Anatomy of a Cyberattack

By: Tom Powers, founder and chief technology officer of StrataDefense

Cyberattacks have remained an ongoing security threat for organizations around the world. As society has gone increasingly digital, cybercriminals have sought to maximize their profits by exploiting our vulnerabilities.

The work-from-home trend that accompanied the COVID-19 pandemic increased our vulnerability, and threat actors have been quick to escalate their attempts at cybersecurity attacks. Since the pandemic, we’ve seen an increase in both the frequency of cyberattacks and size of ransom payments – in 2020, the amount companies paid to hackers grew by 300%, according to the Harvard Business Review.1

And the data-rich healthcare industry continues as a top target of cyberattackers.

In this article, we will discuss what a cyberattack looks like and how medical practices can be as prepared as possible in light of the ever-increasing chances of an attack.

What is Cybersecurity? 

According to the Department of Homeland Security, cyberspace and its underlying infrastructure are vulnerable to a wide range of risks stemming from both physical and cyber threats and hazards.

Sophisticated cyberattackers and nation-states exploit vulnerabilities to steal information and money and are developing capabilities to disrupt, destroy or threaten the delivery of essential services. Many traditional crimes are now being perpetrated through cyberspace. This includes banking and financial fraud, intellectual property violations, health record theft and identity theft, all of which have substantial human and economic consequences.2 In 2020 alone, the FBI received 15,421 Internet crime complaints.3 In the first half of 2021, there was a 102% increase in ransomware attacks over the previous year.4

Health records are particularly valuable to cyberattackers. By coupling an individual’s health records with financial records, a cyberattacker can create an identity for multiple purposes. They not only can get a loan in your patient’s name, but also commit Medicare fraud. They can bill for services that never actually happened. 

So it’s no wonder that, according to IBM’s Cost of a Data Breach Report 2023, the average cost of a healthcare data breach is the highest of any industry — $10.9 million per incident — for the 13th consecutive year. Costs include downtime, lost business, legal costs, regulatory fines, lost productivity and brand damage, and they add up very quickly.5 Sources estimate that the healthcare industry will spend $125 billion on cybersecurity in the next few years.6

Though we hear about cyberattacks constantly in the news, people tend to believe that “it can’t happen to me. I’m a small practice. I’m not on the radar. I don’t have anything that anybody wants to steal.” Then, rationalization kicks in. You tell yourself, “I’m going to just put up better defenses and then I’ll be safe.” Both of those mindsets must change. It’s not a matter of if cyberattackers get in; it’s when — and whether you will be prepared when it happens.

Cyberattackers are experts at being quiet and hunting information. They know how your staff members work, where they tend to make security mistakes and where to find your most valuable data. An attacker is typically in a network for 207 days before detection. Afterward, it takes 70 days on average to get rid of them.6 During that time, they’re sitting in your network, watching, mining information and evading your attempts to hunt them, and likely have gone through every bit of information you have a dozen times over.

How Cyberattacks Happen 

Most medical practices have a general level of cybersecurity defenses in place. They may have a firewall and anti-virus and anti-malware software, all with default configurations. They likely have email encryption and spam filters. Patient health data is stored in an electronic health record (EHR) platform with encryption. Some practices also do social engineering testing.

All of this is a good start, but cyberattacks have gotten increasingly sophisticated, and cybercriminals know how to evade these security measures. That means you need to better understand how cyberattacks occur and you need even better defenses.  

Step 1: Payload Download 

Cyberattacks begin with attempts to download a piece of software, generally known as malware, that is designed to give the attacker access to your system or to infect it. This can happen when somebody at your practice unknowingly clicks on an Internet link, opens an email attachment or inserts a USB drive. Unfortunately, most people tend to be very trusting of the content they see on their computer, and it is common for a staff member to click on a link sent to them before realizing the risks.

Defending against these downloads requires hypervigilance from all staff members, who need to understand they should not click on links from unknown or suspicious sources. Even if they think a link is legitimate, it’s worth a call to the sender for verification.

In addition, given today’s climate, you should prohibit the use of USB drives unless they serve as a software licensing key for equipment such as MRI machines, in which case you can make an exception. Otherwise, ban USB drives to avoid them becoming a source of infection in your network (or data loss if they are stolen). 

Step 2: Installs to Machine 

The next step in the cyberattack process is to install the downloaded malware on your system. When users are the local administrators of their hardware, that is easy. Only your IT team should be able to install programs on your practice computers and other devices. Even that, however, is no guarantee against an attacker successfully installing malware.

Step 3: Command and Control 

Next, the downloaded and installed file calls back home. In other words, it has to get its instructions from somewhere, so the attacker sets up a command-and-control server. For example, the attacker may be in Russia but will not set up their command-and-control server there. They will establish it on the Amazon cloud on the Eastern seaboard. That is within the U.S., so geo-blocking defenses on your firewall (which restrict traffic based on the geographic location of the remote address) are now defeated. Once the installed file calls back home, your machine can respond to the attacker.

Step 4: Gain Persistence 

Once the cyberattacker has a connection, which means the download has called back to them and they are now controlling your machine, they need something called persistence, which is the ability to survive a reboot. If the user logs off or closes the application, the attacker will not be able to trick the user into clicking the link again. So once the attacker has a connection, they make a change to the operating system, such as a new service, a scheduled task, a print monitor or a startup entry in the registry.

Now the attacker is set: when the user’s machine reboots, it will automatically call back to the attacker when it comes back online. A callback can also be set up as a scheduled task, so that, for example, the machine calls back to the attacker every hour.

The machine is now contacting the attacker directly with no user intervention, which means that the attacker is able to maintain control of it. To defend against this, your practice will need monitoring services for task creations and modifications. Your IT team should know what your workstations look like and should be able to identify changes with regular checks.
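One way to do the “know what your workstations look like” check described above is to record the persistence locations this step names (services, scheduled tasks and registry startup entries) on a known-clean machine and diff later runs against that record. The script below is an added example, not code from the article or from StrataDefense; it assumes an elevated PowerShell 5.1 or later session on Windows 10/11, and the baseline file path is an assumption.

```powershell
# Added example (not from the article): snapshot services, scheduled tasks and Run keys,
# then report anything that differs from a saved baseline.
# Assumes an elevated PowerShell session on Windows 10/11; the baseline path is an assumption.
param(
    [string]$BaselinePath = "$env:ProgramData\PracticeIT\persistence-baseline.json"
)

function Get-PersistenceSnapshot {
    # Services: name plus the binary they launch
    $services = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        [pscustomobject]@{ Type = 'Service'; Name = $_.Name; Detail = $_.PathName }
    }
    # Scheduled tasks: full task path plus the first action's program and arguments
    $tasks = Get-ScheduledTask | ForEach-Object {
        $a = @($_.Actions)[0]
        [pscustomobject]@{ Type = 'Task'; Name = "$($_.TaskPath)$($_.TaskName)"; Detail = "$($a.Execute) $($a.Arguments)" }
    }
    # Startup entries in the machine-wide and current-user Run keys
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Type = 'RunKey'; Name = "$key\$($_.Name)"; Detail = $_.Value } }
    }
    @($services) + @($tasks) + @($run)
}

$current = Get-PersistenceSnapshot

if (-not (Test-Path $BaselinePath)) {
    # First run, on a known-clean machine: record what "normal" looks like
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    "Baseline written to $BaselinePath ($($current.Count) entries)."
    return
}

# Later runs: anything present now but absent from the baseline is new or changed
# and should be reviewed by the IT team before it is accepted into the baseline
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
Compare-Object -ReferenceObject @($baseline) -DifferenceObject @($current) -Property Type, Name, Detail |
    Where-Object { $_.SideIndicator -eq '=>' } |
    Select-Object Type, Name, Detail
```

Windows also records these changes as events (Security log ID 4698 when a scheduled task is created, 4702 when one is updated, and System log ID 7045 when a new service is installed), which gives the log aggregation recommended later in this article an independent second signal.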

Step 5: Lateral Movement 

Once the cyberattacker has control of one machine, lateral movement allows them to control others. Maybe they already control the practice administrator’s machine, but now they want access to the doctors’ machines or the IT administrator’s machine.

They typically accomplish that through administrative shares or what’s called WinRM or PowerShell remoting. This often works because nobody in the practice turned on the firewalls on their local PCs within the network, or domain users have too many rights, or patching is not up-to-date. If you have unpatched operating system flaws, attackers can exploit them and move around. 

To defend against lateral movement, your IT team needs to take domain users out of the workstations’ local administrators group. They also should turn on the Windows firewall on all PCs (if it isn’t already), remove access to PowerShell and disable the WinRM service on all Windows machines.
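The three checks above (broad groups in the local administrators group, firewall profiles switched off, WinRM left running) can be audited on each workstation with a short script. This is an added example, not code from the article or from StrataDefense; it assumes a domain-joined Windows 10/11 workstation and an elevated PowerShell session, reports findings by default and only changes settings when run with -Remediate.

```powershell
# Added example (not from the article): audit a workstation against the lateral-movement
# defenses above and, with -Remediate, apply them. Assumes a domain-joined Windows 10/11
# host and an elevated session. Blocking PowerShell itself is an AppLocker/WDAC policy task,
# outside this script.
param([switch]$Remediate)

$findings = @()

# 1. Broad groups such as Domain Users must not be local administrators
$broadGroups = 'Domain Users', 'Authenticated Users', 'Everyone'
foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $short = ($m.Name -split '\\')[-1]
    if ($short -in $broadGroups) {
        $findings += "Local Administrators contains a broad group: $($m.Name)"
        if ($Remediate) { Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name }
    }
}

# 2. Every Windows Firewall profile (Domain, Private, Public) should be enabled
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True') {
        $findings += "Firewall profile disabled: $($p.Name)"
        if ($Remediate) { Set-NetFirewallProfile -Name $p.Name -Enabled True }
    }
}

# 3. WinRM should be stopped and disabled so PowerShell remoting cannot be used as a hop
$winrm = Get-Service -Name WinRM
if ($winrm.Status -eq 'Running' -or $winrm.StartType -ne 'Disabled') {
    $findings += "WinRM service is $($winrm.Status) with start type $($winrm.StartType)"
    if ($Remediate) {
        Stop-Service -Name WinRM -Force
        Set-Service -Name WinRM -StartupType Disabled
    }
}

if ($findings.Count -eq 0) { 'No lateral-movement findings on this host.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it without -Remediate first across the practice so the IT team can confirm that no management tool depends on WinRM before it is disabled everywhere.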

Step 6: Privilege Escalation 

What happens when attackers start moving around? They are going to find different people logged in at different levels of permissions or rights and can try to escalate their privileges — their ability to access different types of information in your system. To stop privilege escalation, your IT team needs to establish administrative user segmentation, where you have different accounts for different levels of the network to control how much of it might be breached at one time. 

For example, an IT administrator may have an administrator account that works only on workstations, another account for database servers, and yet another account for Exchange or other mail servers, along with a domain administrator account that lives only on the domain controllers. Each account only has rights to its specific target and no rights anywhere else, limiting the amount of access anyone, including cybercriminals, has.

Step 7: Network Recon 

Once your attacker has the control and the administrative rights they want, they can start looking for data. Think about where the treasure trove of information is located on your network. To give a hint, it is not in your EHR system! Your EHR system likely has multifactor authentication requirements and bells and whistles that go off when it is attacked.

Most of the information that is stolen can likely be found right on the Windows network. Attackers will find the reports that didn’t get cleaned up and the emails that are stored incorrectly, courtesy of the data packrats that exist in every practice. Those hoarders are a treasure trove to cybercriminals, who can easily find personally identifiable information (PII) and search it with terms such as “patient presents” or “diagnostic information.” If someone can find your blank files, then they can look for completed ones. The recycle bin is another great place to find data, because people forget to empty it.

If you’re not scanning for this data and you’re not looking for information that shouldn’t be on workstations, laptops and servers, you’re doing a disservice to yourself and your practice. To defend against this step, your IT team must identify, organize and locate where the personal health information (PHI) or the PII exists.

Have your IT team set up group policies to empty recycle bins and turn off Exchange caching so that email messages no longer exist on local machines. The goal is to minimize what is on local workstations and to clean up temporary files. Take away the low-hanging fruit so cyberattackers have to work harder.

Step 8: Data Theft 

Now that your attacker found your data, they are going to zip it and transfer it over HTTPS. That way, your firewalls will view it as regular encrypted traffic, no different than communicating with your bank online.

To defend against data theft, IT teams should remove PHI and PII from your network and configure your web filters and firewalls to look for this type of theft using SSL inspection, application control and something called DLP filtering. DLP stands for data loss prevention and is on 99% of next-generation firewalls. 

DLP looks for data such as Social Security numbers, credit card numbers, driver’s license numbers and Medicare information. All of the things that your attacker would be looking to steal, DLP looks to protect. Some next-generation antivirus software will also look for this data on the local workstation.

Finally, your cyberattacker goes quiet and watches for new data to mine and steal. When an attacker gets this far, you’ve failed to protect your network and there are no known remaining defenses to put in place. If the attacker has installed a type of malware called ransomware:

  • They have encrypted your data and, just as the name says, will ask you to pay a large ransom to release your system and information back to you.
  • Or you discover the attacker, but they already have stolen what they want and execute the ransomware to destroy your system as they make a clean exit. This type of attack is truly insidious and typically is the cause of major data breaches.
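The scan for stray PHI and PII that Step 7 calls for, and the patterns Step 8 says DLP looks for, can be approximated with a workstation-side script that reports where such data sits so the IT team can move or delete it. This is an added example, not code from the article or from StrataDefense; it assumes an elevated PowerShell 5.1 or later session, and the folders, file types and report path are assumptions.

```powershell
# Added example (not from the article): scan user and share folders for SSNs, card numbers
# and clinical text, and report file locations (never the values). Assumes an elevated
# session; the paths, file types and report path are assumptions.
param(
    [string[]]$Paths  = @("$env:SystemDrive\Users", "$env:SystemDrive\Shares"),
    [string]  $Report = "$env:ProgramData\PracticeIT\pii-scan.csv"
)

# Only plain-text formats are searched; Office and PDF files need a text extractor first
$fileTypes = '*.txt', '*.csv', '*.log', '*.rtf', '*.eml', '*.xml', '*.htm*'
$patterns = @{
    SSN          = '\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b'
    CardNumber   = '\b(?:\d[ -]?){12,15}\d\b'   # 13-16 digits, confirmed with Luhn below
    ClinicalText = '\bpatient presents\b'       # the article's own search phrase
}

function Test-Luhn([string]$Candidate) {
    # Mod-10 check that weeds out phone numbers and other digit runs
    $s = $Candidate -replace '\D', ''
    $sum = 0; $double = $false
    for ($i = $s.Length - 1; $i -ge 0; $i--) {
        $v = [int][string]$s[$i]
        if ($double) { $v *= 2; if ($v -gt 9) { $v -= 9 } }
        $sum += $v; $double = -not $double
    }
    return ($sum % 10) -eq 0
}

$hits = foreach ($root in $Paths) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include $fileTypes -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        foreach ($name in $patterns.Keys) {
            Select-String -Path $file.FullName -Pattern $patterns[$name] -AllMatches -ErrorAction SilentlyContinue |
            ForEach-Object {
                $valid = @($_.Matches | Where-Object { $name -ne 'CardNumber' -or (Test-Luhn $_.Value) })
                if ($valid.Count -gt 0) {
                    # Record where the data is, never the data itself, so the report is not a new PII copy
                    [pscustomobject]@{ File = $file.FullName; Pattern = $name; Line = $_.LineNumber; Matches = $valid.Count }
                }
            }
        }
    }
}

New-Item -ItemType Directory -Path (Split-Path $Report) -Force | Out-Null
$hits | Export-Csv -Path $Report -NoTypeInformation
"$(@($hits).Count) locations written to $Report for the IT team to move or delete."
```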

Stopping Attacks in Their Tracks

There are a number of steps your IT team can take to prevent and mitigate cyberattacks. In addition to protections discussed above:

  • Make sure you are using current antivirus and anti-malware solutions and ensure that they are properly configured.
  • Properly configure a web filter, either on your firewall or on a third-party device, that can look for malware downloads and installs.
  • Protect your system with ransomware detection software.
  • Implement log aggregation (the process of collecting, standardizing and consolidating log data from across an IT environment to facilitate monitoring and analysis of activity, including security issues and cyberattacks).
  • Install every patch offered for software to make sure functionality, features and security are up-to-date.
  • Use password managers to keep credentials in encrypted programs that are securely stored.

Those measures will remove 95 percent of your vulnerability. Make it hard on cyberattackers to infiltrate your network, and they are more likely to visit the practice down the street that didn’t take action against cyberattacks. 



1 Sharton, B. R. (2021, May 20). Ransomware attacks are spiking. Is your company prepared? Harvard Business Review.

2 Department of Homeland Security, Cybersecurity & Infrastructure Security Agency. 

3 Federal Bureau of Investigation, Internet Crime Complaint Center. Internet Crime Report 2020.

4 Iyengar, R., & Duffy, C. (2021, June 4). Hackers have a devastating new target. CNN Business.

5 IBM Security and Ponemon Institute. Cost of a Data Breach Report 2023.

6 Morgan, S. (2020, September 8). Healthcare industry to spend $125 billion on cybersecurity from 2020 to 2025. Cybercrime Magazine.



The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.