Cyber Threat Trends in Healthcare
S.C. Leung, Senior Consultant
HKCERT
Hong Kong Computer Emergency Response Team Coordination Centre
• Established in 2001
• Funded by Government
• Operated by Hong Kong Productivity Council (HKPC)
HKCERT Services
• Incident Report
• Security Watch and Warning
• Cross-border collaboration
• Awareness education and guideline
24-hr Hotline: 8105-6060
Free subscription
https://www.hkcert.org/subscription
Free of charge service to Hong Kong Internet users and enterprises
Agenda
• Cyber Threat Trends
• Two Cyber Security Programmes for Healthcare
Healthcare – Data Breach
US Healthcare Data Breach Statistics 2018
Total: 293 cases
Total affected users in Top 10 cases: 8.2M
Breakdown by type:
• Hacking/IT Incidents: 136
• Unauthorised access: 105
• Theft: 34
• Loss: 11
• Improper Disposal: 7
Hacking/IT incidents accounted for nearly half of the reports.
Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
US Healthcare Sector concerned about Data Breach
Feeling very or extremely vulnerable to sensitive data threats
• Global Average 34%
• US Healthcare 56%
Experienced Data Breach in 2018
• Global Average 36%
• Global Healthcare 39%
• US Healthcare 48%
Source: 2018 Thales Data Threat Report (US Healthcare Edition)
Medical information sells for 20 times the price of credit card numbers in the underground market ($20-$40 each).
Fraudsters use this data to create fake IDs to buy medical equipment or drugs,
or combine it with a false provider ID to file fake claims with insurers.
Credit card data theft can be reported to the bank, which can act immediately (cancel and reissue the card).
The damage from patient data theft cannot be contained in the same way.
Cyber Security Concerns on Medical Systems / Devices
• Medical systems / devices are regulated by healthcare authority
• Long lifecycle: devices outlive the OS support period (e.g. Windows XP)
• Balance of power: manufacturers have great influence
• Incident Response for medical devices may be slow
• Healthcare IT teams have difficulty installing their own suite of
cyber defences while ensuring compatibility
WannaCry’s Wake-up Call for Healthcare cyber risks
• 81 NHS hospitals and 595 GP practices in the UK were disrupted by WannaCry ransomware in 2017
• 1,900 appointments cancelled
• Resorted to pen and paper operation
• £92M loss (data restoration, fixing damage and system checks)
• The affected bodies had not applied the patch for the SMB vulnerability targeted by WannaCry.
Ransomware brought down hospitals in US
• 10 hospitals and 250 outpatient centres shut down computer and email systems in 2016
• Patient safety issues in pen and paper operation
• Incomplete medical history and prescription records
• Computers not validating human errors
• Lab results delayed; a nurse continued a powerful antibiotic that has side effects
MedStar hospital centre infected with ransomware in 2016
What happened to SingHealth?
SingHealth hacking incident 2018
20 July 2018: SingHealth and CSA announced the SingHealth hacking case
• Non-medical data of 1.5M patients illegally accessed and copied (including Premier Lee's)
• Attack started from a user workstation
• A planned and organised attack – Advanced Persistent Threat
• Data was copied but not tampered with
10 Jan 2019: Full report of the Committee of Inquiry published
SingCERT's advisory told the story in its own way
1. Employ Strong Endpoint Protection
2. Tighten Control for Long-running or decommissioned Endpoints
3. Keep System Up-to-date
4. Review Domain Admin Accounts
5. Disable PowerShell for Standard Workstations
6. Monitor Unauthorized Remote Access of Database Access
Source: https://www.csa.gov.sg/singcert/news/advisories-alerts/measures-for-protecting-customers-personal-data
SingHealth Sunrise Clinic Manager (SCM) System
Architecture diagram: staff workstations in the User Zone run the SCM client app (screens of the SCM application) through a Citrix server farm; the Data Centre hosts the SCM application server, the SCM security server and the SCM database (patient e-records).
Administered by Integrated Health Information Systems (IHiS)
Anatomy of SingHealth Attack
Diagram components: workstations at Healthcare Institution A (Wksn A) and Healthcare Institution B (Wksn B); Citrix Server 1 and Citrix Server 2 at SGH, Citrix Server 3 at HDC; the SCM DB servers holding the medical records; and the attacker's C&C server on the Internet.
1. Initial entry (via phishing); call back to C&C (23 Aug 2017). Stayed stealthy for months. Exploited an unpatched Outlook vulnerability and installed a RAT. Downloaded PowerShell (.jpg files) from C&C (1 Dec 2017).
2. Lateral movement and privilege escalation: compromised endpoints and servers; compromised user and admin accounts (incl. DC admin) (Dec 2017 – Jun 2018).
3. A few failed access attempts to the SCM DB (11 - 13 Jun 2018); compromised SCM (26 Jun 2018).
4. Queried the SCM DB (27 Jun 2018 – 4 Jul 2018).
5a. Transferred data (27 Jun 2018 – 4 Jul 2018).
5b. Transferred data (27 Jun – 4 Jul 2018).
6. Exfiltrated data to the C&C server (27 Jun – 4 Jul 2018).
Legend: attacker's movement to the SCM DB server; flow of data exfiltration.
Source: COI Report
Cyber Kill Chain by Lockheed Martin
Lesson Learnt
• Cyber attacks start with anybody in the office
  • Opportunities for attackers: phishing, weak passwords (no 2FA), late patching
• It is not a matter of getting in but of STAYING IN
  • Attackers stay stealthy for months
• Lateral movement is a key feature of Advanced Persistent Threats
  • Key targets: domain controller, remote access
• Early opportunities to discover attacks
  • Detection of bulk queries and large traffic volumes
  • Experience of IT personnel in handling incidents
• Intelligence sharing is very important for the industry to pre-empt attacks
Knowing Our Enemy Better and Earlier is the Key to Defending Better
Cyber Security Information Sharing Programmes for Healthcare
Healthcare Cyber Security Watch Pilot Programme
• Use global cyber threat intelligence to locate your compromised computers
• Organisers: HKCERT and Microsoft
Cybersec Infohub
• Share and exchange information with a trusted community
• Organiser: OGCIO
Healthcare Cyber Security Watch Pilot Programme
LAUNCH TODAY: Mar 2019 – Feb 2020
Healthcare Cyber Security Watch Pilot Programme
01 Objective
02 Membership
03 Deliverables and Benefits
04 Security and Confidentiality
Objective
Make use of global cyber threat intelligence to inform the Hong Kong healthcare sector of attacks targeting their IT infrastructure, so that they can better mitigate security risks.
Membership
01 Any Hong Kong public or private hospital, clinic or medical laboratory can join.
02 The participating organisation has to provide its IP subnet information, which is used to match records in the cyber threat intelligence database hosted by the Organisers.
03 Membership is free of charge.
Deliverables & Benefits
• Situational awareness of emerging attacks
• Regular report of compromised systems found in the Organisers' database
• Use the information to clean up compromised systems
Deliverables & Benefits: Security Risk Analysis – Malware (sample report)
IP              Malware Type    Date / Time
59.188.xxx.xxx  bot-avalanche   2019-01-09 16:30:28
2019-01-08 16:13:55
2019-01-07 16:18:34
2019-01-06 16:15:49
2019-01-05 16:09:44
2019-01-04 16:19:18
2019-01-03 16:12:57
2019-01-02 16:12:37
2019-01-01 16:09:23
2018-12-31 16:15:00
2018-12-30 16:17:18
2018-12-29 16:48:01
2018-12-28 16:13:25
2018-12-27 16:21:05
2018-12-26 16:23:22
2018-12-25 16:20:39
2018-12-24 16:24:00
2018-12-23 16:24:45
2018-12-22 16:26:16
2018-12-21 16:31:06
2018-12-20 16:27:27
2018-12-19 16:24:38
2018-12-18 16:55:36
2018-12-17 16:33:21
2018-12-16 16:29:04
2018-12-15 16:43:50
2018-12-14 16:40:58
2018-12-13 16:06:50
bot-necurs 2019-01-10 10:32:14
2019-01-02 10:39:35
2018-12-31 10:42:36
2018-12-27 10:48:38
2018-12-26 10:51:36
2018-12-24 10:54:50
2018-12-21 10:58:01
bot-ramnit 2018-12-25 09:59:53
2018-12-11 09:59:26
2018-12-04 09:59:48
2018-11-27 10:00:11
2018-11-20 09:59:22
2018-11-13 09:59:42
103.39.xxx.xxx bot-wannacry 2018-09-03 09:59:58
2018-08-27 10:00:15
2018-08-20 10:00:21
2018-08-13 10:00:18
2018-08-06 10:00:15
2018-07-30 09:59:42
2018-07-23 09:58:07
2018-07-16 09:58:38
phishing-a 2018-12-28 15:12:12
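The subnet matching described under Membership and the per-IP malware report shown above, as an added Python example (not the programme's own code): a participant's registered subnets are matched against threat intelligence sightings, grouped by IP and malware type, and rendered with masked IPs as in the sample report. All subnets and feed records are constructed sample values.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample (hypothetical values): subnets a participating hospital
# registered with the Organisers ...
PARTICIPANT_SUBNETS = ["59.188.10.0/24", "103.39.5.0/24"]

# ... and sightings from a threat intelligence feed: (source IP, malware type, time).
FEED_SIGHTINGS = [
    ("59.188.10.7", "bot-avalanche", "2019-01-09 16:30:28"),
    ("59.188.10.7", "bot-avalanche", "2019-01-08 16:13:55"),
    ("59.188.10.7", "bot-necurs", "2019-01-10 10:32:14"),
    ("103.39.5.21", "bot-wannacry", "2018-09-03 09:59:58"),
    ("103.39.5.21", "bot-wannacry", "2018-08-27 10:00:15"),
    ("203.0.113.9", "bot-ramnit", "2018-12-25 09:59:53"),  # not a participant IP
]


def match_sightings(sightings, subnets):
    """Keep only sightings whose source IP lies inside a registered subnet."""
    nets = [ip_network(n) for n in subnets]
    return [(ip, malware, seen_at) for ip, malware, seen_at in sightings
            if any(ip_address(ip) in net for net in nets)]


def build_report(sightings, subnets):
    """Group matched sightings as {ip: {malware_type: [timestamps, newest first]}}."""
    report = defaultdict(lambda: defaultdict(list))
    for ip, malware, seen_at in match_sightings(sightings, subnets):
        report[ip][malware].append(seen_at)
    for malware_map in report.values():
        for times in malware_map.values():
            times.sort(reverse=True)  # ISO-style timestamps sort chronologically
    return {ip: dict(m) for ip, m in report.items()}


def mask_ip(ip):
    """Mask the host part the way the sample report does (59.188.xxx.xxx)."""
    a, b, _, _ = ip.split(".")
    return f"{a}.{b}.xxx.xxx"


def render(report):
    """Render the IP / Malware Type / Date-Time table; continuation rows repeat only the time."""
    lines = ["IP\tMalware Type\tDate / Time"]
    for ip, malware_map in sorted(report.items()):
        for malware, times in sorted(malware_map.items()):
            lines.append(f"{mask_ip(ip)}\t{malware}\t{times[0]}")
            lines.extend(f"\t\t{t}" for t in times[1:])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_report(FEED_SIGHTINGS, PARTICIPANT_SUBNETS)))
```

The non-participant sighting (203.0.113.9) is dropped, which is the point of keying the report on the organisation's own subnets: each participant sees only its own compromised hosts.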
Deliverables & Benefits: Security Risk Analysis – Report (sample for XXXXX Hospital)
Security and Confidentiality
• Industry information may be consolidated (after anonymisation) for industry trend research.
• Organisation-specific information will not be disclosed beyond the participating organisation.
• No assessment or scanning of the participant's network.
Where will our Healthcare industry be in 2025?
• From Paper Records to Electronic Health Records
• Online patient portals
• Medical devices and equipment will be more connected, such as X-Ray, MRI machines and medical lasers.
• Internet of Medical Things (IoMT): connected wearables that can improve patient care and convenience.
Could our cyber security catch up with it?
Q & A