The level of cybersecurity threat is growing exponentially in healthcare right now, but there are some very clear strategies that the leaders of patient care organizations can and should pursue in order to fight back. That was the core of the message that Timothy J. Wallach, a supervisory special agent in the Cyber Task Force in the Seattle Field Office of the Federal Bureau of Investigation (FBI), delivered to attendees Monday morning at the CHIME/AEHIS LEAD Forum Event, being held at the Seattle Marriott Waterfront in Seattle, and sponsored by the Ann Arbor, Mich.-based College of Healthcare Information Management Executives (CHIME) and by the Institute for Health Technology Transformation (iHT2—a sister organization to Healthcare Informatics under the Vendome Group, LLC umbrella).
Supervisory Special Agent Wallach began his presentation on Monday morning by discussing the main groups that pose threats to healthcare IT security and to IT security across industries. There are six main groups and sources of threats: hacktivists; cyber-criminals; insiders; espionage; terrorism; and warfare, he noted. Hacktivists are low-level threats primarily motivated to deface websites and initiate DDoS (distributed denial of service) attacks against entities they are politically opposed to. Insiders are individuals within organizations who either purposefully or inadvertently expose their organizations to breaches and cybercriminality. Terrorists are beginning to consider how they might use technology to attack potential targets. And warfare involves actual nations waging war on each other. The two biggest threats by far, he said, are cybercriminals and those involved in cyber-espionage—including hostile foreign governments.
With regard to the biggest group of those threatening healthcare organizations right now, Wallach noted that the cyber-criminals involved now are conducting activity to steal information and monetize it. “Healthcare information is worth a lot of money on the dark web,” he said. “The bad guys want to target information that they can eventually monetize.” And patient records are treasure troves of usable data, unfortunately for the leaders of patient care organizations.
Meanwhile, the leaders of nation states are now also actively involved in cyber-criminality, Wallach said. They are generally attempting to steal information for economic or political gain or for espionage purposes. What’s important to understand in this context, he said, is that hostile foreign governments’ cyber-criminal activities are “generally well-funded, highly technically adept, and very sophisticated.” He added that it is no coincidence that some of the most high-profile attacks in 2014 were waged against health insurers like Anthem and Premera, as insurers in the U.S. are insuring a lot of state and local governments. Hostile national governments are also targeting academia and governments, he noted. They are motivated to attack academic organizations (and of course, academic medical centers are connected to research organizations) in order to steal their intellectual property.
Latest trends among cybercriminals and nation-state actors
So what are some of the latest trends in what cybercriminals and nation-state actors are doing right now to attack healthcare and other organizations? “They’re exploiting our trust” as end-users, Wallach said, “primarily through trusted or spoof e-mails. In fact,” he said, “the majority of network compromises are caused by bad guys sending e-mails to a target and getting that target to open the e-mail or to click on a link. In other words, they’re exploiting the trust that that individual has in an organization or entity.”
There are many variations on the various themes involved, too, of course. For example, Wallach noted, vendor relationships can be very vulnerable, too. “Unfortunately, the Target hack was based on the Target Corporation’s relationship with a vendor, where the vendor was compromised” by an insider, with a group of criminals using their access to Target stores to physically place credit card readers adjacent to checkout counters, where they could steal credit card information.
More broadly, a successful hack “starts with reconnaissance, with the penetration testing of a network,” Wallach told his audience. The cyber-criminals also “do reconnaissance of individuals on social media—Facebook, LinkedIn, Snapchat, etc. In fact,” he said, “90 percent of all network compromises are based on spear phishing, based on social media reconnaissance.” In other words, the cyber-criminals investigate to find out the social media vulnerabilities of individuals, and shape phishing attacks based on such vulnerabilities. “And then,” he said, “when they get someone to open a phishing communication, the average amount of time between when that breach occurred and when the leaders of the organization realize that it has happened is 270 days, or nine months. That time is starting to come down now,” he conceded, “as organizations have been getting better at identifying compromises. But in those 90 days, they’ve established a foothold, and they’re exploring to find out where the crown jewels are stored in the organization. They’re finding out which data and systems are segmented and which are not segmented; they’re moving laterally across the organization over time. And they’re expanding their presence, like an amoeba that’s spreading across a body.” Importantly, as the cybercriminals expand their presence horizontally, they are exfiltrating data as they go along. And, interestingly, “They’re using Google Drive, Dropbox, all the tools we all use. And then they maintain their presence, even as they escalate privileges.”
Buying services on the dark web
Frighteningly, Wallach told his audience, an entire ecosystem of networked connections is emerging across the Internet, in the dark web sphere. Cybercriminals “can buy servers, buy services, on the dark web. They can get everything they need” in terms of products and services available to help them do what they need to do to fully compromise business organizations. Even the financing of things is shifting, he noted. “Money transfers are easy, and digital currency is common, though eventually, they have to be able to convert that digital currency into real currency. One of the things the cybercriminals are doing now is participating in money-mule schemes in which individuals receive money and transfer it to other accounts.”
What’s more, Wallach said, “Ninety percent of all cybercriminals have a membership on some forum on the dark web,” speaking of the exploding number of online criminal networks. “In 2002,” he noted, “we identified 12 dark web forums; today, there are over 800 forums in 25 different languages, and involving more than 1.25 million monikers.”
Cybercriminals are busy these days stealing huge amounts of data and information of all different types, including credit card information; personally identifiable information; personal health information; fraudulent documents; e-mail account credentials; bank account credentials; and the credentials from all sorts of other types of accounts, such as PayPal, Netflix, and Facebook accounts.
Indeed, in 2015, between 700 and 800 million credentials were stolen, Wallach noted. Among those were 145 million sets of credentials from eBay users; 100 million from JPMorgan Chase account holders; 80 million from Target customers; 78.8 million from Anthem health plan members; 56 million from Home Depot customers; 37 million from Ashley Madison participants; 22 million from federal government employees in the U.S. Office of Personnel Management; 11 million from Premera Blue Cross members; 4.6 million from Scottrade investors; and 3.16 million from Staples customers. The data and information from all those accounts, once stolen, is sold in bulk, in full records referred to as “fulls.” And, he said, “The more information in a record, the more valuable it is on the dark web.” The “fulls” are further broken down into batches, to be sold in dark web forums.
Increasingly, Wallach told his audience, cybercriminals are turning to ransomware schemes, because they are so easy to execute; all that is needed is for one end-user in an organization to open a phishing e-mail, and then for the ransomware to begin to penetrate the organization, and for ransom to be demanded at a certain point down the road. “We do not recommend that organizations pay the ransom; that is our official line,” he said. Paying a ransom, he emphasized, “doesn’t get rid of the malware; it encourages the scheme to go on. What we do recommend is that organizations back up their files on a storage space not connected to their network, because some of the sophisticated malware can locate backups. We also recommend that you encrypt your phone data, because if it’s encrypted or stolen, it can’t be utilized.”
Wallach noted that the FBI is recommending several key strategies for all organizations to protect against cybercriminality and hacking. The core strategies include:
> User awareness and training
> Dual-factor authentication
> Password management
> Data backup and recovery plans
> Encryption of sensitive data
> Patch management and updates
> Managing social media habits
With regard to passwords, Wallach said, “We recommend 15 characters or more in passwords. The algorithm it takes to break a 15-character password is much more difficult than the algorithm needed to break a shorter password.” In fact, he said, “More organizations are turning to entire passphrases,” which are not difficult to remember, and are very difficult to break.
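As an added illustration (not from the talk or this article) of why the 15-character and passphrase advice holds, the calculation below compares the search effort an attacker faces. The guess rate and the 7776-word dictionary size are assumptions chosen for the example; the passphrase model deliberately credits only the words, not the characters, so a long passphrase is not overrated.

```python
import math
import string

# Constructed illustration of the "15 characters or more" advice. The guess
# rate is an assumption (a fast, unsalted hash attacked offline), not a figure
# from the talk.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365 * 24 * 3600
CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation + " ")


def brute_force_bits(password: str) -> float:
    """Upper bound on search effort: log2(alphabet ** length), where the
    alphabet is the union of the character classes actually present."""
    alphabet = sum(len(cls) for cls in CHAR_CLASSES
                   if any(c in cls for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def passphrase_bits(passphrase: str, dictionary_size: int = 7776) -> float:
    """Bound for a word-based passphrase: an attacker guessing whole words
    from an assumed Diceware-sized list searches dictionary_size ** words,
    however many characters the string has."""
    words = [w for w in passphrase.split() if w]
    return len(words) * math.log2(dictionary_size)


def effective_bits(secret: str) -> float:
    """Take the weaker of the two models so passphrases are not overcredited."""
    bits = brute_force_bits(secret)
    if " " in secret.strip():
        bits = min(bits, passphrase_bits(secret))
    return bits


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years to try every candidate at the assumed guess rate."""
    return 2 ** bits / rate / SECONDS_PER_YEAR


def meets_policy(secret: str, min_len: int = 15) -> bool:
    """The talk's rule: at least 15 characters; spaces in a passphrase count."""
    return len(secret) >= min_len


def report(candidates):
    """Rows of (secret, length, bits, policy_ok, years) for each candidate."""
    return [(s, len(s), round(effective_bits(s), 1), meets_policy(s),
             years_to_exhaust(effective_bits(s))) for s in candidates]


if __name__ == "__main__":
    for row in report(["Summer2014!", "xK9#pLq2$vR7mT3w",
                       "correct horse battery staple"]):
        print(row)
```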
Social media participation on the part of individuals who work for healthcare and other business organizations remains a point of considerable vulnerability, Wallach warned his audience. “For those of us on social media, be careful what you post and whom you share your information with. If you’re getting LinkedIn requests from people who are clearly outside your network, be careful, those are usually people who want to take advantage. And be careful listing the computer applications you use, in LinkedIn. Even that kind of information can be used against you and your organization.”