© Copyright AAMI 2017. Single user license only. Copying, networking, and distribution prohibited.

Columns and Departments

CYBERINSIGHTS

Time Flies ... and Other Lessons Learned

Axel Wirth

“There’s a clear pattern here which suggests an analogy to an infectious disease process, spreading from one area to the next. … I must confess, I find it difficult to believe in a disease of machinery.” — From the movie Westworld (1973)

About the Author
Axel Wirth, CPHIMS, CISSP, HCISPP, is distinguished technical architect at Symantec in Cambridge, MA. Email: [email protected]

Biomedical Instrumentation & Technology March/April 2017, p. 163

First, and most importantly, congratulations to AAMI on its 50th anniversary and many years of thought leadership, standards development, education, advisory activities, and simply bringing people together. AAMI and its many employees, members, and volunteers have made our healthcare facilities safer.

Talking about safety: 50 years ago, cybersecurity was of no concern to hospitals or the medical device industry. After all, broader adoption of commercial electronic record and practice management systems did not arrive until the 1970s, and a fully functional public network (i.e., the Internet) did not emerge until the early 1980s and commercially until the late 80s. But lo and behold, with computers and networks came mischief and crime. In this article, I will go through a brief history of cybersecurity, with lessons learned along the way.

Viruses and Malware

Not by coincidence, even in the early days of academic work on the topic of self-replicating code, it was stipulated that computer viruses would show similar behavior to biological viruses—an analogy pursued by researchers to this day.1 We’ve known of “in the wild” viruses since 1982, initially written with nonmalicious intent but over time leading to increasingly aggressive and malevolent behavior and eventually becoming part of malicious attack tactics.

Early Theories and Research

The theory of self-replicating code goes as far back as the late 1940s (John von Neumann, 1949). In the early 1970s, the experimental self-replicating program Creeper spread via the ARPANET, infecting DEC PDP-10 computers. Experimental, fully functional viruses for a Siemens 4004/35 computer system were researched in 1980, and it was postulated that computer programs can behave like biological viruses.2

1982

The first computer virus released outside of a controlled lab environment is believed to be “Elk Cloner,” a prank written by a 15-year-old high school student. It was a floppy disk boot-sector virus written for the Apple II. If a machine booted from an infected disk, Elk Cloner would install itself in memory and replicate itself to new, uninfected disks. Infected computers would display a short poem at every 15th boot, and even though the disk-based infection vector limited its distribution rate, it did end up infecting gamers’ computers across the country and was even found on U.S. Navy computers.3

1986

Not to be outdone, the first computer virus targeting Microsoft OS (MS-DOS, remember?) also was a floppy disk boot-sector virus and was written by two brothers in Pakistan. They reportedly wrote “Brain” to track copyright infringement of medical software (a heart monitoring program) they had written. With that purpose, it was essentially nondestructive (besides slowing down disk access) and actually included the authors’ address and phone numbers with a message to “contact us for vaccination.” The brothers were surprised by their own success when they started to receive phone calls from the United States, United Kingdom, and elsewhere, eventually overwhelming their phone line. Ironically, the brothers are still running a business in Pakistan (Brain Telecommunication Ltd.).4 Not surprisingly, virus creation has followed technology waves (e.g., Commodore Amiga [SCA, 1987], Windows v1.4 [WinVir, 1992], social networking virus targeting MSN Messenger [Win32.5-0-1, 2001]).

Conficker

A major milestone in malware development, and something that deserves healthcare’s attention, is Conficker (also named Downup, Downadup, or Kido), a computer worm (i.e., a type of malware that is self-replicating and does not depend on a host file). It appeared in late 2008, targeting Microsoft Windows XP (and earlier).
It could spread via Internet, LAN, shared folders, mapped drives, peer-to-peer networking, and portable media (USB). Conficker may compromise administrator passwords, upgrade itself, install other malware, or form a botnet based on instructions received from a command-and-control server. It has the ability to hide in a system and defend itself from removal by encrypting its payload or by disabling system and update services. In that sense, Conficker was very effective in its ability to spread. It is estimated that the initial wave infected up to 15 million computers worldwide, including computers at the French Navy and the U.K. Ministry of Defence. Corporate networks have generally been upgraded and protected. However, due to the sophistication of some of the newer variants, Conficker infections continue to recur, and it has been reported to be a prevalent and ongoing problem for healthcare and medical device networks. Medical devices have a long, useful life, and many of the targeted legacy operating systems are still in use and behind in patch level, leaving the underlying Windows vulnerability exploitable to Conficker. In June 2016, Symantec reported that Conficker was the leading malware in healthcare, with an infection rate of 13%.

