Security: Healthcare, Computers and Ignorance/Inaction.

A year ago I wrote that with the then epidemic of "ransomware" attacks the Hackers had learned how to monetise remote attacks on Healthcare practices. That piece included detailed suggestions on minimum necessary practices and questions for suppliers and vendors.

This year started with the Pharmacy Board, the professions' registration/regulating authority, taking the unprecedented step of writing to all pharmacies, warning them of the danger to patient safety that "ransomware" now presents. I assert that for a well managed business, "ransomware" should be no more trouble than a failed disk.

This is a legal watershed moment: patients who suffer harm or loss because of a ransomware event now have cause for a negligence or malpractice action against the business, its principals, its I.T. staff/support company and the software vendor. Both Pharmacy and Medical Practice software is dominated by a single vendor, multiplying many fold the risk of compromise of clients.

This near monopoly places a high duty of care on the vendor, as the prime, even sole, source of I.T. Security advice to the businesses, to both adequately inform them of the full risks involved and confirm all their clients have adequate remediation and recovery, not prevention, processes in place.

The key to surviving any business disaster is "Prior Preparation and Planning", as our military friends would say. Computing and I.T. are just one Point of Failure: the rigorous planning and practice notionally already in place in every practice for fire, flood, equipment failure, major theft or malicious damage should cover loss of critical business data and patient records.

Remote attacks launched over the Internet have built steadily in volume and sophisticated since "the Hackers turned Pro" at the end of 2004. Coming up to the tenth anniversary of professional criminal activities over the Net, there are no grounds for any healthcare professional, owner or company director  to claim ignorance.

We've seen nation states enter the field with both Stuxnet and Mandiant's APT1 report. We must now presume every developed economy runs an active "Cyber Command" pursuing their interests over the Net as an extension of their military, intelligence and business espionage activities. "Cyber Command" and SigInt players behave identically to "Special Forces": they avoid detection, have deep resources and act with supreme patience. They also identify critical weaknesses and create highly targeted attacks against them. They will deliberately create mischief and mayhem, even widescale disruptions, to cover covert operations.

Since the Snowden revelations we, the public, know that the capabilities and actions of National Security players are much higher and broader than ever guessed. The Internet Security threat is much worse than you can imagine. If you are responsible for Healthcare records, not acting to protect against these high-level threats is no longer a legally defensible position. Ignorance and Inaction aren't an option now.

The problem with all these very sophisticated Cyberwarfare tools being released into the wild is they go into the wild. They all get picked up and reused by hackers, scammers and professional criminals. All software & network tools and techniques available to US Cyber-Command become available to hackers and criminal gangs as they are released into the wild. It only takes 12-24 months to see them in common use elsewhere because there are only a very few suppliers of malicious code and they're very good at what they do.

There are already an increasing number of business failures linked to failed I.T. systems, with some being linked directly to security breaches.

The most public business failure in Australia caused by a security breach was Distribute.IT in 2011. Nobody was ever charged over this because all evidence was removed when the disks were wiped and the backups had been turned off for an extended period beforehand.

What's your take-away from this? A criminal's would be "Wow! A blueprint to escape detection."
We know from the last 10 years of criminal hacking on the Net that they learn, adapt and overcome. This action/outcome will not have gone unnoticed.

The business directly lost $5 million, but the disruption and non recoverable losses suffered by the 4,800 clients was never tallied. There was no point in their launching any legal action, the business and its owners were wiped out financially, there was nothing avaiable to pay any compensation.

And one last "little complication": on Tuesday 8th April, 2014, the last public security updates will be released for Windows XP, the most popular Operating System from Microsoft first sold in 2001.

Already in this blog I've predicted that within 12 months no Windows XP system connected to the Internet will be free of malware. The hackers can read calendars too and will be saving their efforts and munitions, especially "Zero Day exploits" (previously unknown and unpatched backdoors), for when they can operate freely.

We know from Mandiant that in the best exploits, the victim never knows, unless the attacker wants something from them.

So there's the thing:
  • Do your backups, religiously.
  • Test your backups, frequently.
  • Don't ever think "I'm small fry, who could be interested in me?"
    • Expect to get compromised.
    • Be ready to recover from multiple worst-case scenarios.
There are many eyes watching your system(s) now and they're actively looking for ways in, if they aren't already. Indian call centres have been actively trawling phones in my area for the last 2 weeks attempting various "Social Engineering" attacks. These activities and "spear phishing" guarantee that someone in your business will open up your systems to attackers or give away the passwords. Mandiant reports these were some of the many techniques used to silently take over thousands of business computers throughout the world.

Cyber Security only ever ramps up in sophistication and intensity: you can't imagine the threat landscape in 12 months, let alone 5 years. The Internet is currently a much more dangerous place than you know, in a year that danger will increase, in 5 years it will be beyond recognition.

No comments: