Looking Back at 2020: Oh What a Year
Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.
In this episode of In Scope, the healthcare security podcast, Mike Murray hosts another internal Scope Security conversation with colleagues Jeremy Richards and John Daniele. Jeremy is the Chief Architect at Scope, and he is responsible for data ingestion and anomaly detection. John is the VP of Threat Intelligence, and he has spent more than twenty years in the cybersecurity field, focusing on cyber threat intelligence, digital forensics, and threat hunting. In today’s conversation, Mike, Jeremy, and John think through the crazy year 2020 has been, explaining what they’ve seen over the year as they’ve continued to build up Scope and interact with various health systems.
To start off the conversation, Mike, John, and Jeremy explain what they thought 2020 would look like for the healthcare security space, and what central themes have, in fact, characterized the field. While there was reason to expect a focus on the transition from traditional to cloud-based EMRs, the COVID-19 pandemic has forced cyberattacks and ransomware to the fore as principal concerns. Moreover, the pandemic has produced great strides in digital transformation, along with a new urgency and a fountain of phishing activity; intellectual property theft, especially, has become a heightened threat.
From the cyber perspective, the pandemic has brought with it several significant impacts. One of the most noteworthy of these is the redistribution of where computing and access come from; there has been a major shift to the edge—to devices that are not trustworthy. Security practitioners are trying to find the safest way to navigate the rapid computing and access changes, and have had varying levels of success in doing so. Companies that were focused on this issue prior to the onset of the pandemic tend to be those faring best now.
The pandemic has also stress-tested business continuity and incident response plans, and has demonstrated concerns surrounding how redundant our systems are, especially with cyber attacks. Hospitals are not always as redundant in certain areas as they ideally would be, and when the factors of COVID-19 and a cyber attack come together, the lack of redundancy causes a cascade of effects within the hospital network. Thus, hospitals are faced with the dual challenge of a lack of adequate resources and an increased strain on what resources they have.
On the monetary side of things, the pandemic has left a lasting mark on the cyber landscape. Because of the nature of the healthcare business and the inability to fit missed procedures of 2020 into 2021, some revenue is lost forever. This loss will, in turn, constrain security spending. The top concern for hospitals is, of course, clinical experience; security will be the second or third priority, and so will likely suffer as hospital budgets are reimagined and consolidation measures are developed to get the most out of existing hospital technology.
Switching gears, Mike, Jeremy, and John consider the kum ba yah moment earlier in 2020 when some ransomware attackers said that they wouldn’t attack hospitals during a pandemic. This apparent (and counterintuitive) moral stance did not last long at all. After all, there is always someone willing to step into the space left vacant by other attackers. And given the cognitive dissonance of criminal gangs that have honed their methods to attack hospitals then claiming to step back, the pause in crime seems to have been a matter of PR management.
Another interesting angle of ransomware in 2020 (and in general) concerns the involvement of nation-states in the attacks. Some attacks, especially in long-term care homes, have seemed only to cause chaos during a time of crisis, rather than representing monetary gain for the attackers. Part of the reality of the world we live in is the fact that there are some elements just wanting to cause damage.
Recently, the US government actually made paying ransomware gangs a crime, and this step will impact how attacks on the healthcare space are managed. The payment restriction renders middle-person ransomware companies obsolete, but is also a little bit like punishing the victim. It will likely be an unpopular policy because of the way in which it will put hospitals between a rock and a hard place. The government’s own response, while improving, is not enough to stem the impact of cyber attacks. And hospitals, already facing plenty of pressures, may have to decide whether to follow the policy or pay ransom in order to keep patients alive. While a better system is needed to make sure listed entities like terrorist organizations don’t get paid ransom, this system needs to encompass all of society, and coming after hospitals for paying ransom will likely not prove a viable tactic.
As the conversation moves toward a close, Mike, Jeremy, and John share cybersecurity highlights of 2020. Of course, attacks are not positive events, but the UHS and Ryuk attacks were remarkable for the speed with which the threat actors iterated payloads. The Ripple20 vulnerabilities and BIOS attack were also uniquely interesting, as was Mike’s discovery that a years-old UAC bypass was still effective. The group leaves listeners with one final 2020 highlight to explore: the Project Zero paper produced by Ian Beer, which explored a vulnerability in iPhones running iOS 13 and 14.
– Mike introduces the episode and his guests/colleagues, John and Jeremy.
