by James Scott, Sr. Fellow, Institute for Critical Infrastructure Technology
While the Bitcoin and cryptocurrency trend may turn out to be a massive bubble, the underlying technology and innovation could forever alter the digital landscape of the health sector [1]. Until 2016, cybersecurity and cyber-hygiene were stagnant in the health sector. The lackadaisical vulnerable microcosms, the high-value of electronic health records (EHRs), and the preoccupation of essential personnel contributed towards the sector’s status as the most vulnerable and targeted critical infrastructure sector. Ransomware attacks conducted by cybercriminals and the ensuing cyber-hygiene education initiatives launched by ICIT and similar thought leaders galvanized a cybersecurity renaissance into the significantly vulnerable healthcare zeitgeist. Nevertheless, innovation and adaptation have been slow in part because health personnel persistently face situations in which cybersecurity is not a priority. Ensuring patients’ wellbeing is commendably the utmost concern; but, staff fail to recognize that if medical devices fail or EHRs are stolen as a result of an adversarial campaign that exploited known vulnerabilities in critical systems, then patient well-being will be jeopardized when the systems or data are weaponized to serve the attacker [1].
Blockchain may revolutionize the health sector
Traditional models of perimeter-based security failed to protect healthcare systems and data, yet many organizations negligently continue to rely on the expensive, inefficient, and antiquated systems. The modern volume of patient data already stresses these devices. Many do not and cannot support native application layer security. Stringent industry standards based on minimal compliance according to the least common denominator have not improved patient care or data security because the regulations and guidelines do not mandate layered security or privacy by design [1].
Investing in cryptocurrencies and ICOs is highly risky and speculative. Nevertheless, ICOs, which were popularized by the cryptocurrency boom, are the trending way to launch blockchain-based startups that are increasingly focused on healthcare products and services. Many healthcare-focused digital tokens and coins have been launched in the past year, and more may be emerging. For instance, BlockMedX, aims to address the rampant opioid crisis in the U.S. by helping to increase the security and accountability in the prescription drug industry. BlockMedX analyzes millions of prescriptions to protect patients and to help find concerns. Dentacoin, which has a market cap of nearly $2 billion, aims to modernize the directories, review board procedures, and payment systems of the dental industry. Medicalchain uses blockchain technology to store, securely share EHR, and increase interoperability between providers and patients [1].
In the health sector, blockchain technologies are under consideration for a range of applications. The CDC is even testing Blockchain Projects to Manage Pandemics. The industry features some of the facets that distributed ledgers, and smart contracts were designed to enhance such as security restrictions, shareable data, networking, and consistent, reliable service. Blockchain technology has the potential to transform healthcare by placing the patient at the center of the healthcare ecosystem and implementing increasing layers of security, privacy, and interoperability mechanisms around health data [1]. Blockchain may facilitate secure and privacy-protective database exchanges between health insurers, operators, and providers. Blockchain systems are made more secure by their distributed nature; there is not a single point of failure where an adversary can compromise the exchange. As a result, blockchain can be used to apply advanced analytics from distributed sources without compromising the privacy of individuals [2]. It returns a measure of control over health information to the subject. To one degree or another, models suggest allowing the patient to determine which first and third parties gain access to their data [3]. Blockchain offers the possibility of creating a reliable place to track the changes in EHRs across systems in a manner that gets around many of the concerns associated with data integration between proprietary systems. In effect, blockchain serves as the unifying glue that holds together a highly fragmented healthcare record. Blockchain’s independent architecture could form the foundation of a high integrity, real-time tracking capability to mitigate financial errors and reduce fraud. Blockchain offers the possibility for trust between researchers to be hard-coded into the process of collaborative R&D thereby removing the fear of data theft and galvanizing collaboration and increased innovation [4].
