Why healthcare is ripe for APT attacks


Healthcare records have become one of the most valuable commodities on the dark web because they contain far more personal information than financial records. A medical record gives an attacker a more comprehensive picture of an individual than any financial data set, and that detail makes social engineering attacks, such as impersonating a victim's friends and colleagues, far more convincing.

Additionally, stolen credit cards have an extremely short service life, and even large financial data breaches are often mitigated by short-term credit and identity-theft monitoring. Healthcare records, by contrast, persist: a diagnosis or a date of birth cannot be reissued. Persistence adds value, but on its own it is not necessarily enough to motivate a persistent attack. What makes the difference is that healthcare records keep growing. Data is added through every patient visit and through increasing data sharing between providers, and new patients ensure a continuously expanding supply of records to sell on the dark web. To keep that cash flow going the attacker must stay inside the network, which is why healthcare providers of all sizes are targets.

How do APT attacks work?

APT actors use continuous, covert and well-resourced techniques to gain access to a network and remain inside it for a prolonged period of time, with potentially disastrous consequences. They achieve this in a series of stages:

  • Gain entry – Attackers exploit a vulnerable entry point, which could be an exposed network service, a phishing email or an insecure application. Once a way in has been found, they plant malware on a host inside the unwary network.
  • Get a grip – With the initial implant in place, attackers establish a foothold in the form of backdoors that let them move around the network undetected. Detection is hampered by fileless malware that runs only in memory, by polymorphic code that changes its form to get past signature-based defences, and by tooling that deletes itself to cover its own tracks.
  • Lateral movement – With a foothold established, attackers dig deeper, using tools such as password crackers to obtain administrative accounts and, with them, greater control over the infrastructure.
  • Post lateral movement – From this point onwards the attackers have, in effect, control over the systems they set out to reach, and they use it to gain access to other servers and the rest of the network.
  • Do recon – Safely settled inside the environment, attackers take their time building a fuller understanding of the systems and their weaknesses, then harvest the valuable data once it is ripe for the taking.

Attackers will maintain their presence, often for 200 days or more, or withdraw without a trace. Either way, they frequently leave a backdoor in place so that they can return to the network in the future.

Why do attackers target healthcare?

APTs should be on the radar of all IT leaders. In the eyes of "black hat" hackers, however, the healthcare sector remains a particularly high-value target, with data ripe for the taking. According to a recent study commissioned by Trustwave, the mean black-market value of a payment card record is $5.40, while the mean value of a healthcare record is $250.15. That difference is what makes the healthcare industry such a lucrative target.

Additionally, a lot of the healthcare industry still relies on equipment that runs unpatched versions of Windows XP. If attackers can exploit those vulnerabilities they gain a foothold in valuable infrastructure; from there, more advanced malware can be brought into the network, and that is how private medical records end up in the attackers' hands.

Exacerbating this are strained healthcare IT budgets that struggle to keep up with the increasing number of attacks, in part because the return on security investment is hard to measure before an incident happens. The result is a perfect storm in which perhaps the most important layer of defence, encryption, is sometimes overlooked entirely. Situations like this highlight the benefit of giving staff security awareness training, which safeguards valuable data and reduces the risk of further data breaches.

Persistence in attacks

Persistence matters to cybercriminals targeting the healthcare sector: it means they can extract data over a long period rather than in a one-off hit. One example of a persistent threat that has been around for years is the Conficker worm, a ten-year-old piece of malware. To this day Conficker remains one of the most frequently encountered threats on the Internet, and it is especially problematic for hospitals.

Although the worm is ten years old, it remains a significant threat to hospitals even though other organisations have long since been able to deal with it. One reason it persists within healthcare infrastructure is that much of the Windows XP estate there is an outdated, embedded copy of XP inside medical equipment that cannot easily be patched or replaced. Because Conficker provides an entry point into such a vulnerable network, more advanced malware can then be deployed to infiltrate it, giving attackers access to valuable medical records.
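The "Lateral movement" stage described above and the Conficker behaviour described here leave the same footprint on a network: one host reaching out to many peers over SMB (port 445) in quick succession, and repeated failed logons against administrative shares (Conficker guesses weak passwords for them) followed by a success. The script below is an added example, not code from the original article or from Webroot, that runs two such detection rules over constructed log lines. The line format, host addresses, timings and thresholds are assumptions made for the example; a real deployment would feed it firewall flow records and Windows logon events instead.

```python
"""
Added detection example: flag worm-like SMB fan-out and admin-share password
guessing. Not from the original article or from any vendor product.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the hosts, times and line format are assumptions
# made for this example, not records from any real hospital network.
# Fields: timestamp src_ip dst_ip dst_port event
SAMPLE_LOGS = """\
2019-03-04T10:00:01 10.1.1.20 10.1.1.21 445 SMB_CONNECT
2019-03-04T10:00:02 10.1.1.20 10.1.1.22 445 SMB_CONNECT
2019-03-04T10:00:02 10.1.1.20 10.1.1.22 445 LOGON_FAIL
2019-03-04T10:00:03 10.1.1.20 10.1.1.22 445 LOGON_FAIL
2019-03-04T10:00:03 10.1.1.20 10.1.1.22 445 LOGON_FAIL
2019-03-04T10:00:04 10.1.1.20 10.1.1.22 445 LOGON_FAIL
2019-03-04T10:00:05 10.1.1.20 10.1.1.22 445 LOGON_OK
2019-03-04T10:00:06 10.1.1.20 10.1.1.23 445 SMB_CONNECT
2019-03-04T10:00:07 10.1.1.20 10.1.1.24 445 SMB_CONNECT
2019-03-04T10:00:08 10.1.1.20 10.1.1.25 445 SMB_CONNECT
2019-03-04T10:00:09 10.1.1.20 10.1.1.26 445 SMB_CONNECT
2019-03-04T10:01:00 10.1.1.50 10.1.1.10 445 SMB_CONNECT
2019-03-04T10:01:01 10.1.1.50 10.1.1.10 445 LOGON_OK
2019-03-04T10:05:00 10.1.1.50 10.1.1.11 445 SMB_CONNECT
2019-03-04T11:00:00 10.1.1.51 10.1.1.10 445 SMB_CONNECT
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, event)."""
    ts, src, dst, port, event = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), event


def detect_fanout(events, port=445, threshold=5, window=timedelta(seconds=60)):
    """One source reaching >= threshold distinct hosts on `port` inside `window`
    is the signature of a scanning worm, not of a user opening a file share."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    alerts = {}                   # src -> alert dict, so each source alerts once
    for ts, src, dst, p, ev in events:
        if p != port or ev != "SMB_CONNECT":
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:      # expire entries older than the window
            q.popleft()
        hosts = sorted({d for _, d in q})
        if len(hosts) >= threshold:
            if src not in alerts:
                alerts[src] = {"rule": "fanout", "src": src, "first": q[0][0]}
            alerts[src]["hosts"] = hosts  # keep the target list current
    return list(alerts.values())


def detect_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """>= threshold failed logons from one source to one host inside `window`
    looks like password guessing against an admin share; a LOGON_OK from the
    same pair inside the window upgrades the alert to 'confirmed'."""
    fails = defaultdict(deque)    # (src, dst) -> failure timestamps in the window
    alerts = {}                   # (src, dst) -> alert dict
    for ts, src, dst, _port, ev in events:
        key = (src, dst)
        if ev == "LOGON_FAIL":
            q = fails[key]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(key, {"rule": "bruteforce", "src": src,
                                            "dst": dst, "first": q[0],
                                            "confirmed": False})
                a["failures"] = len(q)
        elif ev == "LOGON_OK" and key in alerts:
            if ts - alerts[key]["first"] <= window:
                alerts[key]["confirmed"] = True
    return list(alerts.values())


def analyse(log_text):
    """Parse, time-order and run both rules; returns a list of alert dicts."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    return detect_fanout(events) + detect_bruteforce(events)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS):
        print(alert)
```

On the sample, 10.1.1.20 trips both rules (six SMB targets in eight seconds, and four failed logons against 10.1.1.22 followed by a success), while 10.1.1.50, a user touching two file servers minutes apart, trips neither. The sliding windows are what keep the second case quiet: a long-lived host legitimately talks to many peers over a day, so the rule counts distinct targets per minute, not per lifetime.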

Although healthcare organisations are improving their defences, APTs continue to be problematic for IT professionals, especially as the amount of data held on patients and employees continues to rise. To avoid repeating past calamities, the NHS has begun to implement defensive measures across the organisation, including a data security e-learning session that ensures staff across England are equipped to handle information in compliance with proper security protocols.

This is a good step forward for healthcare, as a focused approach to raising security awareness amongst staff is needed, especially while human error continues to let attackers into networks through phishing. Awareness training combined with anti-malware software is a strong first line of defence for healthcare organisations. Once those boxes have been ticked, IT security professionals must ensure that the appropriate steps are taken to secure the other layers: network, server, perimeter and endpoint. When it comes to protecting data, no organisation can rest on its laurels. Only a threat intelligence service, combined with a layered security offering that includes security awareness training, can alleviate these threats.

Randy Abrams, Senior Security Analyst, Webroot