{"id":9285,"date":"2020-07-20T13:43:13","date_gmt":"2020-07-20T18:43:13","guid":{"rendered":"https:\/\/sterling.com\/?p=9285"},"modified":"2020-07-20T13:43:13","modified_gmt":"2020-07-20T18:43:13","slug":"securing-healthcare-supply-chain","status":"publish","type":"post","link":"https:\/\/sterling.com\/stargazer\/?p=9285","title":{"rendered":"Securing the Healthcare Supply Chain"},"content":{"rendered":"

Who is attacking the healthcare industry?\u00a0<\/span><\/b>\u00a0<\/span><\/p>\n

Advancement<\/span>s<\/span>\u00a0in technology ha<\/span>ve<\/span>\u00a0offered healthcare\u00a0<\/span>an opportunity to save lives and operate efficiently.\u00a0<\/span>\u00a0<\/span>T<\/span>his technology\u00a0<\/span>has<\/span>\u00a0<\/span>create<\/span>d<\/span>\u00a0<\/span>vulnerabilities<\/span> to threats<\/span>\u00a0<\/span>that\u00a0<\/span>infiltrate, steal<\/span>,<\/span>\u00a0or hijack networks<\/span>\u00a0of confidential data<\/span>\u00a0and systems<\/span>.\u00a0\u00a0<\/span>Whatever the reason for the threat, hospitals<\/span>\u00a0and medical facilities are targeted\u00a0<\/span>using\u00a0<\/span>a\u00a0<\/span>differe<\/span>nt variety of methods.\u00a0 Ransomware,\u00a0<\/span>phishing, and\u00a0<\/span>other nefarious software\u00a0<\/span>loaded into medical equipment,\u00a0<\/span>infiltrate networks that could potentially compromise patient\u00a0<\/span>data\u00a0<\/span>or hospital\u00a0<\/span>infrastructure<\/span>.<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

N<\/span>ation-states have\u00a0<\/span>used these opportunities to<\/span>\u00a0gather intelligence using software espionage tools and customized malware in social engineering attacks<\/span>\u00a0to\u00a0<\/span>steal intellectual property or gain competitive advantage.\u00a0<\/span>For instance, the second<\/span>–<\/span>largest healthcare insurance provider in the\u00a0<\/span>United States was affected by a foreign government attack in this way in 2014<\/span><\/a>.<\/span>\u00a0C<\/span>yberterrorists, meanwhile, launch disruptive or destructive cyberattacks to cause physical destruction of property, loss of life and spread terror. Hacktivists are internet activists who attack cyber assets to draw attention to their political causes and tend to choose highly visible or high-profile targets.\u00a0<\/span>\u00a0More recently,\u00a0<\/span>Cybersecurity Ventures predicts that the healthcare industry will spend more than $65B cumulatively on cybersecurity products and services over the five<\/span>\u00a0years<\/span>\u00a0from 2017 to 2021 as published in the\u00a0<\/span>2020\u00a0<\/span>Healthcare<\/span>\u00a0Cybersecurity Report.<\/span><\/a>\u00a0<\/span><\/p>\n

Another category of possible attackers is the insider threat.\u00a0<\/span>I<\/span>nsider threats may be borne out of negligence, like opening a phishing email by mistake. Data privacy Patient and employee\u00a0<\/span>Personally Identifiable\u00a0<\/span>Information<\/span>\u00a0(<\/span>PII<\/span>)<\/span>, which includes patient diagnosis and treatment data, insurance and financial information<\/span>,\u00a0<\/span>research and drug trial data, payroll,\u00a0<\/span>and\u00a0<\/span>intellectual property\u00a0<\/span>may be compromised<\/span>\u00a0in this way.<\/span>\u00a0<\/span>Most of which could be minimized with a secure supply chain model and internal education of staff.<\/span>\u00a0<\/span><\/p>\n

Why is the healthcare industry being attacked?\u00a0<\/span><\/b>\u00a0<\/span><\/p>\n

