Alex Swan
Jr DevOps Engineer at Itirra
The increasing number of healthcare data breaches continues to highlight some of the sector’s biggest vulnerabilities.
Cyberattacks are becoming more targeted, sophisticated, and severe. According to a recent report, many healthcare organizations still lack the resources to protect themselves adequately: fewer than 35% of healthcare providers believe they have sufficient budget to support strong IT security, and 87% do not have the personnel needed to achieve a more effective cybersecurity posture.
In September 2020, a ransomware attack crippled the US facilities of Universal Health Services, forcing doctors and nurses to fall back on paper and pencil for record-keeping and slowing lab work. We work with the company and experienced the disruption first-hand. That same month, the first known fatality linked to ransomware occurred in Duesseldorf, Germany, when a ransomware-induced IT outage at the university hospital forced a critically ill patient to be rerouted to a hospital in another city.
Medical records stolen in data breaches contain personally identifiable information such as names, addresses, financial details, and social security numbers, and unlike a payment card they cannot simply be cancelled and reissued. That is why medical records are among the most valuable documents sold on the dark web. Cybersecurity is no longer just a priority but a necessity for modern healthcare organizations.
How cyber criminals get access to healthcare data
Just a few weeks ago, the care facility system of our Washington State client was attacked by cybercriminals. But before we get to that story, let me describe some of the ways cybercriminals can breach your network and exploit your data. The OWASP foundation (Open Web Application Security Project), a non-profit, is one of the best resources for learning about application security, and its OWASP Top 10 list (2017 edition) opens with the four categories below. Every organization serious about protecting its data should make sure that its systems are protected against the following types of attacks:
Injection. Injection flaws, such as SQL, NoSQL, OS command, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities temporarily or permanently.
Sensitive Data Exposure. Many web applications and APIs do not properly protect sensitive data such as financial data, health records, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data is easily compromised without extra protection, such as encryption at rest and in transit, and requires special precautions when exchanged with the browser.
XML External Entities (XXE). Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files via the file:// URI handler, to reach internal file shares, to scan internal ports, and, depending on the processor, to achieve remote code execution or denial of service.
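To make the Injection entry concrete, here is an added example (not code from the original post or from the client's system) of the same patient lookup written twice: once with the search string concatenated into the SQL text, once with a bound parameter. It uses Python's bundled sqlite3 module with a constructed in-memory database; the table names, patient rows and the `pw_hash` placeholder string are all made up for the demonstration.

```python
"""SQL injection: concatenated query versus bound parameter.
Added example with constructed sample data; not the original post's code."""
import sqlite3


def make_db():
    # Constructed sample data: three patients and one application user.
    # The pw_hash value is a placeholder string, not a real hash.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patients (mrn TEXT, last_name TEXT, dob TEXT);
        CREATE TABLE users (username TEXT, pw_hash TEXT);
        INSERT INTO patients VALUES ('MRN-1001', 'Adams',   '1970-02-14');
        INSERT INTO patients VALUES ('MRN-1002', 'Baker',   '1985-11-30');
        INSERT INTO patients VALUES ('MRN-1003', 'Adamson', '1992-06-01');
        INSERT INTO users    VALUES ('admin', '$2b$12$constructed-hash-value');
    """)
    return conn


def search_vulnerable(conn, last_name):
    # BAD: the user-supplied string becomes part of the SQL text, so a quote
    # closes the literal and anything after it (OR, UNION, --) is executed as SQL.
    sql = (f"SELECT mrn, last_name FROM patients "
           f"WHERE last_name LIKE '{last_name}%' ORDER BY mrn")
    return conn.execute(sql).fetchall()


def search_safe(conn, last_name):
    # GOOD: the value travels as a bound parameter. Whatever characters it
    # contains, the database only ever compares it against last_name.
    sql = "SELECT mrn, last_name FROM patients WHERE last_name LIKE ? ORDER BY mrn"
    return conn.execute(sql, (last_name + "%",)).fetchall()


# Two classic payloads: one dumps the whole table, the other reads a different
# table entirely (the users table, including the credential hashes).
DUMP_ALL = "' OR 1=1 --"
READ_USERS = "' UNION SELECT username, pw_hash FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("normal:   ", search_vulnerable(db, "Adam"))
    print("dump all: ", search_vulnerable(db, DUMP_ALL))
    print("users:    ", search_vulnerable(db, READ_USERS))
    print("safe:     ", search_safe(db, READ_USERS))
```

Run as a script it prints the legitimate prefix match, then the full patient table and the users table pulled through the vulnerable function, and finally an empty result from the safe one, which treats the whole payload as a (non-matching) surname. Note that the safe version builds the `%` wildcard in code rather than trusting the caller to supply it; an attacker-controlled `%` is a lesser problem than injection but still lets a caller widen the query.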
What happened in our case
Perpetrators took full control of the public-facing marketing WordPress site of the healthcare facility we work with. They modified every single page so that visitors were automatically redirected to various malicious destinations. To be precise, a file named “_a.php” with harmful content had been created on the backend of the client’s website. A preliminary check of “_a.php” already showed that it opened a database connection and used it to get malicious JavaScript served on every page of the site.
In our case the intruders' end result was a stored Cross-Site Scripting (XSS) condition, a form of attack I have not yet covered: every page delivered attacker-controlled JavaScript to visitors. XSS is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It lets the attacker bypass the same-origin policy, which is designed to keep different websites isolated from each other.
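As an added triage example (not code from the original post; the two sample pages below are constructed, with `clinic.example` standing in for the client's hostname and `evil.example` for the redirect destination), the following script parses a served page and reports two things an injected redirect leaves in the page source: `<script src>` tags that load from a host other than the site's own, and inline scripts that assign to `location`. It is a heuristic for spotting pages that need a closer look, not a malware signature.

```python
"""Flag off-site <script src> tags and inline redirect scripts in served HTML.
Added triage example; sample pages are constructed, not the client's real pages."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script> element as (src attribute or None, inline body)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data as raw text
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


# Assignment to location / location.href, or a location.replace() call: how a
# dropped script usually forces the redirect. Comparisons (==) are deliberately not matched.
REDIRECT_RE = re.compile(r"\blocation(?:\.href)?\s*=(?!=)|\blocation\.replace\s*\(", re.I)


def audit_page(html_text, site_host, allowed_hosts=frozenset()):
    """Return (kind, detail) findings for one rendered page."""
    collector = ScriptCollector()
    collector.feed(html_text)
    findings = []
    for src, body in collector.scripts:
        if src is not None:
            host = urlparse(src).hostname      # None for relative paths such as /wp-includes/...
            if host and host != site_host and host not in allowed_hosts:
                findings.append(("external-script", src))
        elif REDIRECT_RE.search(body):
            findings.append(("inline-redirect", " ".join(body.split())[:80]))
    return findings


# Constructed sample pages (assumed hostnames; not real content from the incident).
CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>var wpAjax = {url: "/wp-admin/admin-ajax.php"}; if (location.href == wpAjax.url) {}</script>
</head><body><h1>Welcome to the clinic</h1></body></html>"""

INFECTED_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>var wpAjax = {url: "/wp-admin/admin-ajax.php"}; if (location.href == wpAjax.url) {}</script>
</head><body><h1>Welcome to the clinic</h1>
<script src="https://evil.example/t.js"></script>
<script>setTimeout(function () { window.location.href = "https://evil.example/landing"; }, 500);</script>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, audit_page(page, "clinic.example"))
```

In practice you would feed `audit_page` the HTML of every page as actually served (fetched over HTTP, not read from the theme files, since the injection in our case came from the database), add your legitimate third-party hosts such as an analytics or CDN domain to `allowed_hosts`, and investigate any page that produces a finding.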
XSS works by manipulating a vulnerable website so that it returns malicious JavaScript to users. When the malicious code executes inside a victim’s browser, the attacker can fully compromise their interaction with the application. This vulnerability allows an attacker to steal session tokens or login credentials, perform arbitrary actions on a victim’s behalf, log their keystrokes, and deliver malware.
A combination of measures is usually needed to prevent XSS effectively: filtering input on arrival; encoding data on output for the context it is written into (HTML body, attribute, JavaScript, or URL); sending appropriate response headers (for example a Content-Type with an explicit charset and X-Content-Type-Options: nosniff, so that responses not meant to contain HTML or script cannot be interpreted as such); and applying a Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.
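An added example of the output-encoding, response-header and CSP measures (not code from the original post or from the client's WordPress site; the greeting page, the `clinic.example` origin and the nonce values are illustrative): a page that echoes an untrusted display name, first unencoded and then entity-encoded for the HTML body, a nonce-based Content-Security-Policy with the other headers, and a simplified model of how the browser decides whether a given script may run under that policy, which is what makes an injected `<script>` inert even if encoding was missed somewhere.

```python
"""Output encoding plus a nonce-based CSP for a page that echoes untrusted input.
Added example; route, origin and nonce values are illustrative."""
import html
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://clinic.example"   # assumed origin of the site being protected


def render_greeting_vulnerable(display_name):
    # BAD: untrusted data is dropped straight into the HTML body
    return f"<p>Welcome back, {display_name}</p>"


def render_greeting_safe(display_name):
    # GOOD: entity-encode for the context the data lands in (HTML element body).
    # Attribute, JavaScript and URL contexts each need their own encoder, not this one.
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}</p>"


def new_nonce():
    # One fresh, unguessable nonce per response; never reuse it across requests.
    return secrets.token_urlsafe(16)


def csp_header(nonce):
    # Scripts may run only from our own origin or when tagged with this response's nonce.
    # There is no 'unsafe-inline', so an injected <script> without the nonce is refused.
    return "; ".join([
        "default-src 'self'",
        f"script-src 'self' 'nonce-{nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ])


def security_headers(nonce):
    return {
        "Content-Security-Policy": csp_header(nonce),
        "Content-Type": "text/html; charset=utf-8",   # explicit charset: nothing to sniff
        "X-Content-Type-Options": "nosniff",
    }


def render_page(display_name, nonce):
    # The site's own inline script carries the nonce; anything injected does not.
    return ("<!doctype html><html><head></head><body>"
            + render_greeting_safe(display_name)
            + f'<script nonce="{nonce}">/* site-owned script, permitted by its nonce */</script>'
            + "</body></html>")


def script_permitted(policy, site_origin, src=None, nonce=None):
    """Simplified model of the browser's script-src decision (no hash sources, no wildcards)."""
    directives = {}
    for part in policy.split(";"):
        name, _, value = part.strip().partition(" ")
        if name:
            directives[name] = value.split()
    sources = directives.get("script-src", directives.get("default-src", []))
    if src is None:                                  # inline <script>
        return f"'nonce-{nonce}'" in sources if nonce else "'unsafe-inline'" in sources
    parsed = urlparse(src)
    origin = f"{parsed.scheme}://{parsed.netloc}" if parsed.netloc else site_origin
    if "'self'" in sources and origin == site_origin:
        return True
    return origin in sources or parsed.netloc in sources


if __name__ == "__main__":
    payload = '<script>document.location="https://evil.example/"</script>'
    nonce = new_nonce()
    print(render_greeting_vulnerable(payload))
    print(render_greeting_safe(payload))
    print(security_headers(nonce))
    print("injected inline script allowed?", script_permitted(csp_header(nonce), SITE_ORIGIN))
```

The nonce has to be generated per response and written into both the header and the site's own script tags by the server; a static nonce in a config file is equivalent to `'unsafe-inline'`. On a WordPress site the practical route is to emit the header from the web server or a small plugin and to add the nonce attribute to enqueued scripts, which is more work than encoding output but is what limits the blast radius when, as in our case, the attacker can write into the database.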
We are here for you
With cyberattacks predicted to triple in 2021, we need to do all we can to protect healthcare organizations from future breaches. If you want to know more about how we can help you protect your organization from cyberattacks, contact us or schedule a meeting with our CEO, Michael Nikitin.