Dive Brief:
- Almost 40% of the hacker group Orangeworm's victims are organizations operating in healthcare, and 17% of victims are based in the U.S., according to a new analysis by Symantec. By comparison, 15% of the attacks targeted the manufacturing industry.
- The malware, identified as Trojan.Kwampirs, was found on "software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines," according to a post on the cybersecurity company's website.
- While the group's motive remains unknown, Symantec believes attacks on healthcare providers have been especially effective due to organizations' tendency to still run legacy systems on older platforms.
Dive Insight:
Although most data breaches happen because of internal employees and poor security practices such as sharing passwords, Orangeworm victims have largely been organizations using outdated software.
Symantec reports that Orangeworm has breached nearly 100 large, international corporations operating within the healthcare sector in the U.S., Europe, and Asia, with as many as 36 breaches in 2018. Orangeworm infiltrates a victim's network and installs Kwampirs malware, allowing it remote access and the ability to steal information, though Symantec is not sure what kind of information has been compromised.
Symantec first identified the previously unknown malware in 2016, according to senior threat intelligence analyst Jon DiMaggio. "We started looking into that malware, trying to determine what its functionality was, what it did, anything unique about it, and we found it was a backdoor we had not seen before," DiMaggio told Healthcare Dive. Using a custom signature, DiMaggio and his team were able to track the malware and its history dating back to 2015.
Giovanni Vigna, co-founder and CTO of malware protection platform Lastline and director of University of California at Santa Barbara’s Center for Cyber Security, warned against the use of healthcare devices that are not upgraded and monitored as aggressively as consumer-facing devices such as computers.
"Since the operating system of these devices possibly controls life-critical systems, it is finely tuned and not automatically updated," Vigna told Healthcare Dive. "This situation makes it easy to break into outdated versions of the [operating system] and remain permanently entrenched into the platform."
A recent Ponemon Institute survey found that cybersecurity has continued to be a problem for healthcare organizations, with 62% of executives reporting a cyberattack in the past year and more than half of those losing patient data. As of September, 89% of healthcare organizations have experienced a data breach in the past two years, with 45% experiencing more than five breaches.
Cybersecurity threats have persisted through 2018. A ransomware attack compromised computers at Greenfield, IN-based Hancock Health in January, followed by an attack on West Virginia-based Coplin Health Systems, which reported that the personal information of 43,000 patients may have been breached after an encrypted laptop was stolen from an employee’s car.
Vigna had advice for how healthcare organizations can avoid an Orangeworm data breach.
"It’s important to create logic compartments within the organization using internal firewalls and other network access control mechanisms so that devices that are prone to compromise due to outdated operating systems can be isolated from general access," he said.
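The "logic compartments" Vigna refers to can be modeled as a zone-based policy with a default deny, in which the unpatchable imaging hosts sit in their own segment that only a management jump host may reach and that may only talk to the image archive it needs. The following is an added illustration, not code from the article, from Symantec, or from Lastline; the zone names, address ranges, port numbers and the flows being checked are all constructed assumptions.

```python
"""Model of segmenting legacy imaging devices into an isolated compartment.

Constructed example: zone names, address ranges and ports are assumptions,
not details taken from the article or from Symantec's report.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zones. Imaging hosts that cannot be patched get their own segment.
ZONES = {
    "users":   ipaddress.ip_network("10.10.0.0/16"),  # general staff workstations
    "imaging": ipaddress.ip_network("10.20.0.0/24"),  # legacy X-ray/MRI control hosts
    "pacs":    ipaddress.ip_network("10.30.0.0/24"),  # image archive the devices must reach
    "mgmt":    ipaddress.ip_network("10.40.0.0/28"),  # jump hosts for biomed/vendor engineers
}


@dataclass(frozen=True)
class Rule:
    src: str             # zone name or "any"
    dst: str             # zone name or "any"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # destination port, None matches any port
    action: str          # "allow" or "deny"


# First-match policy; anything not matched is denied. The imaging zone may only
# send DICOM to the archive, only the management zone may reach the imaging
# zone, and everything else to or from the imaging zone is dropped, which
# limits where a backdoor on those hosts could reach or spread to.
POLICY: List[Rule] = [
    Rule("imaging", "pacs", "tcp", 104, "allow"),    # DICOM (port is an assumption)
    Rule("mgmt", "imaging", "tcp", 3389, "allow"),   # remote admin from jump hosts only
    Rule("imaging", "any", "any", None, "deny"),
    Rule("any", "imaging", "any", None, "deny"),
    Rule("users", "pacs", "tcp", 443, "allow"),      # staff view images over HTTPS
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone name, or None if it belongs to no zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def _matches(rule: Rule, src_zone: str, dst_zone: str, proto: str, port: int) -> bool:
    return ((rule.src == "any" or rule.src == src_zone)
            and (rule.dst == "any" or rule.dst == dst_zone)
            and (rule.proto == "any" or rule.proto == proto)
            and (rule.port is None or rule.port == port))


def decide(src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """Return 'allow' or 'deny' for a flow; unknown zones and no match both deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny"
    for rule in POLICY:
        if _matches(rule, src_zone, dst_zone, proto, port):
            return rule.action
    return "deny"


def audit_isolation(policy: List[Rule], isolated: str = "imaging",
                    trusted=("mgmt",)) -> List[Rule]:
    """Return allow rules that let a non-trusted zone reach the isolated zone
    before the catch-all deny, i.e. holes in the compartment wall."""
    gaps = []
    for rule in policy:
        if rule.action == "deny" and rule.src == "any" and rule.dst in ("any", isolated):
            break  # nothing after the catch-all deny can reach the isolated zone
        if rule.action == "allow" and rule.dst == isolated and rule.src not in trusted:
            gaps.append(rule)
    return gaps


if __name__ == "__main__":
    # Constructed sample flows, evaluated against the policy above.
    for flow in [("10.20.0.5", "10.30.0.10", "tcp", 104),   # imaging -> PACS
                 ("10.20.0.5", "10.10.0.7", "tcp", 445),    # imaging -> staff workstation
                 ("10.10.0.7", "10.20.0.5", "tcp", 3389),   # staff -> imaging
                 ("10.40.0.2", "10.20.0.5", "tcp", 3389)]:  # jump host -> imaging
        print(flow, decide(*flow))
    print("isolation gaps:", audit_isolation(POLICY))
```

The audit function is the check worth keeping around: adding a convenience rule such as staff-to-imaging file sharing ahead of the catch-all deny silently reopens the compartment, and `audit_isolation` flags exactly those rules.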
Additionally, Vigna said it's important for organizations to adopt anti-malware tools that can block zero-day attacks, as traditional anti-malware tools "may not be able to deal with these types of attack campaigns."