The cybersecurity threat to healthcare is growing rapidly, but there are clear strategies that the leaders of patient care organizations can and should pursue to fight back. That was the core message that Timothy J. Wallach, a supervisory special agent in the Cyber Task Force in the Seattle Field Office of the Federal Bureau of Investigation (FBI), delivered to attendees Monday morning at the CHIME/AEHIS LEAD Forum Event, held at the Seattle Marriott Waterfront in Seattle and sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and by the Institute for Health Technology Transformation (iHT2, a sister organization to Healthcare Informatics under the Vendome Group, LLC umbrella).
Supervisory Special Agent Wallach began his presentation on Monday morning by discussing the main groups that pose threats to healthcare IT security and to IT security across industries. There are six main groups and sources of threats, he noted: hacktivists, cyber-criminals, insiders, espionage, terrorism, and warfare. Hacktivists are low-level threats, primarily motivated to deface websites and launch DDoS (distributed denial of service) attacks against entities they are politically opposed to. Insiders are individuals within organizations who either purposefully or inadvertently expose their organizations to breaches and cyber-criminality. Terrorists are beginning to consider how they might use technology to attack potential targets. And warfare involves actual nations waging war on each other. The two biggest threats by far, he said, are cyber-criminals and those involved in cyber-espionage, including hostile foreign governments.
With regard to the biggest group of those threatening healthcare organizations right now, Wallach noted that the cyber-criminals involved now are conducting activity to steal information and monetize it. “Healthcare information is worth a lot of money on the dark web,” he said. “The bad guys want to target information that they can eventually monetize.” And patient records are treasure troves of usable data, unfortunately for the leaders of patient care organizations.
Meanwhile, nation states are now also actively involved in cyber-criminality, Wallach said. They are generally attempting to steal information for economic or political gain or for espionage purposes. What is important to understand in this context, he said, is that hostile foreign governments' cyber operations are "generally well-funded, highly technically adept, and very sophisticated." He added that it is no coincidence that some of the most high-profile attacks in 2014 were waged against health insurers like Anthem and Premera, since insurers in the U.S. cover many state and local government employees. Hostile national governments are also targeting academia and governments, he noted. They attack academic organizations (and academic medical centers are, of course, connected to research organizations) in order to steal their intellectual property.
Latest trends among cybercriminals and nation-state actors
So what are some of the latest trends in what cyber-criminals and nation-state actors are doing right now to attack healthcare and other organizations? "They're exploiting our trust" as end-users, Wallach said, "primarily through trusted or spoofed e-mails. In fact," he said, "the majority of network compromises are caused by bad guys sending e-mails to a target and getting that target to open the e-mail or to click on a link. In other words, they're exploiting the trust that that individual has in an organization or entity."
There are many variations on these themes, of course. For example, Wallach noted, vendor relationships can be very vulnerable as well. "Unfortunately, the Target hack was based on the Target Corporation's relationship with a vendor, where the vendor was compromised" by an insider, with a group of criminals then using that access to Target stores to physically place credit card readers adjacent to checkout counters, where they could steal credit card information.
More broadly, a successful hack "starts with reconnaissance, with the penetration testing of a network," Wallach told his audience. The cyber-criminals also "do reconnaissance of individuals on social media—Facebook, LinkedIn, Snapchat, etc. In fact," he said, "90 percent of all network compromises are based on spear phishing, based on social media reconnaissance." In other words, the cyber-criminals mine individuals' social media profiles for personal details and then tailor phishing lures to them. "And then," he said, "when they get someone to open a phishing communication, the average amount of time between when that breach occurred and when the leaders of the organization realize that it has happened is 270 days, or nine months. That time is starting to come down now," he conceded, "as organizations have been getting better at identifying compromises. But in those 270 days, they've established a foothold, and they're exploring to find out where the crown jewels are stored in the organization. They're finding out which data and systems are segmented and which are not segmented; they're moving laterally across the organization over time. And they're expanding their presence, like an amoeba that's spreading across a body." Importantly, as the cyber-criminals expand their presence laterally, they are exfiltrating data as they go. And, notably, "They're using Google Drive, Dropbox, all the tools we all use. And then they maintain their presence, even as they escalate privileges."
Buying services on the dark web