In the last few years, we have seen rising incidents targeting the Healthcare sector. From network outages to hampered monitoring, to hacked pneumatic pumps and IV infusion tubes administering fatal doses to patients, a cyber attack on the healthcare industry can have huge repercussions.
CSW researchers investigated 56 vendors and 846 products overall, and identified 624 vulnerabilities across them and here are our key findings.
Key Findings
-
CSW researchers identified 624 vulnerabilities overall that could be exploited by attackers to target a healthcare facility. Of these 43 are weaponized, 12 of them are trending in the wild, four are being exploited by Advanced Persistent Threat Groups and two are associated with ransomware.
-
8 CVEs are categorized as RCE/PE exploits which makes them dangerous and attractive to hackers.
-
We have identified six vulnerabilities that exist in healthcare products and medical devices that could cause patient fatality and disability.
-
We investigated 56 vendors and 846 products and found the highest number of vulnerabilities (64%) in software applications that are used in the healthcare industry.
-
29% of vulnerabilities identified in our study have a high chance of exploitation by hackers.
Our researchers identified that it is not just medical devices that pose a danger to the health care sector. Indirectly used products like software applications, firmware, hardware, and operating systems also gave rise to vulnerabilities, compromising which could give attackers control over healthcare equipment.
In this blog, we dive deep into CSW’s research into healthcare products, and spotlight the danger that this critical industry segment faces day on day.
CSW’s Healthcare and Medical Device Products Investigation
CSW researchers identified 624 vulnerabilities overall that could be exploited by attackers.
Healthcare Vulnerability Overview
The Dangerous Targets: 43 weaponized vulnerabilities exist in products used day in and day out for delivering patient care. These vulnerabilities either have publicly available exploits or are actively targeted by threat actors, making them a danger to healthcare networks, if left unpatched.
High Impact Targets: With over 50% of the vulnerabilities belonging to the high and critical severity categories, attackers have 351 different ways to enter into hospital or healthcare networks and cause maximum damage.
Easy Targets: It is also important to note that 11 low-scoring vulnerabilities exist in these products – the ones that will most likely be sidelined amongst the never-ending list of higher severity ones.
High Chatter: 12 of the healthcare vulnerabilities have been observed as having high interest in the deep and dark web, with multiple posts discussing them – an indication that the vulnerability is being observed as a candidate for exploitation.
Attackers’ Prize: Eight healthcare vulnerabilities fall under the RCE/PE exploit category, implying that they can be remotely exploited to execute custom code, or easily used to elevate privileges to change the specified behavior of systems.
A Product Perspective: The whopping majority of vulnerabilities observed in our study are present in software applications regularly used in the healthcare industry. Hardware equipment takes the second spot with 30% affected products, followed by operating systems.
Vulnerability Exploitation: CSW has been tracking healthcare vulnerabilities for a long time now and predicts their probability of exploitation, based on threat chatter, hacker activities, and exploits published, among a host of other parameters. According to our analysis, 29% of the vulnerabilities are 38 times more likely to be exploited, and this serves as a dire warning for healthcare institutions that are yet to invest in a cybersecurity strategy.
Organizations that are unaware of the existence of such vulnerabilities in their network will remain exposed to malicious attackers. A continuous and exposure-aware attack surface management platform can help discover such undetected attack vectors and address them in time.
Six vulnerabilities in healthcare-related products have known associations with ransomware and APT groups. This translates to attackers having a tried and tested method that can create maximum disruption, thus marking them as highly dangerous.
The products exploited by these ransomware/APT groups are one hospitals worldwide would use for convenience and better diagnosis, without a second thought. Imagine the horror if a ransomware group attacks a hospital, encrypts all files, and demands a huge ransom payout. Most government healthcare institutions would not be in a position to pay the ransom, or have a backup that they can fall back on. On the other hand, an APT actor getting hold of such confidential information can serve as fodder for state-sponsored espionage activities.
APT Group Associations
Our analysis associates three products as having vulnerabilities that have been previously exploited by popular threat actors, aka APT groups. Incidentally, all the four vulnerabilities are present in Oracle’s products; and all of these are associated with the APT1 or the BrownFox group, a Chinese-sponsored actor in existence since 2006.
|
Vendor |
Product |
Product Type |
Vulnerability |
APT Association |
|---|---|---|---|---|
|
Oracle |
Healthcare Foundation |
Application |
CVE-2020-11022 |
APT1 |
|
Oracle |
Health Sciences Inform, Healthcare Translational Research |
Application |
CVE-2020-11023 |
APT1 |
|
Oracle |
Healthcare Translational Research, Healthcare Foundation |
Application |
CVE-2015-9251 |
APT1 |
|
Oracle |
Healthcare Translational Research, Healthcare Foundation |
Application |
CVE-2019-11358 |
APT1 |
Ransomware Associations
Two vendors and five healthcare products have two ransomware vulnerabilities. Stryker’s navigation platforms that are used in surgeries have the dangerous PrintNightmare vulnerability that is associated with three ransomware groups, including the highly active Conti ransomware. An attack on these devices can impede surgeries, leading to fatal consequences.
|
Vendor |
Product |
Product Type |
Vulnerability |
Ransomware Association |
|---|---|---|---|---|
|
Biomerieux |
Biomerieux |
Operating System |
CVE-2020-0601 |
BigBossHorse |
|
Stryker |
ADAPT Platform, Nav3i Platform, Nav3 Platform, Scopis ENU |
Application |
CVE-2021-34527 |
Cerber, Conti, |
CSW’s Ransomware Index Report for the first quarter of 2022 flagged 310 vulnerabilities dangerously deployed by ransomware groups. Read the full report here.
