On May 5, 2020, the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) released an updated cybersecurity alert for hospitals and healthcare industries warning of advanced persistent threats (APTs).
CISA and NCSC are investigating cyber threats against pharmaceutical companies, medical research organizations, and universities by APT groups seeking to steal COVID-19 related healthcare research, national health policies and recommendations, and intellectual property. According to CISA,
“Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets. Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted.”
CISA and NCSC report APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software, specifically “Citrix vulnerability CVE-2019-1978 and vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.” These bad actors seek this information for private sale and foreign state use.
Recently, the following breaches and cyber attacks against hospital networks and pharmaceutical companies were reported:
May 6, 2020 – Brian Krebs released an article describing how “Fresenius, Europe’s largest private hospital operator and a major provider of dialysis products” suffered a ransomware attack on its technology systems in which more than 300,000 people were affected. Interpol is investigating.
May 5, 2020 - St. Louis-based BJC HealthCare released a notice to its patients of a data breach that resulted in compromised protected health information of its patients. BJC’s notice informed the public that the incident was initially noticed on March 6, 2020, when it identified suspicious activity within three BJC employee email accounts. The investigation is ongoing. The incident affected 19 BJC-affiliated hospitals and service organizations.
April 21, 2020 - Parkview Medical Center in Pueblo, Colorado became aware that it was the victim of a cyber incident. On April 23, 2020, the hospital released a statement in which it informed the public that a third-party forensic expert was “immediately engaged” to investigate and mitigate the incident. A subsequent news article stated that Meditech, the hospital’s system for storing patient information, was hacked with ransomware and rendered inoperable, requiring the hospital to use a paper record system for treatment.
April 17, 2020 - ExecuPharm Inc. sent a “Notice of Data Breach” to the Vermont Attorney General’s Office. In the notice, ExecuPharm stated that on March 13, 2020, it was hit with ransomware, which it believes originated from employee phishing emails. The attackers stole not only information belonging to ExecuPharm employees, but also that of Parexel. Parexel International is a global provider of biopharmaceutical services. It conducts clinical trials on behalf of its pharmaceutical clients to expedite the drug approval process. According to the website TechCrunch, ExecuPharm’s stolen data is available on the dark web.
April 13, 2020 - Doctors Community Medical Center in Lanham, Maryland posted an alert to the community that it fell victim to a phishing email sometime between November 2019 and January 2020. Upon investigation, the hospital determined the intrusion occurred after certain employees opened a phishing email, in which the bad actor obtained the employees’ credentials. The investigation further revealed that some of the hacked email accounts contained data sheets with patient information, including military identification numbers, financial account information, treatment and prescription information, and Medicare/Medicaid numbers. This same medical center also suffered a massive cyber breach in 2016.
As these APTs persist, CISA’s alert suggests the following mitigation efforts:
Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations.
Use multi-factor authentication to reduce the impact of password compromises. See the U.S. National Cybersecurity Awareness Month’s how-to guide for multi-factor authentication.
Protect the management interfaces of your critical operational systems. In particular, use a browse-down architecture to prevent attackers from easily gaining privileged access to your most vital assets.
Set up a security monitoring capability so you are collecting the data that will be needed to analyze network intrusions.
Review and refresh your incident management processes (or create them).
Use modern systems and software. These have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve your position.
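Several of the incidents above began with compromised employee email credentials, and the alert's monitoring recommendation is only useful if the collected data is actually reviewed for that pattern. The following is an added example, not code from the original page or from CISA/NCSC, of a minimal triage over authentication records: it parses a constructed, hypothetical sign-in log format and flags two signals that a security monitoring capability would typically look for, a successful login for an account that has recently signed in from several distinct source addresses, and a success that follows a burst of failures. The log lines, the field names (user, src, result), the thresholds and the time window are all assumptions chosen for the example.

```python
"""Triage of sign-in records for credential-compromise signals (added example).

The log format below is constructed for this example; map your own
identity provider's or mail server's fields onto it before use.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical line format: <ISO timestamp> user=<name> src=<ip> result=SUCCESS|FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAIL)$"
)

# Constructed sample data: alice signs in from three addresses within 20 minutes,
# carol succeeds right after five failures, bob is ordinary.
SAMPLE_LOG = """\
2020-03-06T08:01:10 user=alice src=10.0.0.12 result=SUCCESS
2020-03-06T08:02:45 user=bob src=10.0.0.17 result=SUCCESS
2020-03-06T08:10:01 user=carol src=198.51.100.7 result=FAIL
2020-03-06T08:10:05 user=carol src=198.51.100.7 result=FAIL
2020-03-06T08:10:09 user=carol src=198.51.100.7 result=FAIL
2020-03-06T08:10:14 user=carol src=198.51.100.7 result=FAIL
2020-03-06T08:10:20 user=carol src=198.51.100.7 result=FAIL
2020-03-06T08:10:31 user=carol src=198.51.100.7 result=SUCCESS
2020-03-06T08:15:00 user=alice src=203.0.113.55 result=SUCCESS
2020-03-06T08:20:00 user=alice src=192.0.2.99 result=SUCCESS
2020-03-06T09:30:00 user=bob src=10.0.0.17 result=SUCCESS
"""


def parse_log(text):
    """Parse log text into a time-ordered list of event dicts; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # a production pipeline should count and surface these
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "SUCCESS",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_logins(events, window=timedelta(hours=1), max_sources=2, fail_threshold=5):
    """Return (user, signal, detail) tuples for accounts worth an analyst's attention.

    Thresholds are assumptions for the example; tune them to your environment.
    """
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        # Signal 1: successful logins from more than max_sources distinct
        # addresses inside any sliding window (one finding per user).
        successes = [e for e in evs if e["ok"]]
        for i, start in enumerate(successes):
            in_window = [s for s in successes[i:] if s["ts"] - start["ts"] <= window]
            sources = {s["src"] for s in in_window}
            if len(sources) > max_sources:
                findings.append((user, "multiple_sources", sorted(sources)))
                break

        # Signal 2: at least fail_threshold failures followed by a success,
        # all within the window (guessing or spraying that eventually worked).
        fails, first_fail = 0, None
        for e in evs:
            if not e["ok"]:
                if first_fail is None or e["ts"] - first_fail > window:
                    first_fail, fails = e["ts"], 0
                fails += 1
            else:
                if fails >= fail_threshold and e["ts"] - first_fail <= window:
                    findings.append((user, "success_after_failures", fails))
                fails, first_fail = 0, None
    return findings


if __name__ == "__main__":
    for user, signal, detail in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(f"{user}: {signal} {detail}")
```

The two signals are deliberately simple so that the logic is auditable; in practice the same loop would be fed from an identity provider's audit export and enriched with geolocation or device identity before a finding is raised to the incident-management process the alert asks you to maintain.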