How Healthcare Threats Are Going Low

When it comes to IT and cybersecurity, few industries can compare to healthcare. A diverse fleet of high-value devices, supporting mission-critical systems and carrying highly sensitive, regulated data, is just table stakes for most healthcare security teams.

And while this has always been the case, the threat landscape has gotten even more intense in the years following COVID-19. Advanced threat actors have ramped up efforts to steal sensitive medical research, and ransomware groups have sought to extort hospitals by disrupting clinical systems. In both cases, the often overlooked supply chains and firmware within critical devices have played a major role in how attackers gain initial access into a network and subsequently maintain persistence, evade security, and cause damage. 

Our new paper, The Threat Landscape for Healthcare Organizations, takes an in-depth look at the threat landscape facing healthcare organizations today. We look at the different threat actors that are involved, their motivations, and the recent trends in how they operate. Most importantly, we look at the evolution of attacks that go “below the operating system,” or BtOS. We walk through real-world examples of how this strategy is used across multiple phases of an attack, including a demonstration of the same techniques seen in the wild: in under three minutes, an attacker goes from the Internet to a critical internal medical device inside a hospital.

The goal of the paper is to give healthcare teams visibility into how adversaries are causing damage and imposing real-world clinical risk, so that teams can make smart, threat-informed decisions to protect their critical data and systems. Here are some of the key takeaways:

The Threat Landscape Most Healthcare CISOs Don’t See

Attackers naturally gravitate to the areas where their actions will have the biggest impact while facing the least resistance. In recent years, attackers have found a way to meet both of these goals by targeting the supply chains of critical assets and clinical devices. Specifically, actors have targeted the highly privileged code, components, and settings that reside below the operating system (BtOS) on devices, both those that are externally facing and those within medical environments.

This trend accomplishes two critical things for attackers – it allows them to attack below the well-defended operating system layer, while also taking advantage of the trust in an organization’s technology vendors. 

Over the years, the industry has put considerable effort into making operating systems more secure and resilient to attacks. Likewise, virtually all traditional cybersecurity defenses look for threats running at the OS level, and those same security tools often depend on the operating system for their visibility and detection of threat activity. By driving the attack below the operating system, attackers can shift the battle away from a hardened target with many defenses to an area that is comparatively unguarded, yet provides even more stealth, power, and persistence. 

By targeting the technology supply chain, adversaries can insert malicious code within products or updates even before they are delivered to the clinical environment. Every piece of equipment, from laptops to servers to networking infrastructure to medical devices, relies on a complex technology supply chain. A compromise at any supplier or sub-supplier can put the integrity and security of the entire asset at risk.

Attacks in Clinical Environments

Thus far, we have covered why attacker techniques are shifting. Yet it is important to understand how these techniques apply in real-world scenarios, specifically for healthcare organizations. 

  • Every Asset Has a Supply Chain – Supply chains are not just about technology – they also represent chains of trust. And each of these points of trust can potentially be a point of attack. Every underlying technology within a supply chain introduces the potential for problems, both intentional and unintentional. Each supplier or sub-supplier can introduce vulnerabilities within critical code that can lead to a compromise of the asset. External attackers or malicious insiders can embed malicious code or backdoors within underlying components, systems, or product updates. Products can be potentially tampered with by any party that controls the asset before it is delivered to the ultimate buyer. This means that clinical IT and Security teams need to be able to verify the true integrity and posture of every asset down to the lowest level of code.
  • Firmware is Everywhere – Healthcare IT and Security teams must protect an incredibly wide range of devices, and almost all of them can be critical to a hospital’s operations. This can include IoMT devices ranging from basic patient monitors to the most advanced diagnostic imaging systems. PACS and EHR systems carry critical data. Likewise, healthcare organizations rely on a wide range of IoT and OT devices. While an inconvenience for most organizations, a failure of HVAC or refrigeration systems in a hospital can be life-threatening. While these devices may or may not have a traditional OS, they all have firmware. For an attacker looking to cause damage and disruption, firmware is a universal way to completely disable a target device.
  • Attacks Cut Across the Organization – Once the tactics of sophisticated state-based attackers, BtOS techniques have become mainstream and are now seen in everything from APTs to the most widespread, opportunistic ransomware groups. Notably, vulnerabilities within the firmware of network devices such as VPNs, firewalls, and network controllers have become some of the most common initial access vectors for attackers. This entry point provides the ideal location for an attacker to spread, again using very well-known vulnerabilities and exploits. As the attacker moves to new devices, vulnerabilities lying below the OS allow attackers to install firmware implants and backdoors that make it possible to establish long-term persistence and security evasion. And as we’ve mentioned earlier, attackers can then target the firmware to cause either temporary or permanent damage to a device.
  • Clinical Impacts – Ultimately, as defenders, we care about how BtOS attacks can impact healthcare and clinical systems. The video below walks through one scenario and illustrates how readily available exploits and techniques can be, and are being, used by attackers today in clinical environments.
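The first bullet above asks clinical IT and security teams to verify the integrity and posture of every asset down to the lowest level of code. One concrete form of that check is a firmware baseline comparison: each asset reports its firmware components, and each component is compared against a known-good manifest by image hash and by minimum accepted version. The following is an added example written for this post, not code from the paper or from Eclypsium's tooling; every vendor, model, version, image and hash value is constructed for illustration, and a real deployment would populate the manifest from vendor-published hashes or a golden image captured at commissioning time.

```python
"""Firmware baseline check for a small clinical device inventory.

Added example. All device identifiers, versions, firmware images and the
manifest format are constructed; nothing here reflects a real vendor.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a firmware image (here, a constructed byte string)."""
    return hashlib.sha256(data).hexdigest()


# Constructed golden images the organization captured as known-good.
GOOD_BIOS = b"constructed-golden-bios-image-v2.1"
GOOD_BMC = b"constructed-golden-bmc-image-v1.4"
GOOD_VPN = b"constructed-golden-vpn-appliance-fw-9.2"

# Known-good manifest: (vendor, model) -> component -> expected hash and the
# minimum firmware version the organization still accepts.
BASELINE = {
    ("ExampleVendor", "InfusionPump-X"): {
        "bios": {"sha256": sha256_hex(GOOD_BIOS), "min_version": "2.1"},
        "bmc": {"sha256": sha256_hex(GOOD_BMC), "min_version": "1.4"},
    },
    ("ExampleVendor", "EdgeVPN-9"): {
        "firmware": {"sha256": sha256_hex(GOOD_VPN), "min_version": "9.2"},
    },
}


@dataclass
class Finding:
    asset: str
    component: str
    issue: str  # hash_mismatch | below_min_version | unknown_component | unknown_model
    detail: str


def version_tuple(version: str) -> tuple:
    """Turn '9.2' into (9, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def check_asset(asset: dict, baseline: dict = BASELINE) -> list:
    """Compare one asset's reported components against the baseline."""
    key = (asset["vendor"], asset["model"])
    expected = baseline.get(key)
    if expected is None:
        # No known-good reference at all: the asset cannot be attested.
        return [Finding(asset["id"], "*", "unknown_model", f"no baseline for {key}")]
    findings = []
    for comp, reported in asset["components"].items():
        exp = expected.get(comp)
        if exp is None:
            findings.append(Finding(asset["id"], comp, "unknown_component",
                                    "component not present in baseline"))
            continue
        observed = sha256_hex(reported["image"])
        if observed != exp["sha256"]:
            # The image differs from the golden copy even if the version string
            # matches: this is the signal a version-only check misses.
            findings.append(Finding(asset["id"], comp, "hash_mismatch",
                                    f"observed {observed[:12]} expected {exp['sha256'][:12]}"))
        if version_tuple(reported["version"]) < version_tuple(exp["min_version"]):
            findings.append(Finding(asset["id"], comp, "below_min_version",
                                    f"{reported['version']} < {exp['min_version']}"))
    return findings


def check_fleet(assets: list, baseline: dict = BASELINE) -> dict:
    """Run the check over every asset; returns asset id -> list of findings."""
    return {asset["id"]: check_asset(asset, baseline) for asset in assets}


# Constructed inventory as an asset-management export might present it.
INVENTORY = [
    {"id": "pump-01", "vendor": "ExampleVendor", "model": "InfusionPump-X",
     "components": {"bios": {"version": "2.1", "image": GOOD_BIOS},
                    "bmc": {"version": "1.4", "image": GOOD_BMC}}},
    # Same version string as the baseline, but the BMC image has been altered.
    {"id": "pump-02", "vendor": "ExampleVendor", "model": "InfusionPump-X",
     "components": {"bios": {"version": "2.1", "image": GOOD_BIOS},
                    "bmc": {"version": "1.4", "image": GOOD_BMC + b"-modified"}}},
    # Edge device still running an older firmware than the organization accepts.
    {"id": "vpn-01", "vendor": "ExampleVendor", "model": "EdgeVPN-9",
     "components": {"firmware": {"version": "8.9",
                                 "image": b"constructed-vpn-appliance-fw-8.9"}}},
    # Device with no baseline at all.
    {"id": "monitor-07", "vendor": "OtherVendor", "model": "LegacyMonitor",
     "components": {"firmware": {"version": "1.0", "image": b"constructed-monitor"}}},
]

if __name__ == "__main__":
    for asset_id, findings in check_fleet(INVENTORY).items():
        status = "OK" if not findings else ", ".join(f"{f.component}:{f.issue}" for f in findings)
        print(f"{asset_id}: {status}")
```

The pump-02 case is the one worth noting: its reported version is identical to the baseline, so a version-string inventory would show it as compliant, yet the image hash differs. That gap between what the OS-level inventory reports and what is actually resident in the firmware is exactly the stealth the post describes, and it is why a baseline has to be built on measured images rather than self-reported versions. The unknown_model result is also a finding rather than a pass, because an asset with no known-good reference cannot be shown to be intact.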

And while this is one example, the full paper digs into additional scenarios in which device firmware is being targeted, and how they can impact healthcare operations, including:

  • Loss of Patient Data – How firmware and BtOS techniques can be used to access data within EHR systems, PACS systems, and clinical SaaS applications.
  • Financial Extortion – The role of firmware in the context of ransomware attacks and other forms of financial extortion. This can include the ability to access or steal sensitive data, or the ability to disable critical systems.
  • Destructive or Political Attacks – Unlike ransomware groups, some threat actors have no goal other than to inflict maximum and permanent damage. These attacks can cause long-term disruption to an organization’s ability to deliver care and can be incredibly costly in terms of recovery. 

To learn more, we encourage you to review the full paper available here. The paper gives far deeper insight into the adversaries currently targeting the healthcare industry, along with their motivations and techniques. Additionally, we provide a framework that security teams can use to build a BtOS security program that can help keep their organization and assets safe. With newer purpose-built technologies, BtOS vulnerabilities and threats are finally visible and can be proactively mitigated by those protecting medical environments. For additional questions, or to schedule a discovery call to explore this attack surface (and how to address it) further, please reach out to the Eclypsium team at [email protected].