By Elizabeth Snell

October 18, 2016 - The healthcare industry possesses large amounts of sensitive information, yet is consistently vulnerable to the evolving cybersecurity threats. Refusing to adapt to the changing threat landscape, and work to implement a layered security approach can prove especially devastating, according to a recent Institute for Critical Infrastructure Technology (ICIT) report.

“Your Life, Repackaged and Resold: The Deep Web Exploitation of Health Sector Breach Victims” discusses how healthcare data breach victims are often affected for quite some time post-breach. Additionally, executives often make “budget-line decisions that shift the risk of compromise onto the patients,” which could then put their personal data at risk.

ICIT Co-founder and Senior Fellow James Scott was one of the report’s authors, and told HealthITSecurity.com that it was important to see what happens after the initial healthcare data breach. ICIT wanted to “paint the picture” for the events after an attack and how patients are potentially affected.

“When somebody gets into your network, they exfiltrate information,” Scott said. “Now they have a treasure trove of data. How is that marketed? What are they using it for? What should victims know about what they’re in for?”

Patients will often feel the long-term effects of healthcare data breaches, even though they did not determine how their data was going to be stored or transferred. Healthcare organizations cannot cut cybersecurity budgets, procrastinate system updates, postpone medical device updates, or “Frankenstein” medical devices.

When health data is stolen, it could end up on Deep Web markets. Scott explained that cyber attackers can fuel their business for an entire decade from one breach.

Researchers first navigated the general marketplaces on the Deep Web and found that basic slang terms are used to advertise the stolen information. In the more private forums, there is terminology unique to that particular forum. This is done so individuals who come in for surveillance cannot immediately figure out what is being discussed and what is actually for sale, Scott noted.

“Somebody that wants to have longevity on the Dark Web as a broker of information, the last thing they want to do is draw unnecessary attention to themselves in an already highly vulnerable situation,” Scott said.

For example, instead of saying that they have all of the PII from a particular breach, the hackers will break up the information into short form PII. They will release just enough for identity theft but might not say where it is from. Over time, another batch of information will be sold, with a little more data involved.

“After a breach, what we saw was that you can have one individual that didn’t even have a successful breach, but they maybe stole 100,000 records that can fuel their business for the next decade,” Scott stressed. “That’s the kind of optimized monetary gain that these guys are looking for within a breach.”

Another key discovery from the ICIT research was that the attacker might set up beach heads for future attacks, according to Scott. This can help create a type of remote access Trojan on a vulnerable device that has perhaps been “Frankensteined” into the IoT microcosm. With no end point security for that device, it could make the entire network vulnerable.

“They’ll use that as their rat where they can log in, log out, sell access as a service, or they can even use a new ransomware variant or malware when one comes out,” explained Scott.

Key report takeaways for healthcare organizations

Healthcare ransomware is simply the latest cybersecurity threat for the industry, Scott maintained. It should not be the only aspect that healthcare organizations are focusing on when creating data security measures.

“The layers of security are the only things that will save them from a layered attack,” he reiterated. “And they have to look at how an attack will actually happen.”

For example, an initial DDoS or ransomware attack might bring in security people to investigate the machine or device and try to assess the damage. However, that device should be quarantined, and the entity should then immediately view network activity, Scott explained.

“You’re looking at multi-factor authentication and user behavior analytics to detect abnormalities in an infected machine,” he said. “That is where the adversary is trying to move laterally from that machine and then elevate privileges to map the system and find the treasure troves [of data].”

A security operations team will also be greatly beneficial, and will likely know more than just the IT guy, he added. The security operations team can know where the threats will start looking for data, and they can pinpoint those vulnerable areas of the IoT microcosm and begin to immediately shut them down.

“This time last year, end point security and cybersecurity were only expected to detect and respond,” Scott stated. “But now, with the mutating hash and the metamorphic signature of malware and malicious code, you have to have artificial intelligence that predicts [potential attacks].”

It is also essential for healthcare entities to have cybersecurity expertise at the C-suite level. If hospitals or healthcare organizations do not have a “real red team expert that knows how to hack” or can put together a breach scenario, then those organizations have become lackadaisical, Scott maintained.

Healthcare organizations should also consider how they are storing information, Scott warned. If a hospital keeps all of its data on one server that is not properly siloed, that could be a huge payload for a cyber attacker.

“It’s going to take a lot of time and real interest for them to keep trying to seek out where the next data treasure trove is,” he explained. “They’ll have to go through a whole new layer of encryption, or even through a whole new layer of analytics that might detect when there’s abnormal network activity.”

Overall, healthcare organizations need to understand that the real target in these types of attacks is individuals’ health data. It is no longer acceptable to simply say “We were spear phished,” “We’re working with local law enforcement,” or “We’re giving you a year’s worth of ID theft coverage.”

“There’s a fine line now with health sector organizations where at the end of the day post breach, they still feel that they can justify the breach and the pure dismantling of these people’s lives who have been victimized and will continue to be re-victimized,” Scott said.

Dig Deeper: