Cyber security

 Under the skin: the medical device industry and the dark web

Medical companies are some of the organisations most frequently targeted by cybercriminals, who often use malware tools traded on the dark net; according to a University of Surrey report, 24% of dark web vendors offer access to the healthcare vertical market. But just how deep does the rabbit hole go? Chloe Kent investigates.

Cybercrime is an incredibly lucrative business, and neither corporations nor governments are doing enough to protect themselves from it. Healthcare organisations store vast amounts of personally identifiable information (PII), making them uniquely vulnerable to these kinds of attacks.

A report produced by University of Surrey senior lecturer in criminology Dr Michael McGuire, funded by virtualisation-based cybersecurity company Bromium, indicates that the healthcare industry is actually the third most-targeted sector, after banking and e-commerce. More dark net vendors offer access to healthcare vertical market databases than any other industry, at 24%.

The real-world consequences of cybercriminals’ hunger for healthcare data are hard to miss: the UK’s NHS lost £92m and was forced to cancel thousands of appointments during the global WannaCry ransomware hack in 2017, while a 2015 cyberattack on US health insurance provider Anthem saw hackers steal 78.8 million patient records. In 2018, hackers were able to breach the Singaporean Government’s health database and access the data of 1.5 million patients.

Why is the medical sector so vulnerable?

“Healthcare data is the richest form of PII,” says Bromium CEO Ian Pratt. “We’ve seen that information get used in a variety of different ways. One particularly nasty way we’ve seen it used is in doxxing attacks where healthcare providers have had their systems compromised and personal information has been exfiltrated.”

In a doxxing attack, hackers breach someone’s personal data and publish it online. The word comes from hacker vernacular for ‘documents’, which became ‘docs’ and then ‘dox’. Doxxing attacks can include the publication of full names, addresses, phone numbers and personal healthcare records.

The most famous cases of doxxing are those motivated by a sense of retribution, such as the case of Kyle Quinn, a biomedical engineer who was doxxed after being falsely identified as a participant in the 2017 Charlottesville Unite the Right rally. However, when it comes to malicious dissemination of patient healthcare data, Synopsys principal security engineer Chris Clark says: “The important thing to remember is that an attacker is looking to generate cash flow, not necessarily to harm a specific individual.”

Instead of being motivated by the desire to publicly shame someone, healthcare doxxing is primarily motivated by financial profit.

Pratt says: “Sometimes doxxing is combined with a crypto malware attack, where criminals will encrypt all of the information so the healthcare provider doesn’t have it anymore and then demand payment, contacting folks whose health records they have exfiltrated. They’ll find individuals with embarrassing conditions and get them to contact the healthcare provider and urge them to pay the ransom. Through this, cybercriminals can extort large sums of money from healthcare providers.”

Alongside data about a patient’s medical history and current medical needs, healthcare records can also contain financial data and insurance data, which can be exploited in its own way. Hackers, or third parties who’ve purchased data from the dark web, may extract money from patients’ bank accounts, or issue bills to their credit cards for goods and services they didn’t purchase. But what exactly is the dark web, and how does this shadowy digital underworld facilitate online threats to healthcare and medtech organisations?

What is the dark web?

The ‘dark’ web refers to online content which is not accessible via standard web browsers, but can be accessed through specialised darknet software, the most popular of which is known as Tor. The dark web is not to be confused with the ‘deep’ web, meaning pages which can be accessed through standard web browsers but are password-protected, such as personal internet banking and government databases.

Tor looks and behaves like a normal web browser. The key difference is that instead of registering each user’s IP address straight away, Tor bounces it around computers around the world, encrypting and decrypting the user’s identification as it goes. That way no one knows where the request has come from. By browsing the internet anonymously, the user can access certain websites that can’t be reached through a mainstream browser, including online black markets.

According to McGuire’s report, there has been a 20% rise in listings on dark net marketplaces, which have the potential to cause harm to corporate and government organisations. This includes targeted malware for sale, distributed denial of service (DDoS) solutions, corporate data for sale and brand-spoofing phishing tools. However, most listings on these marketplaces are for illegal drugs.

Of all the non-drug listings assessed in the report, 60% represented an opportunity for direct harm while a further 15% represented an opportunity for indirect harm.

Fixing the problem

Pratt says: “Organisations really need to start taking security more seriously. People believe that after we install a few security products, antivirus and perhaps some email scanning, then it’s job done. But the bad guys are making so much money right now that it just doesn’t work anymore.”

The regulatory net is closing in on companies that have failed to protect their data against cybersecurity breaches. The UK Information Commissioner’s Office (ICO) recently issued a fine of £183m to British Airways for a breach of customer data from its website and mobile app.

Between 21 August and 5 September 2018, around 380,000 financial transactions processed by British Airways were believed to have been compromised. While customers’ personal and financial details were stolen, their travel and passport information was not affected.

From electronic databases to software-powered medical devices, a lot of healthcare technology is still powered by Windows XP, an operating system which is now 17 years old. This out-of-date system is incredibly vulnerable to cyberattacks, particularly as it is no longer being supported with security updates.

Clark says: “Healthcare providers must look at security across their entire healthcare delivery organisation. That means a strong defence-in-depth solution that looks at each entity within the healthcare delivery organisation and determines necessary security measures based on risk.

“An actionable starting point is to gather a clear data-driven view of the activities currently in place to secure the software currently in use within your business. This can be done through a Building Security In Maturity Model (BSIMM) assessment—from the results, firms are able to assess the current state of their software security initiative, identify gaps, prioritise change, and determine how and where to apply resources for immediate improvement.”

The risks presented by the dark web, and the criminal operations it facilitates, are a problem for governments and cybersecurity experts to address. As the balance of power continues to shift back and forth between cybercriminals and the systems designed to thwart them, a technical solution may emerge to reduce the impact of IP-masking dark web browsers like Tor. In the meantime, vulnerable medical organisations must make sure that their security systems are up to scratch so that they don’t fall victim to the next big hack, whatever its point of origin.
