Who is Hacking Healthcare?

November 17, 2016 by

Infosec

In February of last year, history was made when about 78 million Anthem customers were hacked; till date, it’s the largest breach that healthcare has ever seen. This, however, was only one of the many hacks made throughout 2015, which eventually ended up compromising close to 113 million records. To put things into perspective, 1 out of every 3 American citizens became a victim. This year is looking comparatively tamer when you consider the fact that only 3.5 million medical data records have been hacked thus far. A list released by the Department of Health and Human Services reveals that the healthcare industry has suffered from around four data breaches a week in 2016. You can view the list here.

The statistics are grim and very thought-provoking. There is an ever-increasing need to spread awareness among people and healthcare organizations to fight this ongoing war against hackers. Information security needs to be enhanced and life should be made as hard as possible for the intruding parties. But who exactly are these hackers? Where do all these attacks originate from? What are the motives of these hackers? Why is it so easy to hack this much sensitive information? These are the questions that are plaguing the minds of many people around the country. In this article, we intend to answer some if not all of them.

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

Get Started

Why Is Healthcare Getting Hacked?

Before we begin talking about the types of hackers attacking healthcare, we need to shed light on some of the reasons why healthcare gets hacked.

1. Lack of qualified aid

The biggest reason why hackers target healthcare organizations is the lack of qualified IT security personnel. Said organizations don’t deem it their highest priority to preserve the data of their customers and hence don’t spend big to hire quality resources that could help them set up solid information security infrastructures.

Healthcare organizations normally have networks that don’t even require the usage of the most sophisticated hacking methodologies to intrude. Researches reveal that the protocols and data encryption frameworks used by most of the healthcare organizations in the U.S. are either obsolete or easy to exploit.

The hackers can make use of the stolen data for identity theft, financial gain, targeted blackmailing, and even insurance frauds. Most of the hackers just sell the information online while some of them make use of it themselves. There have been cases where fake insurance credentials have been used to undergo costly surgeries and operations.

Recently, we heard about a hacker who goes by the name “thedarkoverlord” selling around 655,000 patient records on the internet. The hacker claimed that he hacked different databases from organizations in Farmington, Missouri; Georgia, and the Central/Midwest US to collect data that included full names of the patients, their Social Security numbers, addresses, and dates of birth, etc. The hacker tried to strike a deal with the breached companies by offering to “Cover this up” for a small fee but apparently the companies didn’t bite. He asked the guys at DeepDotWeb to include the following note for the companies:

“Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”

Who Is Hacking Healthcare?

There are many different categories into which cyber-attackers can be put, depending on their techniques, malware used, procedures employed, and target selection. We will be talking about different possible attacker groups below (cybercriminals, nation-state actors and script kiddies) and any of them will attack based on the opportunity presented by the vulnerabilities of the victim system. Hacktivists are known for their retaliations against opposing ideological and/or political parties. On the other hand, cybercriminals attack systems with the aim of scooping up personal profits via victim data exploitation/auction. Lastly, nation-state actors find motivation from geopolitical agendas.

Hacktivist groups

Hacktivists are normally politically encouraged attackers who target organizations that either possess beliefs that oppose their hacking agendas or that serve as platforms to promote their propagandas. Hacktivist groups contain various hackers who work together without any organizational structure and centralization. The various constituents of the group don’t necessarily have to agree on the choice of targets or attack methods. The members may also differ in their skill sets but, regardless of their level of expertise, most of them depend on the tools easily available on the online hacking markets simply because the tools are known to be cost-effective and credible; some, however, also make use of customized malware to infect more sophisticatedly protected networks. The reason why hacktivist groups are so hard to track is that there is no assigned leader at any time and no predefined roles. Anonymous is easily the most notorious contemporary hackitivist group. It was born in 2003 on the 4chan message boards and, since then, it has gradually become the most publicized and the most feared hacker groups in the world. It’s known for its usage of the Guy Fawkes mask, its open community, and the pseudo-anarchistic culture. Anybody who believes that they share the same views as Anonymous can become an active member by agreeing to not discuss any group-related activities with anyone. Over the years, they have carried out attacks against pedophiles, politicians, companies, religious extremists, and even governments. On March of 2014, an Anonymous hacker sent a direct threat to Boston Children’s Hospital as a reply to the diagnosis and subsequent treatment of a young girl whom the Commonwealth of Massachusetts removed from her parents’ care. Daniel J. Nigrin, the CIO of the hospital had to collaborate with his IT team to stop multiple attacks from compromising any patient data in the following weeks. The hospital had to hire third-party information security companies in the end to set up a more formidable defense.

Script kiddies

In contrast to hacktivist groups, script kiddies are attackers with the lowest skill sets. They normally buy, trade, and employ tools that have been developed by other, more skilled hackers. Script kiddies normally possess only the most rudimentary of technical knowledge and thus most of these tools are automatic by design. Kiddies engage in attacks on networks that they deem vulnerable and are usually ignorant about the underlying running code. Repelling a script kiddy attack isn’t hard for most commercial networks, but a healthcare network can be easy pickings even for script kiddies with the least level of expertise. Most of the attackers enter the hacking community and never mature past being a script kiddy.