– The conversation starts with expectations for and the reality of 2020.
– What was the biggest impact of the pandemic from a cyber perspective?
– Mike turns to the monetary side of things.
– The kum ba yah moment earlier in 2020 was short-lived.
– Talk of evidence of attack effects turns to talk of new government ransom policy.
– What was a favorite cybersecurity moment of the year?
– Last week, an interesting paper about iPhone vulnerabilities was published.
– The conversation wraps up, and the next will address what is to come in 2021!
0:00:02.7 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:19.6 Mike Murray: Hello and welcome to another episode of In Scope, The Healthcare Security Podcast. As always, I’m Mike Murray. And today, we’re having another one of the internal scope conversations. The one we had about ransomware with John and Jeremy. It went so well that we’ve decided to bring back my two favorite people to talk about the year that has been 2020, because, it’s been quite a year. I mean, it’s been quite a long year, I think as we were preparing for this, Jeremy actually said to me, “Who remembers January?” It’s been quite a year for healthcare, it’s been quite a year for cyber security. So with that, we wanted to get together and shoot the breeze and chat about all the things that we’ve seen as we’ve built Scope over the year, and talked to many, many, many health systems and heard about their security challenges both before COVID and during COVID and sort of after COVID as well. So with that, I’ll make a couple of quick introductions. First, maybe you guys can introduce yourselves for those who didn’t listen to the first one and don’t know who you guys are. Jeremy, do you wanna introduce yourself first?
0:01:29.0 Jeremy Richards: Hi, thanks, Mike. Yeah, Jeremy Richards, chief architect at Scope. I’m responsible for data ingestion and anomaly detection.
0:01:39.9 John Daniele: I’m John Daniele, I’ve spent 20 years of my career in cyber security, focusing on cyber threat intelligence, digital forensics and incident response, as well as a threat hunting.
0:01:52.6 MM: And so guys, maybe we can structure this conversation sort of as a before, during and after. I think regardless of how you think about the year COVID dominates, and so maybe talk about where you guys thought we were gonna be.
0:02:08.5 JR: So for me, it’s an extension of phishing, and the theme happened to be COVID-19. So you’ve got this perfect theme for leveraging these phishing attacks, right? You’ve got urgency that you don’t need to manufacture, it’s real, it speaks to a wide population, and so it’s become this fountain of activity where there’s phishing, first, it was around PPE, and now during the later stages, now we’re seeing tons of intellectual property theft and things like that, so the whole year has really been dominated by COVID-19 and COVID-19 related attacks.
0:02:50.7 JD: Before COVID, I thought that the big story in health care was going to be transitioning from traditional EMRs to cloud-based EMRs, I thought data privacy breach would be the prevailing concern. I didn’t foresee cyber attacks being the principal concern, although that’s always a concern in the background, but I thought that privacy-oriented breaches from accidental disclosure might have been the prevailing concern there.
0:03:22.0 MM: Yeah, I have to admit, if I rewind the clock 12 months, I was thinking that we were going to be moving on from ransomware, that ransomware, well, it was a huge concern, it was going to stop being the front page news that it had been in previous years, and that we would see APTs become a bigger story, and like you said, John, I agree with you. I thought we would see privacy, that those phishing emails that Jeremy is talking about would target getting more info out of the EMR, and then COVID happens and we go back into this world of ransomware and also into this world of crazy digital transformation at scale. We talk to a healthcare system in the early days of COVID that said they went from 300 concurrent remote users to 5000 concurrent remote users over a weekend, and that kind of change is just radical. What do you guys think the biggest beyond… Maybe that is the biggest thing, but what do you guys think the biggest impact of COVID was from a cyber perspective?
0:04:25.7 JR: Really, it’s been about the redistribution of where the computing and where the access comes from, right? It’s pushed so much of that to the edge on devices that aren’t trusted. Just so much of that has been pushed out, and really accelerated the whole idea of BYOD. And we were kind of thrust into it. It’s going to happen and it’s going to happen now, so what’s the safest way that we can do it in this timeline. I think that everyone kinda had this timeline and this deadline, we have to make things workable within a certain amount of time, so what can we do? And everyone was thrown into that, and I think there’s been varying levels of success in getting there and getting there securely, and those that were in the position where they were thinking about those things before COVID hit anyway. For whatever reason, if they were already looking at those things, then they’re the ones that are in the better position now.