Cryptojacking is the new ransomware
Digital threat actors consistently develop methodologies to weaponize innocuous emerging technologies. Cryptocurrencies have surged in value, popularity, and variety. There are at least 1,300 cryptocurrencies according to CoinMarketCap, and new ICOs are introduced daily. Cybercrime quickly adopted cryptocurrency as the payment method in the ransomware plague, dark web transactions, and other nefarious operations due to the interoperability and anonymity inherent in digital currencies. Adversaries leverage cryptocurrency technologies to protect their nefarious activities and to launch sophisticated attack campaigns. For instance, stolen account and credit card shops now employ the peer-to-peer DNS technology in blockchain as a technique for bulletproofing their offerings. The process of weaponizing the computational resources and electricity of a victim to mine cryptocurrencies for the attacker is known as cryptojacking. Hackers on dark markets sell point-and-click tools and as-a-service offerings to inject JavaScript that operates a coin mining function into vulnerable websites and referred advertisements. Other tools inject the simple codes into publicly discoverable IoT devices and applications. A discouraging amount of healthcare devices and digital assets can be discovered using tools like Shodan, Metasploit, etc. [5].
Ransomware rates are declining in favor of cryptojacking attacks due to a bloated threat landscape and as a result of increased cyber-hygiene and a degraded trust between the attacker and victim. Too many threat actors did not decrypt victim information after ransoms were paid. Meanwhile, the cybersecurity community popularized system redundancy and evangelized proper cyber-hygiene. As a result, fewer systems were infected, and fewer victims paid the ransom. In 2017, the average ransom demand decreased to $522, less than half the average in 2016. Though the number of ransomware variants increased by 46%, the number of unique families decreased. The statistics indicate that while attackers are still modifying the code to bypass security, less innovation is occurring, and fewer sophisticated actors are participating in the attacks. The number of ransomware families and the demand for ransomware also decreased in 2017 in part because cryptojacking has a low to entry, requires no adversarial resource expenditure, and does not depend on victim complicity. Attackers only profit from ransomware when the victim decides to pay. Unlike ransomware, cryptojacking does not require victims to act. With cryptojacking, the user has no decision. Only requires a few lines of code are necessary for criminals to mine cryptocurrencies using processing power and cloud CPU stolen from consumers and enterprises. Once a system is infected, it will relentlessly work to profit the attacker. Rising cryptocurrency values and the normalization of the coinage caused cryptojacking infections to increase by 8,500% since September 2017, around the same time the price of Bitcoin and Etherium rose [6].
Ransomware became less lucrative as cyber-hygiene improved and as more hospitals adopted redundancy architectures. Further, EHRs and other PII are decreasing in value due to surpluses in Deep Web markets. Meanwhile, cryptojacking is 100% percent profitable for hackers because they do not pay for electricity or computational resources. More infected devices directly correlate with increased profits, even if the infected units have limited CPU. 2017 saw a 600% increase in overall IoT attacks; when adversaries inevitably spread coin-miners to health sector IoT microcosms, they will laterally exploit every networked device en masse and impact the performance of vital assets [6].
The internet is a great equalizer in that no application, no matter its located or host, is entirely immune to cryptojacking. Every application on every system is a potential target. Every individual in every organization in every sector is a potential victim. Healthcare and IoT devices are valuable targets because they are often unmanaged, under secured, and always on. The likelihood that infections will be discovered or remediated are minimal [6]. Cryptojacking attacks against healthcare infrastructure are underreported and under-detected. For example, in January 2018, Decatur County General Hospital in Parsons, Tennessee., disclosed that an unauthorized party accessed the server for its electronic medical record system and implanted cryptomining malware. It is believed that the intrusion occurred in its third-party vendor operated EMR system around September 22, 2017. The breach was discovered around November 27, 2017. It remains unclear whether electronic health records were accessed, but it appears the hacker’s primary motivation was to utilize the server’s processing power to mine cryptocurrency. Patient data on the system included names, addresses, dates of birth, Social Security numbers, clinical information such as diagnosis and treatment information, and insurance billing details. As many as 24,000 patient records may have been compromised. The disclosure notice from the hospital comments, “Over the past several months, there have been numerous news stories about computer systems around the country being affected by similar incidents involving the unauthorized installation of this type of software. Again, while our investigation continues into this matter, we have no evidence that your information was actually acquired or viewed by an unauthorized individual, and based upon reports of similar incidents, we do not believe that your health information was targeted by any unauthorized individual installing the software on the server” [7]. If the incident had not been discovered or if the attacker had been more sophisticated, the malware could have laterally spread across the network onto MRI machines, X-ray systems, and other essential equipment. After installation, the code would have monopolized the CPU to benefit the attacker. Cryptojacking attacks often cause mobile devices, PCs, and other units to lock, overheat, fail, or experience permanent damage. If infected, the outdated, overworked, and under-maintained medical devices within the health sector could become a liability to organizations and a significant risk to patients’ wellbeing.
