For the 13th year in a row, the healthcare industry has experienced the most expensive data breaches worldwide, at an average cost of nearly $11 million – double the cost for the next-highest industry, finance. That’s not surprising; ransomware attacks on hospitals and health systems are constantly in the news. Add to that the cybersecurity talent shortage, which is especially acute (pardon the pun) in the healthcare industry. Providing hands-on, specialized training for a new generation of skilled cybersecurity practitioners who understand the unique challenges of healthcare couldn’t be more timely.
Recently the Cybersecurity and Infrastructure Security Agency (CISA), U.S. Cyber Command and National Centers of Academic Excellence in Cybersecurity (NCAE-C) sponsored the Hack the Building 2.0 Hospital Edition competition at the Maryland Innovation and Security Institute (MISI) DreamPort facility in Columbia, MD, which operates as an incubator for U.S. Cyber Command. The NCAE-C program is managed by the National Security Agency (NSA) in partnership with CISA and the FBI. This was the second year the event was held, with the intent “to increase and strengthen the talent pool of future cybersecurity workers in the healthcare sector.”
This year, a dozen teams from NCAE-C designated universities squared off with government and industry teams responsible for conducting some of the nation’s most advanced cyber operations. The collegiate teams took part in either an offensive or a defensive capacity to understand both sides. Attackers were given a set of tasks or missions to complete, earning points throughout the competition. Defenders were charged with detecting and defending against advanced threats targeting critical infrastructure.
For the hackathon, MISI created an environment that simulated a real-world hospital, including simulated patient and billing systems, medical equipment, HVAC systems and other connected devices including operational technology (OT), Internet of Things (IoT) and Internet of Medical Things (IoMT). Students were introduced to the environment, given time to familiarize themselves with the assets and technology they needed to defend (or attack) and provided with the tools for detecting, denying and deterring threats.
Automated discovery, assessment and control at Hack the Building 2.0
Forescout was one of many vendors that supplied cybersecurity tools for simulating a realistic healthcare information security department. Several Forescout engineers attended the event to deploy the Forescout Platform, which continuously identifies, protects and ensures the compliance of all managed and unmanaged cyber assets. Following a brief training session, the students gained complete visibility into all connected assets – IT, IoT, OT and IoMT – communicating with the network.
With rich, contextual information from continuous, automated assessments of all connected assets, defenders quickly identified potential avenues of attack, including vulnerabilities. The Forescout Platform proved invaluable as a full-spectrum toolset, complementing traditional security measures while simplifying automation and orchestration, enriching the defenders’ experience, and educating them through intuitive processes and visualizations. Students praised its simplicity and its ability to provide clear insights into the environment and attackers’ tactics.
Defenders quickly identified the use of BACnet, a communication protocol for building automation and control, in the environment. Using the Forescout Platform, they were able to delve deep into the technicalities of the protocol and understand how to prevent its vulnerabilities from being exploited. They swiftly deployed virtual firewalls and switch ACLs, preventing attackers from compromising programmable logic controllers (PLCs) and potentially infiltrating the network.
Mixed threats: Where healthcare cybersecurity is headed
Student participants in Hack the Building 2.0 Hospital Edition got a healthy dose (sorry) of the threats health system InfoSec teams face. What’s difficult to simulate, however, is how it feels to be on the cybersecurity front lines every day defending the doctors and medical workers who are on the clinical front lines delivering patient care. In August, an agency within the U.S. Department of Health and Human Services solicited proposals for a new project, DIGIHEALS, aimed at using proven national security technologies to ensure patients can continue to access care after a cyberattack at a healthcare facility. Healthcare facilities are critical infrastructure and require the same level of defense. They also need events like this one to attract the brightest talent.
To see a more complex hospital-based scenario play out, watch the video of R4IoT, a proof-of-concept cross-device attack created by Forescout Research – Vedere Labs.