Healthcare has long been a primary target for ransomware attacks. This is not changing and is not likely to change. Claroty/Team82’s State of CPS Security – Healthcare 2023 discusses the reasons.
Healthcare comprises a critical industry combining a large-scale use of converged IT and OT with a huge quantity of disparate OT devices dependent on IT control delivered over WiFi – and a very low tolerance for disruption. The industry is eminently exploitable and has a strong incentive to settle extortion attacks as quickly and as seamlessly as possible. Lives may depend upon it.
According to the FBI 2023 IC3 report, healthcare suffered 249 reported ransomware attacks during last year – 31 more than the second most attacked CNI sector (critical manufacturing), and more than double the reported attacks against financial services.
Claroty/Team82’s report analyzes the components of a healthcare IT environment to explain its susceptibility to attack. It notes that the threat to patient privacy (covered by HIPAA) has moved on to a threat to patient life.
The report has some worrying conclusions. 63% of exploited vulnerabilities tracked in CISA’s KEV catalog can be found on healthcare networks. Clearly ‘patching’ is a problem for healthcare, but it is not something that can be easily solved: healthcare has a total of 360 different device manufacturers whose patch certification programs must be observed.
While the IT devices controlling the OT devices are usually Windows and Linux systems that are frequently patched, no such formality applies to the majority of OT devices. “Instead,” says the report, “vulnerability patching is often an add-on to an already expensive support contract.”
Compounding this problem is the length of time it takes to gain FDA device certification. Developing a patch and implementing that patch may require new FDA certification – but the life expectancy of the device may be limited (medical technology is a rapidly advancing field). There is a natural inclination to attempt mitigation through compensating controls rather than formal patching – the old OT adage of ‘if it ain’t broke, don’t fix it lest you break it’ exists on medical steroids.
This problem is compounded by the number of devices that run on unsupported OSes. “Fourteen percent of medical devices in our research run an end-of-life or unsupported OS,” notes the report. These are mostly old versions of Windows, but include Linux, mobile OSes, Sun Solaris, SunOS, and others. Aggravating this, many of the unsupported Windows devices are also unmanaged and not part of an Active Directory domain. Defenders are unable to use domain management to push updates and new policies or enforce ACLs.
The result of these patch or update issues is that medical devices provide attackers with a rich source of ‘forever-day vulnerabilities’: vulnerabilities that are known and fixed by the manufacturer, but are never patched by the customer. Since budgetary restraints mean that HDOs are unlikely to rip the old and replace with new, the vulnerabilities sit and wait to be exploited. Overall, a high percentage of medical devices have no endpoint protection.
Another persistent problem for HDO OT is the huge number of third parties (through delivery rather than supply) that the devices touch. These are patients, who almost by definition have no interest in, or knowledge of, security. Pacemakers are installed in eminently mobile humans (their very purpose is to keep those people mobile). Data is collected from the pacemaker and relayed back to the HDO via wifi or over the internet via the patient’s own domestic router. This is a potential threat to patient privacy. Infusion pumps, while mostly only operational within a hospital, have a long history of vulnerabilities. This is a potential threat to patient life.
Attacks against such devices could harm individual patients, but they are not the primary target of attackers – attackers seek access to the HDOs’ networks. From here they can potentially disrupt all devices as part of an extortion attack. These third party patients can be a weakness.
Firstly, HDOs offer a guest network to provide internet access for their patients. Claroty/Team82’s research suggests that 4% of devices used in surgeries can be accessible via a hospital’s guest network. But secondly, it is not unknown for patients to be given passwords for direct access to the primary corporate network. Nurses’ employment is typically vocational rather than careerist – their motivation is to make the patient as comfortable as possible; and a patient’s struggles with the poor bandwidth of the guest network can be easily solved. But the personal device used, usually a laptop, is unknown to, and unverified by, the network administrators.
The problem that HDO defenders face is one of complexity. Security solutions exist for almost all the issues they face – but the intricacies of patching what can be patched, mitigating what cannot, onboarding new devices and promoting security awareness in staff whose vocational instincts might be diametrically opposed to security, is too complex to guarantee complete and continuous success.
The combination of vulnerable networks and a high incentive to settle extortion attacks speedily explains the reason for the continuing attacks by ransomware criminals. Recorded Future’s Dmitry Smilyanets recently pointed to a post on Ramp Forum (March 3, 2024) purporting to be from the BlackCat/Alphv affiliate that hacked Change Healthcare. The affiliate complained that BlackCat/Alphv had reneged on paying its share of the profits from a paid ransom – $22 million. This claim is supported by evidence of $22 million arriving in a BlackCat/Alphv bitcoin wallet.
Or it could be an exit scam being perpetrated by BlackCat/Alphv to allow them to get a second bite of the cherry… Nevertheless, the implication, currently unconfirmed by Change Healthcare, is that the HDO quietly paid a $22 million ransom to prevent confidential data leakage and obtain decryption keys.
Claroty/Team82’s argument is that any attempt to secure the individual devices within a healthcare network should be supported by network segmentation. “Segmentation is a paramount strategy,” says the report. “Isolate connected medical devices – patient and surgical – from corporate networks. This would mean that if any specific device is compromised, the attacker could be constrained, and the damage limited.
