The healthcare industry is not immune to the unrealistic focus on zero days and novel attacks that plagues enterprises in other critical industries. While research into the exploitation of insulin pumps, pacemakers, and other connected medical devices generates attention-grabbing headlines, the reality for CISOs at healthcare delivery organizations (HDOs) and other providers is much more conventional.
According to Mandiant Chief Technology Officer Charles Carmakal, the majority of incidents his teams respond to are profit-motivated extortion attempts that involve not only ransomware but also data theft, victim-shaming and harassment. Carmakal said that state actors, who are much more likely to use zero-day vulnerabilities and exploits, are carrying out stealthy, targeted attacks against healthcare-related research facilities, while the majority of attacks against hospitals and other HDOs are far more opportunistic.
“There’s a lot of really good research out there and I hope the research helps organizations developing these technologies to do it in a more secure way,” Carmakal said during this episode of the Nexus podcast. “The good news is that we are not seeing real-world attacks in terms of threat actors manipulating insulin pumps or destroying pacemakers in such a way that it directly impacts lives. It certainly may be happening, just that my teams are not getting called in to those events. I hope it isn’t happening and never comes mainstream.”
What HDOs are dealing with, Carmakal said, are “multifaceted extortion” attempts. Criminal outfits send thousands of phishing emails hoping to entice recipients to open attachments and launch payloads on critical systems. They also scan for vulnerable internet-facing systems and exploit those to gain a foothold. Once an attacker has access to a good number of compromised systems, Carmakal explained, they may narrow their focus to organizations in industries that are more willing to meet a ransom demand. Further operations then steal data, deploy ransomware, and threaten to leak patient data or intellectual property in order to coerce victims into paying.
Targeted attacks, meanwhile, are happening against research facilities where, for example, vaccines are being developed (this was prevalent during the development of COVID-19 vaccines), and against biotech or pharmaceutical companies developing new drugs or treatments. Carmakal said state actors are tasked by their governments to target particular organizations or projects, maintain persistence, and steal data.
Carmakal also spoke of dwell time, the period from when an intrusion begins to when the victim discovers the breach or is notified of it, often by a third party such as a researcher or law enforcement. While median dwell time has fallen from a year or longer to a matter of weeks, it remains a significant problem, in particular for healthcare organizations, where reliability, availability, and public safety are essential to adequate patient care.
Carmakal advises healthcare organizations to invest in red-team exercises against their operational environments. Red-teaming is a security assessment in which a team playing the role of adversaries attempts to gain access to critical networks, systems, and data in order to test an enterprise’s detection and resilience capabilities.
“Red-teamers do a really good job of finding real-world issues that need to be fixed. You can’t argue the findings of a red team,” Carmakal said. “A red team is going to show you they got access to whatever it is they got access to. So you just have a prioritized road map of things that need to be fixed. You’d rather the good guys identify these security vulnerabilities than the bad actors.”
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.