These are just a few relevant examples. Malware production has changed drastically, evolving from individual pranksters with intellectual curiosity to criminally motivated, tool-based mass production. To express it in numbers, we saw tens of thousands of new pieces of malware a year in the early 2000s, more than 1 million per year by 2008, and since 2015 more than 1 million per day!5

Cybercrime

Everything changed when criminals figured out that money could be made in cyberspace. Information, identities, credentials, and funds all could be stolen and monetized. Unlike with traditional crime, one does not even put oneself in harm’s way, has access to the entire world, and is protected by the complexities of international law enforcement.

Early Hacking

Although the term “hacking” predates computer-specific activities (e.g., phone system scams and control systems for model railroads), it became mainstream when the focus shifted to computer systems and the intent became malicious. One of the first incidents reported and investigated happened at Lawrence Berkeley National Labs. Use of a “honey pot tactic” allowed the system administrator to collect enough data to track the intrusion back to a group in West Germany that was selling military information to the KGB.6

Hackers for Hire

A newer and very concerning trend has been the arrival of hacking as a cybercrime service. This essentially separates skill from motive. In other words, you don’t have to be smart and malicious anymore to do damage in cyberspace; you can buy any service you need: information, identities, credentials, intellectual property, government secrets, reconnaissance, attacks, computer resources (botnets), and malware tools (which support the creation, obfuscation, testing, training, delivery, and management of malware).

Denial-of-Service Attacks

A new type of attack evolved in 2000 and was “invented” by a 15-year-old Canadian teenager. The advent of denial-of-service (DoS) attacks changed the picture, making assaults on computers disruptive and destructive. DoS attacks were designed to paralyze websites and businesses by overloading them with data. They were launched against commercial sites (e.g., eBay, Amazon), news outlets (e.g., CNN, Yahoo), and entire countries (e.g., Estonia, 2001).7 In late 2016, the Internet services provider Dyn experienced a major DDoS (distributed DoS) attack that led to wide regional Internet outages. The attack was unprecedented in terms of the size of the botnet (estimates range from a few hundred thousand to a few million devices) and in the nature of the devices. Unlike previous botnets, which would string together traditional computers, this attack was launched from Internet-of-Things (IoT) devices, such as security cameras and digital video recorders, that were compromised by the Mirai malware. It exploited the homogeneity of these types of IoT devices and the fact that a limited number of manufacturers use third-party software from a few suppliers. Hence, common vulnerabilities could be exploited across a large number of network-connected devices, enabling an efficient and relatively easy way of executing a mass-scale attack.8 The impact on Dyn’s business was immediate: An estimated 14,500 web domains ceased using Dyn’s managed Domain Name System services following the attack.

Large-Scale Breaches

Some recent data breaches stand out simply because of their sheer size. These include the 2015 theft of personal data (names, birth dates, Social Security numbers [SSNs], home addresses) of 79 million current and former Anthem customers and employees,9 as well as two incidents at the U.S. Office of Personnel Management (OPM), in which 21.5 and 4.2 million records of government employees were exfiltrated (including names, SSNs, addresses, etc., but also background checks and fingerprint data).10 Much has been speculated about who was behind these hacks (I will not go there) and their purpose. One theory is that large breaches allow for “big data”–type cross-correlation and provide insight about individuals’ movements and roles (e.g., by combining their government clearance [OPM] with their immunization records [health data breach]). Or, one could identify government employees that have high medical bills and may be recruitable by a foreign power. Again, these are only theories, but it’s certainly within the realm of possibility considering the amount and type of data stolen.

