Anatomy of an Attack –
Healthcare under Siege
Contents
About Anatomy of an Attack
Executive Summary
Healthcare Under Siege
Inside the Healthcare Network
Case Study #1 – Hospital Laboratory - The Blood Gas Analyzer Pivot Attack
Case Study #2 – Hospital Radiology - The PACS Pivot Attack
Obfuscation of Malware in Healthcare Attacks
Conclusions
Recommendations
Introducing Deception Technology for Healthcare
DeceptionGrid – Breaking the Intrusion Chain
DeceptionGrid – Core Functionality
DeceptionGrid – Key Components
DeceptionGrid - Benefits and Value for Healthcare
About TrapX Security
Find Out More – Download a Free Trial
Find Out More – Contact Us Now
Trademarks
Special Supplement - Wireless Access Brings Risk to Patients
About Anatomy of an Attack
The Anatomy of an Attack (AOA) Series highlights the results of our research into
current or potential critical information security issues. The AOA series are
publications of TrapX Laboratories. The mission of TrapX Labs is to conduct critical
cybersecurity experimentation, analysis and investigation and to bring the benefits
back to the community at large through AOA publications and rapid ethical compliance
disclosures to manufacturers and related parties.
The TrapX Labs knowledge base benefits significantly from information on advanced
malware events shared with us by the TrapX Security Operations Center (TSOC).
Uniquely, this TSOC threat analysis includes very deep intelligence on advanced
persistent threats (APTs) and zero-day events.
Executive Summary
This anatomy of an attack (AOA) report shares our research into the state of cyber
security within the healthcare industry. The results of this research suggested the
title of this report - healthcare is truly in a state of siege. Attacker activities threaten
overall hospital operations and patient well-being. These attacks, although not always
sophisticated zero day events, represent a clear and grave threat to hospital
operations, the security of patient data and ultimately patient safety. Our team has
identified several attack vectors that could result in patient injury, or even death.
Our report does not identify the specific manufacturers of the compromised devices
which include PACS systems, multiple blood gas analyzers and more. At a later date
we will move forward to complete the distribution of an ethical disclosure. At that
time we will provide these ethical disclosures to the manufacturers for review and
comment, and then to the public at large.
As in other industries, the attackers in healthcare are funded by organized crime,
nation states or a variety of other “bad actors.” The great majority are clearly after
valuable healthcare data and economic gain. Health insurance credentials can have a
value twenty times that of a credit card on the hacker black market. These attackers
know that healthcare networks have more vulnerability and provide greater potential
rewards. They have already determined that these vulnerabilities are so extreme as to
make healthcare the easiest choice for their attack. We have concerns that there are
small but growing risks for these attacks to be used by terrorists or even nation states
to target a medical facility and their patients in times of war or national interest.
The TrapX Labs team refers to this attack vector as MEDJACK, or “medical device
hijack.” Medical devices have clearly become the key pivot points for the attackers
within healthcare networks. They are the most significant point of vulnerability in the
healthcare enterprise, the least protected area, and the hardest area to remediate
even when attacker compromise is identified. We will explain why medical devices are
primary pivot points, how the attacks happen, and once established, how the advanced
persistent threats can extend these command and control points to breach the
hospital’s records over an extended period of time.
The typical hospital is replete with internet-connected systems and medical devices.
These devices are also connected to the electronic medical records (EMR) systems that
are being deployed at a fast pace across physicians’ practices and hospitals due to
government incentives such as meaningful use.[1]

[1] http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Meaningful_Use.html
“We use the term MEDJACK, or medical device hijack, to frame
what we see as the attack vector of choice in healthcare.
Attackers know that medical devices on the network are the
easiest and most vulnerable points of entry. The MEDJACK is
designed to rapidly penetrate these devices, establish
command and control and then use these as pivot points to
hijack and exfiltrate data from across the healthcare
institution. MEDJACK also creates the potential for injury or
even death to patients whose care and support rely on malware
infected devices within the hospital.”
-Moshe Ben Simon, Co-Founder & VP, TrapX Security, General Manager
TrapX Labs
Primary research came from first-hand data from incidents within the TrapX security
operations center (TSOC). This included a detailed review of data and analysis
associated with ongoing, advanced persistent attacks in three (3) hospitals. These
attacks pivoted around medical devices which were installed within the hospital’s
hardwired networks.
Our primary mission has been to focus on malware that impacts government and
commercial enterprise where we can leverage our core deception technology. On a
global basis, some of our healthcare customers have expressed concern over the
potential for directed threats to patients delivered through wireless networks to their
internet of things medical devices. The U.S. Department of Homeland Security
(ICS-CERT)[2] has expressed some concern over the use of these wireless attack vectors to
potentially direct a terrorist attack against patients. Further, the ICS-CERT team
continues to investigate these capabilities on a regular basis and has issued a
considerable amount of guidance on this topic.[3]
Our team decided to do a survey of these devices to better understand the nature of
these attacks and the risk to our customers. We have issued a special supplement to
this report, where TrapX Labs and our research team took a broader look at those
medical devices used with ambulatory patients.
Finally, we do present our analysis and recommendations for minimizing the risk
associated with a MEDJACK attack and the best practices for design, implementation
and system life management of networked medical devices.

[2] https://ics-cert.us-cert.gov/
[3] http://www.computerworld.com/article/2837413/security0/dhs-investigates-24-potentially-deadly-cyber-flaws-in-medical-devices.html
Healthcare Under Siege
Healthcare is a massive market with annual expenditures that consume approximately
17.4 percent of the gross domestic product in the United States.[4] The ecosystem that
provides healthcare in the U.S. includes 893,851 physicians[5] spread across
approximately 230,187 practices, each of which may have more than one office. Integral
to the physicians’ practices and hospital operations are the 2,724,570 registered
nurses,[6] physician’s assistants and administrative staff that support them.
The infrastructure to support the delivery of their expertise is equally massive. There
are approximately 5,686 hospitals[7] that support this ecosystem directly, and then
closely related ecosystems that include many thousands of skilled nursing facilities,
ambulatory surgical centers, physical therapists and much more. And over 75% of
these physicians’ practices have electronic medical records (EMR/EHR) systems which
are all interconnected with the rest of the ecosystem.[8]
All of this presents a major target of opportunity for cyber attackers. Recent examples
include the 2014 breach of Community Health Services.[9] The attackers acquired
names, addresses, birth dates, telephone numbers and social security numbers from
4.5 million patients.[10] This attack, which occurred between April and June 2014,
compromised the company’s security measures and successfully copied and exfiltrated
data outside the company.
The healthcare information at Community Health Services was potentially protected by
a variety of laws. This data potentially included protection under the Health Insurance
Portability and Accountability Act (HIPAA), which is enforced, in part, as specified
by the HITECH Act. Healthcare data is also governed by laws that vary by state which
specify the protection of HIV/AIDS data. Finally, there are data breach laws, which
also vary by state, that might apply in the case of a breach such as Community’s.[11] All
of this creates significant expense and liability beyond the short-term ramifications of
the breach. Of course, the potential damage to each of the patients whose data was
stolen is also a key concern.
[4] http://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/NationalHealthExpendData/NationalHealthAccountsHistorical.html
[5] http://kff.org/other/state-indicator/total-active-physicians/
[6] http://kff.org/other/state-indicator/total-registered-nurses/
[7] http://www.aha.org/research/rc/stat-studies/fast-facts.shtml
[8] http://www.hhs.gov/news/press/2014pres/08/20140807a.html
[9] http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/
[10] http://www.usatoday.com/story/tech/2014/08/18/community-health-systems-hack-attack-45-million/14226421/
[11] http://www.dwt.com/statedatabreachstatutes/
Healthcare has always been a major target. As of March 30, 2015, the Identity Theft
Resource Center (ITRC) shows healthcare breach incidents as 32.7% of all listed
incidents nationwide. Per ITRC, for the first quarter of 2015, over 99,335,375 medical
records have been exposed and compromised in the United States alone.[12] Viewed in a
different context, Experian produced the 2015 Annual Data Breach Report, which lists
the “Persistent and Growing Threat of Healthcare Breaches” as a top trend for 2015.
Experian further notes that the potential cost of breaches for the healthcare industry
could be as much as $5.6 billion annually.[13]
All of this demand for healthcare data presents a compelling opportunity for organized
crime. Cybersecurity firm Dell SecureWorks notes that cyber criminals were getting
paid $20 to $40 for health insurance credentials, compared with $1 to $2 for U.S. credit
card numbers prior to the Target breach.[14] The Federal Bureau of Investigation (FBI)
issued a private industry notification (PIN) report in April 2014 that noted cyber-
attacks will increase against healthcare systems and medical devices due to lax
cybersecurity standards and a higher financial payout for medical records on the black
market.[15]
[12] http://www.idtheftcenter.org/images/breach/ITRCBreachStatsReportSummary2015.pdf
[13] http://www.experian.com/assets/data-breach/white-papers/2015-industry-forecast-experian.pdf
[14] http://www.secureworks.com/resources/blog/general-hackers-sell-health-insurance-credentials-bank-accounts-ssns-and-counterfeit-documents/
[15] https://info.publicintelligence.net/FBI-HealthCareCyberIntrusions.pdf
Inside the Healthcare Network
We do not know of standard cyber defense software available from third parties that
installs and operates on standalone medical devices. By definition, medical devices
are turnkey systems. They go through an FDA approval process[16] prior to commercial
release to make sure that the standards of manufacture and product performance
protect consumers and meet intended use. The purchaser or user of these systems
cannot install their local suites of cyber defense. The reasons may include lack of
visibility, through a console or otherwise, to the basic operating system access
required, lock-up of the internal environment by the original equipment manufacturer
(OEM) to prevent access, or explicit cautions by the medical device
manufacturer. In some cases we understand that the hospital is concerned about
liability brought on by accidentally affecting the correct operation of the device. The
effect of loading updates and/or additional software is never completely known or
understood.
The FDA understands the problem. FDA guidance makes it clear that updates and
patches to software to protect against viruses, worms and other threats are important,
and specifically that they do not have to review or certify these “patches or updates”, in
their guidance document for manufacturers on the cybersecurity of networked medical
devices.[17] The goal is that manufacturers must stay focused on developing and
maintaining adequate cyber defense capability in their medical device platforms. On
the other side of the situation, the hospitals are concerned and perhaps evaluating
ways to remediate specific situations without the manufacturer’s consent. This can
perhaps create more problems than it solves. The FDA has stated that they don’t
expect you to have the expertise of the manufacturer and provides direction to work
with them to deal with potential cybersecurity vulnerabilities.[18]
Hospitals have many departments and most must purchase a variety of highly
specialized, FDA-approved medical device equipment. This equipment has network
access and generally is believed to be within a “protected network.” The protection
afforded by the internal network generally includes a firewall, signature-based
protection such as anti-virus software, other endpoint and intrusion security and more.
To be blunt, there are very few diagnostic cyber security tools a hospital can use that
can identify malware resident on the overwhelming majority of these devices. In fact,
even when suspected, most hospital security teams have no idea how to get a memory
dump from these systems sufficient for analysis and malware diagnosis. These
devices are closed devices, running out-of-date, closed, oftentimes modified and likely
insecure operating systems such as Windows 2000, Windows XP or Linux. That’s why
the MEDJACK attack vector presents a highly vulnerable target to attackers on a global
basis. The defenders cannot easily get in to detect or remediate an attack. On the
other hand, the attackers have an open door.

[16] http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/DeviceApprovalsandClearances/
[17] http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm
[18] http://www.fda.gov/RegulatoryInformation/Guidances/ucm070634.htm
So, the strategy behind the MEDJACK attack vector becomes apparent very quickly.
The security gap that makes MEDJACK so appealing is that most of the information
technology cyber defense in the “protected network” cannot run on the medical
devices. Cyber defense can only run on the servers and workstations (personal
computers) around them. Once the attacker can get into the network and bypass
existing security, they have a time window to infect a medical device and establish a
backdoor within this protected (and safe) harbor.
Some of the more enterprising hospitals have likely tried to install cyber protection on
some of the devices. Most hospital teams, and certainly their administration in the
hospital, are generally cautioned (and concerned) about even the consideration of
loading a piece of software onto the medical devices. Any software beyond a patch or
update supplied by the manufacturer might negatively impact FDA approval. This
situation also has the potential to create additional liability for the hospital. It is a
small step to conceive of a scenario where the loading of additional software by the
hospital, unspecified by the medical device manufacturer, could impact performance or
accuracy negatively and result in patient injury.
“MEDJACK has brought the perfect storm to major healthcare
institutions globally. The health information technology team
is totally dependent on the manufacturers to build and maintain
security within the device. The medical devices themselves just
do not have the requisite software to have any chance of
detecting most of the software payloads delivered by MEDJACK
attack and cannot detect the command and control networks
once they are established. Finally, the standard cyber security
environment set up in the hospital, regardless of how effective
it might be, cannot access the internal software operations of
medical devices. For all of these reasons MEDJACK is very
difficult to detect and remediate.”
-Carl Wright, EVP & General Manager, TrapX Security
Compromised devices can include any medical device with internet connectivity. In our
three (3) case studies this included the picture archiving and communications system
(PACS) in one hospital’s radiology department, a medical x-ray scanner in another
hospital’s radiology department and several blood gas analyzers in a third hospital’s
laboratory in service to critical care and emergency services.
Note that even after our deception technology detects the MEDJACK within the devices,
remediation may still be difficult. Complex malware and persistent attacks often
require that cyber security experts have access to the internals of the device itself.
They must be able to access internal memory (they need to extract this in the form of a
memory dump for analysis). This access is to determine exactly the variant of malware
and to develop a plan for remediation in complex situations. This access to internal
memory may not be achieved without considerable support from the manufacturer. Of
course, standard support agreements between the hospital and the medical device
manufacturer pertain to product functionality, but not to infection by the hospital’s
networks and certainly not to remediation and repair in these circumstances.
“TrapX Labs strongly recommends that hospital staff review
and update their contracts with medical device suppliers. The
manufacturer must contractually commit to step up to whatever
cost is required to enhance the cyber defense in these devices.
They must include very specific language about the detection,
remediation and refurbishment of the medical devices sold to
the hospitals which are infected by malware. They must have a
documented test process to determine if they are infected, and
a documented standard process to remediate them when
malware and cyber attackers are using the devices.”
-Moshe Ben Simon, Co-Founder & VP, TrapX Security, General Manager
TrapX Labs
There are many other devices that present targets for MEDJACK. This includes
diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic
equipment (infusion pumps, medical lasers and LASIK surgical machines), and life
support equipment (heart - lung machines, medical ventilators, extracorporeal
membrane oxygenation machines and dialysis machines) and much more. Most of
these devices run standard Microsoft® Windows and the medical devices’ proprietary
internal software. All of this has been through stringent FDA approval and
certification.
Doctors and nurses within intensive care depend on laboratory based medical devices
such as a blood gas analyzer to help diagnose problems and plan patient therapy. This
sort of device is used often in critical care situations. A wrong reading can result in
missing the delivery of required therapy, or perhaps delivering the wrong therapy, and
materially harm the patient. Our research has told us that when compromised, a blood
gas analyzer can become the pivot point to support an extended enterprise attack.
Unfortunately, if the attackers’ goals change to those of a terrorist, these devices are
wide open for attacks that can compromise device readings and operation, and
threaten the patient’s well-being directly. Further, in time of need, these sorts of
attacks can also be used to shut down critical hospital systems necessary for the
treatment of patients and military personnel.
Recognize that a pivot attack begins with the reconnaissance process. Attackers begin
by looking for the weakest asset in the network for persistence. Medical devices and
the MEDJACK attack vector are clearly the hospital’s “weakest link in the chain.”
Case Study #1 – Hospital Laboratory - The Blood Gas Analyzer
Pivot Attack
Our first case study focuses on a global healthcare institution where we provided an
installation of the basic DeceptionGrid system. Our involvement was part of an
evaluation of deception technology. There were absolutely no indicators of malware
infection or persistent threats visible to the customer. The customer had a very strong
industry suite of cyber defense products. This included a strong firewall, intrusion
detection (heuristics based), endpoint security and anti-virus and more. The hospital
information technology team included a security operations command (SOC) team with
several highly competent and experienced cyber technologists.
Within a few days of our deployment of DeceptionGrid we received high-level ALERTS to
malicious activity within their networks. Upon inspection, it became apparent that this
was a form of persistent attack and the attacker continued to move through their
networks looking for appropriate targets. DeceptionGrid noted that the source of this
lateral movement was in fact from three (3) of the customer’s blood gas analyzers
present in the hospital laboratory. These were infected separately and had now
enabled backdoors[19] into the hospital networks.
The lateral movement prior to our involvement enabled the infection of one of the
hospital IT department’s workstations. Confidential hospital data was being exfiltrated
to a location within the European Community. It is uncertain how many data records in
total were successfully exfiltrated.

[19] http://searchsecurity.techtarget.com/definition/back-door
We found the use of Zeus malware[20] and we also found the presence of Citadel
malware[21] being used to find additional passwords within the hospital. The goal was to
gain entry to the hospital systems to acquire data.
It is clear that the PIVOT POINT for these attacks and the initial infection was the blood
gas analyzers. We are completing our analysis, disclosure and discourse with the
manufacturers.

[20] http://en.wikipedia.org/wiki/Zeus_%28malware%29
[21] http://securityintelligence.com/cybercriminals-use-citadel-compromise-password-management-authentication-solutions/#.VSFvhfnF80E
The most important point of this analysis is not the malware. Malware could be a new
zero day form of malware, or malware several years older and more common. We will
successfully detect both kinds during their lateral movement. The most important
point is that the relatively unprotected aspects of medical devices make successful
attacks upon healthcare networks easier than upon most standard corporate
information technology resources. The medical devices themselves create far broader
exposure. It is the ideal environment upon which to launch persistent attacks with the
end goal of accessing high value data. And this exposure is not easily remediated,
even when the presence of malware is identified conclusively. We will expand upon this
further during our analysis and recommendations.
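The detection principle this case study relies on is simple: a decoy that no legitimate system should ever contact, so that the first connection it receives from a device that has no business talking to it is a lateral-movement lead, independent of whether the malware is a zero-day or a years-old family. The listener below is an added illustration written for this page; it is not DeceptionGrid code nor any TrapX code. The `DecoyListener` class, the `probe()` helper that stands in for an infected host touching the decoy, and the loopback address and payload are all constructed for the demo.

```python
import socket
import threading
import time
from dataclasses import dataclass, field


@dataclass
class DecoyEvent:
    peer_ip: str
    peer_port: int
    first_bytes: bytes     # the probe's opening bytes, kept for triage
    timestamp: float


@dataclass
class DecoyListener:
    """A TCP listener that serves nothing and records every connection.

    Nothing in the environment is configured to use it, so every event is a
    host probing where it should not (illustrative decoy, not a product)."""
    bind_host: str = "127.0.0.1"
    bind_port: int = 0      # 0 lets the OS pick a free port (handy for tests)
    events: list = field(default_factory=list)
    _sock: socket.socket = None
    _thread: threading.Thread = None
    _stop: threading.Event = field(default_factory=threading.Event)
    _lock: threading.Lock = field(default_factory=threading.Lock)

    def start(self):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.bind_host, self.bind_port))
        self._sock.listen(5)
        self._sock.settimeout(0.2)           # lets the accept loop notice stop()
        self.bind_port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.bind_port

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, port) = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            with conn:
                conn.settimeout(0.5)
                try:
                    data = conn.recv(64)     # capture only the opening bytes
                except (socket.timeout, OSError):
                    data = b""
            with self._lock:
                self.events.append(DecoyEvent(ip, port, data, time.time()))

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self._sock.close()

    def snapshot(self):
        with self._lock:
            return list(self.events)


def probe(host, port, payload=b""):
    """Stands in for a compromised host scanning the network (constructed)."""
    with socket.create_connection((host, port), timeout=1) as s:
        if payload:
            s.sendall(payload)


def run_demo():
    """Start a decoy, touch it once from a constructed 'scanner', return the log."""
    decoy = DecoyListener()
    port = decoy.start()
    probe("127.0.0.1", port, b"GET / HTTP/1.0\r\n\r\n")
    deadline = time.time() + 3
    while not decoy.snapshot() and time.time() < deadline:
        time.sleep(0.05)
    decoy.stop()
    return decoy.snapshot()


if __name__ == "__main__":
    for ev in run_demo():
        print(f"decoy touched by {ev.peer_ip}:{ev.peer_port} first bytes={ev.first_bytes!r}")
```

The listener never answers with a real service banner, so it cannot be misused by the host that finds it; what matters to the defender is the source address and the timestamp, which point straight at the device doing the probing.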
Case Study #2 – Hospital Radiology - The PACS Pivot Attack
Our second case study focuses on a global healthcare institution where, as in the first
case study, we provided an installation of the basic DeceptionGrid system. Once again,
our involvement was part of an evaluation of deception technology. As before, there
were absolutely no indicators of malware infection or persistent threats visible to the
customer. The customer had a typical industry suite of cyber defense products. This
included, as before, an industry standard firewall, intrusion detection (heuristics
based), endpoint security and anti-virus. The hospital information technology team
included a security specialist with strong background and experience.
Almost upon deployment DeceptionGrid generated high-level ALERTS that indicated
malicious activity within their networks. This was a form of persistent attack and the
attacker continued to move through their networks looking for appropriate targets.
DeceptionGrid noted that the source of this lateral movement was the picture archive
and communications systems (PACS) that provided the radiology department with the
storage and access to images derived from multiple sources. These image sources
included CT scanners, MRI scanners, portable x-ray machines (c-arms), x-ray and
ultrasound equipment.
The PACS system is central to hospital operations and is linked very directly to the rest
of the hospital for access to vital imagery. This imagery is used for diagnosis and
treatment. Further, ambulatory physicians have access to this imagery through their
EMR systems located within their individual practice office locations. So the PACS
system is well positioned to be the pivot point for an advanced persistent attack.
The lateral movement prior to our involvement enabled the infection of a key nurse’s
workstation. Confidential hospital data was being exfiltrated to a location within the
Asia Pacific. It is uncertain how many data records in total were successfully
exfiltrated. Communications went out encrypted using port 443 (SSL) and were not
detected by existing cyber defense software.
The attack vector was very simple and basic. After reconnaissance, the attackers sent
targeted email to the hospital. All it took was for one person to click on the link. This
took them to a website which enabled the installation of a Java Exploit which was able
to download onto the workstation, and then spread. Information technology’s cyber
defense detected this, and likely eliminated it, but not before it infected the PACS
systems. As in our first case study, the hospital’s standard cyber defense was unable
to scan or remediate anything within the PACS system. So now the persistent attack
can continue as a backdoor was set up through the PACS system. The PACS system has
become the pivot point for the attack across the healthcare enterprise.
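Both case studies end the same way: patient data leaves on port 443, encrypted, and nothing on the wire inspects it. Encryption hides the content but not the metadata, and a flow log (who talked to whom, on which port, how many bytes, when) is usually available even where the device itself cannot be scanned. The script below is an added example written for this page, not a TrapX tool; it parses constructed flow records (the addresses are TEST-NET ranges, and the host names, volumes and times are invented) and flags internal hosts that push large volumes to an external address over 443, or contact one at a suspiciously regular cadence.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

# Constructed flow records for the demo (not data from the report):
# start time, source IP, destination IP, destination port, bytes sent by the source.
SAMPLE_FLOWS = """\
2015-03-02T09:00:12Z 10.20.5.17 10.20.1.9     443 18234
2015-03-02T09:03:40Z 10.20.5.17 203.0.113.45  443 52428800
2015-03-02T10:03:41Z 10.20.5.17 203.0.113.45  443 49807360
2015-03-02T11:03:39Z 10.20.5.17 203.0.113.45  443 51380224
2015-03-02T09:10:05Z 10.20.7.3  198.51.100.20 443 40960
2015-03-02T09:12:44Z 10.20.7.3  198.51.100.21 443 12288
2015-03-02T09:15:00Z 10.20.3.8  10.20.1.9     443 2048
"""

# Assumed internal address space for the demo (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass
class Finding:
    src: str
    dst: str
    total_bytes: int
    reasons: list


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                          src, dst, int(dport), int(nbytes)))
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def regular_intervals(times, tolerance=0.1, min_samples=3):
    """True when at least min_samples contacts are spaced at a near-constant
    gap (a check-in cadence): every gap lies within tolerance of the mean gap."""
    if len(times) < min_samples:
        return False
    t = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(t, t[1:])]
    avg = mean(gaps)
    return avg > 0 and all(abs(g - avg) <= tolerance * avg for g in gaps)


def find_suspect_exfil(flows, port=443, byte_threshold=100 * 2**20):
    """Aggregate internal->external traffic on `port` per (src, dst) pair and
    report pairs that exceed the byte budget or show a regular cadence."""
    per_pair = defaultdict(lambda: {"bytes": 0, "times": []})
    for f in flows:
        if f.dport != port or not is_internal(f.src) or is_internal(f.dst):
            continue                      # internal-to-internal 443 is not in scope here
        rec = per_pair[(f.src, f.dst)]
        rec["bytes"] += f.nbytes
        rec["times"].append(f.ts)

    findings = []
    for (src, dst), rec in sorted(per_pair.items()):
        reasons = []
        if rec["bytes"] >= byte_threshold:
            reasons.append(f"{rec['bytes'] / 2**20:.0f} MiB sent to external host")
        if regular_intervals(rec["times"]):
            reasons.append(f"{len(rec['times'])} contacts at a regular interval")
        if reasons:
            findings.append(Finding(src, dst, rec["bytes"], reasons))
    return findings


if __name__ == "__main__":
    for fnd in find_suspect_exfil(parse_flows(SAMPLE_FLOWS)):
        print(f"{fnd.src} -> {fnd.dst}: {'; '.join(fnd.reasons)}")
```

In the sample, the workstation at 10.20.5.17 is reported for both reasons while the two small, one-off connections from 10.20.7.3 are not; the thresholds are starting points to be tuned against the site's own baseline, and a finding against a medical device's address is exactly the case where the host itself cannot be examined and the network record has to carry the investigation.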
Obfuscation of Malware in Healthcare Attacks
Tools have evolved to help mask old, easily detectable malware threats as new
malware. This technique is called obfuscating malware. This, in effect, creates new
malware software as the malware is effectively camouflaged and invisible to detection
and defensive techniques.
This strategy does not work as well to attack markets such as financial services and
insurance where the vulnerabilities associated with medical devices do not exist. But
healthcare is a different story. Using MEDJACK as the vector of choice, attackers are
able to effectively remanufacture and redeploy old exploits, even such old malware as
Conficker[22] and dozens of others with tremendous impact.
All of this, of course, makes the healthcare institutions more vulnerable. These
exploits root within medical devices in major healthcare institutions and evade most
cyber defense software for extended periods of time. The IT teams believe that the
environment is clear of threats. In fact, these persistent attackers are comfortably
situated within the enterprise and free to exfiltrate confidential patient records, or
worse yet, perhaps, some day to enable harm to fall to patients directly.
Obfuscation techniques we see used by malware in healthcare include:
Polymorphism. Polymorphic malware morphs and changes over time so that it is not
easily detected by anti-malware software. The malicious code can change in a variety
of ways to include how it is encrypted, compressed and even the filename and
extensions to it. The basic functions of the malware will be the same, for example if it
is a password stealer it will continue to function as such, but it causes significant
delay in the time to detection.
Software Packers (Repacking). Packers are normally used by legitimate software
manufacturers to keep proprietary information private while retaining the function of
the software. These software packers are placed around modules of software to
compress and sometimes encrypt their contents. While these can be legitimately used
by software manufacturers, they are very commonly used by malware to hide the
contents of malicious files from cyber defense software scanners. Packers basically
process executable files as they run, in real time. Initially the malware is unpacked and
then loaded into memory and run. A file can be packed and repacked many times with
incremental changes to the packing method and to the file inside.
This repacking process produces what appears to be a file that is undetectable by most
signature-based and many heuristics based techniques. The trend today in the
healthcare malware we are seeing is to use this technique so that the attacker can
invest less in creating original malware, but instead remanufacture and repack older
exploits targeted to the MEDJACK vector. Cyber defense software sometimes identifies
packer software but this often creates large quantities of excess false alerts based
upon the legitimate use within the enterprise.

[22] http://www.techopedia.com/definition/48/conficker
Junk Code Injection. Sometimes it is as easy as inserting “junk code” or extra lines
into the malware program. This in effect can change the signature and make the
malware undetectable.
Modern malware creation tools make this attack on healthcare more challenging.
Imagine a hacker taking a malware program and then, through automation, creating 50
different copies of it, all appearing unique, but delivering essentially the same
functionality. Sandboxing techniques working in conjunction with anti-virus software
can mitigate this to some extent, but not enough. Malware is also developed to work
around this form of detection.
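The three techniques above share one property a defender can use: a signature is a statement about exact bytes, while packing, repacking and junk insertion change exact bytes without changing what the code does. A byte-level heuristic that does not depend on exact bytes, such as the Shannon entropy of fixed-size windows, still sees the compressed or encrypted body that a packed payload must carry, which is why it is a useful complement to signature matching on files pulled from a device or captured in transit. The scanner below is an added example written for this page, not TrapX code or any product's detection logic. The sample inputs are constructed: a repeated readable text stands in for an unpacked section, and a chained-SHA-256 byte stream stands in for a packed or encrypted section; neither is a real program or real packer output.

```python
import hashlib
import math


def shannon_entropy(data):
    """Bits per byte, from 0.0 to 8.0. Readable text sits around 4 to 5;
    compressed or encrypted content approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_high_entropy(data, window=1024, threshold=7.0):
    """Slide a fixed window over the bytes and return (offset, entropy) for
    every window at or above the threshold: the regions a packed or
    encrypted payload would occupy."""
    hits = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if len(chunk) < window // 2:          # ignore a tiny trailing fragment
            break
        e = shannon_entropy(chunk)
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def packed_fraction(data, window=1024, threshold=7.0):
    """Share of windows that look packed; a whole-file triage score."""
    windows = max(1, len(data) // window)
    return len(scan_high_entropy(data, window, threshold)) / windows


def pseudo_random_bytes(n, seed=b"constructed-sample"):
    """Deterministic high-entropy filler built from chained SHA-256 digests.
    It stands in for a packed/encrypted section and is not a packer's output."""
    out = bytearray()
    block = seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed stand-in for the readable part of an unpacked program.
PLAIN_TEXT = (b"This is a constructed stand-in for an unpacked program's readable section. "
              b"Strings, padding and repeated structures keep its byte entropy low. ")


def build_samples():
    """Three constructed inputs: all clear, all opaque, and a clear header
    followed by an opaque body (the usual shape of a packed executable)."""
    plain = (PLAIN_TEXT * 100)[:8192]
    packed_like = pseudo_random_bytes(8192)
    mixed = plain[:2048] + packed_like[:6144]
    return {"plain": plain, "packed_like": packed_like, "mixed": mixed}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        hits = scan_high_entropy(blob)
        print(f"{name:12s} whole-file entropy={shannon_entropy(blob):.2f} "
              f"packed_fraction={packed_fraction(blob):.2f} first_hit={hits[0] if hits else None}")
```

Entropy alone does not say whether a packed file is hostile, since the text notes that legitimate vendors pack their software too; its value is in routing a sample to closer inspection (unpacking in a sandbox, behavioural analysis) when its hash matches nothing, and in doing so on a device whose internals cannot be scanned in place.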
Conclusions
In contrast to regular corporate IT networks, healthcare networks are much more
vulnerable to attack. The data stored within healthcare networks remains a primary
target for attackers on a global basis. For all of these reasons and more we expect
targeted attacks on hospitals to increase throughout 2015 and 2016. Further, based
upon our experience and understanding of MEDJACK, we believe that a large majority
of hospitals are currently infected with sophisticated malware that has remained
undetected for months and in many cases years.
The important point of this report is that these vulnerabilities, as they exist in medical
devices, render many components of the hospital’s cyber security technology useless.
You cannot detect malware on a system which you cannot scan. The primary reason for
this problem is centered on the fact that medical devices are closed systems. As FDA
certified systems, they are not easily opened for the installation of additional third-party
software by the hospital staff. This makes hospitals on a global basis wide open
targets for attackers using a variety of malware and techniques.
Finally, even when sophisticated attacks are detected by new products using deception
technology, it is still very difficult to remove the malware and blunt the attack. The
outgoing IP addresses can be shut down, but removal of the malware is a tricky
proposition. Hospitals really don’t want to impact the operation of these systems –
they depend on them, often on a 24 x 7 basis. They are also concerned about liability.
What happens if the hospital IT teams impact the operation of the medical device and
that results in an errant diagnosis or therapy? And finally, the infection by malware is so
prevalent that the hospitals will be spending many tens of thousands of dollars with a
variety of manufacturers cleaning the devices and reloading the medical device
software. It’s a perfect storm for attackers and our healthcare institutions are in the
middle of it.
Recommendations
Our review of the security infrastructure of studied hospitals provided very valuable
and useful information for us. These findings are supported by TrapX Labs (TSL’s)
research, experience and our constant dialog with other leading security experts on a
global basis. We see multiple areas for deeper and continued research.
In terms of specific recommendations, hospitals and major healthcare institutions
should consider the following:
• Review and update your strategy to rapidly integrate and deploy software fixes
and/or hardware fixes provided by the manufacturer to your medical devices.
These need to be tracked and monitored by senior management and quality
assurance teams.
• Review and update your strategy to procure medical devices from any vendor
only after a review with the manufacturer that focuses on the cyber security
processes and protections. Conduct quarterly reviews with all of your medical
device manufacturers.
• For your existing medical devices, TrapX Labs **strongly** recommends that
hospital staff review and update their contracts with medical device suppliers.
Renegotiate now. If these new services raise operating budgets, we believe that
the additional expense is necessary and prudent. The manufacturer must
contractually commit to step up to whatever cost is required to enhance the
cyber defense in these devices. They must include very specific language about
the detection, remediation and refurbishment of the medical devices sold to the
hospitals which are infected by malware. They must have a documented test
process to determine if they are infected, and a documented standard process to
remediate them when malware and cyber attackers are using the devices.
• Consider a strategy to review and remediate your existing devices now. We
estimate that over 2/3 of these are likely infected and placing your operation
and patients at risk.
• If you are a healthcare entity within the U.S., it is very possible you will find
exfiltration of patient data (more than 500 patients affected) within the
notification trigger of HIPAA. Compliance and information technology must
work together to document these incidents, provide the notice and follow up as
required by law. There are similar compliance requirements in many countries
around the world – this advice applies on a global basis.
• Hospitals in the U.S. are very likely primary targets over time for HIPAA
compliance audit. Given the extreme risk of data breach that hospitals face, we
recommend bringing in outside consultants to review your HIPAA compliance
program in 2015.
• Avoid allowing any of these devices to provide USB ports for staff use without
additional protections. Consider the one-way use of new memory sticks only to
preserve the air gap. Otherwise one medical device can infect similar devices.
• Favor signed software – this is a mathematical technique used to validate the
authenticity of the software.
• Run security tests to discover vulnerabilities and help with the management of
your medical device manufacturers.
• Implement advanced firewalls to resist hacker attacks and only allow specified
IP addresses in or out. Most firewalls are incorrectly configured and don’t have
the latest features and defense available. It takes a security expert to
understand the best ways to configure the latest firewalls – this is not business
as usual for your information technology team.
• Protect the project management interface on medical devices from inside
attackers and only allow limited access to these devices based upon need.
• Utilize a technology designed to identify malware and persistent attack vectors
that have already bypassed your primary defenses. Deception technology can
provide this advantage for your security operations center (SOC) team.
• If you are a smaller hospital or clinic, obtain the services of a managed security
service provider (MSSP) to manage these challenging security issues on an
ongoing basis.
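One concrete way to act on the egress-allowlist and device-isolation recommendations above, as an added example that is not part of the report and not TrapX's code: a small Python check that flags outbound connections from medical-device VLANs to anything other than their clinical servers. The VLAN subnets, server addresses, ports, log format and log lines are all constructed assumptions for illustration.

```python
"""Egress allowlist check for medical-device VLANs (added example, not TrapX code).

Closed medical devices cannot be scanned for malware, so this check looks only at
their network behaviour: a device should talk to its clinical server and nothing
else. Every subnet, host, port and log line below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed assumption: one device VLAN per department.
DEVICE_SUBNETS = {
    "lab":       ipaddress.ip_network("10.20.0.0/24"),   # e.g. blood gas analyzers
    "radiology": ipaddress.ip_network("10.30.0.0/24"),   # e.g. imaging modalities
}

# Constructed assumption: the whole hospital address space; anything outside is external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed assumption: the only (destination, port) pairs each VLAN may reach.
ALLOWED = {
    "lab":       {("10.1.5.10", 2575), ("10.1.5.10", 443)},    # lab information system
    "radiology": {("10.1.6.20", 104), ("10.1.6.20", 11112)},   # PACS archive
}


@dataclass
class Finding:
    line_no: int
    src: str
    dst: str
    port: int
    reason: str


def _vlan_of(ip):
    """Name of the device VLAN containing ip, or None if it is not a device address."""
    for name, net in DEVICE_SUBNETS.items():
        if ip in net:
            return name
    return None


def _is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse 'timestamp src_ip dst_ip dst_port proto' (constructed log format)."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError("malformed record: %r" % line)
    ts, src, dst, port, proto = parts
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto


def check_egress(log_lines):
    """Return a Finding for every device-VLAN connection that is not on the allowlist."""
    findings = []
    for n, raw in enumerate(log_lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _, src, dst, port, _ = parse_line(line)
        vlan = _vlan_of(src)
        if vlan is None:
            continue                      # ordinary IT host; out of scope for this check
        if (str(dst), port) in ALLOWED[vlan]:
            continue                      # expected clinical traffic
        if not _is_internal(dst):
            reason = "device reached an external address (possible C2 or exfiltration)"
        elif _vlan_of(dst) is not None:
            reason = "device-to-device traffic (possible lateral movement between devices)"
        else:
            reason = "device reached an internal host outside its allowlist"
        findings.append(Finding(n, str(src), str(dst), port, reason))
    return findings


def destinations_to_block(findings):
    """External destinations worth shutting down at the firewall, deduplicated."""
    return sorted({f.dst for f in findings if not _is_internal(ipaddress.ip_address(f.dst))})


# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    "# ts src dst dport proto",
    "2015-04-01T02:14:05Z 10.20.0.15 10.1.5.10 2575 tcp",    # analyzer -> LIS: expected
    "2015-04-01T02:14:09Z 10.20.0.15 203.0.113.7 443 tcp",   # analyzer -> external: finding
    "2015-04-01T02:15:30Z 10.20.0.15 10.20.0.22 445 tcp",    # analyzer -> analyzer: finding
    "2015-04-01T02:16:01Z 10.30.0.40 10.1.6.20 104 tcp",     # modality -> PACS: expected
    "2015-04-01T02:16:44Z 10.30.0.40 10.1.9.5 3389 tcp",     # modality -> other host: finding
    "2015-04-01T02:17:00Z 10.5.1.100 203.0.113.7 443 tcp",   # workstation: out of scope
]

if __name__ == "__main__":
    for f in check_egress(SAMPLE_LOG):
        print("line %d: %s -> %s:%d  %s" % (f.line_no, f.src, f.dst, f.port, f.reason))
    print("block at firewall:", destinations_to_block(check_egress(SAMPLE_LOG)))
```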
Introducing Deception Technology for Healthcare
Deception technology is a new category of cyber security designed to meet head-on the
threats of malicious software, targeted attacks, zero day exploits and other
sophisticated attacks. DeceptionGrid automates the deployment of a network of
camouflaged malware traps that are intermingled with your real information
technology resources. The traps appear identical in every way to your real IT assets.
Once malware has penetrated your enterprise, the attackers move laterally to find high
value targets. Just one touch of the DeceptionGrid sets off a high confidence ALERT.
Real-time automation isolates the malware and delivers a comprehensive assessment
directly to your SOC team.
Now the basic pattern of malware deployment and privilege escalation activity is
disrupted. At the first moment of reconnaissance and lateral movement the APT is
identified positively. Automation adds powerful forensics so that your SOC team has an
almost immediate understanding of the nature of the attack. You can begin rapidly to
implement the best path for remediation and removal.
DeceptionGrid – Breaking the Intrusion Chain
The TrapX DeceptionGrid™ now makes it possible to break the intrusion chain. Attackers
map the network and move laterally. Just one touch of the DeceptionGrid sets off a
high confidence ALERT. Real-time automation isolates the malware and delivers a
comprehensive assessment directly to your SOC team.
DeceptionGrid – Core Functionality
DeceptionGrid has been designed from the beginning to fit efficiently and securely into
healthcare operations. DeceptionGrid includes Malware Trap Sensors and Network
Intelligence Sensors. Our Security Intelligence Management provides Integrated Event
Management and fully automated Forensic Analysis.
This automated analysis enables the SOC to move faster yet at the same time reduce
costs as excess escalation is no longer required. Further, DeceptionGrid’s mechanism
of generating an alert is not based upon a probabilistic event or clustering around
adjustable thresholds. These are very high confidence events. These alerts are
directly generated and triggered by explicit contact with our Malware Trap Sensors.
DeceptionGrid includes important core functionality to support your cyber defense.
This includes:
Automated Deployment of Camouflaged Malware Traps
The platform scans the existing network and creates a camouflaged network of
emulated systems, including servers, switches, databases, and applications,
interleaved with the real assets.
Sandbox Analysis
Payloads affecting these malware traps are immediately inspected for known
behaviors, such as a search engine crawler, and any unknown activity is transferred
and isolated in a sandbox server. As soon as Zero-Day malware starts executing within
the sandbox, the platform’s forensics server examines it and builds a detailed model of
the exploit architecture in real time, with no added expertise needed from security
personnel. This radically reduces the time and effort required to identify, analyze, and
remediate threats. DeceptionGrid produces a level 3 analysis. This includes both a
static and dynamic analysis, profile and signature set.
Integrated Event Management
The information produced in this automated analysis is then pulled into the platform’s
management system, tagged with a distinct event ID, and stored within an integrated
event-management database. This actionable threat intelligence can be shared or
integrated with the customer’s existing security systems in the network.
Threat Intelligence
DeceptionGrid’s business-intelligence engine builds a profile of the attack vector and
performs root-cause analysis on the event. The engine then correlates this information
with outside information from a fully integrated threat-intelligence feed.
Outbound Packet Inspection (BOTNET Detection)
DeceptionGrid also provides packet inspection of outbound traffic to identify malicious
behavior on existing servers. DeceptionGrid uses intelligence from the malware traps
to target specific behaviors and components, and to spot lateral movement of complex
threats. This sharing allows the engine to catch more infected assets before they
spread. This sharing also adds greater scalability and efficiency to the system, and
avoids many of the performance and latency problems associated with deep packet
inspection technology.
DeceptionGrid – Key Components
These are the key components in a system deployment:
Malware Traps
A mesh of virtual decoy malware traps lures and diverts APT and Zero-Day attacks away
from real hosts. This grid of decoy malware traps runs low-level emulations of many
real-life systems in the network to present attackers with a high-fidelity emulation of
reality. Our virtual network of malware traps catches otherwise undetected Zero-Day
malware before it can infect real IT assets.
Management Dashboard
A dashboard with fully featured sandbox capabilities allows payloads captured by
DeceptionGrid sensors to execute for real-time forensics investigation. An automated
forensics engine examines payload as it executes in real time within the sandbox to
identify and catalogue unique behavior and attributes of Zero-Day activity. Event data
is pulled into a comprehensive event management database.
Business Intelligence Engine
A business intelligence engine takes event data and builds profiles to detect and
prevent future attacks. A threat intelligence feed layered into event analysis is
integrated directly into the management system, enabling the attribution and creation
of topology maps. This rich data and intelligence analysis allows for swift remediation
of known attacks against IT systems.
DeceptionGrid Platform
Users can deploy the TrapX platform in the cloud or on their premises. The platform is
fully integrated and extensible. All communications between sensors and the
management platform are secured by an encryption protocol that allows real-time
updates without any kind of inbound firewall connection.
“Detection is a binary event – not probabilistic. There is
no cloaking available to a sophisticated attacker that
enables them to violate the integrity of the detection.
There are no false alerts. Any cyber event that touches
the interlaced network of virtual “decoy” computing
resources in DeceptionGrid is by definition malicious
and unauthorized activity and is immediately alerted to
your security team.”
-Yuval Malachi, Co-Founder and CTO, TrapX Security
DeceptionGrid - Benefits and Value for Healthcare
Deception technology brings strong benefits to our healthcare customers. We address
key pain points within their existing cyber defense strategy. Some key value points
include:
• We detect mid-point VLAN movement by malware in real time, which is unseen
by other cyber defenses. We monitor and protect these areas. This enables us to
detect the movement of malware emanating from medical devices which do not
run or allow scanning by your standard cyber defense suite. This ultimately
reduces the risk of economic loss, impact to business operations and threats to
patient well-being.
• Our technology detects the movement of advanced malware almost immediately.
We dramatically reduce the time to breach detection for the most sophisticated
zero day events, advanced persistent threats (APTs) and other malware. The
longer an attacker has access to your internal hospital networks the greater the
probability of severe economic and operational impact. Reduction in time to
breach detection is a critical and important metric.
• We generate a small number of highly accurate and actionable alerts.
Important events are not missed or ignored by your security operations
center (SOC) team. This reduces the risk as you can now more rapidly detect
and defend against these complex threats to your hospital. No big data, no need
to process thousands or millions of alerts. And no missed alerts.
• We identify malware within the VLAN and then we automatically deliver a
complete static and dynamic analysis. This provides your SOC team with a
complete level 3 analysis without extensive manual processes. This helps
reduce the time for your SOC team to determine appropriate action.
• Our deployment is automated, simple and very fast. Our automation reduces the
investment required to protect the entire enterprise. This makes it easy to plan
for rapid deployment.
• Our Threat Intelligence Center automatically flows information from discovered
threats across our network so that our customers can immediately benefit.
• DeceptionGrid seamlessly integrates into your existing hospital network
architecture without requiring any changes to configuration or topology. This
saves time and resources upon the initial implementation and over the life cycle
of system support.
About TrapX Security
TrapX Security is a leader in the delivery of deception based cyber security defense. Our
solutions enable our customers to rapidly isolate, fingerprint and disable new zero day
attacks and APTs in real-time. Uniquely our automation, innovative protection for your
core and extreme accuracy enable us to provide complete and deep insight into malware
and malicious activity unseen by other types of cyber defense. TrapX Security has many
thousands of government and Global 2000 users around the world, servicing customers in
defense, healthcare, finance, energy, consumer products and other key industries.
Find Out More – Download a Free Trial
Come to www.trapx.com and download our FREE proof of concept and trial for
qualifying organizations.
Find Out More – Contact Us Now
TrapX Security, Inc., 1875 S. Grant St., Suite 570 San Mateo, CA 94402
+1–855–249–4453
www.trapx.com
For sales: sales@trapx.com
For partners: partners@trapx.com
For support: support@trapx.com
Trademarks
TrapX, TrapX Security, DeceptionGrid and all logos are trademarks or registered
trademarks of TrapX in the United States and in several other countries.
Cyber Kill Chain is a registered trademark of Lockheed Martin.
Other trademarks are the property of their respective owners.
© TrapX Software 2013. All Rights Reserved.
Special Supplement - Wireless Access Brings Risk to Patients
Medical devices are worn, carried or embedded for ongoing medical therapy. Many of
these are connected via wireless and represent new vectors for attack. Unfortunately,
these attack vectors are not about financial gain. This is more about a direct threat to
targeted personnel by organized crime, terrorists or nation states.
We did preliminary research into the wide range of medical IoT devices used with
ambulatory patients, including pacemakers, insulin pumps, drug pumps, deep brain
neurostimulators, gastric stimulators, cochlear implants, vital sign monitoring and
more. We also identified foot drop implants as a potential area of investigation. The
goal was to understand and document attack vectors and to assess the relative risk to
patients.
The New Zealand hacker and computer security expert, Mr. Barnaby Jack, is widely
credited with documenting initial attack vectors for the hack of insulin pumps and
pacemakers. Mr. Jack’s testimony (23) in this area may have convinced the U.S. General
Accounting Office (GAO) to recommend that the FDA improve information security for
medical devices. We have confirmed these attack vectors as presenting potential risks
for patient safety.
23
http://www.thedailybeast.com/articles/2013/07/26/the-good-hacker-barnaby-jack-dies.html

The Pros And Cons Of Biomedical Engineering
 
Medical Device Manufacturers And Healthcare Delivery...
Medical Device Manufacturers And Healthcare Delivery...Medical Device Manufacturers And Healthcare Delivery...
Medical Device Manufacturers And Healthcare Delivery...
 
Medical Devices Are Needed For Modern Medicine
Medical Devices Are Needed For Modern MedicineMedical Devices Are Needed For Modern Medicine
Medical Devices Are Needed For Modern Medicine
 
Development of an expert system for reducing medical errors
Development of an expert system for reducing medical errorsDevelopment of an expert system for reducing medical errors
Development of an expert system for reducing medical errors
 
Article on The Electronic Health Record
Article on The Electronic Health RecordArticle on The Electronic Health Record
Article on The Electronic Health Record
 
Ehr by jessica austin, shaun baker, victoria blankenship and kayla boro
Ehr by jessica austin, shaun baker, victoria blankenship and kayla boroEhr by jessica austin, shaun baker, victoria blankenship and kayla boro
Ehr by jessica austin, shaun baker, victoria blankenship and kayla boro
 
Whitepaper next generation_patient_safety_bertine_mc_kenna.01
Whitepaper next generation_patient_safety_bertine_mc_kenna.01Whitepaper next generation_patient_safety_bertine_mc_kenna.01
Whitepaper next generation_patient_safety_bertine_mc_kenna.01
 
DHHS ASPR Cybersecurity Threat Information Resources
DHHS ASPR Cybersecurity Threat Information ResourcesDHHS ASPR Cybersecurity Threat Information Resources
DHHS ASPR Cybersecurity Threat Information Resources
 
Computer Information Systems and the Electronic Health Record
Computer Information Systems and the Electronic Health RecordComputer Information Systems and the Electronic Health Record
Computer Information Systems and the Electronic Health Record
 
IRJET - Blockchain for Medical Data Access and Permission Management
IRJET - Blockchain for Medical Data Access and Permission ManagementIRJET - Blockchain for Medical Data Access and Permission Management
IRJET - Blockchain for Medical Data Access and Permission Management
 
Starion Entrepreneurship Case Analysis
Starion Entrepreneurship Case AnalysisStarion Entrepreneurship Case Analysis
Starion Entrepreneurship Case Analysis
 

AOA_Report_TrapX_AnatomyOfAttack-Healthcare

  • 1. Anatomy of an Attack – Healthcare under Siege
  • 2. Contents (the table of contents reproduced at the top of this page, plus one further entry: Special Supplement - Wireless Access Brings Risk to Patients ........ 31)
  • 3. About Anatomy of an Attack

    The Anatomy of an Attack (AOA) Series highlights the results of our research into current or potential critical information security issues. The AOA series are publications of TrapX Laboratories. The mission of TrapX Labs is to conduct critical cybersecurity experimentation, analysis and investigation and to bring the benefits back to the community at large through AOA publications and rapid ethical compliance disclosures to manufacturers and related parties. The TrapX Labs knowledge base benefits significantly from information on advanced malware events shared with us by the TrapX Security Operations Center (TSOC). Uniquely, this TSOC threat analysis includes very deep intelligence on advanced persistent threats (APTs) and zero-day events.
  • 4. Executive Summary

    This Anatomy of an Attack (AOA) report shares our research into the state of cyber security within the healthcare industry. The results of this research suggested the title of this report: healthcare is truly in a state of siege. Attacker activities threaten overall hospital operations and patient well-being. These attacks, although not always sophisticated zero-day events, represent a clear and grave threat to hospital operations, the security of patient data and ultimately patient safety. Our team has identified several attack vectors that could result in patient injury, or even death.

    Our report does not identify the specific manufacturers of the compromised devices, which include PACS systems, multiple blood gas analyzers and more. At a later date we will move forward to complete the distribution of an ethical disclosure. At that time we will provide these ethical disclosures to the manufacturers for review and comment, and then to the public at large.

    As in other industries, the attackers in healthcare are funded by organized crime, nation states or a variety of other “bad actors.” The great majority are clearly after valuable healthcare data and economic gain. Health insurance credentials can have a value twenty times that of a credit card on the hacker black market. These attackers know that healthcare networks have more vulnerability and provide greater potential rewards. They have already determined that these vulnerabilities are so extreme as to make healthcare the easiest choice for their attack. We have concerns that there are small but growing risks for these attacks to be used by terrorists or even nation states to target a medical facility and its patients in times of war or national interest.

    The TrapX Labs team refers to this attack vector as MEDJACK, or “medical device hijack.” Medical devices have clearly become the key pivot points for the attackers within healthcare networks. They are the most significant point of vulnerability in the healthcare enterprise, the least protected area, and the hardest area to remediate even when attacker compromise is identified. We will explain why medical devices are primary pivot points, how the attacks happen, and, once established, how the advanced persistent threats can extend these command and control points to breach the hospital’s records over an extended period of time.

    The typical hospital is replete with internet-connected systems and medical devices. These devices are also connected to the electronic medical records (EMR) systems that are being deployed at a fast pace across physicians’ practices and hospitals due to government incentives such as meaningful use.1

    1 http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Meaningful_Use.html
  • 5. “We use the term MEDJACK, or medical device hijack, to frame what we see as the attack vector of choice in healthcare. Attackers know that medical devices on the network are the easiest and most vulnerable points of entry. The MEDJACK is designed to rapidly penetrate these devices, establish command and control and then use these as pivot points to hijack and exfiltrate data from across the healthcare institution. MEDJACK also creates the potential for injury or even death to patients whose care and support rely on malware infected devices within the hospital.” -Moshe Ben Simon, Co-Founder & VP, TrapX Security, General Manager TrapX Labs

    Primary research came from first-hand data from incidents within the TrapX security operations center (TSOC). This included a detailed review of data and analysis associated with ongoing, advanced persistent attacks in three (3) hospitals. These attacks pivoted around medical devices which were installed within the hospitals’ hardwired networks. Our primary mission has been to focus on malware that impacts government and commercial enterprise where we can leverage our core deception technology.

    On a global basis, some of our healthcare customers have expressed concern over the potential for directed threats to patients delivered through wireless networks to their internet of things medical devices. The U.S. Department of Homeland Security (ICS-CERT2) has expressed some concern over the use of these wireless attack vectors to potentially direct a terrorist attack against patients. Further, the ICS-CERT team continues to investigate these capabilities on a regular basis and has issued a considerable amount of guidance on this topic.3 Our team decided to do a survey of these devices to better understand the nature of these attacks and the risk to our customers. We have issued a special supplement to this report, where TrapX Labs and our research team took a broader look at those medical devices used with ambulatory patients.

    2 https://ics-cert.us-cert.gov/
    3 http://www.computerworld.com/article/2837413/security0/dhs-investigates-24-potentially-deadly-cyber-flaws-in-medical-devices.html

  • 6. Finally, we do present our analysis and recommendations for minimizing the risk associated with a MEDJACK attack and the best practices for design, implementation and system life management of networked medical devices.
  • 7. Healthcare Under Siege

    Healthcare is a massive market with annual expenditures that consume approximately 17.4 percent of the gross domestic product in the United States.4 The ecosystem that provides healthcare in the U.S. includes 893,851 physicians5 spread across approximately 230,187 practices, each of which may have more than one office. Integral to the physicians’ practices and hospital operations are the 2,724,570 registered nurses,6 physician’s assistants and administrative staff that support them. The infrastructure to support the delivery of their expertise is equally massive. There are approximately 5,686 hospitals7 that support this ecosystem directly, and then closely related ecosystems that include many thousands of skilled nursing facilities, ambulatory surgical centers, physical therapists and much more. And over 75% of these physicians’ practices have electronic medical records (EMR/EHR) systems which are all interconnected with the rest of the ecosystem.8

    All of this presents a major target of opportunity for cyber attackers. Recent examples include the 2014 breach of Community Health Services.9 The attackers acquired names, addresses, birth dates, telephone numbers and social security numbers from 4.5 million patients.10 This attack, which occurred between April and June 2014, compromised the company’s security measures and successfully copied and exfiltrated data outside the company.

    The healthcare information at Community Health Services was potentially protected by a variety of laws. This data potentially included protection under the Health Insurance Portability and Accountability Act (HIPAA), which is enforced, in part, as specified by the HITECH Act. Healthcare data is also governed by laws that vary by state which specify the protection of HIV/AIDS data. Finally, there are data breach laws, which also vary by state, that might apply in the case of a breach such as Community.11 All of this creates significant expense and liability beyond the short-term ramifications of the breach. Of course, the potential damage to each of the patients whose data was stolen is also a key concern.

    4 http://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/NationalHealthExpendData/NationalHealthAccountsHistorical.html
    5 http://kff.org/other/state-indicator/total-active-physicians/
    6 http://kff.org/other/state-indicator/total-registered-nurses/
    7 http://www.aha.org/research/rc/stat-studies/fast-facts.shtml
    8 http://www.hhs.gov/news/press/2014pres/08/20140807a.html
    9 http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/
    10 http://www.usatoday.com/story/tech/2014/08/18/community-health-systems-hack-attack-45-million/14226421/
    11 http://www.dwt.com/statedatabreachstatutes/
  • 8. Healthcare has always been a major target. As of March 30, 2015, the Identity Theft Resource Center (ITRC) shows healthcare breach incidents as 32.7% of all listed incidents nationwide. Per ITRC, for the first quarter of 2015, over 99,335,375 medical records have been exposed and compromised in the United States alone.12 Viewed in a different context, Experian produced the 2015 Annual Data Breach Report, which lists the “Persistent and Growing Threat of Healthcare Breaches” as a top trend for 2015. Experian further notes that the potential cost of breaches for the healthcare industry could be as much as $5.6 billion annually.13

    All of this demand for healthcare data presents a compelling opportunity for organized crime. Cybersecurity firm Dell SecureWorks notes that cyber criminals were getting paid $20 to $40 for health insurance credentials, compared with $1 to $2 for U.S. credit card numbers prior to the Target breach.14 The Federal Bureau of Investigation (FBI) issued a private industry notification (PIN) report in April 2014 that noted cyber-attacks will increase against healthcare systems and medical devices due to lax cybersecurity standards and a higher financial payout for medical records on the black market.15

    12 http://www.idtheftcenter.org/images/breach/ITRCBreachStatsReportSummary2015.pdf
    13 http://www.experian.com/assets/data-breach/white-papers/2015-industry-forecast-experian.pdf
    14 http://www.secureworks.com/resources/blog/general-hackers-sell-health-insurance-credentials-bank-accounts-ssns-and-counterfeit-documents/
    15 https://info.publicintelligence.net/FBI-HealthCareCyberIntrusions.pdf
  • 9. Inside the Healthcare Network

    We do not know of standard cyber defense software available from third parties that installs and operates on standalone medical devices. By definition, medical devices are turnkey systems. They go through an FDA approval process16 prior to commercial release to make sure that the standards of manufacture and product performance protect consumers and meet intended use. The purchaser or user of these systems cannot install their local suites of cyber defense. The reasons may include lack of visibility, through a console or otherwise, to the basic operating system access required, lock-up of the internal environment by the original equipment manufacturer (OEM) to prevent access, or explicit cautions by the medical device manufacturer. In some cases we understand that the hospital is concerned about liability brought on by accidentally affecting the correct operation of the device. The effect of loading updates and/or additional software is never completely known or understood.

    The FDA understands the problem. FDA guidance makes it clear that updates and patches to software to protect against viruses, worms and other threats are important, and specifically that they do not have to review or certify these “patches or updates,” in their guidance document for manufacturers on the cybersecurity of networked medical devices.17 The goal is that manufacturers must stay focused on developing and maintaining adequate cyber defense capability within their medical device platforms. On the other side of the situation, the hospitals are concerned and perhaps evaluating ways to remediate specific situations without the manufacturer’s consent. This can perhaps create more problems than it solves. The FDA has stated that they don’t expect you to have the expertise of the manufacturer and provides direction to work with them to deal with potential cybersecurity vulnerabilities.18

    Hospitals have many departments and most must purchase a variety of highly specialized, FDA approved medical device equipment. This equipment has network access and generally is believed to be within a “protected network.” The protection afforded by the internal network generally includes a firewall, signature-based protection such as anti-virus software, other endpoint and intrusion security and more. To be blunt, there are very few diagnostic cyber security tools a hospital can use that can identify malware resident on the overwhelming majority of these devices. In fact, even when malware is suspected, most hospital security teams have no idea how to get a memory dump from these systems sufficient for analysis and malware diagnosis.

    16 http://www.fda.gov/MedicalDevices/ProductsandMedicalProcedures/DeviceApprovalsandClearances/
    17 http://www.fda.gov/MedicalDevices/DeviceRegulationandGuidance/GuidanceDocuments/ucm077812.htm
    18 http://www.fda.gov/RegulatoryInformation/Guidances/ucm070634.htm

  • 10. These devices are closed devices, running out-of-date, closed, oftentimes modified and likely insecure operating systems such as Windows 2000, Windows XP or Linux. That’s why the MEDJACK attack vector presents a highly vulnerable target to attackers on a global basis. The defenders cannot easily get in to detect or remediate an attack. On the other hand, the attackers have an open door. So, the strategy behind the MEDJACK attack vector becomes apparent very quickly.

    The security gap that makes MEDJACK so appealing is that most of the information technology cyber defense in the “protected network” cannot run on the medical devices. Cyber defense can only run on the servers and workstations (personal computers) around them. Once the attacker can get into the network and bypass existing security, they have a time window to infect a medical device and establish a backdoor within this protected (and safe) harbor.

    Some of the more enterprising hospitals have likely tried to install cyber protection on some of the devices. Most hospital teams, and certainly their administration in the hospital, are generally cautioned (and concerned) about even the consideration of loading a piece of software onto the medical devices. Any software beyond a patch or update supplied by the manufacturer might negatively impact FDA approval. This situation also has the potential to create additional liability for the hospital. It is a small step to conceive of a scenario where the loading of additional software by the hospital, unspecified by the medical device manufacturer, could impact performance or accuracy negatively and result in patient injury.

    “MEDJACK has brought the perfect storm to major healthcare institutions globally. The health information technology team is totally dependent on the manufacturers to build and maintain security within the device. The medical devices themselves just do not have the requisite software to have any chance of detecting most of the software payloads delivered by a MEDJACK attack and cannot detect the command and control networks once they are established. Finally, the standard cyber security environment set up in the hospital, regardless of how effective it might be, cannot access the internal software operations of medical devices. For all of these reasons MEDJACK is very difficult to detect and remediate.” -Carl Wright, EVP & General Manager, TrapX Security
  • 11. Compromised devices can include any medical device with internet connectivity. In our three (3) case studies this included the picture archiving and communications system (PACS) in one hospital’s radiology department, a medical x-ray scanner in another hospital’s radiology department and several blood gas analyzers in a third hospital’s laboratory in service to critical care and emergency services.

    Note that even after our deception technology detects the MEDJACK within the devices, remediation may still be difficult. Complex malware and persistent attacks often require that cyber security experts have access to the internals of the device itself. They must be able to access internal memory (they need to extract this in the form of a memory dump for analysis). This access is needed to determine exactly the variant of malware and to develop a plan for remediation in complex situations. This access to internal memory may not be achieved without considerable support from the manufacturer. Of course, standard support agreements between the hospital and the medical device manufacturer pertain to product functionality, but not to infection via the hospital’s networks and certainly not to remediation and repair in these circumstances.

    “TrapX Labs strongly recommends that hospital staff review and update their contracts with medical device suppliers. The manufacturer must contractually commit to step up to whatever cost is required to enhance the cyber defense in these devices. They must include very specific language about the detection, remediation and refurbishment of the medical devices sold to the hospitals which are infected by malware. They must have a documented test process to determine if they are infected, and a documented standard process to remediate them when malware and cyber attackers are using the devices.” -Moshe Ben Simon, Co-Founder & VP, TrapX Security, General Manager TrapX Labs

    There are many other devices that present targets for MEDJACK. This includes diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.), therapeutic equipment (infusion pumps, medical lasers and LASIK surgical machines), and life support equipment (heart-lung machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines) and much more. Most of these devices run standard Microsoft® Windows and the medical devices’ proprietary internal software. All of this has been through stringent FDA approval and certification.

  • 12. Doctors and nurses within intensive care depend on laboratory-based medical devices such as a blood gas analyzer to help diagnose problems and plan patient therapy. This sort of device is used often in critical care situations. A wrong reading can result in missing the delivery of required therapy, or perhaps delivering the wrong therapy, and materially harm the patient. Our research has told us that when compromised, a blood gas analyzer can become the pivot point to support an extended enterprise attack. Unfortunately, if the attackers’ goals change to those of a terrorist, these devices are wide open for attacks that can compromise device readings and operation, and threaten the patient’s well-being directly. Further, in time of need, these sorts of attacks can also be used to shut down critical hospital systems necessary for the treatment of patients and military personnel. Recognize that a pivot attack begins with the reconnaissance process. Attackers begin by looking for the weakest asset in the network for persistence. Medical devices and the MEDJACK attack vector are clearly the hospital’s “weakest link in the chain.”
  • 13. Case Study #1 – Hospital Laboratory - The Blood Gas Analyzer Pivot Attack

    Our first case study focuses on a global healthcare institution where we provided an installation of the basic DeceptionGrid system. Our involvement was part of an evaluation of deception technology. There were absolutely no indicators of malware infection or persistent threats visible to the customer. The customer had a very strong industry suite of cyber defense products. This included a strong firewall, intrusion detection (heuristics based), endpoint security and anti-virus and more. The hospital information technology team included a security operations command (SOC) team with several highly competent and experienced cyber technologists.

    Within a few days of our deployment of DeceptionGrid we received high level ALERTS to malicious activity within their networks. Upon inspection, it became apparent that this was a form of persistent attack and the attacker continued to move through their networks looking for appropriate targets. DeceptionGrid noted that the source of this lateral movement was in fact three (3) of the customer’s blood gas analyzers present in the hospital laboratory. These were each infected separately and each had now enabled a backdoor19 into the hospital networks. The lateral movement prior to our involvement enabled the infection of one of the hospital IT department’s workstations. Confidential hospital data was being exfiltrated to a location within the European Community. It is uncertain how many data records in total were successfully exfiltrated.

    19 http://searchsecurity.techtarget.com/definition/back-door
  • 14. We found the use of Zeus malware20 and we also found the presence of Citadel malware21 being used to find additional passwords within the hospital. The goal was to gain entry to the hospital systems to acquire data. It is clear that the PIVOT POINT for these attacks and the initial infection was the blood gas analyzers. We are completing our analysis, disclosure and discourse with the manufacturers.

    20 http://en.wikipedia.org/wiki/Zeus_%28malware%29
    21 http://securityintelligence.com/cybercriminals-use-citadel-compromise-password-management-authentication-solutions/#.VSFvhfnF80E
  • 15. The most important point of this analysis is not the malware. The malware could be a new zero-day form, or malware several years old and more common. We will successfully detect both kinds during their lateral movement. The most important point is that the relatively unprotected aspects of medical devices make successful attacks upon healthcare networks easier than upon most standard corporate information technology resources. The medical devices themselves create far broader exposure. It is the ideal environment upon which to launch persistent attacks with the end goal of accessing high value data. And this exposure is not easily remediated, even when the presence of malware is identified conclusively. We will expand upon this further during our analysis and recommendations.
  • 16. Case Study #2 – Hospital Radiology - The PACS Pivot Attack

    Our second case study focuses on a global healthcare institution where, as in the first case study, we provided an installation of the basic DeceptionGrid system. Once again, our involvement was part of an evaluation of deception technology. As before, there were absolutely no indicators of malware infection or persistent threats visible to the customer. The customer had a typical industry suite of cyber defense products. This included, as before, an industry standard firewall, intrusion detection (heuristics based), endpoint security and anti-virus. The hospital information technology team included a security specialist with a strong background and experience.

    Almost upon deployment, DeceptionGrid generated high level ALERTS that indicated malicious activity within their networks. This was a form of persistent attack and the attacker continued to move through their networks looking for appropriate targets. DeceptionGrid noted that the source of this lateral movement was the picture archiving and communication system (PACS) that provided the radiology department with storage of and access to images derived from multiple sources. These image sources included CT scanners, MRI scanners, portable x-ray machines (C-arms), x-ray and ultrasound equipment. The PACS system is central to hospital operations and is linked very directly to the rest of the hospital for access to vital imagery. This imagery is used for diagnosis and treatment. Further, ambulatory physicians have access to this imagery through their EMR systems located within their individual practice office locations. So the PACS system is well positioned to be the pivot point for an advanced persistent attack.
  • 17. The lateral movement prior to our involvement enabled the infection of a key nurse’s workstation. Confidential hospital data was being exfiltrated to a location within the Asia Pacific region. It is uncertain how many data records in total were successfully exfiltrated. Communications went out encrypted using port 443 (SSL) and were not detected by existing cyber defense software.

    The attack vector was very simple and basic. After reconnaissance, the attackers sent targeted email to the hospital. All it took was for one person to click on the link. This took them to a website which enabled the installation of a Java exploit which was able to download onto the workstation, and then spread. Information technology’s cyber defense detected this, and likely eliminated it, but not before it infected the PACS systems. As in our first case study, the hospital’s standard cyber defense was unable to scan or remediate anything within the PACS system.

  • 18. So now the persistent attack can continue, as a backdoor was set up through the PACS system. The PACS system has become the pivot point for the attack across the healthcare enterprise.
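Both case studies share one observable trait that does not depend on scanning the device itself: a laboratory analyzer or a PACS server initiated connections it has no clinical reason to make, to an IT workstation and to an external host on port 443. The following added example, written for this page and not TrapX code or DeceptionGrid logic, shows how a SOC can review ordinary flow records against an asset inventory of medical devices and flag exactly those two behaviours. The inventory, peer allowlist, internal address ranges and flow lines are all constructed for illustration.

```python
"""Review flow records for connections that should never originate from a
medical device.  Added example for this page; the inventory, peer lists and
flow lines below are constructed, not data from the report."""
from dataclasses import dataclass
import ipaddress

# Constructed asset inventory: hosts the biomedical team has tagged as medical
# devices.  They are turnkey systems that cannot run endpoint agents, so
# "who did it talk to" is the signal we can still collect for them.
MEDICAL_DEVICES = {
    "10.20.1.11": "blood gas analyzer (laboratory)",
    "10.20.1.12": "blood gas analyzer (laboratory)",
    "10.30.5.40": "PACS server (radiology)",
}

# Constructed peer allowlist: the only internal hosts or subnets each device is
# expected to initiate connections to (LIS, EMR gateway, imaging modalities).
EXPECTED_PEERS = {
    "10.20.1.11": ["10.10.0.5/32"],
    "10.20.1.12": ["10.10.0.5/32"],
    "10.30.5.40": ["10.10.0.7/32", "10.30.5.0/24"],
}

# Address space the hospital treats as internal (assumption).  Anything else is
# external.  Explicit ranges are used instead of ipaddress.is_global because
# the documentation addresses in the sample are not "global" by its definition.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Alert:
    kind: str          # "external_connection" or "lateral_movement"
    src: str
    device: str
    dst: str
    dport: int
    bytes_out: int


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_expected_peer(src: str, dst: str) -> bool:
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(p) for p in EXPECTED_PEERS.get(src, []))


def review_flows(lines):
    """Parse 'timestamp,src,dst,dport,bytes_out' lines and return one Alert for
    every flow that a medical device initiated toward an unexpected destination."""
    alerts = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()      # drop inline comments
        if not line:
            continue
        _ts, src, dst, dport, bytes_out = [f.strip() for f in line.split(",")]
        if src not in MEDICAL_DEVICES:
            continue                             # workstations are covered by other controls
        if not is_internal(dst):
            kind = "external_connection"         # a device has no business reaching the internet
        elif not is_expected_peer(src, dst):
            kind = "lateral_movement"            # device talking to a host outside its role
        else:
            continue
        alerts.append(Alert(kind, src, MEDICAL_DEVICES[src], dst, int(dport), int(bytes_out)))
    return alerts


def pivot_candidates(alerts):
    """Group alerts by source so the SOC sees which devices behave like pivot points."""
    by_src = {}
    for a in alerts:
        by_src.setdefault(a.src, set()).add(a.kind)
    return {src: sorted(kinds) for src, kinds in by_src.items()}


# Constructed flow export; the comments say what each line is meant to represent.
SAMPLE_FLOWS = """\
2015-03-10T02:14:07Z,10.20.1.11,10.10.0.5,5001,4096        # analyzer uploads results to the LIS: expected
2015-03-10T02:15:22Z,10.20.1.11,10.40.8.23,445,1200        # analyzer -> IT workstation: lateral movement
2015-03-10T02:16:03Z,10.30.5.40,10.10.0.7,104,90000        # PACS -> EMR gateway over DICOM: expected
2015-03-10T02:17:48Z,10.30.5.40,203.0.113.77,443,3500000   # PACS -> external host on 443: possible exfiltration
2015-03-10T02:18:10Z,10.40.8.23,198.51.100.9,443,20000     # workstation browsing: not a device, ignored here
2015-03-10T02:19:30Z,10.20.1.12,10.40.8.23,3389,800        # second analyzer -> same workstation: lateral movement
"""

if __name__ == "__main__":
    found = review_flows(SAMPLE_FLOWS.splitlines())
    for a in found:
        print(f"{a.kind:20} {a.device:32} {a.src} -> {a.dst}:{a.dport} ({a.bytes_out} bytes)")
    print(pivot_candidates(found))
```

The content of the port 443 session is opaque, as the report notes, so the rule keys on who initiated the flow rather than on what it carried: a PACS server does not open sessions to the internet, and an analyzer does not open SMB or RDP sessions to workstations. The peer allowlist has to come from the biomedical engineering inventory, and a hit is a lead for the SOC rather than proof of compromise; a vendor remote-support session would trip the same rule and should be allowlisted explicitly.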
Obfuscation of Malware in Healthcare Attacks

Tools have evolved to help mask old, easily detectable malware threats as new malware. This technique is called obfuscating malware. In effect it creates new malware, because the existing malware is camouflaged and invisible to detection and defensive techniques. This strategy does not work as well in markets such as financial services and insurance, where the vulnerabilities associated with medical devices do not exist. But healthcare is a different story. Using MEDJACK as the vector of choice, attackers are able to remanufacture and redeploy old exploits, even malware as old as CONFICKER [22] and dozens of others, with tremendous impact. All of this, of course, makes healthcare institutions more vulnerable. These exploits root within medical devices in major healthcare institutions and evade most cyber defense software for extended periods of time. The IT teams believe that the environment is clear of threats. In fact, these persistent attackers are comfortably situated within the enterprise and free to exfiltrate confidential patient records or, worse yet, perhaps some day to enable harm to fall on patients directly.

Obfuscation techniques we see used by malware in healthcare include:

Polymorphism. Polymorphic malware morphs and changes over time so that it is not easily detected by anti-malware software. The malicious code can change in a variety of ways, including how it is encrypted and compressed, and even its filename and extension. The basic function of the malware stays the same (a password stealer continues to function as a password stealer), but the changes cause significant delay in the time to detection.

Software Packers (Repacking). Packers are normally used by legitimate software manufacturers to keep proprietary information private while retaining the function of the software. These software packers are placed around modules of software to compress and sometimes encrypt their contents. While they can be legitimately used by software manufacturers, they are very commonly used by malware to hide the contents of malicious files from cyber defense software scanners. Packers process executable files as they run, in real time: the malware is first unpacked, then loaded into memory and executed. A file can be packed and repacked many times with incremental changes to the packing method and to the file inside. This repacking process produces what appears to be a file that is undetectable by most signature-based and many heuristics-based techniques. The trend today in the healthcare malware we are seeing is to use this technique so that the attacker can invest less in creating original malware and instead remanufacture and repack older exploits targeted at the MEDJACK vector. Cyber defense software sometimes identifies packer software, but this often creates large quantities of excess false alerts based upon the legitimate use of packers within the enterprise.

Junk Code Injection. Sometimes it is as easy as inserting “junk code”, or extra lines, into the malware program. This can change the signature and make the malware undetectable. Modern malware creation tools make this attack on healthcare more challenging: imagine an attacker taking a malware program and then, through automation, creating 50 different copies of it, all appearing unique but delivering essentially the same functionality. Sandboxing techniques working in conjunction with anti-virus software can mitigate this to some extent, but not enough. Malware is also developed to work around this form of detection.

22 http://www.techopedia.com/definition/48/conficker
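As an added illustration (not part of the TrapX report), the following Python triages a constructed sample and two constructed obfuscated variants of it, a junk-padded copy and a repacked copy, showing why an exact-hash signature misses both while content-defined chunk similarity still catches the junk-code variant and a byte-entropy heuristic flags the packed one. The samples, blocklist, keystream and thresholds are all constructed for the demonstration, not real malware or real detection rules.

```python
import hashlib
import math


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text sits around 4-5, native code around 6, while
    compressed or encrypted content such as a packer's output approaches 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def chunk_hashes(data: bytes, window: int = 8, mask: int = 0x3F) -> set:
    """Content-defined chunking: cut where the hash of the last `window` bytes
    has its low bits clear. Inserted junk then disturbs only the neighbouring
    chunk, so most chunks of a junk-padded variant still match the known sample."""
    chunks, start = set(), 0
    for i in range(window, len(data)):
        tag = hashlib.blake2b(data[i - window:i], digest_size=2).digest()
        if int.from_bytes(tag, "big") & mask == 0:
            chunks.add(hashlib.sha256(data[start:i]).hexdigest())
            start = i
    chunks.add(hashlib.sha256(data[start:]).hexdigest())
    return chunks


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if a or b else 0.0


def xor_keystream(data: bytes, key: bytes) -> bytes:
    """Deterministic stand-in for a packer's encryption layer (constructed)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


# Constructed samples: ORIGINAL stands in for a known malware body whose exact
# SHA-256 is blocklisted; the variants model the report's two obfuscations.
ORIGINAL = b"".join(b"call sub_%04x ; mov eax, %d\n" % (i * 7919 % 65536, i)
                    for i in range(400))
JUNK_PADDED = b"\x90" * 64 + b"nop ; add eax, 0\n" * 20 + ORIGINAL  # junk code injection
PACKED = b"STUB:" + xor_keystream(ORIGINAL, b"constructed-key")     # repacked body
BLOCKLIST = {hashlib.sha256(ORIGINAL).hexdigest()}
KNOWN_CHUNKS = chunk_hashes(ORIGINAL)


def triage(sample: bytes, entropy_threshold: float = 7.0,
           similarity_threshold: float = 0.5) -> dict:
    """Three independent signals; any single hit routes the file to sandboxing."""
    verdict = {
        "hash_match": hashlib.sha256(sample).hexdigest() in BLOCKLIST,
        "similar_to_known": jaccard(chunk_hashes(sample), KNOWN_CHUNKS)
        >= similarity_threshold,
        "looks_packed": shannon_entropy(sample) >= entropy_threshold,
    }
    verdict["suspicious"] = any(verdict.values())
    return verdict
```

The packed variant defeats both the hash and the similarity check, which is why the report's packer discussion ends in sandboxing: entropy only says "inspect this", not what it does.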
Conclusions

In contrast to regular corporate IT networks, healthcare networks are much more vulnerable to attack. The data stored within healthcare networks remains a primary target for attackers on a global basis. For all of these reasons and more, we expect targeted attacks on hospitals to increase throughout 2015 and 2016. Further, based upon our experience and understanding of MEDJACK, we believe that a large majority of hospitals are currently infected with sophisticated malware that has remained undetected for months and in many cases years.

The important point of this report is that these vulnerabilities, as they exist in medical devices, render many components of the hospital’s cyber security technology useless. You cannot detect malware on a system which you cannot scan. The primary reason for this problem is that medical devices are closed systems. As FDA certified systems, they are not easily opened for the installation of additional third-party software by the hospital staff. This makes hospitals on a global basis wide open targets for attackers using a variety of malware and techniques.

Finally, even when sophisticated attacks are detected by new products using deception technology, it is still very difficult to remove the malware and blunt the attack. The outgoing IP addresses can be shut down, but removal of the malware is a tricky proposition. Hospitals really don’t want to impact the operation of these systems; they depend on them, often on a 24 x 7 basis. They are also concerned about liability. What happens if the hospital IT team impacts the operation of the medical device and that results in an errant diagnosis or therapy? And finally, infection by malware is so prevalent that hospitals will be spending many tens of thousands of dollars with a variety of manufacturers cleaning the devices and reloading the medical device software. It’s a perfect storm for attackers, and our healthcare institutions are in the middle of it.
Recommendations

Our review of the security infrastructure of the studied hospitals provided very valuable and useful information for us. These findings are supported by TrapX Labs (TSL) research and experience and by our constant dialog with other leading security experts on a global basis. We see multiple areas for deeper and continued research. In terms of specific recommendations, hospitals and major healthcare institutions should consider the following:

• Review and update your strategy to rapidly integrate and deploy software and/or hardware fixes provided by the manufacturer for your medical devices. These need to be tracked and monitored by senior management and quality assurance teams.
• Review and update your strategy to procure medical devices from any vendor only after a review with the manufacturer that focuses on its cyber security processes and protections. Conduct quarterly reviews with all of your medical device manufacturers.
• For your existing medical devices, TrapX Labs strongly recommends that hospital staff review and update their contracts with medical device suppliers. Renegotiate now. If these new services raise operating budgets, we believe that the additional expense is necessary and prudent. The manufacturer must contractually commit to step up to whatever cost is required to enhance the cyber defense of these devices. The contracts must include very specific language about the detection, remediation and refurbishment of medical devices sold to the hospital which are infected by malware. The manufacturer must have a documented test process to determine whether devices are infected, and a documented standard process to remediate them when malware and cyber attackers are using the devices.
• Consider a strategy to review and remediate your existing devices now. We estimate that over 2/3 of these are likely infected and placing your operation and patients at risk.
• If you are a healthcare entity within the U.S., it is very possible you will find exfiltration of patient data (more than 500 patients affected) within the notification trigger of HIPAA. Compliance and information technology must work together to document these incidents and provide the notice and follow-up required by law. There are similar compliance requirements in many countries around the world; this advice applies on a global basis.
• Hospitals in the U.S. are very likely primary targets over time for HIPAA compliance audits. Given the extreme risk of data breach that hospitals face, we recommend bringing in outside consultants to review your HIPAA compliance program in 2015.
• Avoid allowing any of these devices to provide USB ports for staff use without additional protections. Consider the one-way use of new memory sticks only, to preserve the air gap. Otherwise one medical device can infect similar devices.
• Favor signed software; code signing is a mathematical technique used to validate the authenticity of the software.
• Run security tests to discover vulnerabilities and to help with the management of your medical device manufacturers.
• Implement advanced firewalls to resist attacks and only allow specified IP addresses in or out. Most firewalls are incorrectly configured and don’t have the latest features and defenses available. It takes a security expert to understand the best ways to configure the latest firewalls; this is not business as usual for your information technology team.
• Protect the project management interface on medical devices from inside attackers and only allow limited access to these devices based upon need.
• Utilize a technology designed to identify malware and persistent attack vectors that have already bypassed your primary defenses. Deception technology can provide this advantage for your security operations center (SOC) team.
• If you are a smaller hospital or clinic, obtain the services of a managed security service provider (MSSP) to manage these challenging security issues on an ongoing basis.
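The firewall recommendation above (only specified IP addresses in or out) and the note in the Conclusions that outgoing addresses can be shut down both rest on knowing exactly what each unscannable device is allowed to talk to. As an added example that is not TrapX code, this Python checks constructed flow records from a medical-device VLAN against a per-device egress allow-list and separately flags regular check-ins to a single destination; the device roles, addresses, policy and thresholds are assumptions made for the demonstration.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed egress policy: device IP -> allowed (destination IP, port) pairs.
# Addresses are RFC 1918 / RFC 5737 placeholders, not from any real deployment.
EGRESS_POLICY = {
    "10.20.1.15": {("10.10.5.20", 443), ("10.10.5.21", 104)},  # blood gas analyzer: LIS, PACS
    "10.20.1.40": {("10.10.5.21", 104), ("10.10.5.30", 443)},  # PACS workstation: archive, updates
}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records from the device VLAN: seconds, src, dst, dport, bytes.
FLOW_LOG = """\
60,10.20.1.15,10.10.5.20,443,5120
120,10.20.1.15,10.10.5.21,104,88000
300,10.20.1.40,198.51.100.77,443,1200
600,10.20.1.40,198.51.100.77,443,1180
900,10.20.1.40,198.51.100.77,443,1210
1200,10.20.1.40,198.51.100.77,443,1195
1300,10.20.1.15,10.20.1.40,445,300
"""


def parse_flows(text: str) -> list:
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def policy_violations(flows: list) -> list:
    """Flows from a policed device to a (dst, port) outside its allow-list. Non-private
    destinations are the exfiltration or C2 candidates to block at the firewall;
    private ones point at device-to-device movement inside the VLAN."""
    findings = []
    for f in flows:
        allowed = EGRESS_POLICY.get(f["src"])
        if allowed is not None and (f["dst"], f["dport"]) not in allowed:
            findings.append({**f, "kind": "lateral" if is_private(f["dst"]) else "external"})
    return findings


def beacons(flows: list, min_count: int = 4, max_jitter: float = 0.1) -> list:
    """Repeated connections to one destination at a near-constant interval: the
    check-in pattern of a backdoor waiting for instructions."""
    by_dest = defaultdict(list)
    for f in flows:
        by_dest[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    found = []
    for (src, dst, dport), times in by_dest.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_count and statistics.pstdev(gaps) <= max_jitter * statistics.mean(gaps):
            found.append({"src": src, "dst": dst, "dport": dport, "count": len(times),
                          "interval": statistics.mean(gaps)})
    return found
```

Run `policy_violations(parse_flows(FLOW_LOG))` and `beacons(parse_flows(FLOW_LOG))`; in the constructed log the PACS workstation's four external flows are both a policy violation and a 300-second beacon, while the analyzer's SMB connection to the workstation is flagged as lateral movement.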
Introducing Deception Technology for Healthcare

Deception technology is a new category of cyber security designed to meet head-on the threats of malicious software, targeted attacks, zero day exploits and other sophisticated attacks. DeceptionGrid automates the deployment of a network of camouflaged malware traps that are intermingled with your real information technology resources. The traps appear identical in every way to your real IT assets. Once malware has penetrated your enterprise, the attackers move laterally to find high value targets. Just one touch of the DeceptionGrid sets off a high confidence ALERT. Real-time automation isolates the malware and delivers a comprehensive assessment directly to your SOC team. Now the basic pattern of malware deployment and privilege escalation activity is disrupted. At the first moment of reconnaissance and lateral movement the APT is identified positively. Automation adds powerful forensics so that your SOC team has an almost immediate understanding of the nature of the attack. You can begin rapidly to implement the best path for remediation and removal.
DeceptionGrid – Breaking the Intrusion Chain

The TrapX DeceptionGrid™ now makes it possible to break the intrusion chain. Attackers map the network and move laterally. Just one touch of the DeceptionGrid sets off a high confidence ALERT. Real-time automation isolates the malware and delivers a comprehensive assessment directly to your SOC team.
DeceptionGrid – Core Functionality

DeceptionGrid has been designed from the beginning to fit efficiently and securely into healthcare operations. DeceptionGrid includes Malware Trap Sensors and Network Intelligence Sensors. Our Security Intelligence Management provides Integrated Event Management and fully automated Forensic Analysis. This automated analysis enables the SOC to move faster and at the same time reduce costs, as excess escalation is no longer required. Further, DeceptionGrid’s mechanism for generating an alert is not based upon a probabilistic event or clustering around adjustable thresholds. These are very high confidence events. These alerts are directly generated and triggered by explicit contact with our Malware Trap Sensors.

DeceptionGrid includes important core functionality to support your cyber defense. This includes:

Automated Deployment of Camouflaged Malware Traps
The platform scans the existing network and creates a camouflaged network of emulated systems, including servers, switches, databases, and applications, interleaved with the real assets.

Sandbox Analysis
Payloads affecting these malware traps are immediately inspected for known behaviors, such as a search engine crawler, and any unknown activity is transferred and isolated in a sandbox server. As soon as Zero-Day malware starts executing within the sandbox, the platform’s forensics server examines it and builds a detailed model of the exploit architecture in real time, with no added expertise needed from security personnel. This radically reduces the time and effort required to identify, analyze, and remediate threats. DeceptionGrid produces a level 3 analysis. This includes both a static and dynamic analysis, profile and signature set.

Integrated Event Management
The information produced in this automated analysis is then pulled into the platform’s management system, tagged with a distinct event ID, and stored within an integrated event-management database. This actionable threat intelligence can be shared or integrated with the customer’s existing security systems in the network.

Threat Intelligence
DeceptionGrid’s business-intelligence engine builds a profile of the attack vector and performs root-cause analysis on the event. The engine then correlates this information with outside information from a fully integrated threat-intelligence feed.

Outbound Packet Inspection (BOTNET Detection)
DeceptionGrid also provides packet inspection of outbound traffic to identify malicious behavior on existing servers. DeceptionGrid uses intelligence from the malware traps to target specific behaviors and components, and to spot lateral movement of complex threats. This sharing allows the engine to catch more infected assets before they spread. This sharing also adds greater scalability and efficiency to the system, and avoids many of the performance and latency problems associated with deep packet inspection technology.
DeceptionGrid – Key Components

These are the key components in a system deployment:

Malware Traps
A mesh of virtual decoy malware traps lures and diverts APT and Zero-Day attacks away from real hosts. This grid of decoy malware traps runs low-level emulations of many real-life systems in the network to present attackers with a high-fidelity emulation of reality. Our virtual network of malware traps catches undetected Zero-Day malware before it can infect real IT assets.

Management Dashboard
A dashboard with fully featured sandbox capabilities allows payloads captured by DeceptionGrid sensors to execute for real-time forensics investigation. An automated forensics engine examines the payload as it executes in real time within the sandbox to identify and catalogue the unique behavior and attributes of Zero-Day activity. Event data is pulled into a comprehensive event management database.

Business Intelligence Engine
A business intelligence engine takes event data and builds profiles to detect and prevent future attacks. A threat intelligence feed layered into event analysis is integrated directly into the management system, enabling attribution and the creation of topology maps. This rich data and intelligence analysis allows for swift remediation of known attacks against IT systems.

DeceptionGrid Platform
Users can deploy the TrapX platform in the cloud or on their premises. The platform is fully integrated and extensible. All communications between sensors and the management platform are secured by an encryption protocol that allows real-time updates without any kind of inbound firewall connection.

“Detection is a binary event – not probabilistic. There is no cloaking available to sophisticated attackers that enables them to violate the integrity of the detection. There are no false alerts. Any cyber event that touches the interlaced network of virtual “decoy” computing resources in DeceptionGrid is by definition malicious and unauthorized activity and is immediately alerted to your security team.”
– Yuval Malachi, Co-Founder and CTO, TrapX Security
DeceptionGrid - Benefits and Value for Healthcare

Deception technology brings strong benefits to our healthcare customers. We address key pain points within their existing cyber defense strategy. Some key value points include:

• We detect mid-point VLAN movement by malware in real time, which is unseen by other cyber defenses. We monitor and protect these areas. This enables us to detect the movement of malware emanating from medical devices which do not run or allow scanning by your standard cyber defense suite. This ultimately reduces the risk of economic loss, impact to business operations and threats to patient well-being.
• Our technology detects the movement of advanced malware almost immediately. We dramatically reduce the time to breach detection for the most sophisticated zero day events, advanced persistent threats (APTs) and other malware. The longer an attacker has access to your internal hospital networks, the greater the probability of severe economic and operational impact. Reduction in time to breach detection is a critical and important metric.
• We generate a small number of highly accurate and actionable alerts. Important events are not missed or ignored by your security operations center (SOC) team. This reduces the risk, as you can now more rapidly detect and defend against these complex threats to your hospital. No big data, no need to process thousands or millions of alerts. And no missed alerts.
• We identify malware within the VLAN and then automatically deliver a complete static and dynamic analysis. This provides your SOC team with a complete level 3 analysis without extensive manual processes. This helps reduce the time for your SOC team to determine the appropriate action.
• Our deployment is automated, simple and very fast. Our automation reduces the investment required to protect the entire enterprise. This makes it easy to plan for rapid deployment.
• Our Threat Intelligence Center automatically flows information from discovered threats across our network so that our customers can immediately benefit.
• DeceptionGrid seamlessly integrates into your existing hospital network architecture without requiring any changes to configuration or topology. This saves time and resources upon the initial implementation and over the life cycle of system support.
About TrapX Security

TrapX Security is a leader in the delivery of deception based cyber security defense. Our solutions enable our customers to rapidly isolate, fingerprint and disable new zero day attacks and APTs in real time. Uniquely, our automation, innovative protection for your core and extreme accuracy enable us to provide complete and deep insight into malware and malicious activity unseen by other types of cyber defense. TrapX Security has many thousands of government and Global 2000 users around the world, servicing customers in defense, healthcare, finance, energy, consumer products and other key industries.

Find Out More – Download a Free Trial
Come to www.trapx.com and download our FREE proof of concept and trial for qualifying organizations.

Find Out More – Contact Us Now
TrapX Security, Inc., 1875 S. Grant St., Suite 570, San Mateo, CA 94402
+1–855–249–4453
www.trapx.com
For sales: sales@trapx.com
For partners: partners@trapx.com
For support: support@trapx.com

Trademarks
TrapX, TrapX Security, DeceptionGrid and all logos are trademarks or registered trademarks of TrapX in the United States and in several other countries. Cyber Kill Chain is a registered trademark of Lockheed Martin. Other trademarks are the property of their respective owners. © TrapX Software 2013. All Rights Reserved.
Special Supplement - Wireless Access Brings Risk to Patients

Medical devices are worn, carried or embedded for ongoing medical therapy. Many of these are connected via wireless and represent new vectors for attack. Unfortunately, these attack vectors are not about financial gain. They are more about a direct threat to targeted personnel by organized crime, terrorists or nation states. We did preliminary research into the wide range of medical IoT devices used with ambulatory patients, including pacemakers, insulin pumps, drug pumps, deep brain neurostimulators, gastric stimulators, cochlear implants, vital sign monitoring and more. We also identified foot drop implants as a potential area of investigation. The goal was to understand and document attack vectors and assess the relative risk to patients.

The New Zealand hacker and computer security expert, Mr. Barnaby Jack, is widely credited with documenting initial attack vectors for the hack of insulin pumps and pacemakers. Mr. Jack’s testimony [23] in this area may have convinced the U.S. General Accounting Office (GAO) to recommend that the FDA improve information security for medical devices. We have confirmed these attack vectors as presenting potential risks for patient safety.

23 http://www.thedailybeast.com/articles/2013/07/26/the-good-hacker-barnaby-jack-dies.html