Months into the COVID-19 pandemic and stay-at-home order, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) released a joint statement warning of Chinese-backed and other state-sponsored hackers attempting to steal intellectual property (IP), and research data related to coronavirus vaccines, treatments and testing from healthcare research institutions. Additionally, coronavirus has overwhelmed U.S. hospitals, making them a prime target for terror and cyberwarfare-related activity from state-sponsored attackers.
State-sponsored efforts to steal U.S. medical research IP aren’t new, as foreign governments have long sought to use stolen IP to advance their own national goals – in this case, the development of a vaccine. Numerous factors surrounding the coronavirus pandemic have created a perfect storm of security issues and that amplifies risks for healthcare institutions. Fortunately, there are steps that hospitals and healthcare organizations can both take to thwart cyberattacks from state-sponsored hackers as well as common cybercriminals.
Impact of coronavirus on healthcare business operations
The impact of the virus has forced significant changes to hospitals and healthcare research institutions that have increased associated cybersecurity risks. On the business side, the pandemic has limited non-emergency medical procedures in hospitals, a byproduct of citizens attempting to flatten the curve, resulting in lost revenue for hospitals and causing many to face financial turmoil. On the other hand, healthcare research institutions are laser-focused on developing effective treatments for the virus, resulting in proper cybersecurity not being a priority. While the government is distributing $100 billion to hospitals and other healthcare organizations affected by coronavirus under the CARES Act, the terms limit the use of the funds to “prevent, prepare for and respond to coronavirus,” leaving doubts about whether these funds can help improve affected hospitals and healthcare organizations’ IT infrastructure.
To elaborate, healthcare research firms and hospitals share a common risk with other research and manufacturing institutions. These businesses rely on embedded operating systems (OS) that are antiquated and tough to manage and update. This results in hospital and healthcare research firms’ security models being antiquated and relying on firewalls and segmentation that modern attackers can easily bypass. You can’t defend these outdated OS with modern security controls, either. For example, you cannot install antivirus software on a hospital’s automated ventilator – in fact, the ventilator may run the same OS as your laptop from a decade ago.
On top of these financial and infrastructure troubles, hospital support staff and healthcare research and treatment staff have been pivoting to remote work, further increasing the risk of breach. For example, nation-state groups like China have been exploiting poor security as workers in healthcare organizations migrate to remote work, according to the FBI and CISA’s joint warning. More specifically, state-sponsored groups can target vulnerabilities in virtual private networks (VPNs) used by hospital staff and medical research workers to remotely access their organization’s network. This allows state-sponsored attackers to access coronavirus research IP from healthcare research firms, and obtain access to capabilities within hospitals’ networks that can be used for cyberwarfare or terror-related reasons by causing mass disruption.
To combat these threats, some healthcare research firms and hospitals may have adopted a security approach to segment vulnerable IT assets with firewalls. Unfortunately, such actions provide a false sense of security. The inbound traffic coming through the firewall is usually the same traffic a cybercriminal or nation-state hacker would use to exploit the data. Monitoring this traffic requires a complex ecosystem of teams and tools that hospitals and adjacent research organizations are unlikely to have.
Threat actors covet monetizable coronavirus immunity research data
An Iran-backed hacking group recently targeted Gilead Sciences Inc., a U.S. drugmaker that has been developing an antiviral drug shown to be an effective treatment option to aid in the fight against coronavirus. The virus has triggered a race including government agencies, private pharmaceutical institutions, and healthcare researchers to develop a cure, and some may choose to gain the upper hand through cybertheft.
As the global casualty rate continues to grow, the demand for successful treatment options accelerates. Healthcare institutions need to consider how much of a target they are for cybercriminals and nation-state hackers alike.
How healthcare organizations and hospitals can protect themselves with threat-informed defense
A first essential step is for healthcare organizations to actively test and improve their overall cybersecurity. Verizon’s 2020 Data Breach Investigations Report found that most organizations had 2.5 percent or less of alerts involving exploitation of a vulnerability. Security teams focus too much on exploitation, but if you have a good vulnerability management system, then the focus should be on defending against other attacks once the attacker is inside your network.
Healthcare organizations should test and map their security controls against an attack chain of known tactics, techniques and procedures (TTPs). By studying security frameworks like MITRE ATT&CK, organizations can better understand how attackers operate, inventory the security controls they have to defend themselves, and identify gaps in their cybersecurity posture. A data-driven, threat-informed strategy gives an organization a shared understanding of threats and their security capabilities.
The feedback from tests gives healthcare organizations a visible picture of their defensive posture, allowing them to fix what isn’t working. With a more granular view of their security controls, resource-constrained healthcare organizations can make decisions about whether or not they can live with identified gaps. This is the essence of threat-informed defense.
