The Washington Post

The Cybersecurity 202: Why cybersecurity experts are so concerned about the health-care industry

Analysis by
Assistant visual enterprise editor, reporter
May 16, 2018 at 7:37 a.m. EDT

with Bastien Inzaurralde

THE KEY

New research released by two security companies paints an unsettling picture for the health-care industry: Hackers are stepping up their attacks on hospitals and other health organizations that may be ill prepared to defend against the wave of malicious activity. 

In its quarterly threat report unveiled Tuesday, cybersecurity company Rapid7 found that the health-care sector experienced a surge in cyberattacks during the first quarter of 2018 — so many that it ranked as the top-targeted industry in the first three months of the year. 

The spike marked a continued shift away from attacks on the financial, professional and administrative services industries as hackers seek to take advantage of health organizations’ aging and complex IT systems, which are difficult to secure quickly, according to Rapid7.

Right on the heels of Rapid7’s research, the Internet of Things security firm Pwnie Express is going live this morning with an unrelated survey containing more troubling news: In a poll of more than 500 security professionals, 51 percent of them said the health-care and public-health sectors were the least prepared for cyberattacks. The pros said the industry was the most vulnerable among the country's 16 critical infrastructure sectors — and 85 percent of them said a major cyberattack on critical infrastructure was likely in the next five years. 

Health organizations “have a lot of work to do” to secure their systems, said Rebekah Brown, Rapid7’s head of threat intelligence.

“Given everything we know about how the health-care sector operates and some of the legacy systems they use, they are probably more vulnerable than other sectors based on the systems they use alone,” she told me.

The health-care sector makes an appealing target for hackers for a few reasons, according to Brown. For one, hospitals and insurers keep troves of data that are easy for a cybercriminal to monetize — such as billing and insurance information. The biggest risks to most patients are identity theft and fraud.

But personal health records carry a different kind of value for more sophisticated attackers. Information about someone’s personal or family health history could be used for blackmail or phishing, or help an adversary masquerade as someone else. State-sponsored attackers could use such details for intelligence purposes, according to Brown.

“Any information they can get on someone they’ve targeted is useful little pieces that become valuable, even if they’re not monetizable,” she said.

Hospitals are vulnerable in part because they often rely on equipment that’s built to last 15 to 20 years, meaning it runs older software that’s trickier to update than, say, a typical office computer. And with so many hospital devices interconnected, it’s hard to tell how an update to one will affect other equipment in the system.

The problem extends from MRI machines to the devices nurses wear on their wrists that remind workers to wash their hands, said Todd DeSisto, chief executive of Pwnie Express. “Those are great in terms of productivity enhancements, but you’re also more exposed because they’re all connected to the Internet,” he told me.

DeSisto also said the health-care and energy sectors are particularly at risk because of the range of devices they use. “The IoT [Internet of Things] penetration is higher in those environments because these are sophisticated pieces of equipment,” he said. “There’s lots of different kinds of attack points. They’re ripe targets.”

We've seen this in practice. Just last month, the cybersecurity company Symantec revealed that an attack group called Orangeworm was targeting the health-care industry and had infected X-ray and MRI machines with malware. Orangeworm was also observed meddling in machines used to help patients fill out consent forms, according to Symantec.

Brown said it was important to note that the spike in attacks on the health-care sector didn’t necessarily mean a spike in successful attacks — indeed, plenty of attempts failed. But health organizations should take note of the growing threat and respond carefully, she said.

“The fact that they’re still trying, that they don’t just fail and give up, shows that this is a true interest,” Brown said. “And they seem determined to see what they can do.”

PINGED, PATCHED, PWNED

PINGED: The U.S. government has identified a suspect in a massive leak of CIA hacking tools that were published by WikiLeaks last year, but prosecutors have been unable to bring charges against him, The Washington Post's Shane Harris reports.

“Joshua Adam Schulte, who worked for a CIA group that designs computer code to spy on foreign adversaries, is believed to have provided the agency’s top-secret information to WikiLeaks, federal prosecutors acknowledged in a hearing in January,” Harris writes. WikiLeaks published the code in March 2017 under the label “Vault 7.” Current and former intelligence officials told Harris that last year's leak, which revealed cyberweapons and spying techniques that might be turned against the United States, was among the most serious in the agency's history. 

