3 Payloads in Healthcare Data Breaches

The news is full of a variety of attacks on healthcare data, ranging from ransomware attacks on small clinics and large hospitals to the massive data theft from the behemoth Veteran’s Administration and myriad threats in between. But as is the case with attacks in other sectors, typically little thought is given to how many ways attackers can profit from data breaches after the initial round of attacks.

For example, 73 percent of IT security professionals at utilities reported a public security breach, according to a 2016 Cisco study. But that study is focused on data breaches (IT security) rather than on operational technology (OT) security. That is not an uncommon approach in narrowing the focus necessary for a meaningful study. It is also in keeping with the general thinking among many security professionals, which is that data breaches are the point of the exercise, rather than the means to a different end.

A year after that study, the U.S. government issued a rare public warning about attacks on the energy and industrial sectors. That report followed an earlier government release of a Mission Support Center analysis report citing, among other things, threats to the power grid from nation states and new risks emerging from the complexity of modern control systems. Added to a litany of reported air gap fails, such as using a system’s fan or connected surveillance cameras to bridge airgaps for a malware leap, no control system or data set appears to be safe.

But attackers, particularly nation-states, may be taking a much longer view than many in the security community may expect. For example, data from utilities might not be used exclusively against that specific entity or sector. It potentially could be mined for vulnerabilities in companies and government agencies that use those utilities. Or, those utility control systems could be commandeered to attack an entity or persons served by the utility, such as the Iranian attack on a New York dam. Utilities data also could be used to extract and exploit data from connected but external internet of things (IoT) devices. In other words, attacks on utilities could be about more than disrupting smart grids—it might also be about taking over or destroying smart cities, too.

Stolen healthcare data similarly can be used for myriad purposes. One example would be for a nation-state to use war veterans’ health data—stolen in the VA breach—to study the immediate and long-term maiming effects of certain weapons, the vulnerabilities in military protective gear and vehicles and the American susceptibility to certain diseases. Why? To develop more effective weapons, including bioweapons. This is a scenario I explored in my book, “Data Divination: Big Data Strategies.” But this information could also be weaponized against the American public at large, too. After all, data on the world’s largest military is more than a representative sample of Americans overall.

Healthcare data conceivably also could be used to carry out assassinations. For example, an attacker could hack a pacemaker to assassinate a person. If a pacemaker is connected to the internet (which most healthcare devices are these days), a hacker could shut it down or cause it to work outside the bounds of safety restraints. Another example: Surgical robotics, already commonly in practice, could be used to murder someone during surgery.

A third example would be to blackmail people with embarrassing health conditions that could jeopardize their marriage, job or social standing. There are probably even more ways to leverage stolen healthcare data, too, than the three listed here.

It is prudent to map out all possible dangers resulting from a data breach based on the specific information that was stolen. Forewarned is forearmed, after all. This might require a tighter collaboration between security and data science professionals, or at least the regular use of highly specialized and machine learning-based analytics.

In March alone, Tufts Healthcare, BJC Healthcare in St. Louis and St. Peter’s Surgery in New York all reported large-scale breaches, affecting more than 230,000 patients combined. Attacks on healthcare data appear to be escalating. It’s important to take a look at what data attackers are currently targeting in health care and how they typically are getting it.

According to a new Mimecast study, social engineering is king and email is the preferred virus carrier. Email is overwhelmingly the most common source of a data breach in both Q3 and Q4 2017, in this survey. Locky malware and Locky variants are the most common known malware threats. Microsoft Office documents are 80 percent of malicious attachments; 3 out of 4 are Microsoft Word. Attackers appear to be targeting small to medium-sized health organizations now.

Further, data analysis in the study “found targeted emails to 6 employees, primarily working in IT analyst roles, at a company of 4,300.” These were attempted patient data thefts. However, attempts to trigger fraudulent wire transfers of money were also found. Data analysis found targeted emails to 10 people, primarily working in finance positions such as CFO, finance director, HR, and the CEO, at a company of 9,000.”

Pam Baker