How do cyberattackers gain access to health systems? Often via smaller hospitals


2021-10-16 01:00:18 Healthcareitnews


Smaller hospitals are often how cyberattackers and nation states gain access to health system networks to steal IP, deploy ransomware or scour data to sell on the dark web, according to new research from cybersecurity firm CyCognito. The firm's latest research studied health systems with more than $1 billion in revenue and more than 19 hospitals.

Healthcare IT News interviewed Rob Gurzeev, CEO and founder of CyCognito, to discuss the results of his firm's latest research, including why smaller hospitals are entry points for bad actors, how health systems are increasing risk by not paying their smaller entities enough attention, exactly how threat actors are using these points for entry, and how health systems can get a handle on extended attack surfaces.

Q. Your research found that smaller hospitals are often the entry point for bad actors to get in and steal intellectual property, issue ransomware or sell data on the dark web. Why is this?

A. Our research looked at subsidiary organizations such as the smaller hospitals, clinics, healthcare service providers and facilities that a larger health system may acquire, or, at times, divest, as they grow. Baker Tilly, one of the world's largest accounting firms, reported that healthcare M&A activity was up 43% in the first half of 2021 versus the first half of 2020. With that increased M&A activity comes larger attack surfaces, along with more risk.

For example, a small healthcare organization being acquired might have around 5,000 digital assets on average. A very large organization might have 100,000 digital assets or more. Earlier research by CyCognito showed that about 7% of these smaller organizations' digital assets are at risk. That means around 350 at-risk assets are added to the parent's attack surface when a smaller organization is acquired. To find those 350 among a sea of digital assets, the parent organization needs to discover all of the assets, test them and take corrective action.

Many times, these entities continue to operate certain functions – such as cybersecurity – autonomously or at an arm's length with respect to the parent organization for some period of time. When this is the case, the smaller hospitals and facilities do the best they can with the resources they have but, generally speaking, have fewer resources and less-well-trained cybersecurity staff than larger organizations do. Scarily, most of these organizations have digital connections into the critical systems, applications and data of the parent health systems.

Attackers are clever, opportunistic and resourceful, and they understand the dynamics of health systems and other large organizations very well. They know that as the IT ecosystems of these healthcare providers grow, the pieces that are under dotted-line or indirect control of the "headquarters" security team – and pieces that are effectively IT blind spots, such as cloud and SaaS applications provisioned outside of the control or view of IT staff – are the weakest and least protected of the organization. Therefore, bad actors target those small hospitals and entities because they are the paths of least resistance back into the networks, applications and data of the larger health system.

Q. How are health systems increasing risk and exposure by not paying enough attention to their smaller entities?

A. "Attack surface" blind spots provide the biggest risk. These blind spots frequently include the digital surfaces associated with smaller hospitals, connected partners, cloud providers and other related entities. These are the exact places where organizations get breached. Research firm ESG found that 67% of organizations have been attacked via an unknown or unmanaged asset, and 75% expect it to happen again.

Q. How are threat actors using these points for entry?

A. With ransomware and supply chain attacks becoming more prevalent over the last 18 months, the way attackers operate in this context has become clearer. Attackers look for an opening, and in the case of ransomware, one of the main attack vectors they use is unpatched or otherwise under-secured systems. For example, ransomware attackers often target remote services like remote desktop protocol (RDP) to gain a foothold and extort money from their victims. CyCognito labs research found that the attack surface of a large organization typically harbors between two and 20 or more easily exploited remote access systems. This initial point of entry is called the "initial access" point, and it is critical to identify these as rapidly as possible, because they are so important to the bad guys.

Once initial access is gained, attackers often target patient personally identifiable information (PII). These records are worth as much as $250 per record, which is orders of magnitude more valuable than other PII like email credentials, phone numbers or even credit card numbers, because an individual can't easily change their health history.

After data is stolen, the attacker can start making money. Most directly, they can sell the information they find. Secondarily, they can ransom the information, usually to the healthcare provider directly for millions of dollars in bitcoin, and in some cases back to the patients themselves (as seen in the Vastaamo mental health breach of 2019). A third path is to use ransomware to encrypt healthcare IT systems and ask for payment to decrypt them. This is again particularly impactful, because access to up-to-the-minute health information is critical to business and healthcare operations.

Q. How can health systems get a handle on the extended attack surface?

A. Best practices dictate that health systems discover all of their exposed digital assets, test them for security risks, and work with asset owners to quickly focus on, and remediate, the most critical risks. Those basic steps need to be performed on a continuous basis to effectively manage cyber risk in an extended attack surface.

Our research showed that cyber risks increase with the number of subsidiaries that are part of the organization. Therefore, including digital assets that are part of the attack surface of smaller hospitals and other owned providers is a critical part of that process. The research also found that to make the attack surface management process as operationally efficient as possible, respondents favored dedicated attack surface management solutions over a variety of other solutions they had tried, viewing them as the most effective solution category for managing subsidiary risk.

Twitter: @SiwickiHealthIT
Email the writer:
Healthcare IT News is a HIMSS Media publication.
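As an added illustration of the discover, test and prioritize loop described in the last answer (example code written for this page, not CyCognito's product or anything from the interview; the hostnames, the inventory, the discovery results and the scoring weights are all constructed assumptions), the following Python reconciles an attacker's-eye discovery list against the parent's internal inventory, flags assets nobody manages, and ranks findings so exposed remote-access services on subsidiary assets surface first:

```python
"""Reconcile externally discovered assets against an internal inventory and
rank them for remediation. All asset data and weights are constructed for
illustration; nothing here comes from the interview or from CyCognito."""
from dataclasses import dataclass

# Constructed internal inventory: what the parent's CMDB knows about.
# Keys are hostnames; values record the owning entity and a named owner.
INVENTORY = {
    "portal.parent-health.example": {"entity": "parent", "owner": "appsec-team"},
    "vpn.parent-health.example": {"entity": "parent", "owner": "netops"},
    "ehr-gw.smallhospital.example": {"entity": "smallhospital", "owner": "it@smallhospital"},
}

# Constructed external discovery output: what a scan of the parent's and
# subsidiaries' domains would reveal (hostname, entity, open services).
DISCOVERED = [
    {"host": "portal.parent-health.example", "entity": "parent", "services": ["https"]},
    {"host": "vpn.parent-health.example", "entity": "parent", "services": ["https", "ipsec"]},
    {"host": "ehr-gw.smallhospital.example", "entity": "smallhospital", "services": ["https"]},
    {"host": "ts01.smallhospital.example", "entity": "smallhospital", "services": ["rdp"]},
    {"host": "legacy-pacs.clinic-acq.example", "entity": "clinic-acq", "services": ["rdp", "http"]},
    {"host": "billing.clinic-acq.example", "entity": "clinic-acq", "services": ["https"]},
]

# Remote-access services that are common initial-access vectors when left
# exposed and under-secured. The weights are an assumption for illustration.
REMOTE_ACCESS_WEIGHT = {"rdp": 50, "vnc": 40, "telnet": 40, "smb": 30}


@dataclass
class Finding:
    host: str
    entity: str
    managed: bool
    exposed_remote_access: list
    score: int


def score_asset(asset, inventory):
    """Return a Finding for one discovered asset.

    Score components (assumed weights, not from the page):
      +30  asset is absent from the inventory (unknown / unmanaged)
      +20  asset belongs to a subsidiary rather than the parent
      +N   per exposed remote-access service, per REMOTE_ACCESS_WEIGHT
    """
    managed = asset["host"] in inventory
    remote = [s for s in asset["services"] if s in REMOTE_ACCESS_WEIGHT]
    score = 0
    if not managed:
        score += 30
    if asset["entity"] != "parent":
        score += 20
    score += sum(REMOTE_ACCESS_WEIGHT[s] for s in remote)
    return Finding(asset["host"], asset["entity"], managed, remote, score)


def prioritize(discovered, inventory):
    """Score every discovered asset and return findings, highest risk first.

    Ties are broken by hostname so the ordering is deterministic."""
    findings = [score_asset(a, inventory) for a in discovered]
    return sorted(findings, key=lambda f: (-f.score, f.host))


def unmanaged_by_entity(findings):
    """Count unmanaged assets per entity so each subsidiary's blind spots are visible."""
    counts = {}
    for f in findings:
        if not f.managed:
            counts[f.entity] = counts.get(f.entity, 0) + 1
    return counts


if __name__ == "__main__":
    ranked = prioritize(DISCOVERED, INVENTORY)
    for f in ranked:
        tag = "managed" if f.managed else "UNMANAGED"
        print(f"{f.score:4d}  {f.host:34s} {f.entity:14s} {tag:10s} remote={f.exposed_remote_access}")
    print("unmanaged assets per entity:", unmanaged_by_entity(ranked))
```

Run on the constructed data, the two subsidiary hosts exposing RDP that nobody in the parent's inventory owns land at the top of the list, the parent's own managed hosts score zero, and the per-entity count shows which acquired entity contributes the most blind spots. In practice the inventory and discovery inputs would be refreshed on a schedule, since the answer stresses that the loop has to be continuous rather than a one-off exercise.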