Cybersecurity is a major risk that impacts all critical industries. The healthcare sector is known to be a top target for cyberattacks. As an example, the Health Sector Cybersecurity Coordination Center’s (HC3) recent threat brief outlines a history of Russian attacks on US healthcare entities. The US government, through the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), has called for a Shields Up effort for private sector and critical infrastructure to lock their digital doors. Echoing the Biden-Harris Administration, HC3 and the Health-ISAC released a statement warning the healthcare sector to take the Administration’s advice.
Healthcare organizations can ensure they have their Shields Up by establishing a live view into their organization’s overall security posture and controls including their ‘crown jewel’ assets and component security and status. This can be facilitated through cyber supply chain risk management sharing of asset, vendor, and component security control information and machine-readable data like a Software Bill of Materials (SBOM) and components’ exploitability status through a Vulnerability Exploitability eXchange (VEX). Mitigation efforts can be quickly prioritized when this data is combined with an attack framework and vulnerability data such as MITRE’s ATT&CK data and the National Vulnerability Database (NVD).
What can be learned from past healthcare attacks?
HC3 has listed many attacks attributed to threat actors such as the Conti ransomware group. This group has ties to Russia and has been responsible for up to 300 cyberattacks against US-based organizations, at least 16 of them against US healthcare organizations. HC3 has attributed other major attacks to Russian-linked actors, including NotPetya, FIN12, and Ryuk. In addition, two new forms of disk-wiping malware were identified in attacks on Ukrainian organizations shortly before Russia’s invasion, and these pose an increased threat to the healthcare sector. Attack information can be readily gathered from organizations like CISA or MITRE. What these attacks show is that the lines between enterprise and operational environments, and between Information Technology (IT) and Operational Technology (OT) assets, are increasingly blurred. Equipment and software often cross these environments, especially at lower architectural levels, for example the many software libraries shared across applications. This includes the Windows operating system, which is widely used in every sector and in all parts of IT and OT. Considering past attacks, the healthcare sector needs to ensure it is not focused solely on IT, and instead gives equal consideration to OT network and asset protection.
What can be done to mitigate risk of future threats and attacks?
What does a call to action to mitigate risk, or to keep Shields Up, mean for the healthcare sector? The simple answer is to patch critical vulnerabilities, but that may not be practical given the sheer number of attacks and new vulnerabilities discovered every day. For example, in the case of the Log4j exploit, many organizations did not realize their systems were running the vulnerable library, because it was hidden as a dependency of another component in their systems. Any effective incident response requires accurate and up-to-date information on what is running in your environment.
What if you want to learn about the security controls built into your ‘crown jewel’ assets? Consider the ISA/IEC 62443 series of standards, which are the leading standards for the industrial sector. It is worth noting that most of the dangerous exploits cluster around a few technical requirements referenced in the ISA/IEC 62443 3-3, 4-1 and 4-2 standards, focused on input validation, data confidentiality, use control, and software development. This does not diminish other areas of security, as exploit chains often rely on attacking internet-facing services or gaining access to peripheral systems through social engineering of users, such as phishing.
Knowing which built-in security controls are prioritized against the threats and design flaws that span various systems, such as input validation, is of great help to a CISO and security leadership team, enabling them to focus on what matters most. This information is vital for addressing future threats, especially when combined with assets’ Bills of Materials and VEX information.
It is increasingly important to leverage public resources from CISA and MITRE to identify attacks and the associated threat actor ‘playbooks’ and their Tactics, Techniques and Procedures (TTPs), so that we can anticipate attacks likely to be deployed against IT and OT infrastructure.
By comparing the attacks and TTPs used by various threat groups, we can find commonalities and prioritize the subset of defensive asset requirements that really matters. Identifying these controls early, while maintaining an up-to-date picture of current assets via Bills of Materials and VEX information, gives a CISO a single pane of glass view and a ‘sleep well’ outcome.
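The approach described above, combining an SBOM, VEX exploitability statements, vulnerability data and threat-group TTP overlap to rank what to fix first, as an added illustration that is not code from the original article. All data is constructed: component names and versions, the CVE-EXAMPLE placeholders, CVSS scores, the CVE-to-technique mapping and the group TTP sets are assumptions, not real vulnerability records.

```python
"""Added example (not from the original article): join a minimal SBOM with VEX
statements and technique-tagged vulnerability data, then rank fixes by how many
threat groups share the technique and by severity. All data is constructed."""
from collections import Counter

# Constructed SBOM (CycloneDX-style component list). Transitive dependencies are
# included, which is how a hidden Log4j copy becomes visible to the inventory.
SBOM = [
    {"name": "patient-portal", "version": "3.1.0"},
    {"name": "log4j-core", "version": "2.14.1"},   # pulled in transitively
    {"name": "openssl", "version": "1.1.1k"},
    {"name": "sqlite", "version": "3.36.0"},
]

# Constructed NVD-like feed; each entry is tagged with the ATT&CK technique an
# exploit of it would map to. CVE ids, CVSS scores and mappings are placeholders.
VULNS = [
    {"cve": "CVE-EXAMPLE-0001", "component": "log4j-core", "cvss": 10.0, "technique": "T1190"},
    {"cve": "CVE-EXAMPLE-0002", "component": "openssl", "cvss": 7.5, "technique": "T1557"},
    {"cve": "CVE-EXAMPLE-0003", "component": "sqlite", "cvss": 5.3, "technique": "T1499"},
]

# Constructed VEX statements: the supplier says the sqlite issue is not
# exploitable in this product, so it drops out of the patch queue.
VEX = {"CVE-EXAMPLE-0003": "not_affected"}

# Constructed threat-group TTP sets (ATT&CK technique ids) for overlap analysis.
GROUP_TTPS = {
    "group-A": {"T1190", "T1486", "T1078"},
    "group-B": {"T1190", "T1486", "T1557"},
    "group-C": {"T1190", "T1566", "T1078"},
}


def shared_techniques(groups):
    """Count how many groups use each technique; shared ones rank highest."""
    return Counter(t for ttps in groups.values() for t in ttps)


def prioritize(sbom, vulns, vex, groups):
    """Return (cve, component, groups_using_technique, cvss) for vulnerabilities
    that hit a component in the SBOM and are not marked not_affected in VEX,
    sorted by group overlap and then CVSS, highest first."""
    present = {c["name"] for c in sbom}
    overlap = shared_techniques(groups)
    ranked = [
        (v["cve"], v["component"], overlap[v["technique"]], v["cvss"])
        for v in vulns
        if v["component"] in present and vex.get(v["cve"]) != "not_affected"
    ]
    return sorted(ranked, key=lambda r: (r[2], r[3]), reverse=True)


if __name__ == "__main__":
    for row in prioritize(SBOM, VULNS, VEX, GROUP_TTPS):
        print(row)
```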
Example attacks include the Conti Group’s ransomware, WannaCry and the ‘wiper’ NotPetya, as well as the CVEs listed by the US Department of Health and Human Services (HHS) in its report on APT and Cybercriminal Targeting of the Health Sector. These have all been of concern to companies within the industrial sector and have been used against healthcare organizations.