Attack vectors in Healthcare and impacts caused by cybersecurity incidents
In a cybersecurity context, an attack vector can be defined as a path or means through which a threat actor is able to access a computer and/or network server and take advantage of weaknesses and vulnerabilities in assets (including human ones) in order to achieve specific outcomes.
The SPHINX toolkit bases its development and pilot testing on four main types of attack vectors that can result in various cybersecurity incidents:
Physical interaction with IT assets: Attackers that are physically present within the healthcare facilities and are able to directly interact with the existing equipment, devices and systems that they have access to, including networked medical devices or interconnected clinical information systems (smart pharmacy storing booth);
Wired communication with IT assets: Attackers that are physically present within the healthcare facilities and gain access to the healthcare service provider’s IT assets through the use of wired network communications (including access to the Internet), including cloud services, connected medical devices and online healthcare information systems (drug inventory, patient health database);
Wireless communication with IT assets: Attackers that may either be physically present within the healthcare facilities or remotely located and gain access to the healthcare service provider’s IT assets through the use of wireless technologies, including identification systems or mobile devices;
Interaction with users: Attackers that favour social engineering attacks (focusing on users with privileged access) to gain access to the healthcare service provider’s IT assets. These attacks may either involve directly fooling or convincing the users to relinquish such access (share login credentials or passwords, provide keys) or reflected attacks, such as Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF), by which the attacker sends a link via email or chat, leading the user to click on it and thus activate malicious code capable of hijacking the user’s access and intentionally harming the healthcare service provider’s critical assets.
The above pathways towards the abuse of healthcare infrastructures can result in harmful outcomes. In Healthcare, the systems’ availability, interoperability, access control and authentication, as well as the high privacy and confidentiality requirements of data, represent key security challenges. If adequate security is not delivered for these features, the overall healthcare service delivery to the general population can be disrupted.
SPHINX emphasises three major impacts from which the Healthcare Sector needs to be protected:
Loss of availability: the absence of access to (classified) healthcare information or to application services or to information exchange between point of care sites;
Data integrity violation: the absence of quality, accuracy and consistency of the data stored and exchanged for clinical and administrative purposes;
Data confidentiality violation: the unmonitored or illegal access to or misuse of sensitive healthcare information.
These service outages significantly affect healthcare service delivery, trust in the healthcare industry and the safety of patients, leading to unnecessary duplication of tests and investigations, increased healthcare service delivery costs and serious distress to society.
More information about attack vectors and the impact of cybersecurity incidents in Healthcare can be found in Deliverable 2.4, which is publicly available here.