• Cybercrime
  • Expect more cyber-attacks on healthcare

    The next cyber-attack never seems far away, and healthcare may be in criminals’ sights. A UK conference organised by The Guardian, a newspaper, and supported by technology company DXC, has some dark, ominous warnings for the UK’s NHS. They apply to healthcare everywhere.

    The report says some NHS employees expect another cyber-attack similar to WannaCry, which in 2017 caused widespread disruption to hospitals and GP surgeries. Not enough has changed since then to avoid a repeat.

    Poor leadership, budgetary constraints, deficient ICT systems and a lack of qualified staff combine to make the NHS vulnerable. A member of parliament and chair of the UK parliament’s public accounts committee commented that these limitations are exacerbated by:

    - No particular benefit for patients from good eHealth
    - eHealth isn’t a big enough issue
    - It’s not an instant win
    - Many NHS staff don’t trust their IT systems.

    Lack of clarity on patients’ benefits is another theme that needs attention. It reveals inappropriate eHealth investment.

    A report on the WannaCry incident by the National Audit Office (NAO) found that the attack could have been prevented by basic ICT practices. Cyber-security was weak too. An NHS Digital cyber-security assessment of 88 of England’s NHS trusts, about 37% of them, carried out before WannaCry, found that none passed. NHS Digital has no power to require action, so the NHS remained vulnerable.

    These commentaries and findings provide a vital checklist for all health systems’ cyber-security and eHealth investment activities and goals. Waiting for the next attack without preparation is a high-risk approach.

  • Singapore health system hacked

    About 5.9m people live in Singapore. Demographic and personal data for about 25% of them has been stolen from SingHealth. A report in Channel News Asia says the theft of 1.5m records in the cyber-attack was the country’s “most serious breach of personal data.” Some 160,000 patients had their dispensed medicines’ records stolen too.

    The Ministry of Health and the Ministry of Communications and Information revealed that Prime Minister Lee Hsien Loong’s records were “specifically and repeatedly” targeted. They included his outpatient dispensed medicines details. Several other ministers were also affected.

    Data taken included names, National Registration Identity Card (NRIC) numbers, addresses, genders, dates of birth and racial origins. The hackers didn’t amend or delete records. Nor did they steal clinical records, such as diagnoses, doctors’ notes and health scans.

    Database administrators detected unusual activity on one of SingHealth’s databases on 4 July. They immediately stopped it.

    Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information Systems (IHiS) found that the cyber-attack was “deliberate, targeted and well-planned.” They concluded that it was not the work of casual hackers or criminal gangs. They are not revealing more for operational security reasons.

    Channel News Asia hints that a state is behind it, one of only a few with the sophistication required. The motivation is not known.

    The incident is another reminder for Africa’s health systems that cyber-security is essential. Technical measures are not enough. The rapid intervention by SingHealth’s database administrators shows that constant vigilance is needed too. Without it, the breach could have affected more than 25% of the population.

  • AI is also attractive for cyber-criminals

    As healthcare increases investment in eHealth projects and services, there should be matching investment in security measures. In 2017, 25% of all data breaches were related to the healthcare industry. Cyber-criminals have been making their attacks more advanced so they can easily target connected devices, cloud and multi-cloud environments, and these advanced attacks can evade detection by most of the legacy security solutions in place.

    These advances are aided by adopting AI and machine learning to carry out complex attacks at a rapid pace. Botnets such as Reaper have been made more sophisticated, enabling them to target multiple vulnerabilities at once. Polymorphic malware allows hundreds of variations of a threat to be created for different purposes in a matter of hours, each with a different file hash, which defeats signature-based detection.

    To address these challenges, Fortinet has recently released a few product enhancements that it says will tip the scales back in favour of the healthcare industry:

    - FortiOS 6.0 provides an integrated security architecture that spans the distributed network
    - FortiGuard AI is an AI solution able to address automated attacks
    - Threat Intelligence Services (TIS) provides visibility into network activity and metrics to give healthcare security teams an understanding of their threat landscape.

    It has become inexpensive for criminals to mount attacks on healthcare data, but increasingly expensive for their targets. One key to the healthcare security transformation is flipping this paradigm.

  • India’s patient and personal information data's been hacked

    Wide-ranging, interoperable (IOp) eHealth depends on effective, secure Unique Patient Identifiers (UPI). India is extending Aadhaar, its national identity number, as the UPI for healthcare. The Tribune has a report saying it has been hacked. Its report, Rs 500, 10 minutes, and you have access to billion Aadhaar details, refers to a claim in November by the Unique Identification Authority of India (UIDAI), responsible for Aadhaar, that Aadhaar data for over a billion people is fully safe and secure and that there has been no data leak or breach.

    A Tribune employee paid Rs500, about US$8, for a service offered by anonymous sellers that provides unrestricted access to Aadhaar details. Contact was made over WhatsApp, and the deal took ten minutes to complete. The seller provided a login ID and password giving access to any Aadhaar number in the portal and to the data individuals have submitted, including name, address, postal code, photo, phone number and email address. Another Rs300, almost US$5, bought software that prints an Aadhaar card from any individual’s Aadhaar number.

    The Tribune says UIDAI officials in Chandigarh were shocked at the revelations. It is classified as a major national security breach. The breach seems to have started some six months earlier, when anonymous groups were created on WhatsApp. They targeted over 300,000 (three lakh) unemployed Village-Level Enterprise (VLE) operators hired by the Ministry of Electronics and Information Technology (ME&IT) under the Common Service Centres Scheme (CSCS).

    CSCS operators produced Aadhaar cards. They lost their jobs when the service was restricted to post offices and designated banks to avoid security breaches. Initial illegal Aadhaar access was used to print and sell Aadhaar cards to low income villagers. Cyber-criminals have expanded the service.

    There are several lessons for Africa’s planned UPIs. Cyber-security should never be assumed to be safe. It requires constant vigilance. Changes in personnel and providers always need corresponding changes in access rights and monitoring: here, credentials issued to operators who had lost their jobs stayed usable and were sold on. These controls should be part of a rigorous cyber-security strategy.

  • England’s NHS could have prevented the WannaCry cyber-security breach

    It was a bad day for England’s NHS. On 12 May 2017, the WannaCry ransomware attack breached the cyber-security defences of over a third of its trusts. Without access to data, many patient services and schedules were disrupted or brought to a halt. It was a shock to the health system. NHS Digital believes no data was stolen.

    A report from the UK’s National Audit Office identified 14 facets of the breach. The lessons are essential for Africa’s eHealth. 

    - The NHS was not the specific target, but the attack resulted in a major incident and emergency arrangements to maintain health and patient care
    - On the evening of 12 May, a cyber-security researcher activated a kill-switch, stopping WannaCry locking devices and avoiding more disruption
    - WannaCry was the largest cyber-attack to affect the NHS, following attacks on several NHS trusts before 12 May 2017; two of the trusts breached by WannaCry had been breached before
    - The Secretary of State for Health had asked the National Data Guardian and the Care Quality Commission (CQC) to review and report on data security; their July 2016 reports identified that cyber-attacks could lead to patient information being lost or compromised and jeopardise access to EPRs, so all health and care organisations were required to provide evidence that they were improving cyber-security, including moving off old and obsolete operating systems such as Windows XP
    - The Department of Health (DoH) and its arm’s-length bodies did not know whether local NHS organisations were prepared for cyber-attacks, including how they had responded to NHS Digital alerts in March and April 2017 warning organisations to patch their systems against the vulnerability WannaCry exploited, crucial knowledge because NHS Digital cannot mandate local bodies to act, even when it has vulnerability concerns
    - WannaCry spread across the Internet, including the N3 broadband network connecting all NHS sites in England, but there were no instances of it spreading across the NHS email system, NHSmail
    - At least 34% of England’s NHS trusts were disrupted, but DoH and NHS England do not know the full extent of the disruption
    - The scale and scope of the disruption is not known, but an estimated 19,000 appointments were cancelled, operations were cancelled, and in five areas patients had to travel further to A&E departments
    - The Department, NHS England and the National Crime Agency confirmed that no NHS organisation paid the ransom, in line with NHS Digital advice, but the DoH does not know how much the service disruption cost the NHS and patients
    - A DoH plan setting out the roles and responsibilities of national and local organisations in responding to cyber-attacks had not been tested at local level, so the NHS was not clear about the actions it should take when WannaCry struck, a deficiency exacerbated because WannaCry was different from previous incidents, such as a major transport accident, and it took more time to determine the cause and scale of the problem
    - Without rehearsals for a national cyber-attack, it was not immediately clear who should lead the response, and there were communications problems too
    - In line with its existing procedures for managing a major incident, NHS England initially focused on maintaining emergency care
    - All organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to prevent the breach: patching or moving off obsolete Windows operating systems and properly managing their Internet-facing firewalls would have guarded them against infection.

    In response, the NHS is:

    - Developing a response plan setting out what it should do to respond to cyber-attacks
    - Establishing the roles and responsibilities of local and national NHS bodies and the DoH
    - Ensuring organisations act on critical CareCERT alerts, the emails sent by NHS Digital providing information or requiring action, including applying software patches and keeping anti-virus software up to date
    - Ensuring essential communications work during attacks when systems are down
    - Ensuring organisations, boards and their staff take cyber-threats seriously, understand the risks to front-line services and work proactively to maximise their resilience and minimise impacts on patient care.

    NHS Digital issued 39 CareCERT alerts between March and May 2017, a period that spans WannaCry itself. They require essential action, including securing local firewalls.

    These insights and lessons are valuable for Africa’s eHealth. They provide a component of the cyber-security strategies and plans they need.

  • Does spambot Onliner have your email address?

    It’s described as the largest spambot. ZDNet has a report on the finding by Benkow, a cyber-security researcher in Paris, who discovered an open, accessible web server hosted in the Netherlands storing dozens of text files. They contain a batch of 711 million email addresses, passwords and server login details, and credentials for 80 million email servers used to send spam. The credentials came from other data breaches, such as the LinkedIn and Badoo hacks.

    The goal is to send spam through legitimate servers to defeat many spam filters. Onliner delivers the Ursnif banking malware into inboxes globally. Ursnif is a Trojan that steals data such as login details, passwords and credit card data. The spammer sends a dropper file as a normal-looking email attachment. When it’s opened, the malware is downloaded from a server and infects the machine. Spamming is still an effective way to deliver malware, but email filters are becoming smarter, and many spamming domains are blacklisted.

    There have been over 100,000 unique infections up to the end of August 2017. Cyber-attackers need large lists of Simple Mail Transfer Protocol (SMTP) credentials that let them authenticate to legitimate mail servers and send bogus but legitimate-looking emails that bypass spam filters. The more servers they find, the bigger the campaign.

    When the bogus emails are opened, they report back to the cyber-crooks the recipient’s IP address and user-agent string, which identifies the type of computer, operating system and other details about the device. Cyber-attackers use this to decide whom to target with Ursnif. They specifically target Windows computers; iPhone and Android users aren’t affected by the malware.
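    The credential-abuse pattern described above leaves a trace on the mail server: a single account suddenly authenticating from several unrelated addresses and sending to far more recipients than usual. The following is an added example, not code from ZDNet’s or Benkow’s reporting, showing a small detector run over constructed Postfix-style log lines. The hostnames, addresses, queue IDs and thresholds are assumptions for illustration.

```python
"""Spot SMTP accounts being abused for spam from Postfix-style logs.

Added example. Joins smtpd SASL-auth lines to qmgr queue lines by queue ID,
then aggregates per authenticated user. SAMPLE_LOG is constructed, not a
capture from any real server; the thresholds are arbitrary assumptions.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Aug 28 10:01:12 mx1 postfix/smtpd[2311]: 3F2A1: client=unknown[203.0.113.7], sasl_method=LOGIN, sasl_username=alice@example.org
Aug 28 10:01:13 mx1 postfix/qmgr[1001]: 3F2A1: from=<alice@example.org>, size=4821, nrcpt=48 (queue active)
Aug 28 10:01:40 mx1 postfix/smtpd[2311]: 3F2B0: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=alice@example.org
Aug 28 10:01:41 mx1 postfix/qmgr[1001]: 3F2B0: from=<alice@example.org>, size=4819, nrcpt=50 (queue active)
Aug 28 10:02:05 mx1 postfix/smtpd[2315]: 3F2C4: client=unknown[192.0.2.55], sasl_method=LOGIN, sasl_username=alice@example.org
Aug 28 10:02:06 mx1 postfix/qmgr[1001]: 3F2C4: from=<alice@example.org>, size=4820, nrcpt=49 (queue active)
Aug 28 10:03:00 mx1 postfix/smtpd[2316]: 3F2D9: client=laptop.example.org[192.0.2.10], sasl_method=PLAIN, sasl_username=bob@example.org
Aug 28 10:03:01 mx1 postfix/qmgr[1001]: 3F2D9: from=<bob@example.org>, size=2210, nrcpt=2 (queue active)
"""

# smtpd line: who authenticated, from which client address, under which queue ID
SMTPD_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=[^\s\[]+\[(?P<ip>[^\]]+)\]"
    r".*sasl_username=(?P<user>\S+)"
)
# qmgr line: how many recipients that queued message has
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)"
)


def parse_sessions(log_text):
    """Return one dict per authenticated submission: ip, user, nrcpt."""
    sessions = {}
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            sessions[m["qid"]] = {"ip": m["ip"], "user": m["user"], "nrcpt": 0}
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in sessions:          # only count authenticated mail
            sessions[m["qid"]]["nrcpt"] = int(m["nrcpt"])
    return list(sessions.values())


def flag_abused_accounts(sessions, max_ips=2, max_rcpts=100):
    """Map user -> list of reasons for accounts that look like spambot relays."""
    per_user = defaultdict(lambda: {"ips": set(), "rcpts": 0, "msgs": 0})
    for s in sessions:
        u = per_user[s["user"]]
        u["ips"].add(s["ip"])
        u["rcpts"] += s["nrcpt"]
        u["msgs"] += 1
    alerts = {}
    for user, stats in per_user.items():
        reasons = []
        if len(stats["ips"]) > max_ips:      # one account, many unrelated clients
            reasons.append(f"{len(stats['ips'])} distinct source IPs")
        if stats["rcpts"] > max_rcpts:       # bulk delivery through a legitimate MTA
            reasons.append(f"{stats['rcpts']} recipients in {stats['msgs']} messages")
        if reasons:
            alerts[user] = reasons
    return alerts


if __name__ == "__main__":
    for user, reasons in flag_abused_accounts(parse_sessions(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {'; '.join(reasons)}")
```

    On the sample, alice@example.org is flagged on both counts and bob@example.org is not. In production the same aggregation would run over a sliding time window, and a flagged account should have its password reset and active sessions terminated, since the credential itself is what the spambot holds.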

    Focused hacking instead of scatter bombing reduces the malevolent campaign’s cyber-noise. It can help to slow down responses from law enforcement agencies. 

    Benkow’s discovery re-emphasises the need for Africa’s eHealth programmes to train, then train again and again, health workers in cyber-security. It’s an essential component of the constant cyber-security response.

  • Do these 7 steps help you defend against cyber-security breaches?

    Cyber-security breaches are inevitable. Maximising cyber-security can minimise them, but can’t eliminate the risk entirely, so effective responses are essential. 7 Ways to Improve Your Security Incident Response, a white paper from Rsam, a vendor specialising in governance, risk and compliance, aims to help. A summary is:

    - Integrate with Security Information and Event Management (SIEM) products, services, technology and teams that provide real-time analyses of security alerts generated by network hardware and applications, and ensure the right data reaches the incident response team promptly
    - Prioritise incidents using SIEMs and end users, and inform decision-makers by highlighting incidents in dashboards derived from calculated values such as priority or severity
    - Leverage threat and vulnerability data from a central repository of security operations, including threats, vulnerabilities, incidents, patch management, asset management and other data sources, and provide incident handlers with real-time views
    - Standardise playbooks and configure automated dynamic rules to address unique handling requirements and criteria, helping to avoid mistakes in high-stress situations
    - Automate responses for repeatable, measurable and auditable response tasks
    - Enable collaboration so everyone working on an incident has a single view of activities
    - Share real-time dashboards to leverage incident and event data.

    These can help to avoid four causes of inappropriate responses:

    - Lack of process maturity
    - Poor data quality and availability
    - Unsatisfactory toolsets
    - Changing policies and disparate teams.

    The seven steps comprise a platform that can overcome these limitations. They offer Africa’s eHealth programmes a way to step up their responses to cyber-security breaches.


    Are you interested in reading more about the implications for African health systems? Download Acfee's paper on Cyber-security: themes for Africa's eHealth.

  • All-Wi-Fi standard has a cyber-security vulnerability

    A serious weakness’s been found in Wi-Fi networks.  Mathy Vanhoef of imec-DistriNet at KU Leuven found it. The paper on Krackattacks says WPA2, a security protocol, can be exploited by cyber-criminals using key reinstallation attacks (KRACK) within victims’ range. Once in, they can read information assumed to be encrypted, and steal sensitive information such as credit card numbers, passwords, chat messages, emails and photos.

    The attack succeeds against all modern protected Wi-Fi networks. Depending on the network configuration, data can also be injected and manipulated, so ransomware and other malware could be injected into websites the victim visits.

    The weaknesses are in the Wi-Fi standard itself, not in individual products or implementations, so any correct WPA2 implementation is likely to be affected. Prevention needs users to update affected products as soon as security updates are available. If a device supports Wi-Fi, it’s probably affected.

    Vanhoef’s initial research found that Android, Linux, Apple, Windows, OpenBSD, MediaTek and Linksys products are affected by variants of the attack. A proof-of-concept executed a key reinstallation attack against an Android smartphone. The attack is exceptionally devastating against Linux and Android 6.0 or higher, which can be tricked into reinstalling an all-zero encryption key, so attackers could easily decrypt all data transmitted by those victims.

    Decrypting all packets is harder on other devices, but large numbers of packets can still be decrypted. A demonstration in Vanhoef’s paper shows the type of information a cyber-attacker can access using key reinstallation attacks.
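    Why reinstalling a key is enough to break the encryption, and why the all-zero-key case is worse, is easiest to see in a simulation. The block below is an added example, not code from Vanhoef’s paper or from any Wi-Fi stack. WPA2’s CCMP encrypts each frame with AES in counter mode under the pairwise key (PTK) and a per-packet number; here an HMAC-SHA256-based keystream stands in for AES-CTR (an assumption: any deterministic keystream shows the same flaw), and the client model, key values and plaintexts are all constructed for illustration.

```python
"""Key reinstallation (KRACK) against a counter-mode cipher, simulated.

Added example. The keystream generator is a stand-in for AES-CCMP's counter
mode (assumption: nonce reuse behaves the same for any deterministic PRF).
Reinstalling the PTK resets the packet number (PN), so two different frames
are encrypted with one keystream; xor-ing their ciphertexts cancels it out.
"""
import hashlib
import hmac


def keystream(key, pn, length):
    """Counter-mode keystream for packet number pn (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = pn.to_bytes(6, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Client-side key state as the 802.11i 4-way handshake leaves it."""

    def __init__(self):
        self.ptk = None
        self.pn = 0

    def install_key(self, ptk):
        # Installing a key resets the packet number. KRACK triggers this by
        # replaying message 3 of the handshake to the client.
        self.ptk = ptk
        self.pn = 0

    def encrypt(self, plaintext):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.ptk, self.pn, len(plaintext)))


class PatchedStation(Station):
    """Mitigation used by patched clients: never reinstall an in-use key."""

    def install_key(self, ptk):
        if ptk == self.ptk:
            return                      # retransmitted message 3: keep the PN
        super().install_key(ptk)


PTK = hashlib.sha256(b"example PTK (constructed)").digest()
KNOWN = b"GET /login HTTP/1.1"          # plaintext the attacker can guess
SECRET = b"password=hunter2..."         # same length as KNOWN, constructed


def demo_nonce_reuse(station_cls=Station):
    """Return (did packet numbers collide?, plaintext recovered by crib-dragging)."""
    sta = station_cls()
    sta.install_key(PTK)
    pn1, ct1 = sta.encrypt(KNOWN)
    sta.install_key(PTK)                # attacker replays message 3
    pn2, ct2 = sta.encrypt(SECRET)
    recovered = xor(xor(ct1, ct2), KNOWN)   # equals SECRET iff keystreams match
    return pn1 == pn2, recovered


def demo_all_zero_key():
    """Linux/Android case from the paper: the reinstalled key is all zeros,
    so the attacker decrypts outright with a key it already knows."""
    sta = Station()
    sta.install_key(PTK)
    sta.install_key(bytes(16))          # zeroed key buffer gets reinstalled
    pn, ct = sta.encrypt(SECRET)
    return xor(ct, keystream(bytes(16), pn, len(ct)))


if __name__ == "__main__":
    print(demo_nonce_reuse())               # (True, b'password=hunter2...')
    print(demo_nonce_reuse(PatchedStation)) # (False, unrelated bytes)
    print(demo_all_zero_key())              # b'password=hunter2...'
```

    The unpatched client hands the attacker the second plaintext from one guessed frame, and the all-zero-key client needs no guessing at all. The fix is the one PatchedStation models: the client keeps the key and packet number it already has when it sees a retransmitted message 3, which is why this is a client-side patch rather than a change to the password or the access point.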

    Africa’s eHealth programmes need to seek and install patches and updates from their vendors. The findings show, yet again, a cyber-world full of holes, many of which may still be unidentified. Constant vigilance is essential. As participants at Acfee’s recent eHealthAFRO 2017 said, cyber-security is everyone’s business.  

  • Cyber-threats keep evolving

    Cyber-criminals have sent millions of fraudulent emails as crude, random attacks, hoping to trick people into revealing their personal or financial information. As organisations and people worked out how not to respond, cyber-criminals began switching to bespoke targeted attacks. These use advance reconnaissance, research and testing, drawing on specialised knowledge and details about targets to try to bypass defences and penetrate organisations’ networks. They’re more lucrative than random cyber-attacks.

    Trend Micro, a global cyber-security firm, has published a white paper available through Health IT Security. Navigating the evolving threat landscape with a more complete approach to network security deals with:

    - How targeted attacks change network security landscapes
    - Responding to increasingly complex threats
    - A cross-generational approach to network security
    - Security fuelled by market-leading global threat intelligence
    - Detection techniques comprising a smart network defence
    - Integration with other security solutions
    - Seamless threat intelligence sharing
    - Centralised visibility and control.

    Its findings from 264 organisations are alarming:

    - 80% had experienced a network-based attack or exploit
    - 90% had active command and control activity on their network
    - 65% had been infected by zero-day or unknown malware
    - 17% were being actively breached.

    Zero-day vulnerability is an important concept in cyber-security. It’s a software vulnerability not yet known to the vendor, and so with no patch available, that cyber-criminals and other hackers can exploit to disrupt computer programs, data, other computers and networks.

    An effective response, Trend Micro says, has to be “smart, optimized and connected.” Part of this is sophisticated cyber-security tools that operate alongside existing platforms and applications. Rigorous integration and interoperability ensures a stronger defence. These other technologies include:

    - Security Information and Event Management (SIEM)
    - Vulnerability assessment and management
    - Application security
    - Next-generation firewalls
    - Breach detection
    - Visibility and enforcement for Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), including inspection of encrypted traffic
    - Software-defined networking and the cloud
    - Network Packet Brokers (NPB) that optimise incident analyses by enabling ICT and security services to acquire situational awareness and security intelligence about intrusion and extrusion incidents, enabling faster incident responses
    - Incident response automation.

    Africa’s health systems should consider enhanced cyber-security as part of their eHealth strategies. Its affordability can be measured against the estimated costs of cyber-security breaches.

  • Bitpaymer’s offspring disrupts hospitals

    A variant of the Bitpaymer ransomware has been breaching hospitals’ ICT. It hit Scotland’s NHS Lanarkshire, breached earlier this year by WannaCry, as reported on eHNA. Some operations were cancelled, GPs’ work was disrupted and patients were asked to attend Accident and Emergency only if their needs were essential. ZDNet has a report saying systems were taken offline. The perpetrators say they’ve gathered “private sensitive data.”

    Unlike most hacks, which prefer to stay covert, ransomware makes contact with users to demand a ransom in return for a decryption key. The ransom request was very high, some 50 bitcoins, about £168,000 or US$218,000. Failure to pay may result in the cyber-crooks publishing the data they’ve acquired.

    ZDNet has a short ransomware guide, Ransomware: An executive guide to one of the biggest menaces on the web. Remove All Threats and Protect PC Health both have guides on removing Bitpaymer. Both are for PCs.