
The cybercriminal group known as Orangeworm is once again targeting healthcare organizations, often acting through connected medical devices. The FBI released a Private Industry Notification (PIN) stating that the group was using Kwampirs Remote Access Trojan (RAT) to access healthcare networks. As the industry faces this threat, it’s imperative that healthcare leadership enact strong data loss prevention strategies. 

Understanding the Data Threat

Orangeworm was first discovered in 2015. The group primarily targets organizations in the healthcare industry, including medical equipment manufacturers, pharmaceutical companies, healthcare providers, and associated IT companies. The largest share of the group’s targets has been in the United States, which accounts for 17% of victims. The identity of the Orangeworm group is currently unknown.

As the FBI’s PIN states, the malicious actors are often accessing healthcare networks through connected medical devices. The group uses software typically found on x-ray and MRI machines as an entry point. Vendor software and hardware supply chains are a common vector for cyberattacks, and these products can be vulnerable when not monitored closely. 

Cybercriminals execute this type of attack in two stages. They will typically install or update an application in the software, using it as a way to drop a dynamic link library (DLL) into the network. This process is called DLL hijacking, and it essentially allows the attacker to run scripts freely within the victim’s system. In the first phase, the attacker enumerates 200 C2 server URLs, searching for one that’s active. Once an active server is found, they can place the malicious scripts and payloads onto the target network. That is the second phase.

And the second phase doesn’t happen quickly. 

Orangeworm is known for timing its attacks and moving slowly; the second phase of this process can take between 3 and 36 months. The group tends to time its attacks around certain events, like acquisitions and mergers, so organizations that are undergoing these types of transitions may be especially vulnerable.
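One defensive signal tied to the first phase just described: a host walking a long list of candidate C2 URLs shows up in proxy or firewall logs as a single internal machine failing against many distinct external hosts in a short window, which a plain retry loop against one dead server does not. The following is an added example, not code from the article or the FBI notification; the log line format, field order, IP addresses, hostnames and thresholds are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_line(line):
    """Parse one constructed proxy-log line: '<iso-timestamp> <src_ip> <dst_host> <status>'.
    A status of 0 marks a connection that never got a response (a dead C2 candidate)."""
    ts, src, dst, status = line.split()
    return datetime.fromisoformat(ts), src, dst, int(status)

def find_c2_sweeps(lines, window=timedelta(minutes=10), min_distinct=20):
    """Return {src_ip: peak number of distinct failed destinations} for every source
    that, inside any sliding window, failed against at least min_distinct distinct
    hosts. Retrying one dead host many times does not count; breadth is the signal."""
    failed = defaultdict(list)  # src_ip -> [(timestamp, dst_host)] for failed connects
    for line in lines:
        ts, src, dst, status = parse_line(line)
        if status == 0:
            failed[src].append((ts, dst))
    flagged = {}
    for src, events in failed.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past events that are too old
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= min_distinct:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged

def build_sample_log():
    """Constructed sample traffic (not real data): one host walking 25 dead C2
    candidates in under two minutes, one host merely retrying a dead vendor server."""
    base = datetime(2020, 4, 1, 10, 0, 0)
    lines = [f"{base.isoformat()} 10.1.5.20 portal.vendor.example 200"]
    for i in range(25):
        when = base + timedelta(seconds=4 * i)
        lines.append(f"{when.isoformat()} 10.1.5.44 c2-{i:03d}.candidate.example 0")
    for i in range(5):
        when = base + timedelta(seconds=30 * i)
        lines.append(f"{when.isoformat()} 10.1.5.20 updates.vendor.example 0")
    return lines

if __name__ == "__main__":
    for host, breadth in find_c2_sweeps(build_sample_log()).items():
        print(f"{host}: failed against {breadth} distinct hosts inside one window")
```

Tune the window and threshold to the site's normal traffic; the point is that a medical-device host normally talks to a handful of vendor endpoints, so breadth of failed destinations stands out.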

Recommendations to Engineers

Engineers working for manufacturing companies and healthcare providers need to take extra precautions to safeguard systems against this cybersecurity attack. Here are our main recommendations, which are in line with the recommendations in the FBI notification:

  • Set Backups: Engineers need to have “offline” backups of the server. This backup should show the “known good” version of the relevant server. 
  • Update: Frequently update software applications and host operating systems. 
  • Create Restrictions: Engineers should disable every unnecessary service and port, limiting the number of network access points. This process can include whitelisting or blocking any external access to admin panels. You should also enable country blocking on all perimeter firewalls.
  • Tighten Credentials: If you haven’t already, stop using default credentials within the system. Implement a user input validation process, which will restrict remote and local file inclusion.
  • Employ Safeguards: There are several systems that can add protection to the network. Engineers should deploy a demilitarized zone (DMZ) between the corporate network and web-facing systems. This limits all interaction between the two networks and makes it easier to identify potential malicious activity. A reverse-proxy, or similar service, can also be useful in restricting all URL paths to known paths exclusively.

While engineers implement the above recommendations, it’s important to review anti-virus policies with your teams. Update these policies regularly to keep up with present threats, such as new variants of Kwampirs. These types of threats can evolve quickly, so be sure to stay updated on cybersecurity news and updated FBI notifications.

Recommendations to Leadership

Leaders in healthcare organizations should work with their IT departments to strengthen program security. Our primary recommendations include:

  • Check for Vulnerabilities: Leadership needs to prioritize threat and vulnerability management at all times, but especially when facing a specific threat like Orangeworm. IT teams should conduct regular vulnerability scans to spot risk areas. It’s also important to perform frequent risk assessments and document your risk management plan in detail. 
  • Develop Strong Policies: Organizations should implement the principle of least-privilege within their network, meaning all users have the minimum amount of access possible. It’s also important to have a change management policy that allows you to monitor for alterations in software and networks. Your organization should have a strong business associate security and lifecycle management program. 
  • Manage Software: Updating and backing up connected medical devices at risk can boost security within your organization. A strong disaster recovery policy will require critical system backups to prevent widespread data loss. Organizations should also consider running security applications on connected medical devices. An Endpoint Detection and Response program can be helpful as well. 
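The “known good” backup in the engineers’ list and the change-management monitoring in the leadership list both need a concrete way to tell whether a server’s software has been altered, for instance by a dropped or replaced DLL. The following is an added example, not code from the article or from Fortified Health Security; the directory layout, file names and file contents are constructed for the demonstration:

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map every regular file under root (as a POSIX-style relative path) to its
    SHA-256. This is the 'known good' record to keep offline alongside the backup."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def diff_manifest(baseline, current):
    """Compare a fresh manifest against the baseline. New or altered loadable modules
    (.dll/.exe) are listed separately because a dropped or swapped DLL is exactly
    what the DLL-hijacking stage described earlier leaves behind."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    suspicious = [p for p in added + modified if p.lower().endswith((".dll", ".exe"))]
    return {"added": added, "removed": removed, "modified": modified,
            "suspicious_modules": suspicious}

def demo():
    """Constructed scenario in a temp dir: baseline a vendor app folder, then simulate
    a tampered library, a planted DLL and a deleted file. All names are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        app = root / "app"
        app.mkdir()
        (app / "viewer.exe").write_bytes(b"original viewer binary")
        (app / "imaging.dll").write_bytes(b"vendor imaging library v1")
        (app / "readme.txt").write_bytes(b"docs")
        baseline = build_manifest(root)  # taken while the system is known good
        (app / "imaging.dll").write_bytes(b"contents changed, so the hash changes")
        (app / "planted.dll").write_bytes(b"unexpected new module")
        (app / "readme.txt").unlink()
        return diff_manifest(baseline, build_manifest(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run the baseline step on the offline “known good” image and the comparison step on the live server, and feed the suspicious-module list into the change-management review rather than treating every difference as an incident.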

Even if your organization hasn’t experienced IoT device hackers firsthand, it’s important to take the threat seriously. Orangeworm is targeting the healthcare industry, so now is the time to prepare. Strengthen policies, scan for vulnerabilities, and implement necessary security software to prevent these attacks. Work with IT leadership to know the signs of the Kwampirs attack, so you can act quickly if it does occur. 

Conclusion

The potential of a network attack can be frightening, which is why it’s crucial to stay a step ahead of the cybercriminals by partnering with a security service provider who is tuned in to industry threats and best practices.

ABOUT THE AUTHOR

William Crank

William Crank serves as chief operating officer for Fortified Health Security, where his responsibilities include enhancing the company’s services, delivery model, and security operations center. As a member of the executive committee, Crank works to streamline operations among the sales, solution architect, account management, and customer success teams, in addition to continually enhancing Fortified’s expertise by attracting, training, and retaining top security talent. Prior to his role as COO, Crank was the chief information security officer at MEDHOST, a provider of market-leading enterprise, departmental, and healthcare engagement solutions. He has decades of information technology and security experience, including managing the information security risk management team at Hospital Corporation of America, where he led a team of information security professionals who managed compliance and information security risk and developed and implemented an operational risk management model. Crank retired after serving more than 20 years in the U.S. Navy. He currently holds multiple certifications in the areas of information security and information technology. Crank has also served as sponsorship/programs director and vice president of the Middle Tennessee chapter of the Information Systems Security Association (ISSA).
