The HIMSS October cybersecurity report has highlighted five current cybersecurity threats that could be used against healthcare groups to obtain access to networks and protected health data.
Cyber Attacks Using WiFi
Security researchers have discovered a new cyberattack method called a key reinstallation attack (KRACK) that can target WiFi networks using the WPA2 protocol. These attacks exploit a flaw in the way the protocol performs the 4-way handshake when a user attempts to access the network. By manipulating and replaying the cryptographic handshake messages, an attacker could potentially reinstall a key that was already in use and intercept all communications. The use of a VPN when using Wi-Fi networks is strongly recommended to limit the potential for this cyberattack scenario and for man-in-the-middle attacks.
BadRabbit Ransomware Cyber Attacks
Limited BadRabbit ransomware attacks have been experienced in the United States, although the NotPetya-style ransomware attacks have been widespread in Ukraine. As with NotPetya, it is thought that the aim is to inflict disruption rather than to make a financial profit. The attacks are now believed to use NSA exploits that were also utilized in other global ransomware attacks. Mitigations include ensuring software and operating systems are kept 100% up to date and all patches are applied quickly. It is also vital that backups are performed regularly. Backups should be stored safely on at least two different media, with one copy stored securely offsite on an air-gapped device.
Advanced Persistent Threats: Dragonfly
A cyberattack campaign operated by an APT group known as Dragonfly has been in action since at least May 2017. The APT group is targeting critical infrastructure groups. The usual attack scenario is to target small networks with relatively poor security structures, and once access has been obtained, to move laterally to major networks with high value assets. While the group has mainly been attacking the energy sector, the healthcare sector is also under threat. Further information on the threat and the indicators of compromise can be downloaded from the US-CERT website.
In October, security researchers issued a public warning about the danger of Dynamic Data Exchange (DDE) cyberattacks targeting Outlook users. This cyberattack scenario uses calendar invites sent via phishing emails. The invites are distributed in Rich Text Format, and opening the invites could result in the installation of malware. Sophos warned of this danger and suggested that one possible mitigation is to view emails in plaintext format. These cyberattacks will present a warning indicating that the attachments, emails and calendar invites contain links to other files. Users should always click ‘no’ when asked to update documents with data from the linked files in the invites.
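A defender-side check for the DDE scenario above, added here as an example and not taken from HIMSS or Sophos: it walks an RTF body, reassembles each field instruction even when its text is split across nested formatting groups, and flags DDE/DDEAUTO fields. It assumes the RTF body has already been extracted from the message; the function names and sample RTF strings are constructed for illustration.

```python
import re

CONTROL = re.compile(r"\\[A-Za-z]+-?\d* ?")        # control word, e.g. \f1 or \rtlch
DDE_FIELD = re.compile(r"(DDEAUTO|DDE)\b", re.I)   # field types that invoke DDE

def field_instructions(rtf):
    """Return the plain text of every \\fldinst group in an RTF body."""
    marker, found = "\\fldinst", []
    pos = rtf.find(marker)
    while pos != -1:
        i, depth, out = pos + len(marker), 0, []
        while i < len(rtf):
            ch = rtf[i]
            if ch == "\\":
                m = CONTROL.match(rtf, i)
                if m:                               # formatting only: skip it
                    i = m.end()
                    continue
                if rtf[i + 1:i + 2] in ("\\", "{", "}"):
                    out.append(rtf[i + 1])          # escaped literal character
                i += 2
                continue
            if ch == "{":
                depth += 1
            elif ch == "}":
                if depth == 0:                      # end of the fldinst group
                    break
                depth -= 1
            else:
                out.append(ch)
            i += 1
        found.append(" ".join("".join(out).split()))
        pos = rtf.find(marker, i)
    return found

def dde_fields(rtf):
    """Return the DDE/DDEAUTO field instructions found in the body."""
    return [f for f in field_instructions(rtf) if DDE_FIELD.match(f)]

# Constructed samples (placeholders only, no working command).
PLAIN = r'{\rtf1 {\field{\*\fldinst DDEAUTO "placeholder-app" "placeholder-topic"}{\fldrslt }}}'
SPLIT = r'{\rtf1 {\field{\*\fldinst {\rtlch\f1 DD}{\f1 EAUTO "placeholder-app" "x"}}{\fldrslt }}}'
BENIGN = r'{\rtf1 {\field{\*\fldinst HYPERLINK "https://example.org/"}{\fldrslt link}}}'

if __name__ == "__main__":
    for name, body in (("plain", PLAIN), ("split", SPLIT), ("benign", BENIGN)):
        print(name, dde_fields(body))
```

A mail gateway or triage script could quarantine or tag any message for which `dde_fields` returns a non-empty list, complementing the plaintext-view mitigation.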
Cyberattacks on Medical Device Security
HIMSS has drawn attention to the danger of cyberattacks on medical devices, pointing out that these are a soft spot and normally have poor cybersecurity protections. As was the case with the APT critical infrastructure cyberattacks, it is these soft spots that malicious actors look to use to gain access to networks and data. HIMSS has warned healthcare groups to heed the advice of analysts, who predict the devices will be attacked using ransomware. Steps should be implemented to isolate the devices and back up any data stored on the devices, or on the computers and networks to which they connect.
Medical device security was also addressed in the Office for Civil Rights October cybersecurity newsletter. While not specifically referred to in its list of current cybersecurity campaigns, the threat from phishing is ongoing and is still one of the most serious threats to the confidentiality, integrity and availability of PHI. The risk of harm can be lessened with anti-phishing defenses such as spam filtering software and with staff training to enhance security awareness.