Cyber Threat Trends in Healthcare S.C. Leung Senior Consultant HKCERT

Page 1

Cyber Threat Trends in Healthcare

S.C. Leung, Senior Consultant

HKCERT

Page 2

Hong Kong Computer Emergency Response Team Coordination Centre

managed by

Page 3

HKCERT

Hong Kong Computer Emergency Response Team Coordination Centre

• Established in 2001

• Funded by Government

• Operated by Hong Kong Productivity Council (HKPC)

Page 4

HKCERT Services

• Incident Report

• Security Watch and Warning

• Cross-border collaboration

• Awareness education and guideline

24-hr Hotline: 8105-6060

Free subscription

https://www.hkcert.org/subscription

Free of charge service to Hong Kong Internet users and enterprises

Page 5

Agenda

• Cyber Threat Trends

• Two Cyber Security Programmes for Healthcare

Page 6

Healthcare – Data Breach

US Healthcare Data Breach Statistics 2018

Total: 293 cases

Total affected users in top 10 cases: 8.2M

Breakdown by type:

• Hacking/IT Incidents: 136

• Unauthorised access: 105

• Theft: 34

• Loss: 11

• Improper Disposal: 7

Hacking/IT incidents accounted for nearly half of the reports.

Source: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

Page 7

US Healthcare Sector concerned about Data Breach

Feeling very or extremely vulnerable to sensitive data threats

• Global Average 34%

• US Healthcare 56%

Experienced Data Breach in 2018

• Global Average 36%

• Global Healthcare 39%

• US Healthcare 48%

Source: 2018 Thales Data Threat Report (US Healthcare Edition)

Page 8

Medical information costs 20 times that of credit card numbers in the underground market ($20-$40 each).

Fraudsters use this data to create fake IDs to buy medical equipment or drugs, or use it together with a false provider ID to file fake claims with insurers.

Page 9

Credit card data theft can be reported to banks, which can act immediately (cancel and reissue the card).

The damage from patient data theft cannot be contained in the same way.

Page 10

Cyber Security Concerns on Medical Systems / Devices

• Medical systems / devices are regulated by the healthcare authority

• Long lifecycle: OS support reaches end-of-life during the device's service life (e.g. WinXP)

• Balance of power: manufacturers have great influence

• Incident response for medical devices may be slow

• Healthcare IT teams have difficulty installing their own suite of cyber defences and ensuring compatibility

Page 11

WannaCry’s Wake-up Call for Healthcare Cyber Risks

• 81 NHS hospitals and 595 GP practices in the UK were disrupted by WannaCry ransomware in 2017

• 1,900 appointments cancelled

• Resorted to pen and paper operation

• £92M loss (data restoration, fixing damage and system checks)

• The affected bodies had not applied the patch for the SMB vulnerability targeted by WannaCry.

Page 12

Ransomware brought down hospitals in the US

MedStar hospital centre infected with ransomware in 2016

• 10 hospitals and 250 outpatient centres shut down computer and email systems in 2016

• Patient safety issues during pen and paper operation:

  • Incomplete medical history and prescription records

  • Computers not validating human errors

  • Lab results delayed; a nurse continued a powerful antibiotic that has side effects

Page 13

What happened to SingHealth?

Page 14

SingHealth hacking incident 2018

20 July 2018: SingHealth and CSA announced a SingHealth hacking case

• 1.5M non-medical patient data records illegally accessed and copied (including Premier Lee’s)

• Attack started with a user workstation

• A planned and organised attack – Advanced Persistent Threat

• Data was copied but not contaminated

10 Jan 2019: Full Report of the Committee of Inquiry published

Image source: TodayOnline

Page 15

SingCERT’s advisory told the story in some way

1. Employ Strong Endpoint Protection

2. Tighten Control for Long-running or Decommissioned Endpoints

3. Keep Systems Up-to-date

4. Review Domain Admin Accounts

5. Disable PowerShell for Standard Workstations

6. Monitor Unauthorized Remote Access of Database Access

Source: https://www.csa.gov.sg/singcert/news/advisories-alerts/measures-for-protecting-customers-personal-data

Page 16

SingHealth Sunrise Clinic Manager (SCM) System

(Architecture diagram)

• User Zone: staff workstations running the SCM client app (screens of the SCM application)

• Data Centre: Citrix server farm, SCM Application server, SCM Security server, SCM Database (patient e-records)

Administered by Integrated Health Information Systems (IHiS)

Page 17

Anatomy of SingHealth Attack

(Diagram: Internet; workstations at Healthcare Institution A (Wksn A) and Healthcare Institution B (Wksn B); Citrix Servers 1 and 2 @SGH and Citrix Server 3 @HDC; SCM DB Servers holding medical records; attacker’s C&C server. Legend: attacker’s movement to SCM DB server; flow of data exfiltration.)

1. Initial entry (via phishing). Exploited an unpatched Outlook vulnerability and installed a RAT. Called back to C&C (23 Aug 2017). Stayed stealthy for months. Downloaded PowerShell scripts disguised as .jpg files from C&C (1 Dec 2017).

2. Lateral movement & privilege escalation. Compromised endpoints & servers; compromised user and admin accounts (incl. DC admin) (Dec 2017 – Jun 2018).

3. A few failed access attempts to the SCM DB (11 - 13 Jun 2018). Compromised SCM (26 Jun 2018).

4. Queried SCM DB (27 Jun 2018 – 4 Jul 2018).

5a, 5b. Transferred data from SCM DB servers via the compromised servers and workstation (27 Jun – 4 Jul 2018).

6. Exfiltrated data to the C&C server (27 Jun – 4 Jul 2018).

Source: COI Report

Page 18

Cyber Kill Chain by Lockheed Martin

Page 19

Lessons Learnt

• A cyber attack starts with anybody in the office

  • Opportunities for attackers: phishing, weak passwords (no 2FA), late patching

• It is not a matter of getting in but of STAYING IN

  • Attackers stay stealthy for months

• Lateral movement is a key feature of an Advanced Persistent Threat

  • Key targets: domain controller, remote access

• Early opportunities to discover attacks

  • Detection of bulk queries and large traffic volumes

  • Experience of IT personnel in handling incidents

• Intelligence sharing is very important for the industry to pre-empt attacks

Page 20

Knowing Our Enemy Better and Earlier is the Key to Defending Better

Page 21

Cyber Security Information Sharing Programmes for Healthcare

• Healthcare Cyber Security Watch Pilot Programme: use global cyber threat intelligence to locate your compromised computers. Organisers: HKCERT and Microsoft

• Cybersec Infohub: share and exchange information with a trusted community. Organiser: OGCIO

Page 22

Healthcare Cyber Security Watch Pilot Programme

LAUNCH TODAY: Mar 2019 – Feb 2020

Page 23

Healthcare Cyber Security Watch Pilot Programme

01 Objective

02 Membership

03 Deliverables and Benefits

04 Security and Confidentiality

Page 24

Objective

Make use of global cyber threat intelligence to inform the Hong Kong healthcare sector of attacks targeting their IT infrastructure so that they can better mitigate security risks.

Page 25

Membership – Healthcare Cyber Security Watch Pilot Programme

01 Any Hong Kong public or private hospitals, clinics or medical laboratories can join.

02 The participating organisation has to provide information on its IP subnets, which is used to match the records of the cyber threat intelligence database hosted by the Organisers.

03 Membership is free of charge.

Page 26

Deliverables & Benefits – Healthcare Cyber Security Watch Pilot Programme

• Have situational awareness of emerging attacks

• Regular report of compromised systems found in the database of the Organisers

• Use the information to clean up compromised systems

Page 27

Deliverables & Benefits – Security Risk Analysis – Malware

Page 28

Deliverables & Benefits – Security Risk Analysis – Report

XXXXX Hospital

IP               Malware Type    Date / Time
59.188.xxx.xxx   bot-avalanche   2019-01-09 16:30:28
                                 2019-01-08 16:13:55
                                 2019-01-07 16:18:34
                                 2019-01-06 16:15:49
                                 2019-01-05 16:09:44
                                 2019-01-04 16:19:18
                                 2019-01-03 16:12:57
                                 2019-01-02 16:12:37
                                 2019-01-01 16:09:23
                                 2018-12-31 16:15:00
                                 2018-12-30 16:17:18
                                 2018-12-29 16:48:01
                                 2018-12-28 16:13:25
                                 2018-12-27 16:21:05
                                 2018-12-26 16:23:22
                                 2018-12-25 16:20:39
                                 2018-12-24 16:24:00
                                 2018-12-23 16:24:45
                                 2018-12-22 16:26:16
                                 2018-12-21 16:31:06
                                 2018-12-20 16:27:27
                                 2018-12-19 16:24:38
                                 2018-12-18 16:55:36
                                 2018-12-17 16:33:21
                                 2018-12-16 16:29:04
                                 2018-12-15 16:43:50
                                 2018-12-14 16:40:58
                                 2018-12-13 16:06:50
                 bot-necurs      2019-01-10 10:32:14
                                 2019-01-02 10:39:35
                                 2018-12-31 10:42:36
                                 2018-12-27 10:48:38
                                 2018-12-26 10:51:36
                                 2018-12-24 10:54:50
                                 2018-12-21 10:58:01
                 bot-ramnit      2018-12-25 09:59:53
                                 2018-12-11 09:59:26
                                 2018-12-04 09:59:48
                                 2018-11-27 10:00:11
                                 2018-11-20 09:59:22
                                 2018-11-13 09:59:42
103.39.xxx.xxx   bot-wannacry    2018-09-03 09:59:58
                                 2018-08-27 10:00:15
                                 2018-08-20 10:00:21
                                 2018-08-13 10:00:18
                                 2018-08-06 10:00:15
                                 2018-07-30 09:59:42
                                 2018-07-23 09:58:07
                                 2018-07-16 09:58:38
                 phishing-a      2018-12-28 15:12:12
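The matching step behind this report (Page 25: a participant's IP subnets matched against the organisers' threat-intelligence records, then summarised per IP and malware type as on Page 28), written here as an added Python example that is not HKCERT's or Microsoft's code; the subnets, sightings and organisation names are constructed.

```python
# Added example (not HKCERT/Microsoft code) of the matching step the programme
# describes: participants register IP subnets; sightings of compromised hosts in
# the organisers' database are filtered to those subnets and summarised per IP
# and malware type. Every subnet, sighting and organisation name is constructed.
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

PARTICIPANTS = {  # constructed registrations: organisation -> CIDR subnets
    "XXXXX Hospital": ["203.0.113.0/24", "198.51.100.128/25"],
    "YYYYY Clinic": ["192.0.2.0/24"],
}

SIGHTINGS = [  # constructed (ip, malware_type, "YYYY-MM-DD HH:MM:SS") records
    ("203.0.113.17", "bot-avalanche", "2019-01-07 16:18:34"),
    ("203.0.113.17", "bot-avalanche", "2019-01-09 16:30:28"),
    ("203.0.113.17", "bot-avalanche", "2019-01-08 16:13:55"),
    ("203.0.113.17", "bot-necurs", "2019-01-10 10:32:14"),
    ("198.51.100.200", "bot-wannacry", "2018-09-03 09:59:58"),
    ("192.0.2.44", "phishing-a", "2018-12-28 15:12:12"),
    ("198.51.100.5", "bot-ramnit", "2018-12-25 09:59:53"),  # outside every registered subnet
]

def match_sightings(participants, sightings):
    """Return {org: {(ip, malware): {"count", "first", "last"}}}.

    A sighting is reported only to the organisation whose registered subnet
    contains the IP, so no participant ever sees another participant's records.
    """
    nets = {org: [ip_network(c) for c in cidrs] for org, cidrs in participants.items()}
    report = defaultdict(dict)
    for ip_str, malware, seen in sightings:
        ip, ts = ip_address(ip_str), datetime.strptime(seen, "%Y-%m-%d %H:%M:%S")
        for org, subnets in nets.items():
            if any(ip in n for n in subnets):
                e = report[org].setdefault((ip_str, malware), {"count": 0, "first": ts, "last": ts})
                e["count"] += 1
                e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
    return dict(report)

def mask_ip(ip_str):
    """Mask the host part the way the sample report does (e.g. 59.188.xxx.xxx)."""
    a, b, _, _ = ip_str.split(".")
    return f"{a}.{b}.xxx.xxx"

if __name__ == "__main__":
    for org, rows in match_sightings(PARTICIPANTS, SIGHTINGS).items():
        print(org)
        for (ip, malware), e in sorted(rows.items()):
            print(f"  {mask_ip(ip):16} {malware:14} x{e['count']}  {e['first']:%Y-%m-%d} .. {e['last']:%Y-%m-%d}")
```

The sighting at 198.51.100.5 falls in the hospital's /24 but outside its registered /25, so it is dropped; matching must use the exact registered prefixes, not a looser guess.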

Page 29

Security and Confidentiality – Healthcare Cyber Security Watch Pilot Programme

• Industry information may be consolidated (after anonymisation) for industry trend research.

• Organisation-specific information will not be disclosed beyond the participating organisation.

• No assessment or scanning of the participant's network.

Page 30

Where will our Healthcare industry be in 2025?

• From Paper Records to Electronic Health Records

• Online patient portals

• Medical devices and equipment will be more connected, such as X-Ray, MRI machines and medical lasers.

• Internet of Medical Things (IoMT): connected wearables that can improve patient care and convenience.

Could our cyber security catch up with it?

Page 31

Q & A