Views on Cybersecurity Threats to Health-Care Facilities From Duo Security Director of Security Research Steve Manzuik

A recent wave of ransomware attacks targeting hospitals highlights the cybersecurity vulnerabilities of health-care facilities.

Bloomberg BNA Privacy & Data Security News Senior Legal Editor Jimmy H. Koo posed a series of questions to Duo Security Inc. Director of Security Research Steve Manzuik on cybersecurity threat trends and what health-care facilities should do if they're subjected to a ransomware attack.

Bloomberg BNA:

Are you seeing any recent trends in cybersecurity threats to health-care facilities?

Steve Manzuik:

Health-care facilities are an interesting problem from a cybersecurity perspective. They have a lot of systems running older, potentially unsupported software that, for various reasons, can't be replaced or updated. Security teams at these facilities have to deal with outdated application frameworks like JBoss, outdated client-side software like Java and Flash, old medical devices running unpatchable operating systems and now, we can add cryptolocker/ransomware to the list of potential threats.

While these aren't really new trends, there seems to be a heightened attention on attacking health-care organizations. The ability to monetize a successful attack as well as the willingness of organizations to pay out a ransom seems to have compounded the threats.

Bloomberg BNA:

The use of ransomware is on the rise and recently, the U.S. and Canada released a ransomware alert. Are health-care facilities particularly vulnerable against these types of malware?

Steve Manzuik:

I don’t think health-care facilities are more vulnerable to this threat than other organizations. However, thinking from an attacker’s perspective, you are almost guaranteed to capture sensitive data—health records, billing information and other personal identifying information—when you attack a health-care facility with a cryptolocker/ransomware type threat. Combine that with the dangerous precedent set by those organizations who have paid the ransom and you have a very attractive target for an attacker.

Ransomware has been around since sometime before 2013, when we saw a variant called CryptoLocker that wasn't used in targeted attacks but was more randomly sent to targets of opportunity. For CryptoLocker, many end users (consumers) were infected, with only a few corporations being hit. The big change here is the targeting of health-care organizations which, as stated, is due to the nature of the data they have.

Bloomberg BNA:

What kind of techniques do hackers employ to plant malware in a health-care facility’s information system?

Steve Manzuik:

The most common way this malware gets introduced is via a phishing attack where they essentially trick a user into either visiting a malicious link or opening a malicious attachment. Typically, these links or attachments leverage known vulnerabilities in components such as Flash and Java which give the malware elevated access to the target system.

While we like to think of hackers as big nation states with billions of backing behind them, the reality is that most attackers will go for the target with the most damning data and which takes the least amount of effort. With the recent Medstar compromise, it was rumored, but since debunked, that an out-of-date application server may have been the culprit. While these types of issues definitely exist in the health-care space, phishing attacks have proven to be more reliable and harder to detect until after the attack.

Bloomberg BNA:

If a health-care facility is under attack by ransomware, what should it do?

Steve Manzuik:

Before they come under attack by ransomware, health-care organizations should be reviewing their requirements under the Health Insurance Portability and Accountability Act. HIPAA requires organizations to not only have proper backups in place for important data but also an emergency plan to allow data to be accessed in the event of an incident or other emergency. Having good backups is key here.

Just as health-care companies have routinely stated for the public: prevention is key. Rather than constantly responding to attacks after they happen, health-care organizations would be wise to put better protections in place to prevent attacks from happening in the first place. In the case of preventing phishing attacks, Duo Security recommends internal training and basic security solutions such as password managers and two-factor authentication, which both quickly and simply raise the bar against an attack.

It’s back to the basics—Duo recommends the following security practices to increase overall security hygiene for health-care organizations:

  •  keep all devices/systems patched and up-to-date;
  •  prevent sensitive systems and medical devices from directly connecting to the Internet by segregating sensitive devices from the rest of the network where possible;
  •  have insight as to who and what is connecting to the network and the hygiene of those devices;
  •  ensure that users are only given the access they need to perform their job;
  •  use two-factor authentication; and
  •  educate users to trust, but verify e-mails that contain attachments and links. Awareness that every e-mail could be a phishing attempt is essential to making sure employees are careful about clicking links and downloading attachments that look suspicious.

These recommendations apply to the majority of security problems, not just ransomware.

Bloomberg BNA:

Are there lessons to be learned from the recent cyberattack on Medstar?

Steve Manzuik:

I think the overall lesson here is that organizations are still failing to plan for these kinds of attacks before they happen. The ransomware aspect is what is making these health-care attacks particularly compelling for readers and the media. The actual attacks themselves aren’t much different than what every organization, no matter their size or industry, should be actively trying to prevent from happening in the first place.

The fact that this type of attack is successful on an organization that has regulatory requirements designed to prevent exactly this type of thing from happening is troubling. Regulatory requirements alone are clearly not enough to prevent attacks. Organizations need to be proactive and vigilant, perhaps even beyond what is required by law.

Medstar’s response, especially the criticism they have aimed at the media attention, has been rather curious and suggests that organizations need to be better prepared to not only proactively defend against attacks but also have a proper response plan in place that includes how to handle public reports. While no one wants to see themselves make the news due to a breach, all organizations should have a plan in place on how to put their best foot forward and calm public fears versus trying to simply stop the conversation.