Not another NotPetya: Ukraine conflict renews calls from CISOs for healthcare threat sharing

H-ISAC and other healthcare security leaders are again calling on the sector’s CISOs to participate in threat sharing activities in light of heightened cyberattacks brought on by the Ukraine conflict. (Photo source: Getty and Artem Kniaz).

Healthcare chief information security officers are raising red flags to threat sharing groups about an alarming increase in cyberattacks amid the ongoing conflict in Ukraine – most notably by way of phishing incidents.

Like many organizations across critical verticals, healthcare leaders recognize the threat posed by geopolitical tensions in Eastern Europe against the healthcare sector, notifying peers and communicating with sector specific information sharing centers about increased targeting of executives.

“For healthcare CISOs, what’s top of mind is obviously anything that's happening in Ukraine and Russia,” Dan L. Dodson, CEO of Fortified Health Security, told SC Media during the ViVE health information technology event last week. “We've seen a significant increase in phishing lately, with a pretty intense laser focus on the C-Suite.”

And these phishing attacks are highly tailored, with hackers “obviously trying to figure out how to compromise the executives,” he added. CISOs “need to put the shields up and make sure they're looking at their IOC geoblocking, blocking and tackling, and other related security measures.”

H-ISAC Chief Security Officer Errol Weiss called the situation an “up to the minute kind of issue.” On March 9, H-ISAC held a meeting with current and former leaders from the Cybersecurity and Infrastructure Security Agency and Facebook, as well as analysts, to support H-ISAC members with ongoing threats tied to the Ukraine conflict.

The discussion outlined the pressing issues facing organizations, as well as H-ISAC members, their employees, clients, and related entities – including those that reside in Ukraine. The leading concerns include supply chain issues, manufacturing, and distribution.

During the call, security leaders fleshed out potential scenarios surrounding the ongoing conflict, such as what happens if Russia or martial law wins, or if the EU attempts to maintain a peacekeeping force, explained Weiss. For each potential scenario, the leaders gave key recommendations for what needs to be done now.

As the Russian attacks continue, threat sharing activities, even behind closed doors, will remain a key tool healthcare leaders should employ to better understand the anatomy of these attacks and where to prioritize security measures to keep the U.S. healthcare system safe from nefarious activities.

Healthcare is no stranger to being on the receiving end of disruptions brought on by attacks directed at other organizations. The NotPetya incident in 2017 is the largest example, where an attack on a global entity resulted in at least 10 U.S. healthcare organizations facing long periods of downtime.

The role of threat sharing cannot be overstated in getting actionable insights and threat intel to the entities that need it the most.

“Our viewpoint is: we have a responsibility to create a platform for organizations to share information because the bad guys are sharing information,” Dodson added. “We're going to continue to iterate on that, on the service provider side and technology side.”

Learning from each other

Fortunately, the stigma surrounding threat sharing has drastically reduced in recent years, with a growing number of healthcare entities joining threat sharing groups like H-ISAC and for-profit groups convened by vendors. However, progress is slow going.

Even within organizations, the needed level of cooperation, collaboration, and information sharing is “sometimes hampered, for whatever reason,” explained Weiss. What’s needed is a better understanding of the value of being able to collaborate and work together.

For Weiss, the goal is simple: get organizations to see the benefits and demonstrate what’s possible for healthcare cybersecurity within an organization and in tandem with the overall benefits for the sector.

“One of the neat things about the whole information sharing capability and outcomes from there is the learning opportunity that many people have,” said Weiss. “You can observe, you can learn to watch what's going on, but you can also jump in and collaborate, adding to the conversation.” 

“Whether you're right or wrong, I always say you will have an opportunity to learn by the feedback from others that are participating in that network as well,” he added. Most consider threat sharing to focus solely on situational awareness, understanding current attack models and vulnerabilities like a "virtual neighborhood watch." But it’s more than that.

To Weiss, the groups can also provide a “crowdsourced group of analysts or cybersecurity expertise” to leverage for their own environment. For example, CISOs can field questions around best practices, ongoing concerns with the Russia-Ukraine conflict, and how to address issues that are top of mind.

The threat landscape is evolving “up to the minute” with the ongoing Ukraine-Russia conflict, Weiss explained. Without threat sharing measures, health systems previously struggling to keep pace are going to fall even further behind the curve.

Healthcare “has a very good memory of what happened during the NotPetya attacks and all the unintended infections that happened as a result of that,” said Weiss. “What we're seeing here today is a lot of focused attacks happening in Ukraine. There are definitely infrastructure problems and challenges that are happening there.”

“We're concerned about it," he continued. "We also are thinking, 'could any of these things, like NotPetya, erupt and have more of a global impact across the rest of the world?' So we're certainly concerned.”

Dodson has seen a greater collaboration between the technology companies and the services companies in recent years, with growing recognition that in order to unlock the value of the tools, vendors need to create services and opportunities to help health systems keep pace with the changing threat landscape.

In terms of information sharing, third-party companies should be bridging the connections between CISOs. Fortified Health launched its monthly open-sourced meetings last August, which connect at least 55 CISOs each month, on average. These conversations review the threat landscape as it’s evolved since the previous meeting, while opening up a dialogue about what’s top of mind for these security leaders.

Top topics include vendor assessments, techniques for patching, and better education for clinicians on security. Dodson's group, for one, is focused on C-Suite cybersecurity issues as they relate to the help desk and increased targeting of executives amid the Ukraine conflict.

Tapping into threat information workflows

From a non-profit perspective, H-ISAC has been steadily working to drive membership to its threat sharing community for the last two years. There was a 30% increase in membership during the pandemic, Weiss said, and the group is actively seeking methods to fuel these conversations.

H-ISAC is currently working to improve the automated information flows for the community and to make them more widely available to members, including simple things like nefarious IP addresses, indicators of compromise, and malicious file attachments or a website in use by bad actors, as “those are things that are easily shared through automation.”

Granted, “they're also the easiest things for the bad guys to change,” said Weiss. But "many people still find a lot of value in sharing that kind of information because they can use it to see if any of those elements have been in their own environment.”

The information can also be used to block potential attacks in the future. H-ISAC is working to improve public-private sharing, particularly getting insights from global governments and security researchers to better inform the healthcare sector.

In short, information sharing best practices distill current security insights in a methodical fashion, using collaboration to gain a more complete picture of the current threat landscape. Weiss added that it’s “not that tough to come up with a list of the kinds of things that you probably would want to share.”

The challenge comes with determining who within the organization owns the information, then mapping out who has the permission to release this information and whether it can be shared with infosec groups or the government, as well as how to effectively share the data.

To Weiss, the hope is healthcare leaders will view threat sharing communities as a learning opportunity and a way to grow technical, management, and collaboration skills.

“Some of these very tight circles of information have security professionals sharing some really sensitive information,” said Weiss. “They're dealing with incidents at that particular moment, and they need help. You see people under enormous pressure, dealing with these incidents and responding to them, yet able to handle and maintain their composure.”

The information is pivotal from a cybersecurity standpoint, to gauge what people are doing from the cyber side, to protect their networks from another event like NotPetya.

“Again, up to the hour, minute, in terms of what's happening with Russia and Ukraine, we have members who have operations in the region, between R&D facilities, manufacturing, logistics, and other supply chain operations," he added. "They are today actively sharing situational awareness about what's happening on the ground, what cities are having logistics problems."

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