But Schulte is being held in jail in Manhattan on unrelated charges. “Federal authorities searched Schulte’s apartment in New York last year and obtained personal computer equipment, notebooks, and handwritten notes, according to a copy of the search warrant reviewed by The Washington Post," Harris writes. "But that failed to provide the evidence that prosecutors needed to indict Schulte with illegally giving the information to WikiLeaks.”

PATCHED: Cambridge Analytica has said it is shutting down, but its troubles may not be over. The Justice Department and the FBI are investigating the former political data firm and have reached out to former employees and to the company’s banks, the New York Times’s Matthew Rosenberg and Nicholas Confessore write.

“Prosecutors have questioned potential witnesses in recent weeks, telling them that there is an open investigation into Cambridge Analytica — which worked on President Trump’s election and other Republican campaigns in 2016 — and ‘associated U.S. persons,’” Rosenberg and Confessore report. “But the prosecutors provided few other details, and the inquiry appears to be in its early stages, with investigators seeking an overview of the company and its business practices.”

The news of the investigation comes as Christopher Wylie, a former Cambridge Analytica employee who has publicly criticized the company, is scheduled to appear this morning before the Senate Judiciary Committee to answer questions about the firm. 

PWNED: The White House is eliminating its cybersecurity coordinator position, Politico's Eric Geller reports. “According to an email sent to National Security Council staffers Tuesday, the decision is part of an effort to 'streamline authority' for the senior directors who lead most NSC teams,” Geller writes.

Rob Joyce, who held the White House's top cyber policy job, left the position last week and is set to return to the National Security Agency. And Trump's new national security adviser John Bolton did not want to replace him, Geller reports. The decision came in an email Tuesday from a Bolton aide — despite a slew of experts and lawmakers who urged against scrapping the position. 

In a series of tweets, Sen. Mark R. Warner (D-Va.), vice chairman of the Senate Intelligence Committee, urged Trump not to allow the position to be cut because it's the only one “in the federal government tasked with delivering a coordinated, whole-of-government response to the growing cyber threats facing our nation.”

Reps. Jim Langevin (D-R.I.) and Ted Lieu (D-Calif.) introduced a bill, titled the Executive Cyberspace Coordination Act, to essentially reinstate the cybersecurity coordinator position and create a National Office for Cyberspace in the White House. Lieu said the bill would fill the void left by the White House's cancellation of the cyber policy job, a decision he called “outrageous.”

“A coordinated effort to keep our information systems safe is paramount if we want to counter the cyber threats posed by foes like Russia, Iran and China,” Lieu said in a statement. “To do anything less is a direct threat to national security.”

CHAT ROOM

— The termination of the White House cybersecurity coordinator position lit up Twitter: 

PUBLIC KEY

— The Department of Homeland Security on Tuesday published a 35-page report presenting the agency's cybersecurity strategy for the next five years “to keep pace with the evolving cyber risk landscape.”

“The cyber threat landscape is shifting in real-time, and we have reached a historic turning point,” Homeland Security Secretary Kirstjen Nielsen said in a statement. “Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself.” The agency's goals include reducing vulnerabilities within federal government information systems, partnering with key stakeholders to protect critical infrastructure and countering transnational criminal organizations.

— Trump signed an executive order aiming to give more authority to federal agencies' chief information officers.

— William R. Evanina, Trump's nominee for director of the National Counterintelligence and Security Center, told Sen. Angus King (I-Maine) during his confirmation hearing yesterday that he agrees with the intelligence community's assessment that Russia interfered in the presidential election to undermine the public’s confidence in the democratic process and help get Trump elected.

Separately, in response to a question by Sen. Marco Rubio (R-Fla.), Evanina also said that he would not use a phone from ZTE, the Chinese tech company that Trump promised to bring back from the brink of collapse.

For more info: The Cybersecurity 202 on Monday delved deeper into how Trump's about-face on ZTE flouted warnings from his top national security officials.

— More on the ZTE controversy and other public sector cybersecurity news:

After ZTE reversal, Democrats accuse Trump of jeopardizing national security (Damian Paletta)

President Trump signs executive order to elevate the role of agency CIOs (FedScoop)

Homeland Security sends officials to Pennsylvania on primary day (The Hill)

Cyber attack delays Atlanta mayor's first budget pitch (Reuters)

This Continually Updated Map Shows Which Cops Have iPhone Cracking Tech GrayKey (Motherboard)

A DC Think Tank Is Using Fake Twitter Accounts And A Shady Expert To Reach The NSA, FBI And White House (BuzzFeed News)

PRIVATE KEY

— Facebook is starting to lift the veil of secrecy over its enforcement of the rules on the social network. The company announced Tuesday that it removed about 583 million fake accounts and 837 million pieces of spam during the first quarter of the year. It was the first time that Facebook released numbers about the content that it takes offline.

