Cybercrime (40)

As a criminal business, ransomware’s big. It’s set to be bigger. Jack Danahy, a Barkly co-founder, writing in Barkly’s blog says cyber-attackers will use three new methods in 2017.

  1. An extra threat of doxxing, public disclosure of private records, either a file at a time or as a catastrophic dump to increase the chances of victims paying the ransom
  2. Ransomware infections will spread more quickly and easily
  3. Fileless ransomware will increase rapidly.

A Barkly survey reports only 5% of US organisations say they paid ransoms. Better back-ups and easier data recovery have reduced ransom attack’s effectiveness. Cyber-criminals are shifting their attacks to businesses instead of consumers to demand more. It means they’re increasing the potential damage and disruption of not paying. Other countries are seen as softer targets too. It’s a warning for Africa’s eHealth and healthcare.

Ransomware attacks will also increasingly bypasses scanners and signature-based anti-virus security. It raises the chances of infection for less sophisticated organisations. These’ll add to the more common technique of phishing emails with malicious attachments. Fileless attacks aren’t easy to identify using conventional endpoint security tools.

The lessons for Africa’s eHealth are stark. Two main themes are:

  1. Stepping up basic cyber-security measures rapidly, and not just to deal with ransomware
  2. Adopt more sophisticated cyber-security to deal with emerging new threats, especially ransomware threats.

Health systems will need investment in new cyber-security skills and solutions. They’ll need new eHealth strategies too.

The nature of cyber-crime’s changing. Health systems are no longer safe. Cyber-criminals have moved on from stealing personal data to using more disruptive tactics. An article in Healthcare IT News says healthcare’s seen the largest jump in ransomware attacks, so more than other organisation.

Joel Brenner, a Massachusetts Institute of Technology (MIT) research fellow who focuses on cyber-security, privacy and intelligence policy explained “We’re facing industrial espionage on an industrial scale.  If espionage is not the oldest business in the world, it’s the second oldest.”

While he admits healthcare may not top the list in terms of incidents or breaches, it’s ahead on four unwanted scores:

  1. Highest percentage of incidents
  2. Highest number of incidents by stolen assets
  3. Loses more information
  4. Very high ratio of incidents to breaches.

These combine into an uncomfortably high success rate for the number of cyber-attacks succeeding more often than not.

Tangible actions organisations can take to reduce vulnerabilities include privilege misuse and BYOD, which Brenner caustically calls ‘Bring Your Own Disaster.’ Also recognize that not everyone needs access to everything. “It’s about training your people repeatedly,” Brenner said. “You don’t need a big plan, no one opens that manual in times of crisis. You need a simple checklist.”

Unbroken cyber-security’s essential too. Unfortunately, most organisations can’t afford it and don’t trust a vendor enough to tackle the problem. Information silos offer an equally pressing challenge. Brenner says high-level executives are part of the problem and the solution. “Unless someone high level in these siloes comes in with a baseball bat,” Brenner said, “it’s not going to be solved.” 

Africa’s health systems can learn from the US’s experience. Putting in place an easy check lists for cyber-security measures and continuously training staff may be two simple steps, but they go a long way in keeping eHealth secure. They’re essential components of cyber-strategies, so why wait until the strategies and plans are in place. Checklists and training can be set up now.

Many healthcare organisations are inexperienced and under-resourced in coping with ransomware attacks. A guide from KnowBe4, Ransomware Hostage Rescue Manual, sets out technical descriptions of the actions to responding to and recovering from an attack. It also details preventative measures needed. Africa’s health systems, eHealth governance teams and technical eHealth teams should use it as a core reference before their organisations are attacked.

It’s themes include:

  1. A description of ransomware and Bitcoins, the ransomware currency and The Onion Router (TOR), a network and browser that enhances and anonymises Internet traffic
  2. How to identify an infection from symptoms and  Infection Vectors of emails, drive-by downloads free software downloads to avoid
  3. How to respond to an infection
  • Disconnect
  • Determine the scope
  • Identify the ransomware strain
  • Evaluate response option of restore, decrypt or do nothing
  1. Negotiate or  pay the ransom
  • First, restore from backup or shadow volume
  • Second, try decryption
  • Third, do nothing and lose the files
  • Fourth, negotiate or pay the ransom
  • Fifth, review the ransomware attack response checklist
  1. Learn and protect from future attacks with improved:
  • Defence in depth
  • Security awareness training
  • Simulated attacks
  • Antivirus, antispam and firewalls
  • Backups
  1. Implement better cyber-security resources, including a ransomware attack response checklist and a ransomware prevention checklist.