Ransomware

Although ransomware attacks are not new, they certainly surged in 2016. Individuals, city governments, police departments, and hospitals around the world were confronted with the tough decision of how to handle the loss of access to critical data. As criminals understand the value of information to today’s businesses, their strategy is fairly simple: encrypt essential data in place and ask for a reasonable ransom to provide the decryption key. It is a business model driven by volume rather than price, meaning the ransom asked for is set at a level that makes it attractive to pay, as compared to restoring systems or accepting the loss of data. However, not paying is generally advised, as payment only encourages the attacker.11 The recognition that money could be made led to a surge in the number of attacks, as well as in the evolution and sophistication of ransomware. We have seen attacks on nearly every platform, including mobile devices and even infrastructure (e.g., ticket machines of the San Francisco train system12). We now see ransomware encrypting already-ransomed files (Why spend the effort in finding the critical data if somebody already did it?) and even fake ransomware (just a pop-up message in hopes that somebody will pay). A great deal more could be discussed about cybercrime, but for the purpose of brevity, I leave it at these examples.

Cyberactivism and -warfare

An even more concerning development is cyberactivism and -warfare, executed by loosely knit social hacktivist groups like Anonymous or nation-sponsored cyberarmies. The goal of these groups is to assert influence to instigate social, political, or economic change. I previously wrote about the recent U.S. presidential election,13,14 but we also can look at the events of the Arab Spring, which were certainly supported and, in part, even enabled by online activism. Other examples of cyberwarfare or -activism include:

• In 2007, the Israeli Air Force conducted a stealth attack on a not-further-identified facility in Syria. Although the attack itself was conventional, it has been reported that a parallel cyberinfiltration blinded the Syrian radar and air defense systems.15
• A cyberattack against Georgia’s digital infrastructure is believed to have preceded Russia’s 2008 invasion, crippling the country’s banking system and disrupting cell phone services.16
• Another noteworthy development was the Stuxnet malware, which was discovered in 2010.17 Much has been speculated about who designed it (and I don’t want to add to that). But we do know the target of Stuxnet (Iran’s nuclear program) and its intent (to slow down the production of enriched uranium). What is noteworthy is that Stuxnet raised the bar for cyberattacks. It was highly targeted to a specific environment, was able to enter air-gapped systems via USB thumb drives, infected a Windows workstation, and then penetrated the downstream SCADA controller to run centrifuges at their mechanical resonance frequency, leading to their destruction. Additional important features were the malware’s ability to update itself, check for the configuration of the target environment, and only become active when there was a match. Lastly, it had the capability to self-destroy at a certain target date. Several relatives and derivatives have been identified since then (Duqu, Flamer, Gauss).18
• In 2014, the external web servers at Boston Children’s Hospital were subject to a DDoS attack that was believed to be the work of the hacker group Anonymous, which was taking on the cause of a teen girl who was placed in state custody.19 In addition, the group used “spear phishing” emails in an attempt to gain access to internal systems. As this attack was focused on the hospital’s external-facing web servers, the impact on internal processes was minimal, but external communication had to be shut down, at times affecting email communications and electronic prescriptions.20
• Similarly, it is also assumed that Anonymous was behind the 2016 attack on Hurley Medical Center in Flint, MI, to protest the ongoing local water crisis.21

What Lies Ahead?

The above examples are far from complete, but I selected them to support my larger story: Cyberattacks have become a reality in our personal and business lives, and we need to recognize that we are living in an era of unprecedented cyber-risks. We went from individual pranksters to organized cybercrime and a flourishing underground economy for cybergoods and -services, and as of recently, we have to include concerns about adversaries with political objectives. As attacks and attackers have changed, so have the targets. We moved from specific devices (desktops or servers), to information, then to infrastructure, and now to our larger society and economy; we went from intrusion to the risk of destruction and subversion. I still believe that a targeted attack with the goal to harm a specific patient is unlikely (but understand, we are talking probabilities here); however, a general and distributed attack on healthcare infrastructure that could shut down care delivery is, unfortunately, certainly within the realm of the possible, whether the motivation is financial or political.

Looping back to the beginning of this article: The next 50 years of patient safety will be different from what we have seen in the past. Although the old problems won’t go away, we still need to design medical devices and health software that are safe, reliable, and effective. But as software has increasingly infiltrated medical devices (and healthcare as a whole), and as medical devices move out of the traditional hospital space—all while cyber-risks have become more complex—we need to recognize that this problem is not limited to the individual device. This is a true “system-of-systems” problem, with all its challenges and complexities.

