Blog

The Untold Secrets of HHS Section 405(d): The Hidden Crisis in Healthcare OT Systems

Jul 19, 2024

The Untold Secrets of HHS Section 405(d): The Hidden Crisis in Healthcare OT Systems

Background

Modern healthcare institutions use digital technology to manage patient information, nursing services, medical testing, and even assist in medical surgeries. It is now common for medical staff to rely on IT and OT systems. However, any cyberattack on these IT or OT systems, essential for the daily operations of healthcare institutions, can affect the quality of patient services and the ability to save lives. For instance, a hospital hit by a ransomware attack might face issues such as being unable to access electronic health record (EHR) systems, hindrances in ambulance dispatch, delays in medical test results, and, most alarmingly, disruptions to surgical assistive devices.

Recent threat reports indicate that ransomware attacks targeting the healthcare industry globally in 2023 nearly doubled compared to 2022, with attacks in the U.S. healthcare sector increasing by 128%. The threat landscape for 2024 seems to persist:

  • In February 2024, UnitedHealth subsidiary Change Healthcare experienced a ransomware attack that disrupted the largest medical payment system in the U.S. This incident hindered medical insurance and drug payment operations, putting severe cash flow pressure on hospitals and threatening patients’ access to care. It also put personal health and identification information at risk of being leaked.
  • In May 2024, Ascension, a major private healthcare provider in the U.S., reported a ransomware attack that interrupted its health records and ordering systems. Employees had to revert to manual paper recording processes, significantly impacting accuracy and operational efficiency.
  • In June 2024, South Africa’s National Health Laboratory Service (NHLS) suffered a ransomware attack that effectively blocked communication between its laboratory information system and other medical databases, causing delays in public health facility lab tests.

Ensuring cybersecurity in healthcare institutions is crucial for protecting patient safety. Cyber threats to the healthcare sector must be taken seriously, requiring joint efforts from HHS and HPH departments. Threat actors are targeting not only hospital IT but also OT systems, which might be a blind spot for many hospitals that are only just beginning to focus on protecting their IT and medical data. This leaves significant security vulnerabilities that could become gateways for targeted cyberattacks or even incidental malware infections. This article analyzes recent threats faced by healthcare institutions and explains why they should judiciously invest in CPS protection solutions to safeguard patients and organizations from cyberattack threats.

 

New Threat Scenarios Facing Operational Technology in Healthcare

Many hospitals’ operational technology (OT) systems are alarmingly vulnerable to such cyberattacks. Furthermore, the range of attackers is broadening—from ransomware criminals to terrorists to hostile nations—all potentially planning such attacks. The increased importance of healthcare institutions following the COVID-19 pandemic has shown how the successful paralysis of hospitals can cause societal panic. Additionally, any disruption in medical facilities imposes immense operational pressure on hospitals.

In 2015, the U.S. Congress passed the Cybersecurity Act of 2015 (CSA) to enhance cybersecurity through voluntary information sharing between the private sector and the government. Section 405(d) of this act coordinates healthcare industry security practices, encouraging the development and adoption of best practices and standards to guard against cyber threats. The Health Industry Cybersecurity Practices (HICP) outlines the five current cybersecurity threats as:

  • Social engineering attacks
  • Ransomware attacks
  • Loss or theft of equipment or data
  • Insider, accidental, or intentional data loss
  • Attacks against network-connected medical devices that may affect patient safety.

 

New Type of OT/ICS Malware Attacks

Imagine a scenario where a hospital’s air conditioning system is attacked by ransomware. Despite how dire this situation would be, many healthcare institutions’ chief information security officers are responsible only for IT assets and not OT assets such as air conditioning systems. Thus, OT systems become a weak point. Threat actors consider anything or anyone capable of causing disruption to be “valuable”; any asset can be susceptible to a cyberattack, similar to how almost anyone exposed to the flu virus can get sick. The extent of the damage caused by a virus depends on the person’s vulnerability; similarly, the impact of cyber threats depends on the system’s vulnerability, not just the IT system getting infected

Recent cybersecurity media reports have discovered a new type of destructive ICS malware named Fuxnet. Attackers use Fuxnet, similar to Stuxnet, to disable industrial sensors and disrupt multiple sectors’ operations. This malware mainly targets IoT gateway devices. Attackers first obtain the device’s root password, use SSH to connect to them, and tunnel into internal systems, eventually gaining full access. Finally, they use malware to send random data to proprietary sensor network communication protocols, overloading communication channels and effectively disabling IoT sensors.

This threat highlights the importance of protecting OT/ICS environments, as today’s air conditioning, water treatment, and even energy management systems may adopt similar architectures. If attackers exploit vulnerabilities in IoT devices, it could pose serious risks to healthcare institutions.

 

Exploitation of Older Vulnerabilities

Vulnerabilities are weaknesses that, when exposed to threats, can cause harm and ultimately lead to some form of loss. Threats exploit vulnerabilities. For example, most people consider elderly individuals more vulnerable to the flu than young athletes. This increased vulnerability is due to aging immune systems, physical frailty, or even the inability to follow prescribed treatment plans due to cognitive decline. Today’s hospital digital infrastructure (including IT and OT systems) faces management challenges due to the vast number of connected devices and end-of-life (EOL) equipment.

Outdated systems in medical settings are a recognized issue. However, the challenges are compounded by a shortage of cybersecurity staff and resources, as well as a low tolerance for equipment downtime required for testing and patching. For example, it can take medical cybersecurity teams more than a year to roll out patches on a wide scale. Additionally, legacy equipment used by elderly patients may increase vulnerability to potential harm.

