In the wake of the COVID-19 pandemic and the continuous surge of new variants, the preciousness and preservation of human life is at the forefront of what we think about daily. In 2020, three of the top 10 most searched terms were, unsurprisingly, healthcare-related. (Coronavirus, coronavirus update, coronavirus symptoms.) We’ve never been so attuned to what’s happening in our healthcare systems and hospitals.
And unfortunately, the same goes for hackers.
With a slew of fresh ransomware attacks in healthcare, organizations are turning a critical eye to their cybersecurity hygiene and their ability to detect and prevent attacks. During the recent AttackIQ Purple Hats Conference, AttackIQ CMO Julie O’Brien spoke with Ted Harrington, ethical hacker and author of the book Hackable: How to Do Application Security Right, and Paul Haywood, Chief Security Officer at Bupa, to get their thoughts on the current state of cybersecurity in healthcare—and what organizations should be prepared for next.
We’ve been hearing a lot lately about what happened at Scripps, the New Zealand health system, and even the Irish health system just recently. To kick off, I’d like to know: why is the healthcare industry facing so many attacks right now?
Ted Harrington: It’s going to sound a little twisted to say it this way, but I think the reason that we’re seeing such prevalence of ransomware in healthcare is because it’s a match made in heaven from an attacker’s standpoint. Many healthcare organizations don’t have enough budget for their security programs. They don’t have enough people. There’s not enough buy-in from the leadership level regarding what the security mission needs to be. And they absolutely, without exception, need 100% uptime in order to be able to treat patients. Attackers look at this and say, “I have a tool here that could prevent uptime in addition to taking advantage of all of those vulnerabilities I know exist in this industry.”
And the solution is to pay a ransom. It’s a strategy that’s unfortunately working; hospitals are consistently paying these ransoms, so new attackers pile on and try the same thing.
Paul Haywood: I agree. Privacy has become a huge topic here as well for a lot of jurisdictions and regulators. Medical data, personal information—it’s all rife in hospitals, so there’s a lot of monetization that can be achieved just from the collection of that data alone. Additionally, in a medical setting you have a lot of operational technology and medical devices. Historically, those medical devices are expensive, hard to maintain, hard to secure, and have their own complexities—beyond the complexity you might have on a PC or a Mac. Securing that environment is tough.
As we all know, the CEO of Colonial Pipeline paid hackers $4.4 million in ransom—partly because executives weren’t sure how far the attack went into the systems, or how long it would take for the pipeline to come back online. From your perspective, what’s the difference between ransomware in a pipeline environment versus a medical environment?
Ted Harrington: They actually share some similar traits. The reason that ransomware is so effective on something like a pipeline is the same reason it’s effective on a hospital: because you need uptime. Once Colonial Pipeline understood they were under attack, they made the decision to take the whole system offline themselves—which is actually a pretty brave decision. They tried to quarantine the issue.
Paul Haywood: Most organizations now will have a playbook to handle ransomware in some way. There’s a risk-based decision that businesses need to make regarding how they will handle an attack. It’s unfortunate, but these ransomware attacks are becoming more and more commonplace, so we shouldn’t be surprised when organizations might take those extreme measures to protect their business, supply chains, and customers.
Ted, talk a bit about the discrepancy between HIPAA and patient safety, even with a fully compliant system.
Ted Harrington: We had this big piece of research that we did a few years ago. One element in that research had to do with active vs. passive medical devices. An active medical device does something to the patient physically; for example, a pacemaker manipulates your heartbeat. It’s pretty clear to see how, if you attack that, it could hurt the patient.
But a passive medical device, like a bedside monitor that reports on your O2 levels, heartbeat, etc., isn’t doing anything to the patient; it’s merely providing readouts. This type of device is out of the scope of HIPAA. And when we were looking at the particular device or set of devices in this study, we found that an attacker could actually bypass authentication, access the data stream, then issue commands to the device, making the device behave however they wanted it to. In doing this, attackers could trigger false alarms—say, that the patient is having a cardiac event—sending nurses, doctors, and other staff to the patient’s room, and that could lead to administering something like electric paddles to a patient who doesn’t need it.
But what’s potentially much scarier is that the attacker could actually disable legitimate alarms for patients that need care. This attack sequence isn’t all that sophisticated for moderately to highly skilled hackers. And no amount of investment in HIPAA or anything trying to protect privacy would have even touched that particular attack sequence.
What do you see the role of regulation and legislation playing in ransomware?
Ted Harrington: I know people are talking about whether we should make it illegal to pay ransom, and that feels a little heavy-handed to me. But hopefully something will land that kickstarts people as a catalyst, without the notion that we’ve solved everything because now we have this legislative piece that exists.
