled “HizbullahCyber”, another indication of a possible connection between the ICR and Hezbollah.

Hizbullah_Cyber

The ICR has no Facebook or Twitter accounts. However, it seems that wikileak.ir is the main platform for their leaks. Additionally, the Twitter account @quickleak.org often tweets about the group’s operations and should therefore be considered a good source of information about the group’s activity.

Cyber Intelligence Yearly Report

Executive Summary

The SenseCy Cyber Intelligence team, along with our partners ClearSky and Aman Computers, has been providing intelligence monitoring services for leading financial institutes in Israel for over a year. Our unique methodology of using “Virtual Entities” to infiltrate cyber-attack groups and the underground has proven successful in alerting regarding imminent cyber threats, as well as detecting new Malware types and monitoring broader cyber trends.

The following is an extract of an annual report sent to our customers. To receive a copy, please send a request to: info@sensecy.com

Main Findings

This report comprises an analysis of data amassed from major cyber incidents pertaining to financial institutions in Israel over the past year, as reflected in the alerts, weekly and monthly reports produced by our Cyber Intelligence team. The analysis can be summarized as follows:

  • The majority of Hacktivist campaigns were directed against the government and financial sectors.
  • Interestingly, we have found no correlation between the attack dates and any symbolically significant dates.
  • The main threat actors were political activists and political cyber warriors.
  • The more popular attack types were data leakage (exploitation) attacks, resource depletion attacks, injection attacks and social engineering attacks.

Additionally, the report includes an analysis of data collected on the sale of attack tools on underground forums (mostly Russian). The analysis comprises 42 tools and exploits, summarized as follows:

  • The most popular tools for sale on the underground are bots and exploits (some sold as exploit kits), followed by Trojan horses.
  • Their main purpose is stealing financial information.
  • The main functions of the tools sold included running Web injection attacks and grabbers, intercepting and forwarding SMS messages and calls from cell phones, Keyloggers, and DDoS attack tools.
  • Java was the program identified as most vulnerable to attack.
  • The most vulnerable Web browser was Internet Explorer, followed closely by FireFox.
  • The most vulnerable operating system was Windows.

Event Classification

This summary is based on major cyber events pertinent to the financial sector, as published in the various reports we issued throughout the year. The analysis is based on data from over 40 cyber events.

The majority of incidents reported are specifically relevant to the financial sector, but also include a category for general threats to Israeli websites, mainly from political threat elements. This classification is evident in the graph below, with the leading threats being financial, data loss, defacement and DDoS.

Classification

Timeline of Events 2013

Timeline

Classification of the Sale of Attack Tools on the Underground

The summary was based on all malware/exploit sales for the past year that appeared on underground forums, mainly Russian forums, monitored by us – more than 40 in total. The majority of tools for sale are bots, followed by exploits or exploit kits. Trojan horses are also offered for sale, but less frequently.

Underground