It was recently reported that a series of cyberattacks were aimed at companies and governments that will be distributing COVID-19 vaccines around the world. Pharmaceutical company Pfizer Inc. also recently suffered a data breach with patient information found exposed on unsecured cloud storage.
Healthcare institutions, research companies and drug companies have been under constant attack since the outbreak of the pandemic. These latest headlines warn of a targeted cyberespionage campaign to disrupt the global COVID-19 vaccine distribution network and are yet another wake-up call to the public and private sector companies working around the clock to put an end to this global pandemic.
According to Sam Curry, Chief Security Officer, Cybereason, it has never been a question of if the research companies, pharma companies and hospitals would be targeted, but more about how frequently and how much damage would be caused.
He said: “What the recent Pfizer data breach tells us is that it is extremely difficult for even the largest companies in the world to secure their data every hour, every day and every week. The most important aspect of the distribution of the various vaccines is that it is being done efficiently and safely. Think about the suffering and impact if a threat actor interferes with the distribution of COVID-19 vaccines and launches a successful ransomware campaign against the supply chain responsible for distributing the vaccine en masse, locking down the distribution network and demanding millions of dollars to unlock the networks. It is not that far-fetched.”
Curry explained that cyberattacks can have a massive impact on hospitals and clinics in many ways, including the hacking of sensitive patient data, medical health records and other proprietary information. In addition, ransomware attacks can have devastating outcomes if IT systems fail and a hospital is unable to treat its patients.
He said: “The security analysts and IT professionals that protect patient data are on call around the clock, keeping nation-state actors and rogue hacking groups from stealing patient data. The healthcare industry is susceptible to hacking because patient data can be monetised or used for identity compromise. In times of this pandemic, anything in critical infrastructure becomes targeted and particularly susceptible. Hospitals and research companies are critical infrastructure. Overall, the healthcare industry is ripe for cyberattacks and fraud because of the volume of patient data that is available across connected networks. In addition, with an increase in the number of connected devices used in hospital emergency rooms, doctor’s offices and minute clinics, security vulnerabilities will continue to be the single biggest risk facing patients.”
Types of attack
The healthcare industry has been stretched in its efforts to accommodate the COVID-19 pandemic. Hospitals have been overwhelmed with patients, and several have introduced commercial technology — including baby monitors and even home-based vital-sign monitoring solutions — to monitor patients and to enable temporary field hospitals, as well as overstretched hospital facilities, to adjust to the surge in cases. None of these solutions have good security hygiene, especially by hospital standards, and many such devices introduce extreme risk when used in bulk to aid patient care.
In addition, many hospitals have strict change control processes when it comes to the information technology used for patient care and medical record storage. This can introduce a lag time in security updates, new devices, and maintenance required to protect against the latest threats.
Morey Haber, CTO & CISO, BeyondTrust, said: “When the risks of the pandemic are merged with the lag in technology updates present in healthcare, the state of cybersecurity in healthcare is in a dire state and prime for an attack.”
Threat actors generally operate in two modes: destabilising governments, societies and businesses, and creating a criminal profit stream. Today, they have ramped up attacks against the COVID-19 vaccine supply chain in order to accomplish several nefarious goals.
One of the most popular attack vectors is the phishing email. Haber shared that some of these attacks also include disrupting nation-state confidence in the vaccine via social media and fake news, and compromising (in the form of hacking) the refrigeration equipment and technology needed to safely deliver the vaccine through the supply chain. The results could be incomplete coverage for inoculation or the delivery of bad product.
There is also the possibility of introducing faux vaccines into the supply chain for profit, the contents of which could be harmless, highly addictive, or even life-threatening. Vaccine information could also be targeted for an individual manufacturer of a vaccine, in order to adversely affect its reputation, distribution, or stock price. Cybercriminals could also falsely advertise the availability of, and registration for, vaccination. The goal could be basic credential theft or monetisation via payments to reserve a place in a faux queue for inoculation.
Haber stressed: “The COVID-19 pandemic has already proven that phishing attacks and misinformation can easily accomplish these goals. Now, with the release of a vaccine, threat actors have multiple new attack vectors to spread misinformation and monetise the results. The primary vehicles will include phishing attacks (email, voice, and texting) and malicious websites, and will not be limited to one country or region.”
Leaving the front door open
Administrators failing to take basic steps to secure cloud services or apps is not a new story – there have been many instances that have come to light where private data was inadvertently left exposed to the internet. Whilst cloud computing’s instant provisioning and scale are valuable benefits, the cloud service provider’s features and default configurations are constantly in flux, so administrators must know and adapt what they are doing and ensure appropriate access controls are in place to protect their data.
“As no system, or person, is ever perfect, the ability to monitor, detect and respond to unauthorised or malicious access to cloud services can make the difference between a contained security incident and a full-blown breach, as is being reported at Pfizer. For example, in a recent study, we performed analysis on Office 365 — the world’s most used Software as a Service cloud offering — and identified how attackers are using existing tools and services within the cloud to spy and steal. When administrators inadvertently ‘leave the front door open’ it’s unsurprising that attackers walk straight in and out unnoticed,” emphasised Matt Walmsley, EMEA Director, Vectra.
Focus on training
Hackers have a full toolset available to them as they continue to successfully breach hospitals and research companies. One of the most common ways for criminals to gain access to a computer network is through phishing emails. To combat this, hospitals need to improve their security hygiene, implement around-the-clock threat hunting and increase their ability to detect malicious activity. “Security awareness training is also needed, and doctors, nurses and medical professionals should not open attachments from unknown sources and never download content from dubious sources,” Curry said.
Healthcare environments require sensitive information in order to complete their mission of providing health services to an individual. The data collected has monetary value to a threat actor for future attacks. The vast range of attack vectors can cost lives, cause the loss of data, and prevent care. The attack vectors themselves almost always — outside of a critical vulnerability — require some form of human interaction in order to be exploited. Therefore, education, awareness, and training are the best methods to prevent cyberattacks against healthcare institutions, and the result could be branded as “human firewalls”.
Haber highlighted: “Pfizer is a perfect example of what can go wrong in the cloud. It essentially reminds us that everything we do online is being recorded – somewhere. Having spoken with several healthcare CISOs, VPs and security professionals, it is interesting that all of them have mentioned one common problem — end-user security awareness and training. The majority of healthcare workers are normally secured within the confines of their brick and mortar buildings and networks. But in large part due to the pandemic, several of these workers are now on home or personal networks which are considered unsecured and unmanaged by enterprise standards.
“As a result, users are more exposed to social engineering attacks, phishing attacks, and even social media attacks across numerous devices. This is resulting in more risk and potential for compromise. All the security executives I have spoken to wish they had ramped up security awareness programmes for all remote employees and they plan on making this a priority moving forward.”
How can a cyberattack impact a hospital or clinic, and how does this affect patients?
- The inability for a critical piece of technology to be available during care
- A device periodically malfunctioning or providing incorrect results, affecting the safety of the patient
- Lack of network connectivity to report patient data
- The monitoring of staff and patient information, including the capturing of keystrokes and screen recording, for future inappropriate activity
- The theft of personal healthcare information, including medical records and payment information
- The inability for hospital staff to access or enter patient records
- The inability to access or inventory devices used for the distribution of medication