0:05:30.0 JD: I think what this whole experience has done is, it has really stress-tested our business continuity plans or incident response plans have gotten a lot of exercise. I think the concerns surrounding how redundant our systems are, I think is something that COVID has really demonstrated, especially with cyber attacks during COVID. I think that hospitals as interconnected as they are, perhaps in some respects, were not as redundant in certain areas, and so therefore, if one system goes down during a cyber attack, it causes a cascade effect throughout that hospital network, and I think that’s probably one of the unexpected consequences of having the combination of a cyber attack right in the middle of a COVID crisis with the lack of resources, the strain on resources. There was already a strain on cyber security resources in healthcare, this has just sort of exacerbated that, and in some cases, some staff, some vendors may not have been able to go on-site. They had to figure out how to resume operations through remote consults, and that’s not always an easy thing to do.
0:06:48.0 MM: Especially when you’re not used to it. When you assume that you get to go to the office every day, suddenly having to adapt your processes to nobody can go to the office anymore. If you weren’t in some way prepared for that world, I think that people struggled a lot. You both mentioned something that I think is particularly interesting, which was the monetary side of this. There’s been a ton of articles about how COVID has canceled electives and hit the economic situation of our customers and our partners out in the healthcare space. How do you guys think that that has really impacted the cyber landscape, both from the perspective of reduced cyber budgets, but also sensitivity to things like ransomware and financial attacks? What do you see is the real impact of that budgetary hit?
0:07:40.1 JD: Well, one of the things that we’ve mentioned in the previous podcast episode that we had done is some of that revenue is just lost forever. It’s never going to be recovered. Surgeries that have been rescheduled can’t be made up in the next quarter, there’s no such concept in healthcare. So once that revenue is gone, it’s off the table, and that’s going to constrain security spending considerably. There are other pieces of equipment that are far more important to a hospital network to maintain than cyber security, even though cyber security is a top concern. The top concern, however, in a hospital setting is the clinical experience and making sure that patients in the hospital get the best possible care. That’s always gonna be the number one concern. Security is going to come second or third after that.
0:08:38.1 JR: Yeah, I’m definitely kind of expecting to see budgets reimagined. I think customers are going to be going over their existing spend on security and making sure that they’re actually using the products that they’re paying for, and if they’re not, they’re going to be getting rid of those. I imagine they’ll probably also be looking to do things like consolidate and get more out of the products that they do own, so I guess that’s what I’m expecting to see change.
0:09:10.0 MM: One of the big events of 2020 that I remember in the early COVID times was it felt like there was a bit of a Kumbaya moment when there were a bunch of ransomware gangs that came out and said, “Don’t worry, in a pandemic, we won’t attack hospitals,” and I feel like that lasted about six minutes.
0:09:30.3 JR: Well, there’s always going to be someone to slide in there and fill that void. Sure, maybe there’s gonna be some ransomware gangs that are out there doing some PR, but there’s always going to be somebody that’s willing to slide in there and do that, and maybe it’s even the same or similar groups under a different name. You’ve got Maze group, they’ve supposedly retired this year, but we’re seeing a lot of new activity pop up around where they kind of exited.
0:10:01.0 JD: I think it’s interesting that you’ve got criminal gangs that are also concerned about PR. Hacking a hospital and having a hospital cancel surgery is not a good thing for a ransomware group either, so there’s a bit of cognitive dissonance when you think about a criminal gang suggesting, “Okay, we won’t go after the most juicy targets with all the financial data and private information and private health information that we can sell on a per record basis in underground markets and make a killing. We won’t go after those targets, even though we’ve built our operations to target those types of institutions.” I think it was just frankly, PR management on part of the criminal groups.
0:10:47.9 JD: The other interesting angle is the involvement of nation-state activity in ransomware attacks in general. There have been a couple of incident response engagements that I have been a part of where attempts to contact the gang for a ransomware payment just completely fail. And if you take a look at the vectors of attack that are used and the activities that were used, and how they pivoted within the environment, some of these attacks, especially in long-term care homes, appeared to be motivated simply to cause chaos and destruction, and there were a couple of instances like that, that I had been involved with over the course of last year that made me really wonder if there was a criminal motivation or a financial motivation behind some of these attacks as opposed to just simply causing chaos during a time of crisis. And it’s really scary to think that there are elements out there that would seek to just simply cause damage, but it is the reality of the world that we live in today, and anything that certain nation states can do to their adversaries in order to completely cripple their response, and cause their economy to tank is something that certain nation states are willing to do.
