The Office for Civil Rights has issued a warning about the risk of advanced persistent threats to sensitive data in the spring edition of its cybersecurity newsletter. OCR, part of the Department of Health and Human Services, also used the newsletter to draw attention to that zero-day exploits pose to data security.
Due to its potential use in fraud, healthcare data has a substantial black-market value. Therefore, organisations in the healthcare industry are potentially lucrative targets for hackers due to the sheer amount of data stored at these facilities. If a hacker were to obtain sensitive patient data successfully, the effects could be devastating for the victims. Under HIPAA, organisations in the healthcare industry (so-called ‘covered entities’) have a responsibility to protect the integrity and confidentiality of patient data. Therefore, it is crucial healthcare organisations have a thorough awareness of all of the threats posed to this data.
Hackers, aware of the potential profits that can be made using patient data, design sophisticated attacks to bypass the cybersecurity measures that hospitals use. Effectively, there is an arms race between cybersecurity professionals and hackers; as soon as a new technique is used to protect patient data, hackers will launch a campaign to crack it.
According to OCR, two of the most severe threats being advanced persistent threats and zero-day exploits.
An advanced persistent threat (APT) is a series of repeated cyber attacks in which the hacker identifies vulnerabilities to gain access to information systems. Once the hacker identifies the vulnerabilities, they attempt to exploit them. Even simple attacks can do severe damage to a hospital’s security system due to the hacker’s persistence. The hacker wishes to be undetected for as long as possible to steal patient information gradually over a long period.
Although hackers may launch simple campaigns, in reality, many advanced techniques are used to access networks, and hackers employ various types of malware for this cause. Several APT groups have succeeded in gaining access to healthcare IT systems in the United States to steal sensitive patient information and propriety healthcare data.
Zero-day exploits involve hackers finding vulnerabilities in a network’s security and exploiting them. These types of attacks are some of the most difficult to prevent; one would have to identify all potential flaws and anticipate how a hacker would exploit them. As these flaws are unknown to anyone but the hacker, no patches exist to fix them.
Sometimes organisations only become aware of vulnerabilities once they have been exploited. This affords cybersecurity professionals an opportunity to release patches, but hackers still have a window to exploit vulnerabilities until systems are patched. OCR advises that healthcare organisations should ensure all operating systems and software are up-to-date to ensure that patches are applied promptly.
There are some circumstances in which there is a delay in a patch being released, such as if a patch needs to be tested extensively. In these cases, it is vital to implement workarounds or other security controls to prevent hackers from exploiting the flaw. The use of encryption and access controls can mitigate the damage a hacker can do even if they were to gain access to a network.
OCR has issued further warnings of the danger of combination attacks involving APTs and zero-day exploits, such as the use of the NSA’s EternalBlue exploit. Within days of the exploit being made available online, hackers incorporated it into WannaCry ransomware which infected hundreds of thousands of computers around the world. A patch for the vulnerability that EternalBlue exploited was released by Microsoft 2 months before the WannaCry attacks. Organisations that patched promptly were protected against the exploit and WannaCry.
HIPAA’s Security Rule addresses methods and procedures that healthcare organisations should implement to defend themselves against zero-day exploits and ATPS. OCR recommends that organisations wishing to protect themselves against such attacks should carefully follow the Security Rule’s text and implement all necessary safeguards.