Posted
Learn about the threats and how to protect your healthcare organization
Summary
Medical and health organizations, which include organizations operating in the pharmaceutical sector, face a variety of threats that are inherent to the services they provide and the data they safeguard. Within medical and health verticals the risks associated with compromise are often significantly augmented as patient care and personal information are at stake. This report highlights notable threats to those organizations and corresponding intelligence within the ThreatConnect platform that may facilitate those organizations’ defensive efforts.
Ransomware – this was the most notable malware threat for healthcare and medical organizations in 2016 after Hollywood Presbyterian paid $17,000 to a hacker that had successfully debilitated their services using Locky. The use of ransomware continued throughout 2016 and 2017, many attacks of which came against other medical/health organizations. These organizations are viable targets to ransomware attackers because there is significant pressure to re-enable medical services after they are taken offline. Several other ransomware variants popped up during 2016 and 2017 including SamSam, TeslaCrypt, NotPetya, and WannaCry.
Chinese Advanced Persistent Threats (APTs) – Deep Panda, a Chinese APT, has been associated with attacks against medical and health organizations. Notably this includes the 2015 Anthem BCBS breaches as well as 2015 attacks against the pharmaceutical sector. Deep Panda’s interest in healthcare organizations likely stems from a motivation to garner intelligence on US government individuals (Anthem BCBS provides insurance to a majority of federal employees participating in the Federal Employee Health Benefits program). Deep Panda’s interest in pharmaceutical and medical device organizations likely is the result of a goal to collect intelligence on intellectual property to enable domestic production. Other Chinese APTs that have been associated with attacks on the healthcare vertical include Wekby (Dynamite Panda) and Suckfly. Identified and openly reported Chinese APT activity targeting US organizations has decreased since the 2015 Rose Garden agreement on cybertheft between the US and China; however, recent Chinese operations overseas have been identified and knowledge of these groups and previous operations may facilitate future defensive efforts.
Considerations
Generally, medical and health organizations have the following considerations and data holdings that they must incorporate into their risk assessments, defensive strategies, and intelligence requirements:
- Personally identifiable information (PII) and personal medical information (PMI)
- Intellectual property (IP), notably in pharmaceutical and biomedical industries
- Continuity of operations
- Medical devices
Example Intelligence Requirements
Intelligence requirements define topics on which organizations should focus intelligence collection, processing, analysis, and production. Intelligence requirements can be used to drive both strategic and tactical defense efforts, efficiently drive procurement, and identify gaps in intelligence collection. ThreatConnect provides the following general intelligence requirements for organizations in the medical and health sector to enable organizations’ intelligence-related discussions and focus research efforts:
- Which threats — including nation state, criminal, and hacktivist groups, specific adversaries, or malware — target our organization?
- What types of notable attacks has our organization experienced before?
- Which advanced persistent threats (APTs) have specifically targeted organizations within the medical and health sectors?
- How do these APTs typically conduct operations against their targets?
- What specific tactics do these APTs employ prior to conducting operations against their targets?
- What are these APTs’ motivations with respect to their operations against medical and health organizations?
- What types or variants of malware have been used to steal, delete, or ransom PII, PMI, or IP specific to medical and health verticals?
- What ransomware has been used in attacks against the medical and health verticals?
- How does this ransomware work and how does it ransom the targeted data?
- What ransomware has been used in attacks against the medical and health verticals?
- What vulnerabilities have been identified in software commonly used at our organization or that would enable access to pertinent data holdings?
- What vulnerabilities have been identified in medical devices that we develop or employ?
In The Platform
Below, we identify notable Threats, Incidents/Campaigns, Tags, and Communities within the ThreatConnect platform that are pertinent to medical and health organizations. The links and information provided below are from our Common Community; however, our ThreatConnect Intelligence source has more significant, enriched, and timely information on these threats and others pertinent to the medical and health sectors.
Threats:
Threats capture both nation state and criminal threat groups, as well as malware groups that have been used in multiple operations.
Deep Panda / Black Vine – Chinese APT Associated with the 2015 Anthem/BCBS breaches and attempts against pharmaceutical companies
APT10 / Stone Panda / menuPass – Chinese APT associated with 2016-2017 activity targeting European and Japanese organizations in a variety of sectors, including the pharmaceutical industry.
Suckfly – Chinese APT that has primarily targeted organizations in India, including a US healthcare provider’s business unit
Locky – Ransomware variant that was initially identified in February 2016, has been leveraged in successful attacks, notably against hospitals and the healthcare sector.
SamSam – This ransomware family seems to be distributed via compromising servers and using them as a foothold to move laterally through the network to compromise additional machines which are then held for ransom.
Nymaim – Nymaim is a two-stage malware dropper. It usually infiltrates computers through exploit kits and then executes the second stage of its payload once it is on the machine, effectively using two executables for the infection routine.
Incidents/Campaigns:
Incidents capture individual attacks emanating from a given group or using specific malware. Incident may also be used to capture research efforts into a group or malware. Campaigns generally are a collection of multiple incidents that are associated with a group or malware.
20170627B: PetrWrap / Petya / NotPetya Indicators
20170407B: PwC Report on Operation Cloud Hopper
Tags:
Tags are commonly used within the ThreatConnect platform to specify targeted sectors, types of malware or tactics used, or attributed threats for identified activity or groups. ThreatConnect users can also follow tags to be alerted to new activity that is pertinent to their interests.
Communities/Sources:
The following communities and sources may be pertinent for organizations looking for intelligence on activity targeting medical and health verticals. These communities also facilitate the sharing of intelligence with other members that have similar intelligence requirements.
-
- Medical and Health Community – Community for sharing incidents/intelligence with other members of the medical and health community.
- ThreatConnect Intelligence – Incidents from ThreatConnect Research as well as profiles on significant threats to the Medical/Health sector.
- Common Community – ThreatConnect’s open community with wider access that houses intelligence on a variety of threats.
- Technical Blogs and Reports – This source automatically captures and tags intelligence shared in dozens of open source cybersecurity blogs and reports.This creates a one-stop-shop for organizations to review recently identified intelligence.
Making Life Easier with Dashboards
With ThreatConnect’s new Dashboard feature we can create populated tables and graphs for medical and health verticals based on the aforementioned relevant threats and tags. Below is a simple example showing a Dashboard with four tables capturing Groups and Indicators tagged with medical and health sectors and the threats that are pertinent to them. Dashboards like this one make it easy for organizations to quickly identify and triage intelligence that is relevant to their investigations or defensive efforts.
Conclusion:
Given the speed at which previous attacks and compromises within the medical and health sector have escalated, coupled with the inherent need to ensure continuity of operations, staying apprised of pertinent threat intelligence is a must for those organizations. Further, once attacks or specific threats are identified, an organization can mature toward proactively identifying and defending against future attacks. The ThreatConnect platform assists organizations at any threat intelligence maturity level in quickly and efficiently identifying, researching, and defending against their most pertinent threats.