Flattening the Cyber Curve
The COVID-19 outbreak reaching pandemic proportions rightly has the world worrying about ways to reduce transmission rates and keep our health systems from being overwhelmed. An overwhelmed health system may not be able to provide ventilators, or other necessary care, in a timely manner, and the result is a much higher number of adverse patient outcomes than if hospitals are kept from being overrun. Thus, much of the media attention surrounding COVID-19 has centered on the theme of flattening the curve. Healthcare organizations all around the world have been rapidly adopting and rolling out remote access technologies and telehealth platforms, and making systems public facing, in order to meet these newly arisen needs. Yet little, if any, thought is given to the security implications of such decisions.
It is critical, however, that healthcare organizations keep in mind that in a modern connected hospital, cybersecurity is often synonymous with patient safety, and that cybersecurity cannot be ignored, especially in a time of crisis. Just look at the recent ransomware attack that hit a hospital in the Czech Republic as the region was experiencing its own COVID-19 outbreak. Healthcare organizations need to consider how much faster they will reach a state of overwhelmed if their EHR system suddenly becomes unavailable or, worse yet, if critical medical devices such as connected ventilators were to be encrypted and rendered unusable by ransomware. Likewise, attacks on the United States Department of Health and Human Services, the World Health Organization, and pharma companies looking to test potential COVID-19 vaccines all further demonstrate that this pandemic does not mean that any organization, no matter how good its mission, is safe from cyberattack.
Malicious actors are all set to capitalize on the fear created by the pandemic, and coronavirus-themed malware has been skyrocketing in recent weeks, as attackers know there is a very high chance of a successful click on a malicious link or attachment for anything promising to alleviate the risks created by the pandemic. The last few weeks have produced attacks impersonating government agencies sending out COVID-19 updates, attacks promising access to N95 masks, fake coronavirus tracking maps, and a plethora of other COVID-19 related attack themes. The attacks have risen in prominence so much that cybersecurity practitioners around the world have banded together as members of the COVID-19 Cyber Threat Intelligence League (https://cti-league.com/2020/03/23/welcome-to-the-cti-league/) to volunteer their time and help combat this global threat.
Attacks on hospitals are rising and coronavirus-themed attack vectors are exploding. In many cases these attacks are being linked back to hostile nation states (https://www.cyberscoop.com/coronavirus-phishing-scams-iran-china/), which raises the extremely troubling question: what if one of these hostile nation states were to launch a concerted cyberattack against a large number of US hospitals just as the confusion and panic of peak coronavirus hit? It would undoubtedly lead to a devastating loss of life, as it would potentially redefine what overwhelmed means to hospitals. As security professionals, it is always important to prepare for the worst even as you hope for the best, and this raised the question of what actions even the smallest and least resourced hospitals could take now to avoid becoming victims of one of the coronavirus-themed malware campaigns. What could hospitals be doing to flatten the cyber curve, so that the spread of malware to hospitals is dramatically slowed and hospitals don't fall victim to attackers as easily? Thinking about these questions led to the top ten list below. The list is by no means exhaustive, and it assumes that industry standard security controls such as patching, antivirus, and firewalls are already in place. It is intended as a set of controls that will meaningfully bolster an organization's defenses against coronavirus-themed malware while remaining limited to controls that can be put in place rapidly with minimal IT resources. The control set is as follows:
- In firewalls or proxies, block access to any unclassified domains or any newly registered domains.
- In spam filters, block/quarantine any emails containing links to unclassified domains or any newly registered domains.
- Set your spam filter to strip out macros and other executable content from Office documents and PDF files if this functionality is supported. Hospitals are also encouraged to disable macros in Office documents and executable content within PDFs on all endpoints where this is possible.
- For hospitals without an international presence or a need to communicate internationally, turn on geoblocking in firewalls and spam filters.
- Make use of dynamic block lists as a way to ingest and act on external sources of threat intelligence (e.g. https://www.dshield.org/block.txt), and implement an internal block list as well. An internal block list is a great way of speeding up phishing incident response: putting a rule in a firewall or proxy typically requires escalation to a network team, whereas anyone on the helpdesk can edit a text file with a little training on what appropriate additions are. This can reduce the time to implement a block to a matter of minutes.
- Embed a canary email address in your hospital website that is machine ingestible but in no way human readable. Any email coming to this address is at best spam, and it can be used as a kind of "IDS" for ongoing phishing attacks that IT may otherwise be unaware of.
- Implement software restriction policies or AppLocker to prevent executables from running within the user’s profile as a signatureless way to prevent malware that AV may not detect.
- Implement a DNS sinkhole, as it is a great way to identify infected medical and IoT devices that typically cannot run an endpoint security suite.
- Audit your external perimeter to ensure that no unneeded devices or services are exposed and remove public facing access to anything not required to be public. Ensure all public facing systems are fully patched.
- Audit your remote access configuration to ensure a compromised home PC does not turn into a vector for a compromised hospital network.
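The dynamic block list control above pairs an external feed with a helpdesk-edited text file, and the one thing that "a little bit of training" must prevent is an entry that blocks the hospital's own networks. The following is an added example, not code from the article or from any vendor: it merges a feed in the DShield block.txt layout (assumed here to be tab-separated start IP, end IP, prefix length, attack count, network name, country, contact) with an internal list of one IP, CIDR or domain per line, refuses anything malformed or overlapping an internal or reserved range, collapses overlapping networks, and emits a list a firewall or proxy can consume. All feed and list contents below are constructed sample data.

```python
"""Merge an external threat feed with an internal, helpdesk-maintained block
list into one firewall/proxy-ready list, refusing entries that would block the
hospital's own networks.

Assumptions: the feed follows the DShield block.txt layout (tab-separated:
start IP, end IP, prefix length, attack count, network name, country, contact)
and the internal file holds one IP, CIDR or domain per line with '#' comments.
All sample data below is constructed for this example.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Ranges that must never reach an outbound block list: blocking any of them
# would cut off internal traffic or basic networking, which is the main risk
# of letting helpdesk staff edit the list directly.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Hostname syntax: dot-separated labels, alphabetic TLD, at most 253 characters.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed sample in the DShield block.txt layout (not real feed data).
FEED_SAMPLE = """\
# DShield.org Recommended Block List (constructed sample)
# Start\tEnd\tNetblock\tAttacks\tName\tCountry\temail
192.0.2.0\t192.0.2.255\t24\t5000\tTEST-NET-1\tXX\tabuse@example.net
198.51.100.0\t198.51.100.255\t24\t4200\tTEST-NET-2\tXX\tabuse@example.org
203.0.113.0\t203.0.113.255\t24\t3900\tTEST-NET-3\tXX\tabuse@example.com
bogus feed line
"""

# Constructed internal list, including the kinds of mistakes a quick edit makes.
INTERNAL_SAMPLE = """\
# Internal block list: one IP, CIDR or domain per line; '#' starts a comment
203.0.113.77                 # reported by a user; already inside the feed's /24
192.0.2.10
covid19-masks-example.test   # hypothetical lure domain (constructed)
COVID19-Masks-Example.TEST   # same domain, different case
10.0.0.0/8                   # mistake: internal range, must be rejected
10.20.30.40/99               # typo in the prefix length, must be rejected
not an entry
"""


def _safe_network(text: str) -> Optional[ipaddress.IPv4Network]:
    """Return an IPv4 network for an IP or CIDR string, or None when the text is
    not a valid network or overlaps a range that must never be blocked."""
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None
    if net.version != 4 or any(net.overlaps(r) for r in NEVER_BLOCK):
        return None
    return net


def parse_dshield(feed: str) -> Tuple[List[ipaddress.IPv4Network], List[str]]:
    """Parse feed lines in the DShield layout; comments and blanks are skipped,
    anything else that does not yield a safe network is reported as rejected."""
    nets, rejected = [], []
    for line in feed.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        net = _safe_network(f"{fields[0]}/{fields[2]}") if len(fields) >= 3 else None
        if net is None:
            rejected.append(line)
        else:
            nets.append(net)
    return nets, rejected


def parse_internal(text: str) -> Tuple[List[ipaddress.IPv4Network], List[str], List[str]]:
    """Parse the helpdesk list. Unrecognised or unsafe entries are rejected,
    never silently blocked."""
    nets, domains, rejected = [], [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()   # drop inline comments
        if not entry:
            continue
        net = _safe_network(entry)
        if net is not None:
            nets.append(net)
        elif DOMAIN_RE.match(entry):
            domains.append(entry)
        else:
            rejected.append(entry)
    return nets, domains, rejected


def build_block_list(feed: str, internal: str) -> Dict[str, List[str]]:
    """Combine both sources: collapse overlapping networks, dedupe domains, and
    keep the rejects so whoever edited the list can be told what was dropped."""
    feed_nets, feed_rejected = parse_dshield(feed)
    int_nets, domains, int_rejected = parse_internal(internal)
    merged = sorted(ipaddress.collapse_addresses(feed_nets + int_nets))
    return {
        "networks": [str(n) for n in merged],
        "domains": sorted(set(domains)),
        "rejected": feed_rejected + int_rejected,
    }


if __name__ == "__main__":
    result = build_block_list(FEED_SAMPLE, INTERNAL_SAMPLE)
    for section in ("networks", "domains", "rejected"):
        print(f"{section}:")
        for item in result[section]:
            print(f"  {item}")
```

Run on the samples, the two internal host entries disappear into the feed's /24s, the two spellings of the lure domain become one, and the internal range, the bad prefix and the stray text end up in the rejected list rather than in the firewall. Publishing the rejected list back to the helpdesk is what turns a text file into a safe control.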
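The canary email address and the DNS sinkhole in the list above are both "cheap sensors": the first turns harvested-address spam into an early warning of phishing, the second turns resolver logs into a list of devices that need a look. The following is an added example, not code from the article or from any product, of how a small team might consume both. The mail-gateway and resolver log formats, the canary address, the hospital domain and every sender, name and client address in it are constructed for the example; real gateways and resolvers log differently, so the two parsers are the part to adapt.

```python
"""Two cheap detections: mail sent to a canary address is a phishing indicator,
and DNS sinkhole hits identify likely-infected devices.

Added example, not the article's own code. Log formats, addresses and names
below are all constructed; adapt the parsers to your gateway and resolver.
"""
from collections import defaultdict
from html import escape
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical canary address. It appears only in the website markup, never in
# any directory or signature, so legitimate mail to it should not exist.
CANARY = "gx7q-canary@hospital.example"
OWN_DOMAIN = "hospital.example"   # hypothetical hospital mail domain

# Constructed mail-gateway log: timestamp<TAB>sender<TAB>recipient<TAB>subject
MAIL_LOG = """\
2020-03-25T08:01:12Z\tnurse@hospital.example\tdr.smith@hospital.example\tShift swap
2020-03-25T08:03:40Z\talerts@covid-masks-example.test\tgx7q-canary@hospital.example\tN95 masks available now
2020-03-25T08:04:02Z\talerts@covid-masks-example.test\tdr.smith@hospital.example\tN95 masks available now
2020-03-25T08:09:55Z\tupdates@who-update-example.test\tGX7Q-Canary@hospital.example\tCOVID-19 situation report
2020-03-25T08:12:30Z\tvendor@supplier.example\tpurchasing@hospital.example\tInvoice 4471
"""

# Names the resolver answers with the sinkhole address instead of the real one.
SINKHOLED = {"covid-masks-example.test", "who-update-example.test"}

# Constructed resolver log: timestamp client-ip queried-name
DNS_LOG = """\
2020-03-25T08:05:10Z 10.40.7.21 covid-masks-example.test
2020-03-25T08:05:11Z 10.40.7.21 cdn.legit-example.test
2020-03-25T08:06:48Z 10.41.2.9 who-update-example.test
2020-03-25T08:06:49Z 10.41.2.9 mail.who-update-example.test.
2020-03-25T08:07:02Z 10.40.7.21 covid-masks-example.test
2020-03-25T08:20:15Z 10.42.0.5 ehr.hospital.example
"""


def canary_html(address: str) -> str:
    """Markup for embedding the canary: scrapers that harvest mailto: links and
    page text collect it, while visitors and screen readers never see it."""
    addr = escape(address, quote=True)
    return (f'<a href="mailto:{addr}" style="display:none" aria-hidden="true" '
            f'tabindex="-1">{addr}</a>')


def canary_hits(mail_log: str, canary: str, own_domain: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group mail addressed to the canary by sender domain.
    Returns {sender_domain: [(sender, subject), ...]}."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in mail_log.splitlines():
        if not line.strip():
            continue
        _ts, sender, recipient, subject = line.split("\t", 3)
        if recipient.lower() != canary.lower():
            continue
        sender = sender.lower()
        domain = sender.rsplit("@", 1)[-1]
        if domain == own_domain:        # never feed our own domain into a block list
            continue
        hits[domain].append((sender, subject))
    return dict(hits)


def _sinkholed_parent(qname: str, sinkholed: Set[str]) -> Optional[str]:
    """Return the sinkholed zone a queried name falls under, if any."""
    qname = qname.rstrip(".").lower()
    for zone in sinkholed:
        if qname == zone or qname.endswith("." + zone):
            return zone
    return None


def sinkhole_clients(dns_log: str, sinkholed: Set[str]) -> Dict[str, Set[str]]:
    """Map each client that queried a sinkholed zone to the zones it asked for.
    Devices that cannot run endpoint security still have to resolve names."""
    clients: Dict[str, Set[str]] = defaultdict(set)
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                     # constructed format: ts client qname
        _ts, client, qname = parts
        zone = _sinkholed_parent(qname, sinkholed)
        if zone:
            clients[client].add(zone)
    return dict(clients)


def triage(mail_log: str, dns_log: str, canary: str, own_domain: str, sinkholed: Set[str]) -> dict:
    """Turn both detections into action items: sender domains to add to the
    internal block list and devices to pull for investigation."""
    hits = canary_hits(mail_log, canary, own_domain)
    infected = sinkhole_clients(dns_log, sinkholed)
    return {
        "block_candidates": sorted(hits),
        "investigate": sorted(infected),
        "canary_messages": sum(len(v) for v in hits.values()),
    }


if __name__ == "__main__":
    print(canary_html(CANARY))
    print(triage(MAIL_LOG, DNS_LOG, CANARY, OWN_DOMAIN, SINKHOLED))
```

The sender domains that hit the canary are exactly the entries a helpdesk would add to the internal block list, and the two client addresses from the resolver log are the devices to find on the floor; the message to a real user from the same lure domain shows why the canary is worth having, since that one would otherwise have gone unnoticed until someone clicked.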
Despite all of the confusion and the demands on everyone's time to prepare for the COVID-19 patient surges, it is well worth the time for organizations to take a moment and consider how connected hospitals have become and how dependent on computer systems and computerized devices modern medicine now is. Let's work together to mitigate the currently exploding risk of coronavirus-themed attacks against healthcare and, in doing so, help ensure the safety of our patients. Let's work to keep medical resources available to treat patients worldwide by flattening our collective cyber risk.