Healthcare facilities around the world are under overwhelming pressure right now as the COVID-19 pandemic is straining every facet of their organizations. Adding to this challenge is the fact that criminal organizations are showing no signs of letting up. INTERPOL warned that cybercriminals are increasingly attempting to ‘lockout hospitals out of critical systems by attempting to deploy ransomware on their networks despite the ongoing COVID-19 outbreak.”
With this in mind, VMRay’s CEO and co-founder Carsten Willems thought it would be instructive to sit down with Dr. Tilman Frosch, Managing Director of G DATA Advanced Analytics, a long-time VMRay partner who has extensive first-hand experience working with a variety of European-based healthcare and hospital customers in the ongoing fight against malware and cyber-attacks.
In this condensed interview, Carsten and Tilman discuss the vital role that rapid incident response plays in keeping hospitals online throughout a crisis, what previous ransomware attacks on hospitals and healthcare providers can teach us about preventing and responding to future ones, and shares some of the learnings and best practices drawn from his years of experience protecting critical infrastructure.
Carsten Willems (CW): How do you think the Coronavirus pandemic is changing the way countries around the world are thinking about hospitals as critical infrastructure?
Tilman Frosch (TF): It’s hardly an exaggeration to say that IT systems save peoples’ lives and the current pandemic crisis is demonstrating why hospitals – and the various systems that connect patients to healthcare workers – deserve the designation of critical infrastructure.
Unfortunately, I’ve rarely seen a hospital that was not under-equipped in terms of infrastructure as well as the skilled personnel required to properly manage it. During normal times, a systems outage can have serious implications to patient care. In our current situation however, the same type of outage would obviously be disastrous on any number of levels.
Were a ransomware attack to take down an entire hospital network during this current crisis, you can imagine the domino effect that would take place. We’ve seen hospitals reverting back to paper and pens when their network went offline. This is good, to the extent that they could actually still work, but which of course impaired the quality of care provided given that doctors and nurses require real-time data about their patients’ medical history, pre-existing conditions, medication details, etc. I think most countries realize all of this but perhaps now there will be more urgency to better equip and fund hospital and healthcare IT infrastructure budgets.
CW: What are some of the tactics have you seen threat actors adopt to penetrate hospital networks?
TF: Similar to what we’ve seen in other industries, we are seeing attackers taking a more targeted approach and compromising these networks with valid credentials, exploiting open remote desktop protocols, or in some cases brute force attacks. We’ve also seen more commodity malware attacks, with say everyone’s current favorite combination, Emotet Trickbot which are basically today’s information stealers. With Trickbot, you have a pretty well-established presence because you have passwords from browser caches along with browsing history, which can basically be translated into a complete mapping of an internal network, which they can either monetize by selling off the data or use that intelligence to plan future attacks.
CW: The ransomware attacks on Lukas Hospital Neuss and others in 2016 were something of a wakeup call to the healthcare industry. What steps have hospitals taken since then to prevent future ransomware attacks from happening?
TF: As we’ve seen with the current pandemic, the faster you can detect and isolate a threat, the quicker you can limit its damage. In those attacks, the hospitals needed to literally shut down the entire network to be able to contain the ransomware’s impact before it could spread laterally and infect more connected systems.
While this was the right thing for them to do, the consequences were significant as they had to treat patients without easy access to critical contextual medical data. Since this time, some hospitals have taken some important first steps towards building more resiliency into their IT infrastructure. This should include adopting network segmentation capabilities to limit the spread of malware, which also helps them meet compliance with data privacy regulations, though in practice this is often overlooked.
CW: Speaking of compliance, obviously hospitals and healthcare facilities must also contend with a fast-changing regulatory environment, whether they’re based here in the EU or the US. In your opinion, do these compliance mandates create more of a security burden or do you think they are actually helpful as it relates to improving a healthcare organization’s overall security posture?
TF: I think the best thing I’ve heard about compliance is that compliance is very useful in case your company is attacked by auditors. However, in the context of critical infrastructure, these rigid compliance requirements actually do help to argue security up the chain of command and make it a boardroom priority.
Security should be considered an essential service, in the same way as basic utilities such as water and electricity. Today’s compliance requirements puts cybersecurity into the same category because you really can’t operate without it. And if you fulfill these compliance requirements, that can go a long way towards improving your security posture, if you do it right. While it doesn’t render it perfect, it does provide a very solid foundation.
Will meeting compliance requirements prevent attacks? It will probably help protect against some of the lower level, non-targeted types of attacks. However, compliance alone won’t keep a threat actor who has intentionally set their sights on a specific target from successfully breaching a network. Rather it is part of the hardening process that provides a framework to allow an organization to improve their ability to detect and mitigate at attack.
CW: How might this current crisis help critical infrastructure providers such as hospitals better prepare for future crises?
TF: Of course, we as cybersecurity incident response practitioners borrow many of our methodologies from the healthcare field. Just as doctors apply the concept of ‘triage’ to prioritize patients in the ER, incident responders also must assign degrees of urgency to ensure critical systems remain operational. Similarly, in any incident response case, the quicker you can get access to reliable threat intelligence, the more effective you are going to be. This is why it’s so important for hospitals to ensure that they can maintain the integrity and continuity of patient data systems or else their ability to make the correct diagnosis or administer the right dosage of medication can be impacted.
The pushing and pulling of data between a hospital’s on-premise network to external cloud providers represents another challenge, both from an operational perspective as well as a security and compliance standpoint. For instance, some hospitals will use external long-term archiving solutions to store inactive data. In many contractual environments, pushing the data there is relatively cheap and easy – what you actually pay for is the speed of recovery. Which means that if they find themselves in a situation where they need to recover data from this type of long-term backup, it can take days or weeks, depending on the contract and the amount of data. So in the wake of a crisis, the doctors may lose all of this context as it relates to their patients. The more we can align IT with healthcare decision makers, the better prepared we will be to meet these types of challenges.
CW: Based on your experience and the current environment, what are some practical steps hospital IT leaders should take to harden their systems?
TF: I think the most effective thing they can do in the short-term would be to limit access to critical systems such as PACS (Picture Archiving and Communications Systems) and other privileged hospital information system. As mentioned before, most hospital IT departments are severely understaffed. While many of these groups have plans to implement proper network segmentation, firewalling, and actual security monitoring, they get so busy with their day to day activities that these types of long-term projects get perpetually put on the back burner. The first practical step, besides having plans, is to assign budget to hire more competent personnel, or to get a security service provider to implement and operate a meaningful security architecture with you, not just for you.