Russia-Ukraine War: Threats Facing the Healthcare Sector
Expert: As the Military Invasion, Cyberattacks Escalate, Entities Must Prepare
As Russia's military invasion and cyberattacks on Ukraine escalate, critical infrastructure entities, including those in the health and public health sector of the U.S. and other countries condemning Russia's actions, must also be on high alert for potentially disruptive cyber assaults, some experts warn.
"Any state-sponsored Russian attacks aiming to support the Russian invasion of Ukraine, or to retaliate for U.S., NATO, or other foreign measures taken in response to the Russian invasion of Ukraine, are most likely to be destructive or disruptive in nature, rather than aiming to steal data," says Paul Prudhomme, a former U.S. Department of Defense threat analyst who is now a researcher with cybersecurity threat intelligence firm IntSights, a Rapid7 company.
"There have already been reports of DDoS attacks on Ukrainian websites, and Russia has historically used DDoS in support of operations against other former Soviet republics, such as Georgia, in the past," he says.
It is a plausible scenario for state-sponsored Russian actors to expand the use of DDoS to include attacks against the U.S., NATO members and other foreign targets, such as government and financial services infrastructure, in retaliation for measures taken against Russia for its invasion of Ukraine, such as sanctions, he says.
"Healthcare is a potential target, but probably a much lower priority than the other more obvious ones, like government, financial services - particularly in response to sanctions against Russia - and utilities."
State-sponsored Russian actors previously used destructive malware to cause blackouts in Ukraine in 2015 and 2016, and state-sponsored Russian groups have also targeted the utility sectors of the U.S. and Europe, but without causing any disruptions, Prudhomme says.
"It was believed that these compromises of Western utility services aimed to maintain access to them in order to have the ability to disrupt them on demand in the event of a confrontation with NATO."
The disruptive impact of such attacks would depend on the type of attack and also the location. For example, an attack on Ukrainian targets would probably have a more severe impact, Prudhomme says.
"Ransomware and destructive malware attacks would have the most disruptive impact on the provision of clinical services, if healthcare organizations are unable to access patient records and other information and systems that they need in order to treat patients," he warns.
Prudhomme says that state-sponsored Russian actors could also pose as criminals by using ransomware to disrupt foreign targets, as they did in the 2017 NotPetya ransomware operation that targeted Ukraine.
"The attackers could simply refrain from decrypting files," he says, "even if they receive ransom payments, in order to maximize and extend the disruptive impact on victims."
As the conflict in Ukraine worsens, a top concern for healthcare sector entities is potential "collateral damage" related to cyberattacks and corresponding kinetic attacks, says Erik Decker, CISO at Intermountain Healthcare.
"Right now, there's no threat against the [U.S.] homeland directly that we’re aware of due to that conflict, but the ability for malware and other types of attacks that bleed over and come into the homeland is a concern," says Decker, who is also co-lead of a U.S. Department of Health and Human Services cybersecurity task force and an executive council member of the Healthcare Sector Coordinating Council, a critical infrastructure advisory group to HHS.
Website defacements "are often just a nuisance and probably the easiest to resolve," Prudhomme says. "DDoS attacks could disrupt public-facing websites, but the duration would depend in large part on how long the attackers choose to sustain the attack," he says.
Ukraine already has been experiencing website defacements, which provide attackers with an opportunity to spread messaging, he says.
"Website defacement is a more typically hacktivist tactic, but state-sponsored Russian actors could pose as hacktivists in order to disguise Russian state involvement and spread their strategic communication themes to international audiences by defacing Western websites," according to Prudhomme.
On Wednesday, the U.S. Department of Health and Human Services' Health Sector Cybersecurity Coordination Center, or HC3, issued an alert for the healthcare and public health sector - based on a recent advisory from CISA.
The agencies warn about incidents involving malicious actors using influence operations, including tactics like misinformation, disinformation and malinformation - aka MDM - "to shape public opinion, undermine trust, amplify division and sow discord."
Foreign actors engage in these actions to bias the development of policy and undermine the security of the U.S. and its allies, disrupt markets and foment unrest, the HC3 alert says. CISA's warning is intended to ensure that critical infrastructure owners and operators are aware of the risks of influence operations leveraging social media and online platforms, HC3 says.
As the conflict in Ukraine worsens, all critical sectors, including healthcare, should be reviewing response plans and increasing network and endpoint monitoring, says Michael Hamilton, CISO of security firm Critical Insight and former CISO of the city of Seattle.
Hamilton especially recommends that healthcare organizations ensure that vendors and business associates know to report their own compromises to covered entities. "An attack against a poorly-protected third party that has business relationships with lots of hospitals, for example, should initiate a response at those hospitals. If it happened to one of your suppliers, it may be headed toward you," he warns.
Tony Cole, CTO at security firm Attivo Networks, offers similar recommendations. "Talking now with your internet and cloud service providers is a good first step to understanding how your offered services can be impacted and what should be done in your enterprise to counter an attack," he says.
Cole says ransomware attacks are likely to increase significantly, and organizations need to "ensure that multifactor authentication is in place, identity services are managed and protected, proper cyber hygiene is being followed, and pristine backups are stored off-site and ready for use."
Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center, tells Information Security Media Group that, in light of the escalation in the Russia-Ukraine conflict, the group is issuing additional reports and intelligence for its members, including strategic analysis and possible implications for healthcare and pharmaceutical firms.
Health-ISAC has also published common exploits observed in a Russian state-sponsored toolkit and remediation strategies from the Health Sector Coordinating Council and CISA, he says.
"Health-ISAC received a number of alerts and briefings from government and other subject matter experts on the geopolitical threats the sectors face as a result of the Eastern European situation," he says.
"Health-ISAC and our members globally are currently monitoring the rapidly developing events very closely to determine any anomalies or impacts from geopolitical tensions and shoring up business continuity plans as well as cybersecurity policies, plans and procedures."
In the U.S., for example, Health-ISAC has established sharing protocols with the Department of Homeland Security, HHS, the FBI and the Office of the National Cyber Director and others to ensure the delivery of timely indicators of compromise, vulnerability and threat information to help protect members' networks, Weiss says.
"Health-ISAC has established communication and reporting mechanisms with many government agencies to provide a common operating picture of the health sector during times of crisis like what we’re seeing unfold now."
'Plan for the Worst'
Brett Callow, a threat analyst at security firm Emsisoft, says U.S. healthcare providers "should adopt a 'hope for the best,' 'plan for the worst' strategy and immediately review CISA’s Shields Up advice, taking whatever action is necessary to address any weaknesses in their defenses."
The CISA Shields Up guidance recommends that organizations - of any size - should prepare for the likelihood of a damaging cyber intrusion, especially as the Russian government potentially considers escalating "destabilizing actions" in ways that may affect others outside of Ukraine.
Health-ISAC is encouraging its member organizations to take immediate steps to review and, if necessary, upgrade their cybersecurity to prepare for potential consequences that might result from a nation-state-sponsored cyberattack, Weiss says.
It is also important for entities to remember that "the Russians use proxies - both as cutout threat actors but also in terms of attacking through a proxy," Hamilton says. "Know what’s happening with your business partners, because you may be the actual target. This is especially important for health, finance, energy and other sectors that we rely on for life safety and quality of life. Local governments are high up on that list as well."
Hamilton says everyone should make sure that all their employees are aware that this is a time of heightened tension, and they should limit access to internet messaging through personal accounts and report any strange event, "including unexpected messaging from dubious sources."
Malware attacks, including ransomware propagated via phishing campaigns, are on the rise and a top concern that U.S. healthcare organizations should be better prepared to deal with, says Blaise Wabo, healthcare and financial services leader at security firm A-LIGN. "People are the weakest link … and should have proper security awareness training. Also, organizations should ensure they are using anti-malware software, intrusion detection and prevention systems to proactively filter, identify and block malware attacks."
Security leaders should also keep in mind that nation-state attackers "usually can craft mutated attacks to render threat intelligence unhelpful, use 'living off the land' techniques to bypass endpoint security and focus on disruption rather than ransoming data which can, in many cases, be easier for them to achieve," says Saumitra Das, CTO and co-founder of security firm Blue Hexagon.
"Healthcare entities should assume that there could be cyberattacks to disrupt them - and not just in the critical infrastructure sector - because any disruption helps provide leverage to a nation-state," Das says.
In the meantime, Callow says, the Ukrainian healthcare sector may be at risk due to its own security shortcomings.
"For example, in other areas of the Ukrainian public sector, pirated software is widely used, and that represents a significant security risk. Even if the healthcare sector isn’t specifically targeted, it could still potentially experience spillover attacks or disruption due to a myriad of other issues. At this point, we can only hope for the best," he says.
Aside from the threat of cyberattacks disrupting healthcare delivery in Ukraine, the country is already dealing with physical destruction - as well as deaths and injuries - at hospitals that have been hit by Russian military actions, according to some news outlets.
NBC News on Thursday reports that Ukraine's ambassador to the U.S. says Russia has attacked hospitals in Ukraine. The Guardian reported early on Thursday that the Ukrainian interior ministry said four people had been killed and 10 injured after an "occupier’s shell" hit a hospital in the city of Vuhledar in the Donetsk region.