Finnish Information Security Cluster meeting on March 21st in Helsinki. IoT in healthcare and the various current and emerging cyber security risks IoT brings into healthcare environment, especially hospitals, and their security requirements and frameworks; includes some examples of dark web activity.

1. IoT:n tietoturva terveydenhuollossa
21.3.2017

2. Copyright 2017 FUJITSU
IoT in healthcare
1
Little data… ability to react with speed + Big data… ability to act at scale
Healthcare domain embraces IoT to make its services better than ever.
For the sake of higher quality delivery.
And drive down costs from clinical and
operations inefficiencies.
Various medical devices,
sensors, and diagnostic and
imaging devices constitute
a core part of IoT-based
healthcare services.

3. Copyright 2017 FUJITSU
Prime target for malicious cyber groups
 “The health sector will continue to be pummeled by any and every script
kiddie and sophisticated cybercriminal dedicated to exfiltrating
electronic health records and PII for infinite variation of use and optimal
capitalization on dark web forums”
 Immense budgets + seasoned experts
against
minuscule resources + time + dedication
 All you need is only one cyber-hygienically apathetic employee in one of
the target organizations that opens an attachment or clicks a maliciou
2
Immense budgets + seasoned experts against minuscule resources + time + dedication
Administration
Care area
Patient room
Medical devices
“The health sector will continue to be pummeled by any and every script
kiddie and sophisticated cybercriminal dedicated to exfiltrating
electronic health records and personally identifiable information for
infinite variation of use and optimal capitalization on dark web forums.”

4. Copyright 2017 FUJITSU
Hacking incidents on the rise
3
“Wall of shame”

5. Copyright 2017 FUJITSU
Patients alerted of vulnerable “endpoints”
4
“… could then be used to modify
programming commands to the
implanted device, which could
result in rapid battery depletion
and/or administration of
inappropriate pacing or shocks.”
“…a hacker could exploit
to overdose diabetic
patients with insulin.”

6. Copyright 2017 FUJITSU
Attention on medical device security
5
EU is concerned about healthcare IoT security
New medical systems and devices need to be classified according to
their risk before they can be certified and conformity with the Medical
Devices Directive, the In Vitro Diagnostic Device Directive or the Active
Implantable Medical Device Directive can be confirmed. Conformity
with MDD is also applicable to certain ICT products used in hospitals.

7. Copyright 2017 FUJITSU
Hospital devices: frankensteined attack surface
6
Threat modelling the clinical scenario is a scary job
The attack surface for medical devices is simply
larger than the maturity of standardized
procedures to test those surface areas.
Device testing: time available,
tools available, skill level
available? Postmarket
management of cybersecurity?
Hardware physical interfaces
Physical networking ports
Debug / admin ports
WiFi / RF
Data transfer and storage
Cryptographic implementations
HL7 implementations
Hardware sensors
Input parsing / validation
Command / data authentication
Integrated clinical environment:
a platform to create a medical
‘Internet of Things’ around the
care of a single patient.
Heterogeneous medical devices
& auxiliary apps from different
vendors connected together.

8. Copyright 2017 FUJITSU
Security challenge in healthcare environment
7
Security aspects are considered in OT,
but given that most systems are not
connected it is mostly physical security.
Security concepts such as user-based access
control applies less often in OT systems than
they do in IT.
Similar to transition from Industrie 3.0 to Industrie 4.0

9. Copyright 2017 FUJITSU
Medical device hijack (zero-day attack)
8
Connected to Internet? Poor authentication? Local Admin privilege apps? Vendor remote access?
Unpatched OS? Unnecessary services enabled? Communication not secure? No encryption? No anti-
virus installed? Security patches not applied – ever? Running on end-of-life operating system?
Medical devices have become a key pivot point for attackers within healthcare networks
Devices vulnerable to MEDJACK.3 includes diagnostic equipment (PET scanners, CT scanners, MRI machines, etc.),
therapeutic equipment (infusion pumps, medical lasers, surgical machines), life support equipment (heart – lung
machines, medical ventilators, extracorporeal membrane oxygenation machines and dialysis machines) and more.

10. Copyright 2017 FUJITSU
From hacks to hospitals being ransomed
9
Medical space is extremely vulnerable to these issues
“34% of Health Trusts in the
U.K., and 60% of Scottish trusts,
hit with ransomware within the
last 18 months. One NHS area
had to transfer patients
because they were shut down.
Other countries affected as well,
including Germany.”
When ransomware happens the payment is usually in bitcoin.
Companies getting hacked often don’t know anything about bitcoin, and are
hiring law firms to acquire and hold bitcoin for them in case they get hacked.

11. Copyright 2017 FUJITSU
Shift to ransomware
10
Attackers are shifting their attention to
ransomware attacks because of the glut of stolen
health information hitting the black market.
88 out of the 260 NHS trusts
across England, Scotland,
and Wales were the victim
of ransomware attacks over
the last 18-month period.
Dark Web examples:
Ransomware-as-a-Service listed on Alphabay and
Ransomware Kit on DreamMarket, both fully
undetectable by traditional security technologies.
Victims' need to access the infected system is greater than the fiscal demands of the attacker

12. Copyright 2017 FUJITSU
SAMAS RansomWorm
 Domain Credential Theft
 Exploit front-facing servers for a known
vulnerability (CVE-2010-0738)
 Once inside, use Mimikatz/Bladabindi/Derusbi
to steal domain admin credentials
 Active Directory Reconnaissance
 Query AD with Windows Utility (CSVDE)
 Verify a target is alive using PING command
 Lateral Movement
 Install infection using Windows Utility (PSEXEC)
 Infect the endpoint
 Self-propagate through the network, until each
and every endpoint and server is locked down
11
Spreads inside throughout entire network to encrypt every server & computer — and backups
Time will tell
might not be a
good security
approach.

13. Copyright 2017 FUJITSU
EU Agency for Network and Information Security
12
Most critical are interconnected clinical information systems and networked medical devices
Due to the great number of significant assets at stake (patient life, sensitive personal
information and financial resources) information security is a key issue for smart hospitals.
The notion of smart hospitals is introduced when IoT
components are supporting core functions of a hospital:
Establish effective enterprise governance for cyber security
Implement state-of-the-art security measures
Provide specific IT security requirements for IoT components
Invest in Network Information Service products
Establish an information security sharing mechanism
Conduct risk assessment and vulnerability assessment
Perform penetration testing and auditing
Support multi-stakeholder communication platforms (ISACs)

14. Copyright 2017 FUJITSU
IoT healthcare services and applications
Focus on the following security requirements:
Confidentiality Integrity Availability
Data freshness Non-repudiation Authorization
Resiliency Fault tolerance Self-healing
13
Source:
The Internet of Things for Health Care:
A Comprehensive Survey, IEEE, 2015
Data-in-motion protection
interruption, interception, modification, fabrication, replay
Host properties
user compromise, hardware compromise, software compromise
Network properties
standard protocol compromise, network protocol stack attack

15. Copyright 2017 FUJITSU
Industrial IoT security framework
14
Security model & policy:
ensure confidentiality, integrity and availability of the system
Data protection
Security configuration & management
Security monitoring & analysis:
preserving system state throughout the operational lifecycle
Communications & connectivity protection:
cryptographic techniques for integrity and confidentiality, information flow control techniques
Endpoint protection (egde & cloud):
physical security functions, cyber security techniques and an authoritative identity
Source: Industrial Internet Consortium Security Working Group

16. Copyright 2017 FUJITSU
Fujitsu’s security offerings
15
PalmSecure
SURIENT
Content –
Web, Email
and DLP
Endpoint
protection
Firewalls,
NGFW and
IDS/IPS
Managed Security Services
Security
Assessments
incl. GDPR
Continuity and
Resilience
Consultancy
Technical
Design and
Integration
Cyber Threat
Response
Security
Consultancy
IDaaS Advanced
Threat
Protection
SIEM and
SIEMaaS
Vulnerability
Management
Identity &
Access Mgmt
Consultancy and Advisory
Cyber Threat
Intelligence
Products

17. Copyright 2017 FUJITSU
Intelligence led security
16

18. Copyright 2017 FUJITSU