The key motivator for the vast majority of cyberattacks\u00a0<\/span>happen<\/span>s<\/span>\u00a0<\/span>for\u00a0<\/span>monetary gain<\/span>. Healthcare information is 10 times more valuable on the black market than social security numbers and credit card information. But in the healthcare world, not all perpetrators attacking healthcare providers will be motivated by money. Healthcare providers such as hospitals are highly visible targets and attacks against them will <\/span>cause a major disruption in operations or threat to data housed within a hospital network<\/span>.<\/span>\u00a0Disruptive<\/span>\u00a0attacks can disable, sabotage, or knock\u00a0<\/span>critical systems\u00a0<\/span>offline\u00a0<\/span>inside a hospital. The health and safety of vulnerable patients suffer as a result.\u00a0<\/span>I<\/span>ntellectual property, research data, drug trial data, PII, financial\/<\/span>\u00a0<\/span>insurance data, medical records<\/span>\u00a0could be accessed and used<\/span>\u00a0in<\/span>\u00a0various ways.\u00a0<\/span>\u00a0<\/span><\/p>\n

The healthcare industry is a massive, complex, interconnected ecosystem with thousands of endpoints, systems, and users. The size, complexity, and functions of this\u00a0<\/span>ecosystem create large and oftentimes unpredictable attack surfaces. In a technical sense, threat actors can use several attack routes to infiltrate or sabotage a system.\u00a0<\/span>\u00a0<\/span><\/p>\n

How are they attacking the healthcare industry?\u00a0<\/span><\/b>\u00a0<\/span><\/p>\n

Entry points that threat actors can use to compromise the hospital supply chain range from manufacturers to distribution centers and transportation companies, from third-party contractors to developers of software and mobile apps hospitals use, from past to non-core services staff.<\/span>\u00a0(<\/span>figure 1.\u00a0<\/span>image supply chain flow)<\/span>\u00a0<\/span><\/p>\n

\"\"Figure 1.0 Supply Chain potential Risk access points<\/span>\u00a0<\/span><\/h6>\n

\u201cSupply chain threats arise as a result of outsourcing suppliers, and the lack of verifiable physical and cybersecurity practices in place at the suppliers,\u201d\u00a0<\/span>Sterling OEM,\u00a0<\/span>Trendmicro<\/span>\u00a0<\/span>pointed out<\/span>.<\/span>\u00a0<\/span><\/p>\n

\u201c<\/span>Suppliers do not always vet personnel properly, especially companies that have access to patient data, hospital IT systems, or healthcare facilities. Vendors do not always vet their products and software for cybersecurity risk<\/span>\u00a0<\/span>and maybe outsourcing resources as well.\u201d<\/span>\u00a0<\/span><\/p>\n

The following statistics from the HITRUST Cyber Threat\u00a0<\/span>XChange<\/span>\u00a0(CTX) program \u2014 a threat indicator sharing platform \u2014 show a few chosen markers about the\u00a0<\/span>health<\/span>care<\/span>\u00a0<\/span>industry cyber<\/span>\u00a0<\/span>threat landscape that provide a snapshot about the most common infection vectors<\/span>.<\/span>\u00a0<\/span><\/p>\n

Other threats, as illustrated in Figure\u00a0<\/span>2<\/span>.\u00a0<\/span>ar<\/span>e supplies, equipment, and software that come from <\/span>unvetted sources<\/span>.\u00a0 Education is key to procurement personnel to know that the supplier has been vetted to eliminate gray market equipment making its way into a hospital or medical facility.\u00a0 As a reseller, Sterling Sr. VP, Jeff Moore states<\/span>\u00a0in a recent\u00a0<\/span>article published by\u00a0<\/span>MeriTalk<\/span><\/a>, \u201cThe bottom line is that <\/span>facilities<\/span>\u00a0<\/span>need comprehensive assessments of their suppliers to understand the total risk.\u00a0 Training\u00a0<\/span>procurement staff<\/span>\u00a0and buyers<\/span>\u00a0to look beyond the Bill of Materials (BOM<\/span>)<\/span> and the part number is essential.\u201d\u00a0\u00a0<\/span>\u00a0<\/span>\u00a0<\/span>\u00a0<\/span><\/p>\n

\"\"<\/span><\/span><\/p>\n

Figure 2. Distribution of Indicators of Compromise (IoC) types, 2017 Q4 <\/span><\/span>(Source CTX Enhanced Pilot)<\/h6>\n

To date, the majority of publicly reported cyberattacks against hospitals have been one of the following:\u00a0<\/span>\u00a0<\/span><\/p>\n