AABB News: Protecting Information Technology Infrastructure

March 05, 2021

Note: This article originally appeared in the February 2021 issue of AABB News, a member benefit of AABB.

By John W. Link
Contributing Writer

Cybersecurity has been the subject of increasing attention following the massive SolarWinds cyber-intrusion that infected hundreds of government and commercial systems. Even though facilities throughout the world are spending more money and resources to protect themselves from cyberattacks, they are, in many ways, less secure.

Medical and health care-related facilities may be at particular risk for cyberattacks. "Cyberattacks on health care providers are expected to triple next year," according to Black Book's November 2020 “State of the Healthcare Industry Cybersecurity Report.” "Cybersecurity threats are now four times more likely to be targeted on health care than any other industry," said Brian Locastro, lead researcher.

To keep data and systems safe in hospitals, blood centers and cellular therapy centers, it is critical to understand how cyber intrusion works and how users in the transfusion medicine and biotherapies community can limit it. Although it would not be possible to prevent all cyberattacks, there are ways to reduce the risk, reduce exposure and impact, and help facilities respond to these events more effectively.

Those who penetrate information systems are called “hackers.” Because their motives and behaviors differ, they are commonly classified with “hat” colors borrowed from old Hollywood westerns. “Black Hat Hackers,” called “crackers” in this article, penetrate systems for criminal and destructive ends. Most are driven by the desire for money, whether through data theft or ransomware. Others focus on the destruction or disruption of systems for national strategic or political ends. “White Hat Hackers,” called “Ethical Hackers” in this article, break into systems to help fix their weaknesses. There is an actual profession and certification of "Ethical Hackers," who are paid to break into systems to find security flaws. “Grey Hat Hackers” break into systems for the challenge and thrill. Many hackers shift from one hat to another over their lifetime.

Ransomware
"The No. 1 threat to the information systems of the medical community is ransomware — and the number two threat barely registers," according to Chip Block, VP and Chief Solution Architect at Evolver, a converged security solutions company. Ransomware is a class of malware that encrypts or blocks the information system's critical applications and data. Hospitals have become a favorite target of ransomware attacks because taking a hospital information system offline during a crisis puts patients’ lives in danger, making the ransom more likely to be paid. These ransomware crackers demand a ransom scaled to what the hostage hospital or blood bank will likely pay. An electronic "ransom clock" ticks away with the message to pay the ransom or permanently lose the data and networks.

According to Block, "Rural hospitals are increasingly being targeted because they are typically easier targets and have fewer options to protect their patients since the nearest hospital might be a hundred miles away." This forces rural hospitals to weigh paying the ransom against putting patients' lives and health in jeopardy, incurring the cost of system restoration, and risking civil liability for not paying the ransom. If they pay the ransom, the crackers provide the key to decrypt and release the hostage system.

Data Theft
There is a very mature cybercriminal "business model" built around crackers who penetrate information systems and steal Personally Identifiable Information (PII), such as credit card numbers and/or medical records. While some crackers exploit the information themselves, many sell it on the Dark Web, a shadowy information system for criminal activity and underground political organizing. Both groups use PII, medical records or other information to engage in medical fraud, getting loans in others' names, stealing from bank accounts or using credit cards via compromised credentials. Many of those who exploit the data now hire crackers for a fee as subcontractors.

Terrorists or State Actors
A terrorist or nation-state cyberattack could shut down the electrical grid or other parts of the national infrastructure. AABB members provide services to two parts of the national infrastructure in the United States: emergency services, and health care and public health. In a cyber-war, these national infrastructure elements could be targets for cyberattacks by national cyber forces.

After Sony Pictures released a satirical movie about North Korean leader Kim Jong-un, North Korea unleashed a unit of cyber-attackers who destroyed the Sony IT infrastructure and accessed the company’s intellectual property, including films in production. The North Koreans then released hundreds of Sony Pictures’ internal emails, some of which led to secondary scandals. Attacks from terrorists or state actors are a low-probability but high-impact threat.

Hacktivists
Hacktivists are mostly hackers who penetrate systems for political or ideological reasons and are a very low-level threat. The most famous hacktivist group is "Anonymous," but others may emerge around medical policy issues. They tend to steal and disclose embarrassing information, deface websites with political content, or redirect users to other sites.

Targets for Intrusion
Larger hospitals hold many medical records and PII but tend to be more secure. Blood centers and cellular therapy facilities have a fair number of medical records and PII but tend to be easier targets. Hospitals, especially those in rural areas, may be the likeliest targets for ransomware attacks. The prize targets for those looking to steal data are folders and databases of medical information. Those looking to ransom the systems will look to encrypt databases or controls of networks and medical technology.

Methods of Entry
Users need to be aware of the ways that crackers get inside computers and systems. Typically, the initial targets for crackers are user credentials, followed by stealing system administrator credentials and privileges to gain system access and control. Each user in the network is a potential entry point for the crackers. Crackers use several techniques to get inside users' computers or to get their credentials:

  • Phishing is the email that one gets from a cracker pretending to be "PayPal" or some other source, informing a user of unauthorized activity and requesting information, or telling them to download a document or click a link. Doing so will infect the user’s computer with malware.
  • Spear-phishing is an elaborate version of phishing that pretends to be from someone the user knows or an authority, such as a boss, the CEO or the Human Resources Department.
  • Keyloggers are downloaded malware that record keystrokes so that crackers can get passwords or other data.
  • Compromised Websites. Crackers infect legitimate websites with malware so that once a user clicks on a specific link, malware is injected into their computer.
  • Brute Force Attacks use computer programs to try every combination of letters and numbers until they find your password.
  • Password Guessing tries the surprisingly obvious choices of poor passwords such as "password," "123456" or the user's birthdate.
  • War Driving occurs when hackers drive through neighborhoods or business districts with sensitive scanners looking for unencrypted Wi-Fi to gain entry to networks.
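The brute-force and password-guessing techniques above leave a distinctive trace in authentication logs: many failures against one account from one source, or failures against many different accounts from one source in a short time. The following is an added example (not code from the article or from AABB) that detects both patterns in a constructed, syslog-like login log. The log format, the thresholds, the account names and the IP addresses are all assumptions made for the example; real systems log differently and thresholds should be tuned to local traffic.

```python
"""Flag brute-force and password-guessing activity in authentication logs.

Added example, not from the AABB article. The log format below is a constructed
one (ISO timestamp, result, user, source IP); real systems differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: one source hammering a single account (brute force),
# one source trying a few guesses against many accounts (password guessing),
# and one ordinary user who mistyped once. All IPs are documentation ranges.
SAMPLE_LOG = """\
2021-02-01T08:00:01 FAILED user=jsmith src=203.0.113.10
2021-02-01T08:00:02 FAILED user=jsmith src=203.0.113.10
2021-02-01T08:00:03 FAILED user=jsmith src=203.0.113.10
2021-02-01T08:00:04 FAILED user=jsmith src=203.0.113.10
2021-02-01T08:00:05 FAILED user=jsmith src=203.0.113.10
2021-02-01T08:00:06 FAILED user=jsmith src=203.0.113.10
2021-02-01T08:00:07 SUCCESS user=jsmith src=203.0.113.10
2021-02-01T08:05:00 FAILED user=alee src=198.51.100.7
2021-02-01T08:05:01 FAILED user=bkim src=198.51.100.7
2021-02-01T08:05:02 FAILED user=cdoe src=198.51.100.7
2021-02-01T08:05:03 FAILED user=dray src=198.51.100.7
2021-02-01T09:30:00 FAILED user=efox src=192.0.2.44
2021-02-01T09:30:20 SUCCESS user=efox src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (FAILED|SUCCESS) user=(\S+) src=(\S+)$")


def parse(log_text):
    """Return (timestamp, result, user, src) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """(user, src) pairs with at least `threshold` failures inside any `window`.

    Also reports whether a later success from the same source followed the
    failures, which is the case a responder wants to look at first.
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, src in events:
        (failures if result == "FAILED" else successes)[(user, src)].append(ts)
    hits = {}
    for key, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted failure times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = times[-1]
            hits[key] = {
                "failures": best,
                "followed_by_success": any(t > last_fail for t in successes.get(key, [])),
            }
    return hits


def find_guessing_across_accounts(events, min_accounts=3, window=timedelta(minutes=10)):
    """Sources that fail against at least `min_accounts` distinct accounts inside
    `window`: the 'try an obvious password against everyone' pattern."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAILED":
            by_src[src].append((ts, user))
    hits = {}
    for src, items in by_src.items():
        items.sort()
        start, best = 0, set()
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            users = {u for _, u in items[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            hits[src] = sorted(best)
    return hits


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for (user, src), info in find_brute_force(evts).items():
        print(f"brute force: {user} from {src}: {info}")
    for src, users in find_guessing_across_accounts(evts).items():
        print(f"guessing across accounts from {src}: {users}")
```

The sliding window is what separates an attack from a tired user: efox fails once and then logs in, and is not reported, while the six rapid failures against jsmith followed by a success are exactly the event that should trigger a password reset and a call to the IT team.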

Protecting Yourself and Your Organization

Experts warn, “Please think before you click,” and this advice should be followed whether it is an unknown email, a web link or a pop-up dialog box. It may be fine, but cyber-attackers are counting on our inattention, misplaced trust, compliance and fear. For example, some adware will superficially infect a user’s browser, redirecting it to certain web pages. Then, a box or page pops up telling the user that their computer is infected with a virus and professes to be the Microsoft or Apple support desk, offering to sell anti-virus software as protection. By not clicking on any link or buttons and shutting down, a user may remove the adware from the browser before it infects their computer’s system.

Below are some specific actions and techniques that can help users prevent cyber-intrusions:

  1. Email Cyber-Hygiene. Phishing and spear-phishing are the primary cyber-attack vectors. Most attacks can be prevented by practicing good email cyber hygiene:
    • Unless you are expecting an email, regard all emails with some suspicion. A good rule of thumb is that "all emails are dangerous, until proven not."
    • In unexpected emails, look for anomalies in the sender, subject or first lines. Clues include small things such as poor spelling, strange fonts and logos not in the right place.
    • You can check the source of an email by hovering your cursor over the sender's name in the email inbox. The real address of the sender will show up in a little box. If it does not match the apparent sender, it is a fake or "spoofed" address.
    • If the sender's real address does not show up, it has been blocked, and that should be considered suspicious.
    • If you find an email from a coworker in your spam folder, it should be considered suspect, since the email system regarded its real address as suspicious.
    • Do not open emails that seem suspicious. Some phishing malware can infect upon opening.
    • Most require a user to hit a link, go to a website or download a file, all of which should be avoided.
  2. Limit What You Share on Social Media. Crackers often search personal or corporate social media for details about users that they can use to create authenticity in phishing attacks.
  3. Avoid Public Wi-Fi. Don't set your phone or laptop to look for open networks. If no password is required, the Wi-Fi is unencrypted, so all your data is exposed to the Wi-Fi site. It is best to use your cell phone provider's data services or buy and use a "portable hotspot."
  4. Keep Your Software and Operating Systems Up to Date. Many upgrades include patches to existing software problems. When you don't keep up with your software updates, security problems remain unpatched.
  5. Antivirus Software. It is important to have anti-virus software and keep it up-to-date so that it will recognize new malware.
  6. Encrypt all Email. This is especially true if you are sending medical or other PII via email. Almost all email systems have a simple command that will encrypt your email until it reaches the person to whom it was sent.
  7. Password Hygiene. The first objective of many attacks is getting your password. Many crackers just guess or use Brute Force attacks to figure out the password. Here are steps to protect your passwords:
    • Use a Unique Password. Don't use the same password for multiple sites.
    • Close Your Browser. When you log out of a password-protected website, close your whole browser, not just the tab.
    • Change Your Passwords at least every 6 months.
    • Never Share Your Password. Help Desks don't need your password and would prefer you change it rather than disclose it.
    • Use a Password Manager Program, which generates and stores a strong, unique password for each website or function.
    • Never Loan Out Your Cell Phone. If a stranger asks to use your cell phone, decline. If they insist it is an emergency, ask for the number they want to call, call it for them and leave it on speaker. Real people in real need will be comfortable with that.
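The email checks under item 1 (hover to reveal the real sender address, treat a missing address as suspicious, compare it with the apparent sender) can be automated on the message headers themselves. Below is an added example, not code from the article or from AABB, that reads a message's From and Reply-To headers with Python's standard email library and reports the mismatches a user would otherwise have to spot by eye. It goes slightly beyond the text by also catching lookalike domains that differ from a trusted domain by a character or two. The trusted domain list, the example-hospital.org domain, and all four sample messages are constructed assumptions.

```python
"""Check an email's From header the way the article's hover test does, in code.

Added example, not from the AABB article. The messages and the trusted domain
list below are constructed; an organisation would fill in its own mail domains.
"""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-hospital.org"}  # assumption: your organisation's own mail domain(s)

# Constructed sample messages (headers, blank line, body).
LEGIT = """\
From: Jane Smith <jane.smith@example-hospital.org>
To: staff@example-hospital.org
Subject: Shift schedule

See attached schedule.
"""
SPOOFED = """\
From: "jane.smith@example-hospital.org" <alerts@mail-relay.example>
Reply-To: invoices@collect.example
To: staff@example-hospital.org
Subject: Urgent: update your login

Click here to keep your account active.
"""
LOOKALIKE = """\
From: HR Department <hr@example-hospita1.org>
To: staff@example-hospital.org
Subject: Updated benefits form

Please open the attached form today.
"""
BLOCKED = """\
From: Jane Smith
To: staff@example-hospital.org
Subject: Quick favour

Are you at your desk?
"""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot domains one or two characters off a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message, trusted_domains=TRUSTED_DOMAINS):
    """Return a list of (code, explanation) findings about who the mail really comes from."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    findings = []
    # The article's rule: if no real address shows up, treat the message as suspicious.
    if "@" not in address:
        findings.append(("missing-address", "no real sender address is visible; treat as suspicious"))
        return findings
    domain = address.rsplit("@", 1)[1].lower()
    # Display name written to look like an address at a different domain than the real one.
    if "@" in display_name:
        shown = display_name.rsplit("@", 1)[1].strip().lower()
        if shown != domain:
            findings.append(("name-address-mismatch",
                             f"display name shows @{shown} but the mail comes from @{domain}"))
    # Domain that is nearly, but not exactly, one of ours.
    if domain not in trusted_domains:
        for trusted in trusted_domains:
            if 0 < _edit_distance(domain, trusted) <= 2:
                findings.append(("lookalike-domain",
                                 f"{domain} differs from {trusted} by only a character or two"))
    # Replies silently routed somewhere other than the sending domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" in reply_to and reply_to.rsplit("@", 1)[1].lower() != domain:
        findings.append(("reply-to-mismatch",
                         f"replies go to @{reply_to.rsplit('@', 1)[1].lower()}, not @{domain}"))
    return findings


if __name__ == "__main__":
    for label, sample in [("legit", LEGIT), ("spoofed", SPOOFED),
                          ("lookalike", LOOKALIKE), ("blocked", BLOCKED)]:
        print(label, check_sender(sample) or "no findings")
```

None of these checks proves a message is malicious, and a clean result does not prove it is safe; they surface the same anomalies the article tells users to look for, so the message can be handed to the IT team rather than opened.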

Signs You Have Been Hacked
These are symptoms of being hacked, though none of them is diagnostically conclusive on its own:

  • Your login is denied or the password is changed.
  • Your computer or network dramatically slows.
  • Your cursor moves or page scrolls on its own.
  • Certain computer functions do not work as they should.
  • Flashes of a webpage show up and disappear.
  • You have pop-up ads and redirects to other web pages.

Your Response to Being Hacked

  • Stop what you are doing!
  • Don't send the email or finish what you are doing. Don't spread the contagion.
  • Power down your computer.
  • Immediately contact your IT Team.
  • If you receive a ransomware notification, still shut down all systems, but leave the ransom note up on a screen.

END NOTES
Ponto, Cole (2018, August 9). An Intro to the Dark Web. SBS Cyber. https://sbscyber.com/resources/an-intro-to-the-dark-web
Rubens, Paul (2017, July 27). How does ransomware work? Understanding the economics. CSO Online. https://www.csoonline.com/article/3211305/how-does-ransomware-work-understanding-theeconomics.html
Black Book Research (2020, November 13). Attacks Predicted to Triple in 2021, Black Book State of Healthcare Industry (Press Release). Retrieved from https://www.prnewswire.com/news-releases/attackspredicted-to-triple-in-2021-black-book-state-of-the-healthcareindustry-cybersecurity-industry-report-301172525.html