Trend Micro discussed the topic “Strengthening Cybersecurity Resilience in Malaysia's Healthcare Industry” in a media briefing held on Thursday, July 23, citing the security vulnerabilities of the healthcare industry, especially now that the industry is subject to heightened operations due to the COVID-19 pandemic.
Goh Chee Hoh, Managing Director of Trend Micro Malaysia, started the seminar with an introduction about new technologies transforming the digital world right now and how this digital transformation has also introduced new risks. According to his presentation, the top two issues are organisational misalignment and the overall complexity of cybersecurity measures.
However, in light of the pandemic, the industry faces additional risks as a consequence of the rapid shift to remote working. According to Trend Micro, COVID-19-related spam increased 220-fold and malicious URLs increased by 260 per cent from February to March 2020. This surge of attacks exacerbates the pandemic, especially in the healthcare industry.
Discussing these attacks on the industry, Law Chee Wan, Technical Director of Trend Micro Malaysia and Singapore, presented samples, including COVID-19-themed email attacks, ransomware and malicious domains. Law said that 42 per cent of these attacks are due to unintended disclosures, followed by hacking, which accounted for 41 per cent. Some healthcare workers' lack of awareness of data breach risks is one factor, along with a lack of enforcement of proper data protection mechanisms.
The seminar also covered how some medical devices, including drug-infusion pumps, x-ray services and blood refrigeration, are vulnerable to life-threatening hacks. Some of these weaknesses include weak or default passwords, unpatched systems and outdated operating systems.
With this, an infrastructure change should be introduced in the system. Law discussed the shift in security mindset from incident response to continuous response, and Trend Micro’s security awareness and assessment tools.
As part of this approach, Trend Micro introduced its “SaaS-based Security Awareness Service”, in which employees are subjected to phishing attack simulations to enhance their awareness of such attacks. According to the speakers, this test resulted in a single-digit percentage of employees clicking the mock malicious emails, which suggested that with the correct training, employees are far less likely to fall for this type of attack. Companies can customise the simulation and monitor the results in real time.
Mayra Rosario Fuentes, Senior Threat Researcher, Forward-Looking Threat Research Team (FTR) of Trend Micro, discussed the global and local statistics of cybersecurity risks in the healthcare industry and its risk profiles. Globally, there are 72,806 exposed devices, of which 2,861 are DICOM devices, 2,920 have expired SSL certificates and two are still running Windows XP.
Malaysia accounts for 1,306,768 exposed assets in total, 450 of which have exposed medical devices. Some risks include:
Exposed cyber assets could get compromised by hackers who steal sensitive data.
These assets could be leaking sensitive data online without the owner’s knowledge.
Hackers use lateral movement strategies to gain entry into the corporate network.
Compromised cyber assets can be used to run illegal operations such as launching DDoS attacks, becoming part of botnets, and hosting illegal data.
Hackers can infect hospitals with operation-halting threats like ransomware.
Fuentes also cited case studies from 2017 in which several medical institutions were breached. The stolen data was posted on anonymous forums, and some was given away for free. However, this data can be analysed or mined and used against the facilities.
The healthcare industry is subject to a massive influx of data, especially in this period, and with this come security vulnerabilities. With security measures installed from testing clinics to medical facilities, and with workers trained to be more aware of security risks, these vulnerabilities can be mitigated, or even better, prevented in the future.