Ransomware groups love hospitals for the same reason everybody needs them. Healthcare is crucially important. Good thing the attackers are often lazy.
Cyberattacks against hospitals have reached epidemic levels. According to Tenable's 2021 Threat Landscape Retrospective, close to half of the hospitals in the United States were shut down by ransomware attacks, either directly as a result of an attack or because they proactively took their networks offline to prevent further infection.
So far, ransomware groups have focused on stealing and encrypting data. However, every modern hospital depends on dozens of interconnected devices. Worryingly, most smart devices are hackable. The stakes, however, are a lot higher if a human life depends on the target running smoothly.
There's a small step from holding hospitals hostage to taking on the patients themselves. Not that ransomware attacks haven't caused fatalities already.
While the stakes are high, no healthcare institution should resort to using pen and paper, thinks Bernard Montel, Technical Director for Europe, the Middle East, and Africa at Tenable.
"Adversaries are just using the simplest attack path. Bad guys are lazy. They don't want to do a lot of work. And if they see a wall that's hard to climb, they don't want to climb it," Montel told CyberNews.
According to Montel, even though hospitals were not designed to brawl with cybercriminals, adopting tactics similar to those used in emergency rooms could help deter attackers.
Do you see ransomware groups deploying healthcare-specific malware or using any other specific technical measures?
There is no real dedicated technology or a specific set of vulnerabilities that are unique to hospitals. Healthcare organizations, however, have operational technology (OT) and Internet of Things (IoT) devices.
It's a combination of the classical IT on the admin of the hospital and some embedded devices they don't have any control over, like sensors.
We can link hospitals and industrial companies. For example, Conti malware is one of the ransomware groups that target mainly those kinds of organizations. But there is not a specific one for hospitals. Cybercriminals are using the same malware to target OT and IT systems.
Hospitals, however, differ from everyday service providers. Which hospital systems are most vulnerable to attacks?
Hospitals, much like industrial companies, use embedded devices. Medical suppliers provide those devices. For example, pacemakers or other bedside devices that are used to monitor and treat heart conditions. I know from experience that some of the equipment is still running on Windows 7 or Windows 8.
I mean, sure, we can blame them, but their primary concern is regulations validating that the device they are providing is in line with what it is supposed to do from a medical perspective. Suppliers might use very old databases and old technology, and it might have never come to mind that these devices will pose a cyber threat. It's very recent that hospitals started to ask questions like what kind of certificates suppliers are using to encrypt data.
That is one of the main issues we have in hospitals. Industrial companies are suffering the same way. They often use legacy software that has vulnerabilities. And I think adversaries are just using the simplest attack path.
Bad guys are lazy. They don't want to do a lot of work. And if they see a wall that's hard to climb, they don't want to climb it. That's the situation with embedded devices that are not connected to the IT system.
Do you think threat actors could use hospital equipment to start an attack?
This is one of the scenarios for sure. Threat actors could just enter a hospital, make a Wi-Fi scan, and look for IP addresses. Some of them are connected to IT, some of them are not. There are still some that have VLAN or firewalls.
I'm not saying that hospitals have no security at all. But suppose cybercriminals find a vulnerability that exists for a while on a specific device. In that case, they will use it for penetration, and potentially, they will be able to judge what they want to do.
Another vital element is Active Directory (AD). It's a corporate technology that is deployed in the majority of organizations. It is also deployed in hospitals. And all of the ransomware operators today are trying to target AD in their process.
Once criminals get their way into a system, they ultimately want to steal and encrypt data. To do that, threat actors need to have what we are calling AD dominance. They need to be inside the process, not only the network. They're always targeting AD because they know they will find the accounts with access to sensitive data.
Hospitals don't have any security best practices for that piece of software. This software is just linked to store accounts that the staff uses. That's one of the elements which is a weakness in the complete picture. We all think about entry points, but what threat actors do after is super important.
"Hospitals were not designed to fight cyber threats. They are here to save lives." - Bernard Montel, Technical Director for Europe, the Middle East, and Africa at Tenable
Ransomware attacks and cyber safety are not new concepts. Why aren't hospitals better prepared?
Hospitals were not designed to fight cyber threats. They are here to save lives. However, the last two years made them realize something had to change. At least here in France, the government has also helped because it has launched more security regulations that healthcare organizations have to put in place.
That doesn't mean that if you are compliant, you are secure. You still have to have a focus on monitoring and understanding the threat. If you see a wave of hospital attacks in the US or anywhere else on the planet, you obviously have to increase your risk level.
Could a hospital device be used to harm patients?
A team of researchers has already successfully compromised an insulin pump. There is a proof of concept. Today, we don't have evidence that anyone has used that as an exploit. So yes, find any connected device in a very sensitive place, and it could be considered a potential liability.
These threats are pretty new. However, hospitals have started to ask medical vendors about penetration testing and what software the machines use. I think the situation is changing because medical providers and hospitals have begun communicating about levels of security.
The government has also launched regulations to force healthcare organizations to develop capabilities to monitor their security posture. And then, if they know where they are with a risk-based approach, they can then react appropriately. You know they won't be able to close everything, patch everything, and disconnect everything.
At the end of the day, hospitals need to make patients happy. It's impossible to go back to using pen and paper, nor should we. This is the worst scenario. As security practitioners, we need to help them with business continuity. That's one of the challenges we currently face with healthcare.
How can hospitals protect against cyber threats? Should they contact every single equipment vendor to find every single vulnerability in every single device?
They shouldn't do that day one. It's almost impossible. Firstly, they should have a risk approach, like they do with emergency rescue. The CIO should apply the same, determining what is risky. They cannot patch everything since they won't close all the doors unless they disconnect entirely. And that's not an option.
I mean, this is an option when you are down, but that's a nightmare scenario. By having a risk approach, you identify your attacks or their phase.
Ransomware gangs are targeting essential systems. So we have to be able to have the same level of approach. Cybercriminals always take the easy way. If the wall protecting your system is hard to penetrate, they will go away.
They will try exploiting an old vulnerability first, one that has been here for a while and not patched. If threat actors can't immediately enter your system, they will find a different target. Cybercriminals don't care. They are lazy, and they don't want to spend much time. Their main goal is fast money.