Cyber-criminals

These hackers are stereotypically responsible for targeting organizations for their own personal gain via extortion, blackmail, or revealing sensitive information. A cyber-criminal group can either be one individual or a large group of cyber-crime factions of different criminal enterprises working together. Cyber-criminals are responsible for billions of consumer and business dollars that get stolen every year and have a dominant presence in the media. Like script kiddies and hacktivists, cyber-kiddies are also liable to purchases software and attack tools from the dark online community. Although, unlike the entities mentioned above, cyber-criminals also engage in selling, purchasing, and trading sensitive intellectual property. They use ransomware and DDoS attacks mainly to blackmail healthcare organizations into giving money. Ransomware is a type of malware that’s designed for the sole purpose of holding the compromised information on the infected devices until the victim pays the ransom to the attacker. Cryptolocker and Cryptowall are two very prevalent ransomware kits; they work by encrypting the victim files on the affected system and the data remains encrypted unless the owner pays the ransom. The FBI has recommended that compromised system owners “just pay the ransom” when dealing with ransomware attacks. Currently ransomware has mostly been seen on Windows devices but it’s expected to infect Mac, Linux and Android devices in the future as well. The healthcare sector has already seen many ransomware attacks (e.g., the Kansas heart hospital this past May, etc.) and we can expect many in the future because of the sensitivity and the value of the data stored in healthcare systems.

Cyber-terrorists

Cyber-terrorists target systems that are needed for the operational activities of the victim organization, sector, or even nation. They normally destroy (or disable) services and data via the attacks. Cyber-terrorists are different from cyber-criminals only because of their motivation. Criminals are motivated by the reward while terrorists act because of the possible effects. Cyber-terrorists are also different from hacktivists because of the choice of targets; where terrorists target important enterprise-level infrastructures (transport networks, power facilities, etc.), hacktivists target organizations and people. Healthcare organizations are prime targets for terrorists because a disruption there can cause state-wide panic and chaos. The main cyber-terrorist group now is the ISIS cyber-caliphate. The caliphate has been threatening to take down critical infrastructures like airlines and hospitals and they are a force that should be feared.

Nation state actors

The threat groups that are sponsored by nation state are responsible for launching widespread cyber-warfare attacks on the systems that belong to organizations and governments of the victim country. Such groups first came to global attention with Stuxnet and the Operation Aurora in 2010. They depend on, first, the development of complex malware and, second, on the discovery of vulnerabilities in the intended victim. They are also often referred to as APTs, for advanced persistent threat groups. APTs are considered capable of composing and executing state-of-the-art attacks using the most modern malware obscuring techniques. The malware that they use consists of rootkits for continued presence (rootkits are software designed specifically to sneak into victim computers and remain undetected), encryption to eradicate the possibility of reverse engineering, and complex code to conceal the existence of unwanted presence on the computer altogether. The personal identifiable information or PII collected by APT attacks is not used for exploitation purposes but is stored to burden the government (and the owner) who will then have to compensate the affected citizens for their fiscal and/or personal losses. Because the healthcare sector is a critical part of the national infrastructure, it can be targeted by APTs for service disruption or PII collection purposes. 

Hackers’ Competence or Healthcare Organizations’ Technological Incompetence?

With the widespread increase in the number of healthcare hacks and data leaks, a question creeps into the mind of every American citizen: “Is it the increasing sophistication of computer hackers or the incompetence of the information security infrastructures of healthcare organizations that is to blame?” The answer to the question is simple: The healthcare cybersecurity is full of vulnerabilities and thus is an easy target for hackers, regardless of their skillsets, as already stressed on above.

In February of this year, a report was released by Independent Security Evaluators, who spent 24 months trying to penetrate the networks of two healthcare data centers and 12 health care facilities in the U.S. The team hacked one hospital by using 18 malware-infested USBs to get a hold of its medicine dispensary. All they did was place the hospital logo on the USBs to persuade the inadequately informed employees into using them on their computers; yes, it was that easy. Now the possible aftermath if the attack had been malicious could have involved altering the patient drug dosages, which would potentially prove to be a threat to many lives. At another institute, they used a kiosk to get access to the patient records, which, of course, could easily have been altered to cause irreparable damage.

In addition to this, the websites of healthcare organizations have tons of vulnerabilities. The report highlights the team using a hospital’s online portal to log in as a patient and insert malicious code instead of information. Had a nurse viewed the information, Independent Security Evaluators claim that it would have given them “the full ability to modify the health records of all patients in the database”

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

Get Started

Final Word

While no network can be “categorically safe” from unwanted intrusion, a number of steps can be (and should be) taken to strengthen the network security of critical organizations like those in the healthcare sector. Organizations need to realize the threat and spend extra money on hiring qualified personnel that can give the hackers a hard time invading.