U.S. infrastructure and raising questions about how prepared healthcare systems are to handle them.
The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert Monday for critical infrastructure systems such as healthcare systems. The agency warned of potential Iran cyberattacks in response to the U.S. military strike that killed General Qassem Soleimani. The Health Information Sharing and Analysis Center, a non-profit organization focused on enhancing healthcare cybersecurity that keeps tabs on threats to the industry, followed suit.
Iran has not historically targeted U.S. health systems. It has opted instead for targets that would drive greater economic influence. But Caleb Barlow, president and CEO of Austin, Texas-based healthcare cybersecurity firm CynergisTek, said that may be changing.
“This isn’t a point of scaring the living daylights out of people and saying, ‘Hey, the Iranians are going to attack healthcare.’ That’s not what we’re saying at all,” he said. “What we are saying, however, is that the threat landscape just changed dramatically in the last week. The likelihood that a foreign actor — or someone sympathetic to a foreign actor — may try to impact U.S. critical infrastructure, which includes healthcare, and may use known means that work, are very high.”
CISA recommended that industries including healthcare increase awareness and organizational vigilance around cyberthreats. Beyond the potential for an Iranian cyberattack, healthcare CIOs should prepare their organizations for destructive malware attacks.
A growing threat
Iranian cyber threat actors continue to engage in more “conventional” attacks such as website defacement and theft of personally identifiable information, but they have continuously improved their cyberattack capabilities and shown a “willingness to push the boundaries of activities,” according to the CISA alert.
Barlow said Iranian cyber threat actors are known for destructive wiper attacks, which he described as “ransomware on steroids.” The number of known wiper attacks is small, but they can be devastating, according to Barlow. IBM X-Force Incident Response and Intelligence Services found destructive malware attacks destroyed about 12,000 devices and cost organizations more than $200 million on average.
Due to recent tensions, Iranian cyberattacks may be shifting away from targets that could provide economic influence and toward targets that could provide political influence. Coupled with the threat of destructive wiper attacks, healthcare CIOs should be on high alert.
How healthcare CIOs can respond
Barlow said healthcare security teams need to rethink their response plans.
“This isn’t just about prevention,” he said. “This is also about, can you maintain the resiliency of your business — whether it’s manufacturing, a hospital, or state or local government — without your IT systems? How would you do it? How would you recover it? And how would you get started?”
Healthcare organizations likely have plans for cybersecurity incidents; most start with calling their insurance company. But many cyber insurance policies do not cover the actions of a foreign nation, according to Barlow.
Healthcare organizations are also unprepared for handling ransomware, which is malware that locks data until a ransom is paid, and they often pay the ransom to regain access to their data and systems, according to Barlow. But paying a ransom won’t be an option if they’re hit by a destructive wiper attack.
“With a destructive attack, you don’t have that option, it’s just gone,” Barlow said. “If you don’t have a plan in place to maintain resiliency, so is your institution.”
Wiper attacks can destroy everything, according to David Chou, vice president and principal analyst at Constellation Research in Cupertino, Calif. He stressed that even without a potential increase in Iranian cyberattacks, healthcare and government are targets. That’s why organizations like the Health Information Sharing and Analysis Center (H-ISAC) have issued a call to action to become better prepared for ransomware as well as destructive wiper attacks.
“The healthcare industry has to prepare for wiper, which is definitely something that can be serious and potentially wipe out the business of a hospital,” Chou said.
CISA recommended healthcare organizations focus on vulnerability mitigation and incident preparation, which includes taking steps to disable unnecessary ports and protocols, increase monitoring of email and network traffic, and ensure backups are updated and stored in a location that is separate from the organization but easily retrievable.
Chou said H-ISAC recommends backing up data and keeping systems updated, which he said should be done as good practice regardless of the current state of high alert.