Applying the guide needs someone with ICT skills. It’s appropriate for someone in each of Africa’s health systems’ ICT teams to take responsibility. They should be accountable to an executive, who in turn should report on progress, risks and actions to eHealth governance teams. Where these are already in place, the Ransomware Hostage Rescue Manual offers an opportunity for a comprehensive review of the effectiveness of the arrangements.

As cybercrime expands and eHealth becomes more affected and infected, India’s planning legislation for comprehensive civil and criminal remedies for eHealth data breaches. It’ll also set up an enforcement agency. Provisions are being drafted to deal with any breach of patients’ data.

A report in the Times of India says the legislation will include a comprehensive legal framework to protect individual’s eHealth data, ownership of eHealth data, and health data standardisation for data collection, storage and exchange. African countries could benefit by monitoring India’s initiative as a comparator for their own eHealth legislation and regulation.

Much of Africa’s eHealth in its infancy, so most African countries don’t have specific eHealth regulations. In 2012, a study for the European Space Agency (ESA), led by Greenfield Management Solutions (GMS), identified a 45% gap in Africa’s eHealth regulation compared to developed countries. Not much has changed since then. eHNA reported previously on Africa’s eHealth regulatory perspectives. Much more remains to be done, but it must not stifle innovation.

It’s not only the frequency of cyber-attacks in Kenya. It’s the size and sophistication of these assaults that has government and businesses on edge. The recent hacking of Kenya’s Government in November 2016 has highlighted the increasing attacks in the country and spotlighted the vulnerabilities and losses to government and online businesses. An article in Arbor Networks says the losses, a staggering US$146m a year.

It has attributed to the major increase in connected devices. “Kenya and its surrounding countries has continuously attracted nefarious activities by cyber criminals, and the proliferation in distributed denial-of-service (DDoS) attacks in the region is today as much a reality as it is globally,” says Bryan Hamman, territory manager for sub-Saharan Africa at Arbor Networks. the world’s leading provider of DDoS protection in the enterprise, carrier and mobile market segments, according to Infonetics Research rates it as the world’s leading provider of DDoS protection in enterprise, carrier and mobile markets.

Paul Roy Owino, president of Information Technology, Security and Assurance (ISACA), says Kenya has recorded up to 3,000 cyber-related crimes a month. They include banking fraud, money transfer using M-pesa and interference with personal data.

Mark Campbell, consulting engineer for sub-Saharan Africa, highlights another security risk. Many IoT devices run on Open Source (OS) operating systems, mainly because it’s cheaper to develop, so more affordable and with a shorter time frame from development to use. “However, the result is that the code is poorly written with numerous security vulnerabilities. Of course the majority of users do not have the time, patience or expertise to test these for vulnerabilities, making many IoT devices, including our home appliances, a threat actors’ dream” says Campbell.

Although government sites are generally not built solely for commerce, Hamman warns that often when cyber-criminals take sites offline they often do it as a smokescreen for more devious behaviour. He says “Whilst site owners are distracted by their website being down, cyber criminals use this shift in focus to create a more threatening and targeted DDoS attack on the company or institution with the purpose of infiltrating the network and holding the victims to ransom for money or political motivations, or to steal valuable data and intelligence, such as flight plans for private or military planes, amongst others.”

Hamman warns that:

  1. Security is a multi-layered problem and continuous process
  2. A one size fits all security solution doesn’t exists
  3. Preparation is key
  4. When under attack, every second counts
  5. Organisations need people, policies and processes in place so actionable intelligence and a practiced workflow to investigate a breach are kicked off immediately
  6. Organisations need pervasive visibility across its fixed, mobile and cloud network feeding into a threat management solution
  7. Never assume that a single breach or compromise was it, so it’s over, because a DDoS attack is almost always part of a wider cyber-crime strategy, so the right tools must be in place to understand the breadth and scope of breach.

Cyber-security has  become a major requirement for successful eHealth. With complex attacks on the rise, it’s more important than ever for healthcare organisations to have policies and strategies in place to protect their data and specify what they must do in response to a breach.

Firewalls and high fences aren’t sufficient to stop phishing attacks. Imprivata, an ICT security firm, says only 33% of organisations feel fully prepared to defend against phishing, but now there’s whaling and spear phishing too, aiming at precise targets with maliciously disguised techniques. Its report Avoid becoming the catch of the day: Four steps to combat phishing attacks, says preventing phishing depends on users’ abilities to deal with the difference between legitimate and illegitimate information requests, but it’s becoming harder to do. Imprivata proposes:

  1. Asses internal vulnerabilities
  2. Take away the keys
  3. Improve the lock
  4. Increase end-user education.

Assess risks of internal vulnerabilities needs CIOs and cyber-security teams to:

  1. Identify the most likely forms of attack, such as key employee behaviours
  2. Identify contributing factors and workflow needs that cause clinical and administrative staff to favour risky behaviours using techniques such as internal penetration testing
  3. Understand why these vulnerabilities exist
  4. Eliminate vulnerabilities’ root causes by managing risky employee behaviours through technology, policy, and social means.