Paul Haywood: I think that depends where in the world you are as well. One of the jurisdictions in Bupa has categorically said they’ll abide by the law in their land. The law for them is that you do not pay for any sort of terrorist activity. So you start to wonder whether or not there’s enough legislation already existing. It feels like there probably is, but it’s not joined up and equivalent around the globe. Perhaps the regulators and legislators becoming more consistent will help us all.
Ted Harrington: We have to keep in mind that security is a borderless issue. It really doesn’t have to do with sovereignty of any one nation over another. In fact, most attacks come from across national borders. One thing that most groups of attackers are really good at is finding the discrepancies that might exist, whether that’s in a particular technology or in the way that one country or another operates, and using that in their pursuit of their different attacks.
Paul Haywood: Adversaries, along with understanding the different jurisdictional boundaries, also understand that different companies are going to have a different risk appetite and a different propensity to pay.
There was an article in the Wall Street Journal recently around how the ransomware boom is forcing more companies to cut deals with criminals. And the wave of hacks that we’ve seen has created this cottage industry of negotiators who broker payouts. As a follow on to this conversation that we’re having, what is the trustworthiness of a ransom working?
Paul Haywood: There are now, essentially, “credit rating agencies” for some of the ransomware gangs. You’re seeing these intermediaries effectively ranking the ransomware gangs in terms of trustworthiness or creditworthiness—the likelihood attacked organizations will pay them—which I guess is the reality, that ransomware has now become a commercial business, oddly.
Ted Harrington: I shouldn’t be smiling and laughing at this, but it’s so absurd that this condition exists with a rankings system. It reveals a really interesting point: a lot of people think of a malicious attacker as a guy in a hoodie in a dark room with the green terminal. But in actuality, this is a person like you or me, with bills to pay. And maybe they check the ethics of what they’re doing at the door; maybe the ethical norms are different where they are.
One way organizations are getting ahead of and anticipating adversarial behavior is through breach and attack simulation (BAS) and security control validation. What are your perspectives on these technologies?
Paul Haywood: I think we need to get used to the threat landscape changing rapidly—hourly, even. And for me it’s really about understanding the landscape, and the efficacy of the controls that we have in our landscape, and then “rehearsing” the playbook in terms of what we do in certain threat scenarios.
I concentrate on a few questions when it comes to the efficacy of our controls: How do we validate that our controls are working? How do we use the toolings of red teams, blue teams, purple teams, to get to the point of understanding what we should be concerned about? And when I look at ransomware and new variants, I’m thinking, “How quickly can I validate that my controls and my environment can detect and handle the new variants?”
My own SLA for my team is to prove to me within a 12- or 24-hour period that we have good, effective controls in place to defend against a new variant of ransomware.
Ted Harrington: I have so much empathy for the difficulties that CISOs live in. You’re straddling this line between needing to execute on the technical mission, but communicate it in terms of it being a business challenge. And oftentimes, when communicating it to the business, the business is like, “Isn’t this just computers? Why are we spending money on this? Just make it work.”
I see a real deficiency in the way that most companies approach investing in their security program. One of the things that I’ve worked with our team to try to actually quantify is how effort translates into vulnerabilities discovered, which then translates into vulnerabilities remediated. And then work backwards from there to say, “Hey, here’s a way we can actually connect a dollar amount to an improvement in the overall security of the system.”
Paul Haywood: I look at BAS as validation of my controls, and also a way to show me where I need to spend more money, or where I’ve spent enough on controls that are or are not working effectively, continuously. I’ve pushed my team to start running automated testing on a daily basis across the organization. Using real-world scenarios and TTPs, we can prove to ourselves that our controls are good. That’s how I can demonstrate to the board that we are doing all we can to protect our data and our business.
Let’s wrap up with the big, million dollar (literally) question: should healthcare systems pay ransom, if attacked?
Ted Harrington: There are two ways to answer that question, and they’re in conflict with each other. If we were in an ethics or philosophy class right now, the answer would clearly be no. Paying the ransom incentivizes more ransomware attacks and fosters this behavior to continue. But the other way to answer is by looking at who would be hurt: if I need to serve patients or get gasoline out to people or whatever the case may be—then the hypothetical scenario goes away and I need to focus on what I do for this organization right now, in this moment.
Paul Haywood: It truly does depend on the scenario. The primary concern in healthcare is protecting human life. So, I think it becomes a risk-based conversation, but you’ve got to understand the risk profile that your business is prepared to take on. The focus is on how well you’re set up to detect, contain, and recover.
Ted Harrington: Yes, the solution is less about whether we pay ransom or not, and more about how we prevent, detect, and respond to it in ways that are more effective. It’s a call for innovation.
To watch more videos on everything from operationalizing MITRE ATT&CK to purple teaming to details on today’s threat landscape, see our Purple Hats YouTube playlist.