Cyber Threat to Healthcare and Pharma in times of Covid-19:  Strategy vs. Tactical Approach

by Danilo Maruccia
Partner & Principal Consultant @PQE Group;
and Jo Pangilinan
Director and Principal Advisor @PQE Group;

The cybersecurity landscape: hackers threatening remote working, home routers and remote devices

The convergence of technological platforms is creating an increasingly complex cyber threat landscape. The COVID-19 pandemic has shifted business to remote work, contributing to widespread use of less protected devices and inconsistent network connections from home and other remote locations. In June 2020, a hacker group, EVIL Corp., attempted ransomware attacks on many Fortune 500 companies and a major news organization. EVIL Corp identified employees working from home or remotely during the pandemic and attempted to infiltrate their networks with malware intended to cripple their operations. Threat actors had exploited the sudden change in work habits with injecting code into corporate networks with a speed and breadth not previously witnessed.1

As well, home routers were targeted in the early days of the COVID-19 pandemic in which a router’s DNS settings were hijacked so that web browsers display alerts for a fake COVID-19 information app from the World Health Organization that is the Oski information-stealing malware. It was determined that these alerts were being caused by an attack that changed the DNS servers configured on their home routers (Linksys, and possibly D-Link) to use DNS servers operated by the attackers2

Tactical approach and Strategic approach: from authentication and vulnerability management to Governance and Network-Endpoint-Cloud strategy, user training and awareness.

Tactical responses include multi-factor authentication (MFA), vulnerability management, regular and frequent patching and regular system and data backups.3  Strategic considerations should include Network/ Endpoint /Cloud strategy (re-)evaluation, Governance (policy and procedures) aligned with updated Network/ Endpoint /Cloud strategy and equally important, develop employee Training and Awareness campaigns.

Java applications targeted via Log4j vulnerability: Crowdstrike reporting attacks to institutions

New security flaws and malware are constantly appearing, as in the Log4j vulnerability found in December 2021, has been defined as the most critical of the last decade. The ‘Log4jShell’ bug allows an attacker to execute arbitrary code by getting a malicious string logged by a vulnerable Java application.4  This is very easy to do and Java — and thus Log4j — is everywhere. Logging in all types of software is pervasive and this bug can be triggered simply by placing a malicious string into anything that might be logged, including HTTP requests5, usernames, and even iPhone names. Microsoft reports exploitation of Log4Shell from both sophisticated state actors and commodity attackers.6 Crowdstrike identified that an actor used a Log4j exploit in an attempt to compromise a “large academic institution”.7 A Vietnamese crypto exchange was hacked after attackers used Log4Shell to access a development server that unfortunately had access to production Amazon S3 buckets.8  The Belgian Ministry of Defence was affected. 9 CISA and the Dutch NCSC are making a list of which applications use Log4j and the range of products affected is huge [see this list of affected products 10 and this list of security advisories11].

Again, vulnerability management (scanning) and regular and frequent cadence of patching, as well as analysis of appropriate cloud security configurations and settings along with User ID and credential (dead account) clean-up.

Ransomware threatening healthcare and lifesciences sectors

Ransomware attacks are now a permanent feature of the cyber threat landscape, increasing in number and sophistication. Ransomware as a service (RaaS) has made it easier for various threat actors — including those who have little technical knowledge — to deploy ransomware against targets. This new paradigm consists of a core group of developers who set up and maintain the ransomware and payment sites and the affiliates they recruit who breach victims’ networks and encrypt devices. One infamously notable example is the LockBit 2.0 ransomware gang.12

In the life sciences and healthcare arena, ransomware is consistently prevalent:

  • London-based insurer Beazley experienced twice as many ransomware-related claims in 2019 than the year prior, and that 35% of the 700+ organizations claiming losses from ransomware attacks in 2019 were healthcare providers.13
  • In September 2020, a ransomware attack crippled over 250 hospitals in the United States after the corporate network of Universal Health Services (UHS) was infected with Ryuk ransomware, forcing the hospitals to resort to pen and paper. UHS decommissioned systems used for “medical records, laboratories and pharmacies” at 250 US sites as a preventative measure after detecting the malware infection.14
  • Hospitals in Czech Republic15 , as have fintech firm Finastra16 and local governments in France.17

Because of the significance and prevalence of ransomware in its impact, the United States Cybersecurity and Infrastructure Agency published guidance on ransomware.