Taking away the keys starts with improving passwords, hackers’ keys that can be easily stolen by preying on human nature. Single Sign On (SSO) can eliminate access to most keys by replacing manual password entry with automated authentication, such as a proximity badge. It can eliminate the need for manually entered passwords and time-consuming logins.

Improving the lock’s need where passwords are still needed, such as access to remote networks access, such as Virtual Private Networks that need a username and password. These are locations for vulnerabilities. Two-factor authentication technologies can help to protect them, such as using an eToken that can’t be used by hackers, then a username and password

Easing user education should include information that users can apply promptly. Examples are:

  1. Never enter usernames and passwords their apps on the premises because the ICT is already enabled
  2. If they’re prompted for passwords, something’s wrong and needs red-flagging for the ICT and cyber-security teams.
  3. Configuring systems so users can’t enter their passwords manually.

As cyber-criminals turn to Africa’s eHealth, health systems can consider these as part of their defences. It costs, but so does a successful phishing attack.

Cyber-crime in the health care sector is growing. Latest reports show that the healthcare has the highest occurrence of cyber-security mishaps of all industries. It’s bottom of the league table for its ability to fix software vulnerabilities. But there may be a very small silver lining. Healthcare records are not as valuable as banking details to cyber-criminals.

An article in ITONLINE says the price per record for stolen patient medical records remains lower than financial account records and retail payment account information. This is a finding from Intel Security’s McAfee Labs Health Warning which:

  1. Assesses the marketplace for stolen medical records
  2. Compares it with the marketplace for stolen financial services data
  3. Identifies healthcare cyber-crime trends
  4. Profiles cyber-crime targeting intellectual property in the pharmaceutical and biotechnology industries.

The Intel Security research asserts that the development of the market for stolen data and related hacking skills indicate that cyber-crime in healthcare is growing.

“In an industry in which the personal is paramount, the loss of trust could be catastrophic to its progress and prospects for success,” says Raj Samani, Intel Security’s chief technology officer for Europe, the Middle East, and Africa. “Given the growing threat to the industry, breach costs ought to be evaluated in the Second Economy terms of time, money, and trust, where lost trust can inflict as much damage upon individuals and organisations as lost funds.”

In recent years, the cyber-criminal community has extended its data theft efforts beyond financial account data to medical records. Although credit and debit card numbers can be canceled and replaced quickly, protected health information (PHI) which doesn’t change. PHI could include family names, mothers’ maiden names, social security or pension numbers, payment card and insurance data, and patient address histories.

This dynamic has led to industry speculation that the price per medical record could soon rise or even eclipse that of financial account or payment card data, but Intel Security’s 2016 research doesn’t support this theory. It found the average health record price was greater than that of basic personally identifiable information, but still less than personal financial account data. The per-record value of financial account data ranged from $14 to $25 per record, credit and debit cards drew around $4 to $5. Medical account data earned between $0.03 to $2.42.

The findings suggest that financial account data continues to be easier to realise than personal medical data. Stealing medical records may enable cyber-criminals to analyse it, and cross-reference it with other data to identify lucrative fraud, theft, extortion, or blackmail opportunities. Financial data still presents a faster, more attractive return-on-investment for cyber-criminals.

Healthcare records may not currently be as valuable as banking details to cyber criminals, but this may change. Healthcare organisations need to be more vigilant than ever to ensure the security of their systems and their patients’ data. Training and educating staff is an essential component to keeping healthcare data safe and should not be part of each healthcare orginisations’ cyber-security policies.

Suddenly, a deluge of internal calls to the ICT help service had users clamouring for their files to be restored. The ICT team of three, including a new starter on the day of the cyber-attack, couldn’t cope with the volume or the problem. The story unfolds in a blog from Barkly.

A call for help to the ICT consultant used for backups hadn’t been keeping them up to date. The team placed another call to its ICT supplier. In the meantime, a secondary server stopped and wouldn’t restart. Dozens of folders with important data, located on shared drives didn’t have duplicates located separately.

Then, the new starter had opened an email from a company never used saying it had a shipping invoice, but couldn’t remember if she had opened the attached .zip file. Ooops.

Five weeks were dominated by servers, networks, backup research, data recreation and disaster communications. All the other projects were on hold until the server was replaced with and installed, databases were upgraded, fixing software that wasn’t compatible with the newer operating system, rebuilding the network from scratch, but with better group policies and permissions, and suggesting a more secure infrastructure and backup environment to minimise risks and future costs, a battle only partially won.

The result was being more secure than before the attack. This was not enough. Systems weren’t as secure and recoverable as they could’ve been. Four lessons emerged from the harrowing episode:

  1. Some scary things are real
  2. Always try to fix broken systems without delay straight away, even if someone else broke them before you inherited them
  3. The pain of forking over some time and cash to set things up right is nothing compared to scrambling to recover from a disaster
  4. Use multi-layered security and backups.

Cyber-security was identified as an important issue at Acfee’s African Economic Forum in September. It’s assembling white papers reports and stories like this to provide Africa’s eHealth leaders with access to advice on cyber-security so they can take action before waiting until there’s a breach.

Africa’s eHealth needs more cyber-security initiatives to prepare to respond better to future onslaughts. Three measures are identified in FierceHealthcare. They’re:

  1. More sharing about breaches
  2. Standardise as many platforms as possible to increase the transferability, so value, of shared cyber-threat experiences
  3. Classify and report all ransomware attacks as cyber-security breaches.

These are some of the views of Jeffrey Vinson, chief information security officer at the USA’s Harris Health System. In his interview with, he goes on to say that platforms are also not yet mature, so healthcare organisations can’t find enough reliable, realistic, actionable intelligence from the information coming to them. They also face resource challenges in digesting the information and taking effective action.

These views are drawn from a Harris Health System project financed by a Department of Health and Human Services grant to study the healthcare cybersecurity landscape. It’s now in its second phase of polling organisations about capacity planning.

While ransomware’s on the increase, and now one of the biggest threats, Vinson says there’s not much guidance on what organisations need to do I the event of an attack. This highlights a challenge for Africa’s health systems too. This may be rectified when the Office of the National Coordinator for Health IT selects one organisation to take a lead role in cyber-threat information sharing. This could be a model for Africa’s health systems.

Following the targeted ransomware attacks on hospitals earlier this year, Intel Security investigated the attacks, the ransomware networks behind them, and the payment structures enabling cybercriminals to monetise their malicious activity. The article in IT-Online identified nearly $100 000 in payments from hospital ransomware victims to specific bitcoin accounts. While healthcare is still a small proportion of the overall ransomware ‘business,’ McAfee Labs expects the numbers to grow.

They attribute the increased focus on hospitals to the reliance on legacy IT systems, medical devices with weak or no security, third-party services that may be common across multiple organisations and the need for hospitals to have immediate access to information to deliver the best possible patient care. “As targets, hospitals represent an attractive combination of relatively weak data security, complex environments and the urgent need for access to data sources, sometimes in life or death situations,” says Vincent Weafer, vice-president of Intel Security’s McAfee Labs. “The new revelations around the scale of ransomware networks and the emerging focus on hospitals remind us that the cybercrime economy has the capacity and motivation to exploit new industry sectors.”

The report also found that retail and financial services organizations have deployed the most extensive protections against data loss, and have been very responsive to cyber-attacks Having sustained fewer cyber-attacks historically, healthcare and manufacturing enterprises have made fewer IT security investments and, accordingly, possess the least comprehensive data protection capabilities.

The weaker defences in these two sectors are particularly disturbing given that cybercriminals are clearly shifting their focus to personally identifiable information, personal health records, intellectual property, and business confidential information.

The cybercriminals’ motive is ease of monetisation, with less risk. Corporations and individuals can easily cancel stolen payment cards soon after a breach is discovered. But you can’t change your most personal data or easily replace business plans, contracts, and product designs.

In the second quarter of 2016, McAfee Labs’ global threat intelligence network detected 316 new threats every minute, or more than five every second, and registered notable surges in ransomware, mobile malware, and macro malware growth:

  • The 1,3 -million new ransomware samples in Q2 2016. It’s the highest ever recorded since McAfee Labs began tracking this type of threat. Total ransomware has increased 128% in the past year.
  • Mobile malware. The nearly 2-million new mobile malware samples. Total mobile malware has grown 151% in the past year.
  • Macro malware. New downloader Trojans such as Necurs and Dridex delivering Locky ransomware saw a 200% increase in new macro malware in Q2.
  • Mac OS malware. The diminished activity from the OSX.Trojan.Gen adware family dropped new Mac OS malware detections by 70% in the second quarter.
  • Botnet activity. Wapomi, which delivers worms and downloaders, increased by 8 percent in Q2.

There is no denying that cyber crime activities and incidents are on the rise. Hospital and patient data is no longer safe. With new malaware and ransomware samples being created daily, hospitals need to be vigilant. Cybercriminals know that their patient data is valuable and hospitals are likely to pay to get their stolen data back. Hospitals need to constantly update their cyber security and train their staff so that they are aware of the risks and can identify and help plug possible loop holes.