References

1. Ortiz E. Epidigitalogy: Surveying for Digital Diseases Like an Epidemiologist. Available at: www.forbes.com/sites/symantec/2014/11/06/epidigitalogy-surveying-for-digital-diseases-like-an-epidemiologist/#47adb39534a0. Accessed Feb. 9, 2017.
2. Wikipedia. Computer virus. Available at: https://en.wikipedia.org/wiki/Computer_virus. Accessed Feb. 9, 2017.
3. Leyden J. The 30-year-old prank that became the first computer virus. Available at: www.theregister.co.uk/2012/12/14/first_virus_elk_cloner_creator_interviewed. Accessed Feb. 9, 2017.
4. Wikipedia. Brain (computer virus). Available at: https://en.wikipedia.org/wiki/Brain_(computer_virus). Accessed Feb. 9, 2017.
5. Symantec. 2016 Internet Security Threat Report. Available at: www.symantec.com/security-center/threat-report. Accessed Feb. 9, 2017.
6. Florida Tech. A Brief History of Cyber Crime. Available at: www.floridatechonline.com/blog/information-technology/a-brief-history-of-cyber-crime. Accessed Feb. 9, 2017.
7. James R. A Brief History of Cybercrime. Available at: http://content.time.com/time/nation/article/0,8599,1902073,00.html. Accessed Feb. 9, 2017.
8. The Guardian. DDoS attack that disrupted internet was largest of its kind in history, experts say. Available at: www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet. Accessed Feb. 9, 2017.
9. Herman B. Details of Anthem’s massive cyberattack remain in the dark a year later. Available at: www.modernhealthcare.com/article/20160330/NEWS/160339997. Accessed Feb. 9, 2017.
10. Koerner BI. Inside the Cyberattack that Shocked the US Government. Available at: www.wired.com/2016/10/inside-cyberattack-shocked-us-government. Accessed Feb. 9, 2017.
11. Federal Bureau of Investigation. Ransomware Prevention and Response for CISOs. Available at: www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view. Accessed Feb. 9, 2017.
12. Weise E. Ransomware attack hit San Francisco train system. Available at: www.usatoday.com/story/tech/news/2016/11/28/san-francisco-metro-hack-meant-free-rides-saturday/94545998. Accessed Feb. 9, 2017.
13. Wirth A. ‘The Cyber Arms Race Is On’: Lessons from the U.S. Presidential Election. Biomed Instrum Technol. 2016;50(6):463–5.
14. Wirth A. For Want of a Nail. Biomed Instrum Technol. 2017;51(1):76–8.
15. Clark RA, Knake R. Cyber War: The Next Threat to National Security and What to Do About It. New York: Harper Collins; 2010.
16. Markoff J. Before the Gunfire, Cyberattacks. Available at: www.nytimes.com/2008/08/13/technology/13cyber.html. Accessed Feb. 9, 2017.
17. Vanity Fair. A Declaration of Cyber-War. Available at: www.vanityfair.com/news/2011/03/stuxnet-201104. Accessed Feb. 9, 2017.
18. Wueest C. Targeted Attacks Against the Energy Sector. Available at: www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/targeted_attacks_against_the_energy_sector.pdf. Accessed Feb. 9, 2017.
19. Farrell MB, Wen P. Hacker group Anonymous targets Children’s Hospital. Available at: www.bostonglobe.com/business/2014/04/24/hacker-group-anonymous-targets-children-hospital-over-justina-pelletier-case/jSd3EE5VVHbSGTJdS5YrfM/story.html. Accessed Feb. 9, 2017.
20. Nigrin DJ. When ‘Hacktivists’ Target Your Hospital. Available at: www.nejm.org/doi/pdf/10.1056/NEJMp1407326. Accessed Feb. 9, 2017.
21. Miliard M. Flint hospital hit with cyber attack after hacker group Anonymous promises action on water crisis. Available at: www.healthcareitnews.com/news/flint-hospital-hit-cyber-attack-after-hacker-group-anonymous-promises-action-water-crisis. Accessed Feb. 9, 2017.