Why should Healthcare organizations be worried about these vulnerabilities?
Healthcare, as a sector, is classified by the US Government as one of the 16 critical infrastructures that is vulnerable to cyber-attacks. Considering how crucial the healthcare industry is, an attack on any healthcare provider has the potential to lead to disastrous consequences – from disrupting administrational activities to hampering patient care.
On the other hand, attackers have long found it profitable to force the hand of healthcare centers and hospitals to pay ransom for their patient data. Thus, it is not surprising that the sector has seen several significant attacks in the past year, for example, the Ireland healthcare attack that impacted regular functioning for over a week.
Patients can be impacted directly as well as indirectly when an attacker affects the operations of a healthcare institution. Here are some ways in which patients may be impacted by dangerous vulnerabilities.
-
Leaked Personal Information
-
Shields Health Care and its list of 56 healthcare centers were affected by a data security breach in June 2022, that impacted approximately 2 million patients.
-
The healthcare and personal information of up to 70,000 Kaiser Permanente patients in Washington state may have been exposed following unauthorized access to the US healthcare giant’s email system.
-
Vice Society’s attacks on Eskenazi Health and Waikato DHB led to hundreds of thousands of patients’ information being leaked following ransomware attacks.
-
Patient Death Caused by Cyber Attacks
-
Hackers attempted to alter dosages of medications by using a simple hack that affects vulnerabilities in pumps used for administering medicines to patients.
-
Springhill Medical Center in the US faced a ransomware attack which resulted in the death of an infant when neonatal staff were cut off from fetal heartbeat monitors due to network outage in the wake of the attack.
-
Chance of Disability Caused by Cyber Attacks
-
Illumina Local Run Manager (LRM), a DNA-sequencing instrument used for diagnostic uses as well as for testing for various genetic conditions were recently identified with five severe vulnerabilities and highlighted by CISA on June 3. The vulnerabilities have the potential to allow a remote, unauthenticated attacker to take over an impacted product.
What can healthcare providers do to stay safe
-
Reduce Window of Attack by Avoiding Latency
Healthcare vendors and organizations using these products must double-check software versions and use the latest versions that address these vulnerabilities or apply recommended mitigation measures to ward off a ransomware attack.
Vulnerability Disclosure Latencies: Attackers are also going after the small windows of opportunity available to them, where even the best security measures fail. In the case of healthcare vulnerabilities, NVD disclosure delays have provided this opportunity to attackers in two ways:
- The time period between a vulnerability being identified and being added to the NVD. CSW observed high threat chatter for 36 of these vulnerabilities with mentions in the deep and dark web, before they could be added to the NVD.
- NVD disclosure delay with respect to exploit codes for the vulnerabilities being made public. 12 vulnerabilities in healthcare devices had exploit codes publicly available, even before they could be added to the NVD.
While the NVD is a reliable source, organizations must look beyond just that one source, and factor in vulnerability trends, exploitation trends, threat activity, and hacker activity, to secure their assets. What is interesting to note is that only four of these 624 vulnerabilities are part of CISA’s Known Exploited Vulnerability catalog. CSW’s vulnerability intelligence is powered by multiple authentic sources and aims to provide a realistic risk outlook that can serve as a basis for vulnerability prioritization.
-
SASE Solutions Coupled with Biometric Security
Secure Access Service Edge (SASE) Solutions are an amalgamation of various cybersecurity solutions starting from secure remote access to on-premises, cloud services, and online resources offered as an enterprise strategy to securely manage and connect users, systems and endpoints to applications and services anywhere.
With biometric security predicted to play a major role in cybersecurity management in the coming years, providing a consistent clinical experience will not only help improve the quality of healthcare services but also the security by adding an extra layer of protection from external or internal attackers.
-
Using Electronic Health Record (EHR) Systems
Having the ability to seamlessly share digital data like complete patient records between doctors, providers, and caregivers, Electronic Health Record (EHR) systems offer the maximum benefit to patients. Given its growing importance in the healthcare sector, a sharp rise in cybercrime specifically aimed at EHRs has also been noticed. EHRs must be carefully monitored to ensure that sensitive patient details and personal information stay away from attackers.
-
Implement Multi-factor Authentication
Multi-factor authentication, commonly known as 2FA or two-factor authentication, has become a major security reinforcement tool, adding an extra layer of protection and replacing the older password-only method of authentication. Healthcare providers having access to 2FA authentication systems would require soft tokens or physical tokens, including smartphone prompts, to get access to sensitive patient information.
CSW Recommends Vendors of Healthcare Products to Amp up Cyber Hygiene
Devices used in healthcare are easy targets for various reasons – lack of investment in cybersecurity, lack of cyber awareness among the healthcare professionals and healthcare devices, and products riddled with vulnerabilities that provide a comfortable entry point to attackers.
With catastrophic impacts possible if exploited, it is prudent that organizations address the vulnerabilities in devices and applications used in the healthcare industry, directly or indirectly.
Here are four steps healthcare institutions must adopt:
-
Implement a regular pentesting or exposure assessment to identify possible exposures in their attack surface.
-
Prioritize vulnerability patching based on risk and contextual implications.
-
Where a direct or complete fix is not possible, adopt appropriate remediation measures.
-
Medical device makers must inculcate security by design, as emphasized by FDA’s latest guidance.
CSW’s VMaaS and Pentesting services can help healthcare institutions identify if they are vulnerable to threats, and prioritize the ones that need to be patched immediately.