0:12:18.6 MM: We saw evidence of that in 2020 for one of the first times. There were the conversations about that patient who may or may not have died in Germany due to ransomware. We heard originally that they did die because of ransomware, and then later on in the small print, I don’t know if everyone saw that they came out and said, “Nope, that patient did not die of ransomware in the end.” It ended up being not the official cause of death. But we also saw the US government go after ransomware gangs in a really interesting way by making paying them a crime in 2020. I have my thoughts on that, but I’d love to hear what you two think. After our long conversation about ransomware last time. Is that gonna have any impact?
0:13:04.1 JR: I think it’s definitely gonna have some kind of impact. I didn’t realize that they actually went through with it, I know that it was proposed that there was a lot of talk about it, but the fact that… Yeah, that they went through with it. I mean, in a lot of these cases, these companies are getting insurance, and if the insurance is making the payment for them, that whole thing is not viable anymore, so I can see that making an impact, sure.
0:13:33.0 JD: One of the interesting things is that it makes one of the seedier sides of the ransomware response markets completely obsolete, which is the middle person ransomware companies that specialize in paying the ransoms and brokering the ransom deals, so it pretty much makes those types of organizations completely obsolete, most of those kinds of ransomware brokers don’t have the infrastructure to make sure that they’re not paying to a listed entity, so at least it eliminates that from the market, whether that’s a good thing or a bad thing. I think that there’s a little bit… The optics of punishing the victim, I think is something that we’re all gonna have to contend with. I don’t think that this is gonna be a particularly popular policy in the US, because at the end of the day, some of these hospitals are being faced with some very sophisticated threat actors, the government’s response to that kind of activity has been better than before, but still not enough in order to stem the loss, the losses incurred during these cyber attacks.
0:14:47.1 JD: So this additional measure to say, “Hey, if you’re a victim of ransomware and you have no other alternative to resume operations as quickly as possible,” but to pay that ransom in hospitals or special kind of entities in the sense that they can’t take a week of downtime and recover their systems, they have to be back up because there are patients that require care, there are surgeries that still need to happen, so if they have to pay a ransom to make sure that people don’t die, then they’re going to do that, and there needs to be some better alternative in ensuring that listed entities do not get paid these ransoms and I do agree, not just simply criminal gangs, but other nation-state actors, terrorist organizations that are trying to fund North Korea, trying to fund their nuclear weapons programs through ransomware payments and hitting hospitals. Those are things we need to stop, and we need to do a better job in having a whole of society approach to deal with that, but is it possible right now to tell hospitals that if you pay to a listed entity that we’re gonna come after you. I don’t know how viable that is as a strategy.
0:16:07.4 MM: It definitely puts the hospital between a rock and a hard place, if your goal is… If your number one outcome is patient health and the safety of your patients, and you end up in a situation where your systems are down because of ransomware, forcing the hospital to choose between legality and safety, seems to be sort of the ultimate rock and hard place situation, right?
0:16:36.0 JR: I think it’s the only way that we escape this spiral into the 14 million dollar ransoms that are covered by insurance, it’s the only path, I think, to getting there. It’s like spam, right? It exists because it works, if they can make it so that it can’t work in the same way, I think it’s the only path forward.
0:17:04.6 MM: Yeah. I mean, clearly that’s the ultimate goal of treasury, setting up this whole plan is to try and disincentivize the attackers by making it harder for them to turn a cyber attack into dollars. Alright, I’m gonna take us to a totally different direction. So 2020, big, big, long year. We’ve had so many things that have happened. What was your favorite cyber security threat moment of the year? Threat actor, attack, attacker, vulnerability that you saw exploited, I’ll leave it up to you guys, but what struck you this year that if you were sitting down with the healthcare CISO, you’d say, “This was the one that if you didn’t read about it, you should have.”
0:17:48.0 JD: I think it’s a little bit strange to talk about your favorite hack in healthcare because it all just terrifies me, but the one moment that I was just left with my jaw open going, “Wow, I can’t believe that happened.” Is taking a look at the UHS attacks and some of the Ryuk attacks across hospitals in the US, and watching how quickly those threat actors were iterating their payloads. So as soon as the payload was compromised, they were iterating their payloads within eight hours, and I just thought that was a phenomenal moment. I’ve seen real threat actors in the past, iterate within three days, which I thought was pretty amazing back then, but now they’re iterating eight hours or less and going back into the environment, and I just thought that that was a moment where I thought, “Okay, things are changing and we now have to move even faster and we haven’t even caught up.”
