Under the skin: the medical device industry and the dark web

Chloe Kent 16 August 2019 (Last Updated August 16th, 2019 15:56)

Medical companies are some of the organisations most frequently targeted by cybercriminals, who often use malware tools traded on the dark net; according to a University of Surrey report, 24% of dark web vendors offer access to the healthcare vertical market. But just how deep does the rabbit hole go?


Cybercrime is an incredibly lucrative business, and neither corporations nor governments are doing enough to protect themselves from it. Healthcare organisations store vast amounts of personally identifiable information (PII), making them uniquely vulnerable to these kinds of attacks.

A report produced by University of Surrey senior lecturer in criminology Dr Michael McGuire, funded by virtualisation-based cybersecurity company Bromium, indicates that the healthcare industry is actually the third most-targeted sector, after banking and e-commerce. More dark net vendors offer access to healthcare vertical market databases than any other industry, at 24%.

The real-world consequences of cybercriminals’ hunger for healthcare data are hard to miss: the UK’s NHS lost £92m and was forced to cancel thousands of appointments during the global WannaCry ransomware hack in 2017, while a 2015 cyberattack on US health insurance provider Anthem saw hackers steal 78.8 million patient records. In 2018, hackers were able to breach the Singaporean Government’s health database and access the data of 1.5 million patients.

Why is the medical sector so vulnerable?

“Healthcare data is the richest form of PII,” says Bromium CEO Ian Pratt. “We’ve seen that information get used in a variety of different ways. One particularly nasty way we’ve seen it used is in doxxing attacks where healthcare providers have had their systems compromised and personal information has been exfiltrated.”

In a doxxing attack, hackers breach someone’s personal data and publish it online. The word comes from hacker vernacular for ‘documents’, which became ‘docs’ and then ‘dox’. Doxxing attacks can include the publication of full names, addresses, phone numbers and personal healthcare records.

The most famous cases of doxxing are those motivated out of a sense of retribution, such as the case of Kyle Quinn, a biomedical engineer who was doxxed after being falsely identified as a participant of the 2017 Charlottesville Unite the Right rally. However, when it comes to malicious dissemination of patient healthcare data, Synopsys principal security engineer Chris Clark says: “The important thing to remember is that an attacker is looking to generate cash flow, not necessarily to harm a specific individual.”

Instead of being motivated by the desire to publicly shame someone, healthcare doxxing is primarily motivated by financial profit.

Pratt says: “Sometimes doxxing is combined with a crypto malware attack, where criminals will encrypt all of the information so the healthcare provider doesn’t have it anymore and then demand payment, contacting folks whose health records they have exfiltrated. They’ll find individuals with embarrassing conditions and get them to contact the healthcare provider and urge them to pay the ransom. Through this, cybercriminals can extort large sums of money from healthcare providers.”

Alongside data about a patient’s medical history and current medical needs, healthcare records can also contain financial and insurance data, which can be exploited in its own way. Hackers, or third parties who have purchased data from the dark web, may extract money from patients’ bank accounts, or bill their credit cards for goods and services they never purchased. But what exactly is the dark web, and how does this shadowy digital underworld facilitate online threats to healthcare and medtech organisations?

What is the dark web?

The ‘dark’ web refers to online content which is not accessible via standard web browsers, but can be accessed through specialised darknet software, the most popular of which is known as Tor. The dark web is not to be confused with the ‘deep’ web: pages which can be reached through standard web browsers but sit behind password protection, such as personal internet banking and government databases.

The Tor browser looks and behaves like a normal web browser. The key difference is that, rather than sending each request directly from the user’s IP address, Tor relays it through a chain of computers around the world, adding and stripping a layer of encryption at each hop, so that the site being visited cannot tell where the request originally came from. By browsing the internet anonymously in this way, the user can reach certain websites that a mainstream browser cannot, including online black markets.
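The layered relaying described above, shown as an added example that is not from the article or from the Tor project: a toy onion-routing simulation in Python. The relay names, keys and request are constructed for the demo, and a SHA-256 XOR keystream stands in for Tor’s real per-hop ciphers; the point it shows is that each relay can only peel its own layer and so sees just the hop before and the hop after it.

```python
import hashlib

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with a SHA-256 counter keystream.
    Constructed for illustration only; Tor uses real ciphers with per-hop keys."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

# Constructed demo circuit: three relays, each sharing one key with the client.
RELAY_KEYS = {"guard": b"key-guard", "middle": b"key-middle", "exit": b"key-exit"}
PATH = ["guard", "middle", "exit"]

def build_onion(payload: bytes, path, keys) -> bytes:
    """Client side: wrap the request in one layer per hop, innermost layer first.
    Each layer's plaintext is '<next hop>|<inner cell>', so a relay that strips
    its layer learns only where to forward, never the full route."""
    cell, next_hop = payload, "DEST"
    for hop in reversed(path):
        cell = xor_stream(keys[hop], next_hop.encode() + b"|" + cell)
        next_hop = hop
    return cell

def peel_layer(hop: str, cell: bytes, keys):
    """Relay side: strip this hop's layer and recover the next hop plus inner cell."""
    next_hop, inner = xor_stream(keys[hop], cell).split(b"|", 1)
    return next_hop.decode(), inner

def route(cell: bytes, path, keys):
    """Simulate the circuit, recording what each relay can observe about the traffic."""
    views, prev = [], "client"
    for hop in path:
        next_hop, cell = peel_layer(hop, cell, keys)
        views.append({"relay": hop, "sees_from": prev, "sees_to": next_hop})
        prev = hop
    return cell, views   # cell is now the plaintext request the exit delivers

if __name__ == "__main__":
    request = b"GET /example-page HTTP/1.1"   # constructed sample request
    delivered, views = route(build_onion(request, PATH, RELAY_KEYS), PATH, RELAY_KEYS)
    for v in views:
        print(f"{v['relay']:6} sees {v['sees_from']} -> {v['sees_to']}")
    print("exit delivers:", delivered)
```

Running it shows that the guard sees the client but only the middle relay, while the exit sees the destination but only the middle relay; no single hop sees both ends.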

According to McGuire’s report, there has been a 20% rise in listings on dark net marketplaces that have the potential to cause harm to corporate and government organisations. These include targeted malware for sale, distributed denial of service (DDoS) services, corporate data for sale and brand-spoofing phishing tools. However, most listings on these marketplaces are for illegal drugs.

Of all the non-drug listings assessed in the report, 60% represented an opportunity for direct harm while a further 15% represented an opportunity for indirect harm.

Fixing the problem

Pratt says: “Organisations really need to start taking security more seriously. People believe that after we install a few security products, antivirus and perhaps some email scanning, then it’s job done. But the bad guys are making so much money right now that it just doesn’t work anymore.”

The regulatory net is closing in on companies that have failed to protect their data against cybersecurity breaches. The UK Information Commissioner’s Office (ICO) recently issued a fine of £183m to British Airways for a breach of customer data from its website and mobile app.

Between 21 August and 5 September 2018, around 380,000 financial transactions processed by British Airways were believed to have been compromised. While customers’ personal and financial details were stolen, their travel and passport information was not affected.

From electronic databases to software-powered medical devices, a lot of healthcare technology is still powered by Windows XP, an operating system which is now 17 years old. This out-of-date system is incredibly vulnerable to cyberattacks, particularly as it is no longer being supported with security updates.

Clark says: “Healthcare providers must look at security across their entire healthcare delivery organisation. That means a strong defence-in-depth solution that looks at each entity within the healthcare delivery organisation and determines necessary security measures based on risk.

“An actionable starting point is to gather a clear data-driven view of the activities currently in place to secure the software currently in use within your business. This can be done through a Building Security In Maturity Model (BSIMM) assessment—from the results, firms are able to assess the current state of their software security initiative, identify gaps, prioritise change, and determine how and where to apply resources for immediate improvement.”

The risks presented by the dark web, and the criminal operations it facilitates, are a problem for governments and cybersecurity experts to address. As the balance of power continues to shift back and forth between cybercriminals and the systems designed to thwart them, a technical solution may emerge to reduce the impact of IP-masking dark web browsers like Tor. In the meantime, vulnerable medical organisations must make sure that their security systems are up to scratch so that they don’t fall victim to the next big hack, whatever its point of origin.