Every dollar extorted by an attacker could cost a life
When healthcare devices fail to operate as expected, lives are jeopardized. When medical devices are leveraged in cryptomining campaigns, healthcare networks are crippled while adversaries profit. Comprehensive security at each digital and physical layer of the healthcare network is essential to preventing cryptojacking infections. Additionally, hospitals and affiliated entities need to consider cybersecurity and risk through the mindset of attackers ranging from low-level script kiddies to cybercriminals to hail-mary threat actors to nation-state sponsored advanced persistent threat (APT) groups. Systems need to be secured against external attackers, insider threats, and even against attacks from third-parties and competitors. Penetration testing can reveal technical security vulnerabilities while psychographic monitoring of Deep Web can reveal emerging adversarial tools, techniques, and procedures. Intelligence is never static. Risk analysis must be a continuous and iterative cycle championed by key stakeholders, conducted by a qualified Information Security team, and evangelized by cyber-hygienic and cyber-secure personnel [3].
Sources
[1] Reiff, N. (2018). Blockchain Technology Could Revolutionize Health Care. [online] Investopedia. Available at: https://www.investopedia.com/news/Blockchain-tech-could-restructure-health-care/ [Accessed 8 May 2018].
[2] Woolf, N. (2018). What Could Blockchain Do for Healthcare? – Welcome to Blockchain – Medium. [online] Medium. Available at: https://medium.com/s/welcome-to-blockchain/what-could-blockchain-do-for-healthcare-59c17245448e [Accessed 8 May 2018].
[3] Sullivan, T. (2018). Cryptomining: What to know as the new cyberthreat surpasses ransomware. [online] Healthcare IT News. Available at: http://www.healthcareitnews.com/news/cryptomining-what-know-new-cyberthreat-surpasses-ransomware [Accessed 8 May 2018].
[4] Bean, R. (2018). How Blockchain Is Impacting Healthcare And Life Sciences Today. [online] Forbes.com. Available at: https://www.forbes.com/sites/ciocentral/2018/04/02/how-blockchain-is-impacting-healthcare-and-life-sciences-today/#65fe5b58738f [Accessed 8 May 2018].
[5] The State of Security. (2018). Malicious Trends: Cryptojacking Could Surpass Ransomware as Primary Money Maker. [online] Available at: https://www.tripwire.com/state-of-security/featured/malicious-trends-cryptojacking-surpass-ransomware-primary-money-maker/ [Accessed 8 May 2018].
[6] Kreikemeier, T. (2018). Cryptomining: Fast-Becoming the Web’s Most Profitable Attack Method – Dark Reading. [online] Dark Reading. Available at: https://www.darkreading.com/partner-perspectives/f5/cryptomining-fast-becoming-the-webs-most-profitable-attack-method-/a/d-id/1331421 [Accessed 8 May 2018].
[7] Barth, B. (2018). Adversary breaches Tennessee hospital’s medical records server to install cryptominer. [online] SC Media US. Available at: https://www.scmagazine.com/adversary-breaches-tennessee-hospitals-medical-records-server-to-install-cryptominer/article/743319/ [Accessed 8 May 2018].
James Scott is a Senior Fellow and co-founder of the Institute for Critical Infrastructure Technology, Senior fellow at Center for Cyber Influence Operations Studies, Center for Space Warfare Studies and the author of more than 50 books with 9 best sellers on the topics of hacking cyborgs, energy sector cybersecurity, nation-state cyber espionage and more. He advises to more than 35 congressional offices and committees as well as the American intelligence community, NATO and Five Eyes on cyber warfare and digital influence operations. Mr. Scott’s work gains regular coverage in domestic and international publications such as the LA Times, Wired, New York Times, Motherboard, Newsweek, Christian Science Monitor, Fox News, and PBS News Hour, and his work was referenced by media, academia and industry more than 3000 times in 2017 alone.