0:18:50.2 JR: Yeah, and just to add to that, they’ve just recently continued to add expansion and now they’ve got the BIOS attack where they’re compromising the BIOS of infected systems as well, for persistence. I guess my favorite vulnerability of 2020 has to be the Ripple20 vulnerability. So it’s a TCP/IP vuln that affects billions of IoT devices that have this embedded library, it’s really, really low level and it impacts billions of devices. So I think I found that the most interesting.
0:19:26.8 JD: As far as favorite vulnerabilities and actually, here at Scope Security, we were designing the end-to-end malware demo, and so I ended up creating my own functional malware for this demo, and the funniest moment was when I discovered a three-year-old UAC bypass, still worked on the latest patched version of Windows 10. And watching to see how many old privilege escalation vulnerabilities still work is just something that I’m just left scratching my head because the first time that this particular technique that we used was discovered was about three years ago, and it’s still valid today. So that was another moment in 2020 where I thought, “This is just bad.”
0:20:14.3 MM: We write real exploit code for our demos, that’s how we roll over here. I’m throwing one in too, ’cause I had so much fun last week when… There’s a really great paper by a Project X researcher at Google named Ian Beer, who wrote about a vulnerability in the iPhone in iOS 13 and 14. And the paper is incredible. It’s one of the most incredibly detailed and transparent views into how vulnerabilities are found that I’ve seen in the last 20 years. And ultimately the vulnerability was such that being in radio proximity to a phone allowed, with this vulnerability, complete compromise of an iPhone. And you might think that an iPhone is not necessarily really an issue for most healthcare organizations, but more and more, we are pulling the mobile platforms into medical devices. Look around the modern hospital and look around the modern medical device space, whether from Philips where they have ultrasound probes that can be plugged into phones to some new start-ups that I’ve seen that are using mobile devices in interesting ways in patient care, suddenly things like Ian Beer’s exploit against the iPhone start to be something that healthcare CISOs have to consider as part of their threat model. Before, phones were really just, “Oh, well, I have MDM and I can wipe my user’s phone if I need to,” but as soon as those phones start to become medical devices, then you have a whole other new and interesting set of ways that this can go.
0:21:52.8 MM: So guys, with that, I’m gonna cut this short and not because we couldn’t talk for another hour about what happened in 2020, but because we have to move on and record another episode. We didn’t wanna overload one episode. So today, we talked about 2020. Our next episode is gonna talk about what we all think is gonna happen in 2021, ’cause I think 2021 is going to be a very wild year from all the things that have been set up in 2020 and all the interesting things that will happen next year, so with that, thank you both again, we’ll be back next episode to chat about next year, and so I’m looking forward to that.
0:22:32.3 JR: Thanks for having me Mike.
0:22:33.8 JD: Take care.
0:22:35.3 MM: Thanks guys.
0:22:37.6 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up, or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]
ABOUT THE GUESTS
Jeremy Richards has spent the last two decades becoming an expert in both exploitation and detection and AI technologies. Most recently, he was a Principal Security Intelligence Engineer at Lookout, where he created the machine learning models behind Lookout’s PhishingAI and assisted in discovering APT threats on mobile globally.
Previously, he was a senior security research engineer at Saint, Digital Defense, and nCircle. Jeremy is passionate about AI and machine learning, feature engineering for anti-malware and anomaly detection.
John Daniele has over 20 years’ experience working in the security and defense community in Canada and abroad. He has extensive experience developing threat hunting and detection, digital forensics analysis capabilities, and investigating cybercrime.
John has also led offensive red team assessments, engaged in vulnerability research and exploit development activities, and has provided related training to the Department of National Defense and other security agencies across Canada.
He is an alumnus of both KPMG and EY, where he served as a national practice leader in cyber forensics and most recently as vice president of cybersecurity operations for CGI. John has previously served as a civilian forensics analyst at Ontario Provincial Police (Anti-Rackets), the Ontario Ministry of Finance, and as an investigator with Ontario’s Correctional Investigation and Security Unit.
Today, John serves as head of Threat Intelligence for Scope Security, a cybersecurity start-up co-founded by Thrive Capital, that is developing a healthcare native SIEM that provides holistic visibility into threats targeting clinical technology environments and electronic medical records systems.