Compromised patient data sets off a new health care crisis

Deception technology helps stop cyber thieves who see high value in medical records and systems


The ransomware attack on health care company MedStar last week takes the wave of such assaults on hospitals to another level.

MedStar, which operates 10 hospitals and other facilities in the Baltimore-Washington, D.C., region, is reeling from an attack that disrupted access to crucial network systems. Earlier ransomware attacks that made news headlines were conducted against single institutions: Methodist Hospital in Henderson, Kentucky, Canada’s Ottawa Hospital, and Hollywood Presbyterian Hospital in Los Angeles.


Clearly, such attacks against health care organizations are becoming common, posing a very serious public health and safety issue that won’t soon go away. The drivers of this trend are outlined in TrapX Security’s recent “Medjack” report, “Anatomy of Attack: Medical Device Hijack.”

The report highlights a sharp increase in health care data that is being targeted and compromised for nefarious purposes. Critical health care systems, including picture archive communications systems (PACS), blood gas analyzers and X-ray systems, are being infected with malware capable of holding patient health care data hostage.

Medical records a treasure trove of info

The uptick of such attacks against health care organizations makes sense from an economic perspective. Medical records have 10 to 20 times the value of credit card data because a person’s entire identity can be reconstructed from the information. Credit cards, on the other hand, can be easily canceled and replaced.

In the case of the Ottawa hospital, malware encrypted four computers in the network, rendering them inaccessible. It’s likely this malware was embedded via spear phishing. Spear phishing is a targeted cyber attack, usually via email, against an institution and is designed to support the theft of data or diversion of funds. In a spear phishing attack, hackers send a well-crafted email to targeted employees designed to trick the recipient into clicking on a malicious link or downloading a malicious attachment.

Kentucky Methodist Hospital’s computers apparently were hit by the so-called “Locky” malware, which arrived as an attachment in a spam email and then attempted to spread across the network. Methodist Hospital placed a scrolling red alert on its homepage stating, “Methodist Hospital is currently working in an Internal State of Emergency due to a Computer Virus that has limited our use of electronic Web-based services.”

Cyber thieves hold data hostage

The hackers who locked up the MedStar network actually offered the hospital chain a bulk discount to release all disrupted machines. The Baltimore Sun reported that the criminals asked for three bitcoins, worth about $1,250, for the digital key to unlock a single infected computer, or 45 bitcoins, about $18,500, for keys to all of them.

TrapX research shows that attacks are becoming increasingly common. Attackers gain access to the network via an employee’s compromised system, which allows them to move about the network undetected, often for months at a time, while they search for valuable confidential data or install malicious software.

Ransomware, which freezes hospital data, generally provides a quick but small return for attackers. Theft of hospital patient data provides a potentially much larger return and can happen quietly over a period of months.

We expect the pace at which these attacks are discovered to accelerate over the coming months as more hospital networks fall prey to attackers already within their networks today.

Fighting back with technology

Deception technology involves the use of decoys and lures to expose, divert and confuse cyber adversaries at various phases of their attack. Enticing fake IT assets or decoys are interspersed among real IT assets. Data lures, including false login credentials, are placed within real IT assets.

This powerful combination reduces time to breach detection, authoritatively identifies attackers within networks, and enables security operations center teams to aggressively defend the enterprise. It can be used by health care organizations to identify and block these types of attacks in real time before any damage can be done.

TrapX technology enables organizations to deploy traps to attract and deceive attackers while they are moving within a network and, ultimately, prevents them from disrupting network operations or exfiltrating sensitive data.
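
The decoy-and-lure detection idea described above, as an added sketch that is not TrapX's product code or part of the original article: it scans authentication events and groups every deception hit by source machine. The decoy addresses, lure account names and log format are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed deception inventory (assumptions, not taken from the article).
DECOY_HOSTS = {ipaddress.ip_address("10.20.0.50"),   # fake PACS server
               ipaddress.ip_address("10.20.0.51")}   # fake file share
LURE_ACCOUNTS = {"svc_pacs_backup", "radiology_admin2"}  # never issued to a real user

# Constructed log lines, format: timestamp src dst user result
SAMPLE_LOG = """\
2024-01-01T09:12:01 10.20.3.17 10.20.1.10 jsmith success
2024-01-01T09:14:22 10.20.3.44 10.20.0.50 jdoe failure
2024-01-01T09:14:40 10.20.3.44 10.20.1.12 svc_pacs_backup failure
2024-01-01T09:15:03 10.20.3.44 10.20.0.51 SVC_PACS_BACKUP failure
2024-01-01T09:20:11 10.20.3.90 10.20.1.10 mlee failure
truncated line
"""

def parse(line):
    """Return (ts, src, dst, user) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, user, _result = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), user.lower()
    except ValueError:
        return None

def find_alerts(log_text):
    """Return {source_ip: [(timestamp, reason), ...]} for every deception hit."""
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        event = parse(line)
        if event is None:
            continue  # skip malformed lines instead of crashing the scan
        ts, src, dst, user = event
        # No legitimate workflow touches a decoy, so any contact is an alert.
        if dst in DECOY_HOSTS:
            alerts[str(src)].append((ts, f"touched decoy host {dst}"))
        # A lure credential alerts even if the login fails or the target is real.
        if user in LURE_ACCOUNTS:
            alerts[str(src)].append((ts, f"used lure account {user} against {dst}"))
    return dict(alerts)

if __name__ == "__main__":
    for src, hits in find_alerts(SAMPLE_LOG).items():
        print(src, hits)
```

Ordinary failed logins, such as the one from 10.20.3.90, raise nothing; only contact with the planted assets does, which is why these alerts carry so few false positives.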