Cyber-espionage putting patents and intellectual property at risk for LifeScience companies; wearable and implanted Medical Devices malfunctioning with dramatic risks for both patients and manufacturers

Lastly, and especially for life sciences, pharmaceutical and biotechnology companies, intellectual property and R&D trade secrets are prime targets not just from criminal groups, but from nation state and corporate espionage actors.
“In February 2020, a biotech company BrightGene announced it had copied Gilead’s experimental viral inhibitor Remdesivir and been granted state approval to begin mass production under the name “Ridesivir*”.
At that point, clinical trials were still underway to confirm whether Remdesivir was effective against the coronavirus. BrightGene said it acted on a sense of national duty to begin manufacturing because if the drug proved effective, a company would already have a head start on saving lives. “The company regards imitating the R&D of Ridesivir as its social responsibility,” it told the Shanghai Stock Exchange.”18

The growth in data loss and ransomware attacks on life science companies and healthcare organizations, critically exposes companies and organizations, as well as disabling medical equipment, wearable and even implanted devices. The risks are high probability and catastrophic consequences:

      • Patient Safety / Death
      • Intellectual Property Theft
      • Legal Liability Lawsuit
      • Regulatory penalties and fines
      • Reputational Damage

These threat events represent a significant concern for life science companies and healthcare organizations, where public safety is at stake.  Therefore, it is critically important for organizations to be proactive in preventing threats and ensuring business continuity by having appropriate mitigation and response strategies through:

  1. Organizational Risk Identification (Risk / Asset Register, i.e. “crown jewels”) and Risk Prioritization
  2. Identification and Development of Digital Governance and Cybersecurity Capabilities
  3. Conduct organizational Training and Awareness
  4. Develop strategic roadmap based on Organizational Risk Prioritization and Digital Governance and Cybersecurity capabilities.

References

[1] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
[2] https://www.bleepingcomputer.com/news/security/hackers-hijack-routers-dns-to-spread-malicious-covid-19-apps/
[3] https://www.cisa.gov/stopransomware
[4] https://nvd.nist.gov/vuln/detail/CVE-2021-44228
[5] https://blog.cloudflare.com/inside-the-log4j2-vulnerability-cve-2021-44228/
[6] https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/
[7] https://www.cyberscoop.com/chinese-hackers-use-log4j-exploit-to-go-after-academic-institution/
[8] https://www.bleepingcomputer.com/news/security/fintech-firm-hit-by-log4j-hack-refuses-to-pay-5-million-ransom/
[9] https://www.cyberscoop.com/intruders-leverage-log4j-flaw-to-breach-belgian-defense-department/
[10] https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/#affected-products
[11] https://gist.github.com/SwitHak/b66db3a06c2955a9cb71a8718970c592
[12] https://www.ic3.gov/Media/News/2022/220204.pdf
[13] https://www.cyberscoop.com/ransomware-beazley-insurance-claims/
[14] https://www.nbcnews.com/tech/security/cyberattack-hits-major-u-s-hospital-system-n1241254
[15] https://www.zdnet.com/article/czech-hospital-hit-by-cyber-attack-while-in-the-midst-of-a-covid-19-outbreak/
[16] https://krebsonsecurity.com/2020/03/security-breach-disrupts-fintech-firm-finastra/
[17] https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/
[18] https://risky.biz/covidespionage/

Want to know more?

How to effectively design risk mitigation and response strategies to protect your products and clients?

Join our Live Webinar on April 6th to learn more from industry experts!

 

PQE Group staff comprises experienced and skilled experts in multidisciplinary teams, available to support your company achieving the highest levels of safety for your systems.

Visit our Digital Governance services page to know more or to contact us, and find the most suitable solution for your company.

Related Articles