“We believe that increased transparency tends to lead to increased accountability and responsibility over time, and publishing this information will push us to improve more quickly too,” Guy Rosen, Facebook's vice president of product management, said in a statement. “This is the same data we use to measure our progress internally — and you can now see it to judge our progress for yourselves.”

In addition to fake accounts and spam, Facebook also said it took down content that includes graphic violence, adult nudity and sex, terrorist propaganda and hate speech, Rosen wrote. He added that the company needs to review the technology that it uses to remove hate speech because it “still doesn't work that well.”

Jillian York, director for international freedom of expression at the Electronic Frontier Foundation, told the New York Times's Sheera Frenkel that Facebook was making the right call by releasing the information. "It’s a good move and it’s a long time coming," York told Frenkel. “But it’s also frustrating because we’ve known that this has needed to happen for a long time. We need more transparency about how Facebook identifies content, and what it removes going forward.”

— Despite this transparency push, it looks like there are some questions about data privacy and other issues that Facebook isn't ready to answer yet. Rebecca Stimson, Facebook UK's head of public policy, told a British parliamentary committee in a letter that Facebook chief executive Mark Zuckerberg “has no plans to meet with the committee or travel to the UK at the present time,” the Verge's Jacob Kastrenakes reports.

Stimson's letter answered multiple questions from the British lawmakers, but Damian Collins, the committee's head, didn't seem impressed. “If Mark Zuckerberg truly recognises the 'seriousness' of these issues as they say they do, we would expect that he would want to appear in front of the Committee and answer questions that are of concern not only to Parliament, but Facebook’s tens of millions of users in this country,” Collins said in a statement.

— More cybersecurity news on the private sector:

Twitter changes strategy in battle against internet 'trolls' (Reuters)

THE NEW WILD WEST

— The government of Ecuador spent at least $5 million over more than five years on a secret surveillance operation to protect WikiLeaks founder Julian Assange as he remained in the country's embassy in London, the Guardian's Dan Collyns, Stephanie Kirchgaessner and Luke Harding report.

“Documents show the intelligence programme, called 'Operation Guest', which later became known as 'Operation Hotel' — coupled with parallel covert actions — ran up an average cost of at least $66,000 a month for security, intelligence gathering and counter-intelligence to 'protect' one of the world's most high-profile fugitives,” they write.

Additionally, a source told the Guardian that Assange infiltrated the embassy's communications system and intercepted the correspondence of the staff. WikiLeaks denied those claims and said it would file a lawsuit.

— Researchers from mobile security company Lookout said Tuesday that they have identified spying tools used to monitor Android phones and mobile devices using Apple's operating system iOS as part of an intelligence-gathering operation by members of Pakistan's military.

“Our investigation indicates this actor has used these surveillanceware tools to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians,” according to Lookout's report.

The data that was extracted from compromised devices includes government documents, travel information, pictures of IDs and other information, according to the report.

— More international cybersecurity news:

New Privacy Rules Could Make This Woman One of Tech’s Most Important Regulators (The New York Times)

Kaspersky to Relocate Some Operations Out of Russia Amid Tampering Suspicions (The Wall Street Journal)

Google Is Now Under Investigation After Oracle Accused It of Secretly Tracking Android Users (Fortune)

EASTER EGGS

Nielsen grilled on separation of children and parents at border:

Dept. of Homeland Security Secretary Kirstjen Nielsen testified before the Senate on May 15. (Video: Reuters)

Remembering Tom Wolfe, author of "The Right Stuff":

Washington Post critic Ron Charles explains how Tom Wolfe revolutionized the world of fiction writing. (Video: Whitney Leaming/The Washington Post)

Watch Vladimir Putin drive a truck on a new bridge connecting Russia to Crimea:

On May 15, Russian President Vladimir Putin drove a large orange construction truck at the opening of a bridge linking Russia to the Crimean peninsula. (Video: Reuters)