Diagnosis cyberattack: When hospitals become the target of cyberattacks

When a clinic's computers become the target of cyber-criminals, human lives are at stake. The healthcare sector is becoming increasingly digitalized: patient data is no longer stored in paper files but on computers, data from pacemakers and insulin pumps is transferred wirelessly to smartphones, and many medical devices are connected to the internet. This growing connectivity creates more and more entry points for cyber-attacks, and the consequences can be fatal. If patient data is no longer accessible to nurses and doctors because of an IT failure, medication may be given incorrectly: which dose of which drug does the patient receive, and when? An overdose can be life-threatening, especially with heart or diabetes medication. The danger in the OR is just as serious: even a minimal manipulation of a medical device during an operation on a patient's heart or brain can cause irreversible damage or death.

Network-enabled machines in medicine – a danger?

In the medical sector, digitalisation and networking play an increasingly important role, whether in the OR, in the laboratory or in nursing care. The DaVinci surgical robot, for example, is already used in many US clinics and German hospitals for minimally invasive surgery: the surgeon controls the instruments from a console, and DaVinci's robotic arms execute the hand movements.

Robots help laboratory staff handle potentially dangerous substances, and nanorobots are envisaged that move through blood vessels to bring pharmaceutical substances to the required point in the body. The future of medical technology is promising, but it faces a constant danger: every IT system whose security is inadequate can be attacked and is a potential target for cyber-criminals.

As early as 2015, security researchers found almost 70,000 medical devices with security vulnerabilities, including equipment for nuclear medicine, infusion pumps, anaesthesia machines and imaging systems. Cyber-criminals find such vulnerabilities too. In July 2019, the German Red Cross (GRC) hospitals in Saarland and Rheinland-Pfalz became the victims of a ransomware attack. The malware encrypted databases and servers, shutting down the entire GRC hospital network; as a precaution, the servers were disconnected from the internet. Patient care was maintained at all times, with admissions and medical reports done with pen and paper. After a few days the GRC servers were put back into operation, and the data could be restored from a backup.

The year after that survey, in 2016, the Neuss Clinic was hit: an employee opened an infected attachment from a malicious email, which installed ransomware on the internal IT system that then spread across the hospital's computers. Within a very short time, the staff of the highly digitized hospital in Neuss had to switch back to analogue documentation.

Major security vulnerabilities in healthcare facilities

Security measures in hospitals and other healthcare facilities are less mature than in large companies. Everyday hospital life is hectic, computers are often left unlocked when staff leave the workstation, and there is hardly any time for software updates. Outdated devices and systems are networked with each other and with the internet, so security gaps arise in many places. The attack in Neuss shows that email is the main entry point for cyber-attacks: a lack of awareness among employees allows malicious attachments to encrypt, copy or exfiltrate data, after which the attackers demand a ransom for decryption, usually in a cryptocurrency such as Bitcoin. In the Neuss case the data could be restored from a backup and no ransom was paid, but the systems still had to be shut down. Despite the backup, the cyber-attack cost the hospital around 1 million euros.

How can hospitals protect themselves?

Cyber-attacks are no longer just a problem for large corporations: according to the World Economic Forum's Global Risk Report 2019, they are among the world's biggest threats. In view of this, and especially of attacks on hospitals and other critical infrastructure, there is an urgent need to secure IT systems.

The problem: cyber-criminals use increasingly sophisticated methods to smuggle in ransomware and other malware. A simple anti-virus program is no longer enough to protect an entire organization's infrastructure. Multi-layered filtering with sophisticated detection mechanisms, which identifies malicious emails before they reach a mailbox, forms the basis of effective protection.
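The kind of attachment triage such a filter performs, shown here as an added example that is not code from the original article or from any particular product: it parses a message with Python's standard email library and flags the patterns behind the Neuss case (an executable or script hidden behind a double extension, an archive attached to an invoice lure, a declared MIME type that contradicts the file name). The extension lists, lure keywords and the three sample messages are assumptions constructed for this example.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment types a hospital mail gateway should quarantine outright:
# executables, scripts and macro-enabled Office documents (list is an
# assumption for this example, not a vendor's policy).
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".jse", ".vbs",
    ".vbe", ".wsf", ".hta", ".ps1", ".jar", ".docm", ".xlsm", ".pptm",
}
# Archives are held only when the mail body reads like a ransomware lure.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".iso", ".img"}
# Harmless-looking suffixes attackers put in front of the real one.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".jpg", ".txt"}
LURE_WORDS = re.compile(r"\b(invoice|rechnung|payment|overdue|urgent)\b", re.IGNORECASE)


def attachment_findings(raw_message: bytes) -> list[str]:
    """Return the gateway's findings for one RFC 5322 message given as bytes.
    An empty list means nothing about the attachments looked suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    body = msg.get_body(preferencelist=("plain", "html"))
    body_text = body.get_content() if body is not None else ""
    looks_like_lure = LURE_WORDS.search(body_text) is not None

    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        suffixes = re.findall(r"\.[a-z0-9]+", name.lower())
        final = suffixes[-1] if suffixes else ""
        # Windows decides what to execute by the last suffix, so the policy
        # is applied to that one.
        if final in BLOCKED_EXTENSIONS:
            findings.append(f"blocked type {final}: {name}")
        # "Rechnung.pdf.exe": a decoy suffix in front of the real one.
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTENSIONS:
            findings.append(f"double extension disguised as {suffixes[-2]}: {name}")
        # Archives slip past simple type filters; together with an invoice
        # lure they are the classic ransomware delivery pattern.
        if final in ARCHIVE_EXTENSIONS and looks_like_lure:
            findings.append(f"archive attached to lure mail: {name}")
        # A declared MIME type that contradicts the file name is itself a signal.
        if part.get_content_type() == "application/pdf" and final != ".pdf":
            findings.append(f"declared application/pdf but named {name}")
    return findings


def build_sample(filename: str, maintype: str, subtype: str, body: str) -> bytes:
    """Construct a sample message for this example (not a real captured mail)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "station3@hospital.example"
    msg["Subject"] = "Your documents"
    msg.set_content(body)
    # The attachment content is a placeholder; only its name and type matter.
    msg.add_attachment(b"MZ\x90\x00placeholder", maintype=maintype,
                       subtype=subtype, filename=filename)
    return bytes(msg)


# Constructed samples: a disguised executable, an archive behind an invoice
# lure, and a benign PDF.
SAMPLE_DISGUISED_EXE = build_sample(
    "Rechnung_0423.pdf.exe", "application", "octet-stream",
    "Please find the invoice attached and arrange payment.")
SAMPLE_ARCHIVE_LURE = build_sample(
    "invoice.zip", "application", "zip",
    "Your payment is overdue, see the attached documents.")
SAMPLE_BENIGN = build_sample(
    "discharge_summary.pdf", "application", "pdf",
    "Attached is the discharge summary we discussed.")

if __name__ == "__main__":
    for label, sample in [("disguised exe", SAMPLE_DISGUISED_EXE),
                          ("archive lure", SAMPLE_ARCHIVE_LURE),
                          ("benign", SAMPLE_BENIGN)]:
        print(label, "->", attachment_findings(sample) or "clean")
```

The check deliberately keys on the last suffix and on the combination of archive plus lure text rather than on a signature, because a fresh ransomware dropper has no signature yet; in production the same findings would feed a quarantine decision rather than a print statement.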

To reduce the success rate of social engineering attacks such as CEO fraud or phishing, hospital staff need IT security training on the characteristics of malicious emails; that lowers the risk of an employee letting malware in and causing the resulting damage.

But the financial means to secure IT systems are limited. The current legal situation also makes it difficult for hospitals to secure medical devices, because once a device has been certified it can no longer be changed, not even with software updates. Ultimately, digitalization offers cyber-criminals more attack vectors wherever security gaps are left unaddressed. Although no targeted cyberattack on a hospital is known to have harmed a patient so far, appropriate and effective precautions must be taken to keep it that way. IT security in hospitals must be given higher priority, because a cyberattack on a healthcare facility can have not only financial but also health consequences.

Mirai – The Botnet of Things

The dynamics of the Internet of Things show the daily progress of digitalization. More and more devices are connected to the internet, offering users comfort and efficiency; the market is constantly filled with new devices, and their variety of functions attracts many users. The result is a huge network of data, servers and connected smart devices, which, because of the unaddressed security weaknesses of those devices, is also an enormous new target for cyber-criminals.

The Mirai malware took advantage of exactly this weakness. In October 2016, the botnet became widely known through one of the largest DDoS attacks seen up to that point, aimed at the DNS provider Dyn. As a result, the websites and services of many international companies, including Amazon, Netflix and Spotify, were unavailable for hours. For businesses, an outage like that can mean losses in the millions. What is the story behind the malware that exploits the weaknesses of technological progress?

The origin of the Mega Botnet

2016 was not the first time such an IoT botnet appeared: according to independent security journalist Brian Krebs of krebsonsecurity.com, Mirai-like predecessors have existed since 2014, known as Bashlite, Gafgyt, QBot, Remaiten and Torlus. Mirai's bot code was built from the improved code of these forerunners, assembled by several developers. It was finalized by a group of hackers who had joined forces in 2014 and, under the pseudonym “lelddos”, launched DDoS attacks on competing Minecraft servers to slow them down or knock them offline, which cost their operators a lot of money.

Mirai was designed to remove competing malware from already infected IoT devices and take them over itself. Infected devices in turn scan for other vulnerable devices, logging in over telnet with a short list of factory-default usernames and passwords. As the number of IoT products under Mirai's control grew, the botnet became more powerful and its operators went after larger targets: in September 2016, the French hosting company OVH suffered a DDoS attack peaking at around 1.5 terabits per second.

Shortly after that attack, one of Mirai's co-developers, posting under the name “Anna-Senpai”, published the malware's source code online, enabling many other hackers to copy and extend it. The release led to a rapid increase in imitators operating their own Mirai botnets, and just a month later to the attack on Dyn's servers. The number of new Mirai variants made tracing those responsible much more difficult, but the FBI nevertheless tracked down three young Americans.

On 5 December 2017, the three pleaded guilty in federal court in Alaska to developing the malware and assembling it into a botnet to attack companies and “other targets”. According to the court documents, the group had also planned to earn money with its own DDoS-as-a-service offering and through extortion. To avoid prison, the 21- and 22-year-olds agreed to assist the FBI in complex cybercrime investigations; the sentence nevertheless included five years of probation, 2,500 hours of community service and $127,000 in restitution. Even though the malware's developers are now under supervision, the code still exists and can be reused, adapted and improved by other hackers.

The Return of Mirai

In March 2019, security researchers discovered a new Mirai variant aimed primarily at IoT devices inside companies. The attackers expect this to increase their attack capacity even further, because corporate networks give them access to much greater bandwidth. The new version contains 11 additional exploits, bringing the malware's total to 27, which broadens the range of devices it can take over. It spreads primarily through presentation systems, smart TVs, routers and IP cameras. Companies are advised to change the default credentials of their deployed IoT devices and to include these devices in their IT security strategy.
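Two checks that act on the points above (Mirai's telnet-based propagation and the advice to change device credentials), as an added example that is not part of the original article or of any product: the first function runs over constructed flow records and flags any internal host that reaches many distinct machines on the telnet ports within a short window, which is what a Mirai-infected camera looks like from the network; the second checks a device inventory against a subset of the factory-default logins in the leaked Mirai scanner source. The log format, the device inventory, the thresholds and the device names are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

# Ports the Mirai scanner probes: telnet and its common alternate port.
TELNET_PORTS = {23, 2323}

# A subset of the factory-default logins in the leaked Mirai scanner source
# (scanner.c). A device still using one of these is a Mirai target.
MIRAI_DEFAULT_LOGINS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("root", "123456"), ("root", "54321"),
    ("support", "support"), ("root", "root"), ("root", "12345"), ("admin", "1234"),
    ("admin", "password"), ("root", "password"), ("ubnt", "ubnt"), ("user", "user"),
}

# Constructed flow records, "timestamp src_ip dst_ip dst_port", one per line.
# Sample data for this example, not logs from a real network: 10.20.5.17 behaves
# like an infected camera, 10.20.1.2 is an admin workstation, the rest is noise.
SAMPLE_FLOWS = """\
2019-03-18T08:00:01 10.20.5.17 10.20.7.3 23
2019-03-18T08:00:01 10.20.5.17 10.20.7.4 23
2019-03-18T08:00:02 10.20.5.17 10.20.7.5 2323
2019-03-18T08:00:02 10.20.5.17 10.20.7.6 23
2019-03-18T08:00:03 10.20.5.17 10.20.7.7 23
2019-03-18T08:00:03 10.20.5.17 10.20.7.8 2323
2019-03-18T08:00:04 10.20.5.17 10.20.7.9 23
2019-03-18T08:00:04 10.20.5.17 10.20.7.3 23
2019-03-18T08:00:05 10.20.5.17 10.20.7.10 23
2019-03-18T08:01:10 10.20.1.2 10.20.0.1 23
2019-03-18T08:05:42 10.20.1.2 10.20.0.2 23
2019-03-18T08:06:00 10.20.3.9 93.184.216.34 443
"""


def parse_flow(line: str):
    """Split one record into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_telnet_scanners(flow_text: str, window_seconds: int = 60,
                           min_targets: int = 5) -> dict:
    """Map each source that reached at least min_targets distinct hosts on a
    telnet port inside some window of window_seconds to its largest such count.
    An admin who opens two switches ten minutes apart stays below the bar; a
    bot that sweeps a subnet in seconds does not."""
    per_src = defaultdict(list)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_flow(line)
        if port in TELNET_PORTS:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Distinct targets reached in the window that starts at this event.
            targets = {dst for ts, dst in events[i:]
                       if (ts - start).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners


def audit_default_logins(inventory: list) -> list:
    """Return the names of inventory devices still using a Mirai default login."""
    return [dev["name"] for dev in inventory
            if (dev["user"], dev["password"]) in MIRAI_DEFAULT_LOGINS]


# Constructed inventory (assumed format: name, user and password per device).
SAMPLE_INVENTORY = [
    {"name": "lobby-cam-01", "user": "root", "password": "xc3511"},
    {"name": "conference-display", "user": "admin", "password": "admin"},
    {"name": "ward3-router", "user": "admin", "password": "Q7!vR2#kLp9z"},
]

if __name__ == "__main__":
    print("telnet scanners:", detect_telnet_scanners(SAMPLE_FLOWS))
    print("default logins:", audit_default_logins(SAMPLE_INVENTORY))
```

The scanner check is rate-based rather than signature-based, so it also catches the Mirai variants built from the published source; the window and threshold need tuning per network, and the inventory audit only helps if the inventory is kept current.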

This development shows how exposed IoT devices are in the digitized world; their security matters for businesses and users alike. A study by the Berkeley School of Information and the Center for Long-Term Cybersecurity (CLTC) estimated the total cost to consumers of a hacked smart device, including the additional power consumption while the device takes part in an attack: the attack on Dyn in October 2016, for example, cost IoT owners around 115,000 dollars combined. In the worst-case scenario, the study's calculator arrives at about 68 million dollars, roughly 100 dollars per owner, for a DDoS attack involving 600,000 IoT devices.

The rise of DDoS Attacks

The additional attack surface, which results from the very weakly protected Internet of Things, is also reflected in the increasing number of DDoS attacks on companies.

Whereas three years ago there were still around 9,000 attacks per quarter on corporate infrastructure and servers in the German-speaking region, the number has risen year by year: in the first quarter of 2019 alone, 11,177 DDoS attacks were registered in Germany, Austria and Switzerland. Not only the number of attacks is rising, the volume is also growing significantly. According to the Link11 DDoS Report Q1 2019, the largest DDoS attack in the German-speaking countries reached 224 gigabits per second, and the average attack bandwidth in the quarter was already 3.8 Gbps, an increase of 70 percent over the same period of the previous year. The Internet of Things contributes significantly to this growth in attack power and raises the demands on cyber security once again.