Operation 911: Anatomy of an Attack (Part 1)
Looking out the window of a top-floor suite in the Mandalay Bay Hotel, across the Las Vegas skyline, a helicopter full of tourists sets off towards the Grand Canyon.
But inside this room full of cybersecurity experts, TechInformed is prepping for a different kind of sightseeing.
More than 20,000 cybersecurity professionals have gathered in the Nevada city in the August heat for Black Hat, a weeklong event that offers training, briefings and vendor sessions to hackers, corporations and government agencies.
We were invited to join several of those experts in this suite for an immersive tabletop exercise demonstrating a ransomware attack on a medical facility from both the offensive and defensive sides.
Tabletops are like the war games used to prepare military forces across the globe during times of peace.
The healthcare sector is a prime target for cyber criminals, and a surge in ransomware attacks on hospitals threatens patients’ safety and data.
High-profile attacks have included the Change Healthcare ransomware attack in February, which shut down the largest healthcare payment system in the US and led to a reported $22 million ransom payout.
When lives are at risk, the stakes are high: In May, an attack on Ascension Health, the operators of over 140 hospitals in the US, put patients’ lives at risk and crippled revenue flow in the healthcare industry for weeks.
In the UK, meanwhile, a cyber-attack in June on pathology service Synnovis disrupted several London hospitals and led to an unprecedentedly low level of blood stocks across England.
Tabletop scenario
And so, a dozen or so people have gathered in this tabletop – Operation 911.
Participants include several hospital executives, the FBI, software developers, security professionals, hackers who have worked for various military organisations and local law enforcement officers from the Las Vegas Metropolitan Police Department.
They are split evenly into two teams. The red team, ‘The Red Raccoons,’ is charged with launching a high-stakes ransomware attack against Sunshine Healthcare, a fictitious hospital group located in Las Vegas and renowned for its patient care, innovation and recent acquisitions.
They are led by Semperis security researcher Tomer Nahum, who has recently achieved Microsoft Most Valuable Researcher (MVR) status.
The Purple Knights, meanwhile, take on the role of the hospital’s incident response and crisis management team. They are guided by Jeff Wichman, a former ransomware negotiator who is now Semperis director of incident response.
Both teams are shepherded through each step by Marty Momdjian, Semperis EVP of services, who boasts over 20 years of healthcare cyber protection.
High profile
Momdjian explains that the tabletop is based on a real-life scenario that lasted around 30 days from the start of the event to the recovery.
Profiling Sunshine Healthcare, he adds that the company turned over $9bn in revenue last year and has a total of 2,500 licensed beds across its five Vegas locations. The company owns the only trauma centre in the region and has 50 in-state clinics. For simplicity, all patient records are kept on a single electronic medical record (EMR) system.
“One of the reasons we wanted to feature an expanding facility is that healthcare facilities go through a lot of M&A, and they become vulnerable targets for hackers,” explains Momdjian.
He adds that because there’s a trauma centre, the stakes are higher because this must be kept up and running – it’s not a case of shutting all systems down.
“This is a real scenario that’s occurred in major metropolitan areas where there are always Level 1 and 2 trauma centres. When those go offline, it becomes extremely chaotic. And it’s very, very painful,” Momdjian adds.
According to the health sector cyber expert, every healthcare company has been striving towards a single EMR for the last decade, but one centralised store of medical records is also a single point of failure and a single target for attackers.
“If the EMR goes down, all your sites will go down. All physical locations, units, departments, patient care workflows, ADT (patient tracking), and anything that goes through the EMR are on a single platform,” Momdjian points out.
“The Purple Knights especially need to think about that when they are going through the exercise and the steps and what the impact is with any decision you are making.
“On the red team, that’s your target – to get to the EMR, get the data, exfiltrate and then extortion, disrupting patient services to the extent that the hospital has no other option but to pay the ransom.”
Attack framework
For the Purple Knights, Momdjian suggests following the latest guidance from the US Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3), which he has contributed to, as well as the NIST Cybersecurity Framework.
Frameworks like these can help frequently attacked organisations see the wood for the trees. He explains: “There are alerts coming out every single day — it’s complete overload. So the focus for us is working through what really matters when a major ransomware attack occurs—because the faster you respond, the faster you can recover.”
The red team, meanwhile, is instructed to follow the kill chain (the sequence of phases in a cyber-attack, from reconnaissance through initial access to impact), which, Momdjian adds, is well documented for the adversaries that target healthcare.
In terms of finding a way into the hospital group’s systems, the red team decides to target VIP executives attached to the company in some capacity. “We’re looking for names of executives that have been in the news a lot and have active social media accounts,” explains one red team member.
“We’ll look at what systems they’re using and what their admins are so that we can come up with some kind of social engineering strategy to gain access to the network,” he added.
The weakest link
As Sunshine Health also has a university relationship and a research department, the red team are also sniffing around this to find a way in.
“Universities are notorious for having weak security,” adds another red team member. “We’re using that connection between the university and the main hospital system as an access point so that we can look for weaknesses and external apps.”
The targeting of a prestigious university researcher rings true with one member of the Purple Knights, who asks Momdjian for advice. The expert says he’s encountered this type before.
“They want to be published and are posting a lot. They tend to use the same password for their healthcare system as they do for social media and LinkedIn. And they make it easy for hackers to find because they tend to use their work email address to sign up for other accounts,” he says.
He advises that if these high-profile medics/researchers don’t cooperate, you need to apply protective measures against them. “Limit their access. If an incident is escalated to a specific level, remove their access because you know they are an easy target. Tell them that it is part of your policy.”
He adds that it’s standard for hackers to find a way in by buying a password dump from the dark web. “So incident response (IR) should start by making a list of their VIP execs — doing dark web checks on execs and VIPs.”
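As an added illustration of the check Momdjian recommends (example code written for this article, not tooling from the exercise, from Semperis or from Sunshine Healthcare), the script below takes a VIP roster and a set of credential-dump records and reports which executives appear in the dumps, on which external sites they signed up with their work address, and whether the same password hash turns up on more than one site, which is the reuse pattern he describes. The mail domain `sunshinehealth.example`, the roster and the dump records are all constructed; a real run would feed in the output of a breach-monitoring service in the same `(source, email, sha1)` shape.

```python
"""Check a VIP/executive roster against credential-dump records.

Constructed example: the domain, roster and dump rows below are invented
for illustration and do not come from any real breach.
"""
import hashlib
from collections import defaultdict

CORP_DOMAIN = "sunshinehealth.example"  # assumed hospital mail domain


def sha1(password: str) -> str:
    """Many dumps and breach feeds carry SHA-1 of the password, not plaintext."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed VIP roster: the execs and researchers IR would list first.
VIPS = [
    "J.Doe@sunshinehealth.example",
    "dr.lee+research@sunshinehealth.example",
    "cfo@sunshinehealth.example",
]

# Constructed dump records: (dump/source name, email as leaked, sha1(password)).
DUMP = [
    ("socialnet-2019", "j.doe@sunshinehealth.example", sha1("Summer2019!")),
    ("journal-portal-2021", "J.Doe@SunshineHealth.example", sha1("Summer2019!")),
    ("conference-app-2022", "dr.lee@sunshinehealth.example", sha1("Lee-Lab-1")),
    ("conference-app-2022", "dr.lee@sunshinehealth.example", sha1("Lee-Lab-2")),
    ("retail-2020", "someone.else@mail.example", sha1("hunter2")),
]


def normalize_email(addr: str) -> str:
    """Lower-case and drop plus-addressing so 'Dr.Lee+x@Corp' matches 'dr.lee@corp'."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def exposure_report(vips, dump):
    """Return {normalized_vip_email: findings} for every VIP present in the dump."""
    hash_sources = defaultdict(lambda: defaultdict(set))  # email -> hash -> {sources}
    for source, email, pw_hash in dump:
        hash_sources[normalize_email(email)][pw_hash].add(source)

    report = {}
    for vip in vips:
        email = normalize_email(vip)
        hits = hash_sources.get(email)
        if not hits:
            continue
        sources = sorted({s for srcs in hits.values() for s in srcs})
        # Reuse = one password hash seen on two or more different sites.
        reuse = any(len(srcs) >= 2 for srcs in hits.values())
        if reuse:
            action = "reset password, enforce MFA, limit access until re-verified"
        else:
            action = "reset password, confirm MFA enrolled"
        report[email] = {
            "sources": sources,
            "distinct_passwords": len(hits),
            "password_reuse": reuse,
            "signed_up_with_work_email": email.endswith("@" + CORP_DOMAIN),
            "action": action,
        }
    return report


if __name__ == "__main__":
    for email, finding in exposure_report(VIPS, DUMP).items():
        print(email)
        for key, value in finding.items():
            print(f"  {key}: {value}")
```

The roster is normalised the same way as the dump so that a leaked `J.Doe@SunshineHealth.example` still matches; the `cfo` address produces no entry, which is the outcome you want to be able to show the board for the people who are not exposed.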
In terms of other defence measures, another member of the Purple Knights notes that much of the groundwork has already been done in setting up the tech stack and layering defences. “The main threats we identified were any types of social engineering and phishing emails – user training is useful here,” the member says.
The team is also working with Sunshine Health’s chief security officer to develop a disaster recovery (DR) plan and an Incident Response (IR) plan.
However, there’s trouble ahead: the social engineering exercise used by the red team has worked – and they’ve gained access to the network. It’s time for them to start collecting information and living off the land. What steps can the Purple Knights take to mitigate an attack and protect Sunshine Healthcare from these criminals?
The exercise continues in Anatomy of a healthcare attack – part 2: Going for the jugular.