

Ransomware attack learnings

Eoin Keary, CEO and founder of cyber firm Edgescan, writes of what can be learned from Ireland’s biggest cyber attack.

The healthcare sector has struggled through one of its most challenging periods in the past year. Not only did it buckle under the weight of the coronavirus pandemic, it also faced a second pandemic: ransomware. In 2020 there were 304 million ransomware attacks on the healthcare sector, with $15.6 million demanded of medical organisations. One of the worst breaches the healthcare industry witnessed during the pandemic was the ransomware attack on the Irish health system.

The Health Service Executive (HSE) suffered a major ransomware attack in May 2021 that left its IT systems down nationwide. The HSE refused to pay the ransom, and the details of 520 patients, along with corporate documents, were published online as a result. The attack was the largest yet on an Irish state agency, and it left its mark. To move forward from this incident, and to prepare for the next one, the healthcare sector should take heed and learn from it so that a similar situation can be avoided in future.

1. Awareness and resilience

It is clear from this attack that cybercriminals show no remorse when choosing victims, even society's most critical organisations. It is therefore crucial that the value of cybersecurity is understood from the top down as well as from the bottom up; its importance is often overlooked by the very senior management who should be investing in it the most.

Investing in cyber-resilience and awareness programmes helps limit the extent of a breach when, not if, one happens, and allows IT teams to respond to the incident in a considered manner, reducing the margin for error in their reaction.

Investment in cybersecurity is especially essential here because the healthcare sector handles some of the most sensitive personal data of any sector. In this attack the data of over 500 patients was shared online, which could have a detrimental impact on their lives. When handling large amounts of sensitive data it is important to remember that compliance is not security: the focus should be on practical technical controls and on the technical framework of the healthcare network itself.

2. Threat Awareness

Being aware of possible threats matters both for detecting post-breach activity and for monitoring internal threats and weaknesses. Organisations should deploy a solution that monitors for potential threats such as lateral movement, brute-force attempts and typical indicator-of-compromise (IoC) traffic or artefacts. An organisation with a threat-awareness capability watching these attack vectors is already better placed to detect and contain an intrusion before it becomes a devastating breach.

3. Asset and Attack surface management

In cybersecurity, we can't secure what we can't measure. If an organisation cannot identify which assets on its network are protected, or worse, which assets are on the network at all, it will struggle to protect against any form of attack. Tracking system resilience is of key importance in the current threat landscape, especially now that hospitals have to protect devices outside their traditional perimeter, such as mobile devices and even medical devices like heart monitors.

Real-time attack surface management helps an organisation understand what in its network can actually be attacked. Continuous monitoring and management of the external, internet-facing estate is highly recommended, as it detects weaknesses and exposures as they arise rather than at the next annual assessment.

Furthermore, establishing an asset register or IT bill of materials (BOM) helps identify critical assets, systems and data, which can be hard to keep track of in large organisations such as hospitals. Once this is in place, layering stronger controls around those systems increases their resilience against attack, while threat monitoring around them identifies the chokepoints and audit points at which malicious activity can be detected.

4. Vulnerability management and patching

In addition to asset and attack surface management, vulnerability management is another fundamental tool for combating attacks. Many ransomware operations exploit known, unpatched vulnerabilities (published CVEs) to gain a foothold or to move through a network once inside. An organisation that can detect missing patches and web application and API weaknesses as they occur has materially strengthened its defences against ransomware.

However, for vulnerability management solutions to be effective they must also be accurate. Thousands of CVEs are published every year, so solutions that validate their findings are preferable because they reduce the "white noise" and let the real issues be amplified and focused on. Not all vulnerabilities are created equal, so a good rule is to concentrate on what matters most: critical systems and data first, then down the list in decreasing order of importance. A patching programme, or better still an automated one, makes it easier to maintain that list and keep up with the latest CVEs.
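The asset register of section 3 and the prioritisation rule of section 4 fit together: the register supplies the criticality and data classification that turn a raw CVSS score into a risk ranking. The following Python script is an added example, not code from the article or from Edgescan; the asset register, the findings and their identifiers are constructed sample data, and the weightings in risk_score() are an assumption to illustrate the idea rather than a published formula.

```python
"""Risk-based vulnerability prioritisation driven by an asset register.

Added example, not part of the original article. The asset register, the
findings and the finding identifiers are constructed sample data; a real
deployment would load the register from a CMDB and the findings from a
scanner export.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed asset register (IT bill of materials). criticality: 3 = critical
# clinical system, 2 = important, 1 = low value. data: classes of data held.
ASSET_REGISTER: Dict[str, dict] = {
    "pacs-01":       {"criticality": 3, "data": ["PHI"], "internet_facing": False},
    "portal-web":    {"criticality": 3, "data": ["PHI", "PII"], "internet_facing": True},
    "vpn-gw":        {"criticality": 2, "data": [], "internet_facing": True},
    "intranet-wiki": {"criticality": 1, "data": [], "internet_facing": False},
}


@dataclass(frozen=True)
class Finding:
    asset: str
    finding_id: str        # scanner's identifier; constructed placeholders here
    cvss: float            # CVSS base score, 0.0 - 10.0
    known_exploited: bool  # True if an exploited-in-the-wild feed lists it
    category: str          # "patching", "web" or "api", as in the article


def risk_score(f: Finding) -> float:
    """Weight the raw CVSS score by what the asset is and what it exposes.

    The same CVSS 7.5 issue scores far higher on an internet-facing
    patient portal than on an internal wiki, which is the ordering the
    article asks for: critical systems and data first. Weights are assumed.
    """
    asset = ASSET_REGISTER.get(f.asset)
    if asset is None:
        # A finding on a host the register does not know about is itself a
        # problem (shadow IT); rank it first so someone looks at it.
        return 100.0
    score = f.cvss * asset["criticality"]
    if asset["internet_facing"]:
        score *= 1.5
    if f.known_exploited:
        score *= 2.0
    if "PHI" in asset["data"]:
        score += 5.0
    return round(score, 1)


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; ties broken deterministically by asset and id."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset, f.finding_id))


def unregistered_assets(findings: List[Finding]) -> List[str]:
    """Hosts that appear in scan results but not in the register."""
    return sorted({f.asset for f in findings if f.asset not in ASSET_REGISTER})


# Constructed scanner output.
SAMPLE_FINDINGS = [
    Finding("intranet-wiki", "F-1", 9.8, False, "patching"),
    Finding("portal-web",    "F-2", 7.5, True,  "web"),
    Finding("vpn-gw",        "F-3", 8.1, True,  "patching"),
    Finding("pacs-01",       "F-4", 5.3, False, "patching"),
    Finding("shadow-box",    "F-5", 4.0, False, "patching"),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{risk_score(f):6.1f}  {f.asset:14} {f.finding_id}  cvss={f.cvss}")
    print("not in asset register:", unregistered_assets(SAMPLE_FINDINGS))
```

Note how the CVSS 9.8 finding on the internal wiki ends up last, while the CVSS 4.0 finding on the unregistered host goes to the top: the register, not the scanner, decides what matters.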

5. Penetration testing

Unfortunately, in today's landscape you cannot rely on software alone. Attackers are expert operators with professional, industrialised capabilities. To defend against such opponents, organisations must fight fire with fire. Penetration testing is one of the few approaches that can beat cybercriminals at their own game: manual "deep dive" assessments that use human intelligence to simulate a determined attacker. It is more effective at uncovering weaknesses than automated tooling; however, it is expensive and does not scale as well as more accessible options.

6. Logs and Tracking

One simple yet essential component of a robust cybersecurity programme is log maintenance and auditing. By keeping logs of transactions, traffic and events on core systems, IT teams can consolidate and monitor them for anomalies. Scanning logs for errors and non-standard events is a good starting point, as is logging non-idempotent transactions and authentication between users and systems, or between systems themselves. Logs should be forwarded to a separate, write-protected store: an attacker who controls a host will clear its local logs before encrypting it.
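Sections 2 and 6 describe the same pipeline from two ends: authentication events are logged, and detection logic is run over them for brute force, lateral movement and IoC hits. The following Python script is an added example, not code from the article or from Edgescan, showing that logic over a handful of constructed log lines. The log format (ISO-8601 timestamp followed by key=value fields), the host names, the addresses, the thresholds and the indicator list are all assumptions for illustration.

```python
"""Detection logic over authentication logs: brute force, lateral movement
and indicator-of-compromise (IoC) hits.

Added example, not part of the original article. The log lines, host names,
addresses and the IoC list are constructed sample data, and the log format
(an ISO-8601 timestamp followed by key=value fields) is an assumption; adapt
parse_line() to whatever your systems actually emit.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import List

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Thresholds are illustrative assumptions; tune them to your environment.
BRUTE_FORCE_FAILURES = 5     # failed logons from one source to one host ...
BRUTE_FORCE_WINDOW = 60      # ... within this many seconds
LATERAL_HOSTS = 3            # one account succeeding on this many hosts ...
LATERAL_WINDOW = 600         # ... within this many seconds
IOC_IPS = {"198.51.100.77"}  # constructed indicator (documentation address range)

# Constructed sample log: a password-guessing burst, the account then hopping
# across servers, and an unrelated workstation reaching a known-bad address.
SAMPLE_LOG = """
2021-05-13T22:00:01Z host=fs-01 event=auth_failure user=admin src=10.20.5.9
2021-05-13T22:00:03Z host=fs-01 event=auth_failure user=admin src=10.20.5.9
2021-05-13T22:00:04Z host=fs-01 event=auth_failure user=admin src=10.20.5.9
2021-05-13T22:00:06Z host=fs-01 event=auth_failure user=admin src=10.20.5.9
2021-05-13T22:00:07Z host=fs-01 event=auth_failure user=admin src=10.20.5.9
2021-05-13T22:00:09Z host=fs-01 event=auth_success user=admin src=10.20.5.9
2021-05-13T22:05:10Z host=app-02 event=auth_success user=admin src=10.20.5.9
2021-05-13T22:05:40Z host=db-01 event=auth_success user=admin src=10.20.5.9
2021-05-13T22:06:02Z host=pacs-01 event=auth_success user=admin src=10.20.5.9
2021-05-13T23:15:00Z host=ws-117 event=auth_success user=jdoe src=10.30.1.22
2021-05-13T23:16:00Z host=proxy-01 event=outbound dst=198.51.100.77 src=10.30.1.22
""".strip().splitlines()


def parse_line(line: str) -> dict:
    """'<timestamp> k=v k=v ...' -> dict with a timezone-aware 'ts' field."""
    ts_str, rest = line.split(" ", 1)
    ev = dict(FIELD_RE.findall(rest))
    ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def _window(events: list, i: int, seconds: int) -> list:
    """events[i] and every later event within `seconds` of it (events are sorted)."""
    start = events[i]["ts"]
    return [e for e in events[i:] if (e["ts"] - start).total_seconds() <= seconds]


def detect(lines: List[str]) -> List[dict]:
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e["ts"])
    alerts: List[dict] = []

    # 1. Brute force: a burst of failures from one source against one host.
    failures = defaultdict(list)
    for e in events:
        if e.get("event") == "auth_failure":
            failures[(e["src"], e["host"])].append(e)
    for (src, host), evs in failures.items():
        for i in range(len(evs)):
            if len(_window(evs, i, BRUTE_FORCE_WINDOW)) >= BRUTE_FORCE_FAILURES:
                alerts.append({"type": "brute_force", "src": src, "host": host,
                               "first_seen": evs[i]["ts"].isoformat()})
                break  # one alert per (src, host)

    # 2. Lateral movement: one account logging on to many hosts in a short time.
    successes = defaultdict(list)
    for e in events:
        if e.get("event") == "auth_success":
            successes[e["user"]].append(e)
    for user, evs in successes.items():
        for i in range(len(evs)):
            hosts = {e["host"] for e in _window(evs, i, LATERAL_WINDOW)}
            if len(hosts) >= LATERAL_HOSTS:
                alerts.append({"type": "lateral_movement", "user": user, "hosts": sorted(hosts)})
                break  # one alert per account

    # 3. IoC match: any event whose source or destination is a known indicator.
    for e in events:
        for key in ("src", "dst"):
            if e.get(key) in IOC_IPS:
                alerts.append({"type": "ioc_match", "host": e["host"], "indicator": e[key]})

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The brute-force and lateral-movement rules are the ones that matter most for ransomware: the pattern of a burst of failures, a success, and then the same account appearing on several servers within minutes is exactly what an operator staging an encryption run looks like in the logs, and it only shows up if the logs from those servers are collected in one place.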

Once logs are maintained it also becomes easier to record improvements. Organisations can track which cybersecurity activities take a long time or prove challenging, discover which systems are historically the most problematic and need the most attention, and understand which layer, network or application, carries the highest risk density. Similarly, IT teams can examine their records by vulnerability type, whether patching, developer or architecture related, and use that to decide where to focus to prevent the bugs and errors that manifest as weaknesses.

7. Data encryption and secure storage of backups

Data is critical to every business, and especially to those in the healthcare sector. It is also sensitive in nature and must be protected accordingly. Data containing PII should be encrypted, with a suitable key management solution in place. Passwords should be stored in an unrecoverable way, for example salted and hashed with a deliberately slow password-hashing function, so that a stolen credential database cannot simply be reversed.

An undervalued aspect of recovery after a breach is the backing up of data and systems. Backup frequency determines how much data is lost: more frequent backups shrink the window of exposure, and real-time backup solutions close it further. Backups should be stored in a secure, separately authenticated part of the network to limit the chance of malware reaching the backup repositories, and at least one copy should be offline or immutable, because ransomware operators deliberately seek out and encrypt or delete any backups they can reach before detonating. Restores should be tested regularly; a backup that has never been restored is an assumption, not a control.
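One concrete check behind the advice above is an integrity manifest: record what each backup contained when it was taken, sign the record, and verify it before relying on the backup. The following Python script is an added example, not code from the article or from Edgescan. It creates a few constructed files in a temporary directory, takes a manifest, simulates a ransomware operator hitting the backup share, and reports what changed; the manifest key is a constructed constant, and in practice both the key and the manifest would live off the backup network.

```python
"""Backup integrity manifest: a signed record of what a backup contained when
it was taken, checked before restore to catch backups that were encrypted,
deleted or tampered with afterwards.

Added example, not part of the original article. The files are created in a
temporary directory and the manifest key is a constructed constant; in
practice the key and the manifest live off the backup network.
"""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict

MANIFEST_KEY = b"constructed-demo-key-keep-the-real-one-off-network"


def _sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, dict]:
    """Relative path -> {sha256, size} for every file under root."""
    manifest: Dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": _sha256_file(path), "size": os.path.getsize(path)}
    return manifest


def sign_manifest(manifest: Dict[str, dict], key: bytes) -> str:
    """HMAC over canonical JSON: an attacker who can rewrite backup files
    cannot also rewrite the manifest to match without the key."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, "sha256").hexdigest()


def manifest_is_authentic(manifest: Dict[str, dict], key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_backup(root: str, manifest: Dict[str, dict]) -> Dict[str, list]:
    """Compare the backup on disk with the manifest taken when it was made."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo() -> Dict[str, list]:
    """Take a manifest, then simulate ransomware reaching the backup share."""
    with tempfile.TemporaryDirectory() as root:
        files = {"patients.db": b"constructed sample database contents",
                 "config/app.ini": b"[app]\nmode=prod\n"}
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        manifest = build_manifest(root)
        tag = sign_manifest(manifest, MANIFEST_KEY)

        # Typical ransomware behaviour on a reachable backup: overwrite one
        # file with ciphertext, rename another with a new extension, drop a note.
        with open(os.path.join(root, "config", "app.ini"), "wb") as fh:
            fh.write(os.urandom(48))
        os.rename(os.path.join(root, "patients.db"), os.path.join(root, "patients.db.locked"))
        with open(os.path.join(root, "README_RESTORE.txt"), "wb") as fh:
            fh.write(b"constructed ransom note")

        if not manifest_is_authentic(manifest, MANIFEST_KEY, tag):
            raise RuntimeError("manifest tampered with; do not trust this backup set")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Because verification reads every file, running it doubles as the restore test the paragraph calls for: a backup set that fails verification is discovered before an incident, not during one.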

8. Email and Internet Browsing

Email and internet browsing are easy attack avenues for cybercriminals. Almost half of the breaches in 2020 involved phishing, and 96 per cent of those phishing attacks arrived by email. Locking down email systems, deploying email security services and restricting browsing to an allowlist of legitimate sites can minimise exposure to these threats.

Enabling multi-factor authentication (MFA) protects users from many forms of attack by adding an additional layer of security. Implementing MFA for critical systems is wise too, as is adopting a "zero trust" model by introducing system-to-system authentication. To further limit the spread of an infection, organisations should segment the network, restricting traffic between systems at the architectural level so that the network is hierarchical rather than "flat".

The HSE attack sent a wave of shock through the healthcare industry. By learning from it, however, healthcare organisations can improve their defences and be better prepared to face the next attack.