 

Zero-Day Vulnerability Attack

Threat actors might target commonly used products in healthcare institutions and exploit software vulnerabilities unknown to the owner, developer, or anyone capable of fixing it. This is a particularly destructive supply chain attack. Zero-day vulnerabilities in the hands of threat actors can access target systems’ networks and deploy ransomware.

On June 28, 2024, the U.S. Department of Health and Human Services’ Cybersecurity Coordination Center issued a security alert, warning the HPH sector about a severe vulnerability in the MOVEit Transfer application. This vulnerability was a major cause of the sharp rise in cybersecurity incidents in healthcare organizations in 2023, especially ransomware and data breaches. The MOVEit Transfer application can run on servers worldwide or as a SaaS (Software as a Service) version hosted by MOVEit Cloud. The severe vulnerability CVE-2023-34362 involves an SQLi-to-RCE (Remote Code Execution SQL Injection) flaw in the MOVEit Transfer Web application, allowing unauthenticated users to gain unauthorized remote access to MOVEit server environments.

 

Supply Chain Attacks

Supply chain attacks involve threat actors targeting third-party entities to gain indirect access to the target organization. They achieve this by infiltrating various third parties, such as a hospital’s software supplier, to spread malware. For instance, attackers may send fake updates or conduct phishing attacks using the supplier’s compromised systems, leading to malware infections in healthcare institutions.

The SolarWinds hack in December 2021 caused the most extensive and profound damage to U.S. government agencies, including the Treasury Department, Department of Energy, Department of Homeland Security, Department of Justice, and the National Security Agency. The SolarWinds attack is emblematic of the severity of supply chain attacks. Hackers first analyzed the software used by target organizations, identified suppliers with weaker cybersecurity, infiltrated their software update delivery infrastructure, embedded malware into their latest software versions, and delivered it to target organizations via the software update mechanism.

Single points of vulnerability in the supply chain will continue to be exploited by threat actors, especially in large, complex systems supporting OT infrastructure. The longer the supply chain, the more difficult it is for security teams to shore up weaknesses, as third-party products often contain multiple supply chains.

 

Modernize Defenses: New Architectures and Tools

In 2017, the U.S. Department of Health and Human Services (HHS) established the 405(d) Task Force, composed of experts from cybersecurity, privacy, healthcare, IT, and other fields. This task force is responsible for developing the voluntary “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” (HICP) program. The program provides cost-effective security guidelines to help healthcare institutions of various sizes implement these guidelines. It particularly emphasizes the feasibility and practicality of cybersecurity implementations. The technical volumes discuss ten practices tailored for small, medium, and large organizations:

  • Email protection systems
  • Endpoint protection systems
  • Access management
  • Data protection and loss prevention
  • Asset management
  • Network management
  • Vulnerability management
  • Incident response
  • Medical device security
  • Cybersecurity policies

 

Enhancing OT/ICS Security in HICP

In addition to the above defensive measures, to ensure uninterrupted hospital operations and the safety and availability of medical equipment, the OT Zero Trust architecture offers a proactive, scalable, and synchronized security update defense framework. Importantly, security tools should be able to inventory and assess potential vulnerabilities and adapt to any hospital environment with common devices. These tools need to reduce hospital manpower costs, protect vulnerable OT equipment, and allow staff to focus on patient care. This defense strategy includes four key areas:

  • Verifying Third Party Cybersecurity Efficacy: It is essential to regularly conduct network risk assessments for OT/ICS assets. This should include asset inspections before deployment, scans for changes, regular risk evaluations, and require third parties to manage security risks based on supply chain contracts as a criterion for future equipment procurement.
  • Implementing IPS Systems for Secure Communication: Use proprietary OT IPS technology to manage network communication, thus filtering out unnecessary activities and ensuring only essential, secure communication between IT and OT systems. Employ Virtual Patch technology to block exploitation of vulnerabilities, maintaining robust network defenses.
  • Extending CPS Protection to Detection and Response: Deploy CPS security solutions to detect malicious activities when OT firewalls fail. Enhance CPS detection and response by disabling unnecessary functions based on behavior baselines.
  • Comprehensive Asset Visibility: Achieve complete OT asset visibility to address shadow asset challenges. Use CPS security management platforms for OT lifecycle management, leveraging data and unique rating algorithms to prioritize vulnerabilities and enable quick threat responses, ensuring all assets are monitored and managed effectively.

 

Conclusion

As cyber threats evolve, healthcare institutions must remain vigilant and proactively strengthen cybersecurity measures. Continuous collaboration, improving cybersecurity practices, and adopting up-to-date defensive tools are crucial for protecting patient safety and maintaining the integrity of medical systems. The HHS 405(d) program and the adoption of defense-in-depth strategies are essential steps toward achieving a secure and resilient healthcare environment.

However, the protection of OT assets in healthcare institutions is still in its infancy. As nation-state actors target medical OT systems, malware development advances, and OT equipment vulnerabilities are exposed, healthcare OT becomes ever more susceptible to cyberattacks. Cybersecurity is an organization-wide issue, not just an IT concern. Just as patient care requires multidisciplinary teams, ensuring the security of medical digital systems requires comprehensive and multifaceted IT and OT cybersecurity. Cybersecurity must be expanded to encompass patient health, including CPS protection technologies, OT network defense, and asset threat inspection and vulnerability management, ensuring uninterrupted and precise patient care in medical digital systems.

TXOne image
TXOne Networks

Need assistance?

TXOne’s global teams are here to help!

or
Find support