SPHINX Use Cases Part I

The SPHINX project adopts five application scenarios embracing today’s growing digitisation of healthcare information and service delivery and its associated security challenges. The scenarios are the growing digitisation of healthcare, eHealth services, remote patient monitoring, the exchange of healthcare information and cross-border healthcare delivery.

In the specific context of SPHINX Platform development and pilot testing, these application scenarios feature 17 use cases that describe a set of cyber incidents. Through the classification of the use cases, the project aims to better understand how threats, risks and vulnerabilities are manifested, as well as how prevention, recovery and mitigation actions can be improved. The defined use cases also make the added value of SPHINX in relevant situations easier to understand, clarifying the benefits and positive impact brought by SPHINX.

The first use cases are presented below:

Attacking Obsolete Operating Systems in Hospital

Description: Within the accounting department of a hospital facility, all computers have Internet access, including the VM that hosts the legacy OS. An employee uses this VM on a daily basis to perform his work. Occasionally, he also uses the VM to browse the Internet and accidentally downloads and executes an application infected with malware, thus activating it.

Using propagation techniques that exploit vulnerabilities in network protocols, the malware spreads into the hospital’s network, affecting several connected desktop computers and servers. Responding to the attack, the hospital’s IT department shuts down the whole IT infrastructure and proceeds with a clean installation of computers, resorting to backup systems to partially recover hospital records.

Attack Impact: The hospital’s IT infrastructure is directly impacted, causing a loss of availability of the existing information systems and services. The attack affects the healthcare organisation (the hospital), as operations need to revert to paper-based processes that are highly time-consuming, thus causing significant delays in care delivery. The attack’s expected recovery time is estimated to be 2 or 3 working days, depending on the number of affected assets and on the effort required to re-install the IT infrastructure.

SPHINX Role and Added-value Benefits: The SPHINX System is relevant in the identification of obsolete and vulnerable critical assets (SPHINX vulnerability assessment tool), in the early detection of the attack by identifying the compromised ports (SPHINX anomaly detection tool), in the isolation of the compromised assets, preventing the malware from spreading throughout the network (SPHINX sandbox tool), in the prompt alerting of relevant IT staff as soon as the attack is detected (via the SPHINX interactive dashboard tool), in the presentation of a detailed report on the cyber-attack (SPHINX security information and event management, forensic analysis and analytical engine tools) and in the delivery of decision support instructions to the IT department staff on how to trigger and implement the adequate recovery and mitigation procedures, including blocking the attack and restoring the hospital’s IT infrastructure (SPHINX decision support tool).

Hijacking Access to National Healthcare Databases

Description: A primary care service provider (PCSP) located in a remote region accesses the well-controlled and protected national healthcare databases, owned by the National Healthcare Authority, to perform their care service delivery. As the PCSP is remotely located, access to the national healthcare databases is allowed via the Internet. To do so, the PCSP uses wireless ADSL modem/router equipment with known vulnerabilities. A hacktivist gains access to the PCSP network and identifies the ADSL equipment. The hacktivist initiates a brute force attack to crack the equipment’s password and discovers that all critical modem/router parameters (username, password, SSID, wireless key) have remained unchanged from their factory default values.

Consequently, the hacktivist takes control of the ADSL modem/router equipment, breaking the PCSP’s connection to the national healthcare databases. The medical staff is no longer able to access patient medical histories or to prescribe medication. Responding to the attack, the PCSP’s IT department physically accesses the compromised ADSL modem/router equipment, performs a factory reset and reconfigures it to use new network credentials.

Attack Impact: The remote care provider’s access to the national healthcare databases is directly impacted, causing a loss of availability of the associated service and information. The attack affects the healthcare organisation (the PCSP), as care delivery is hampered by the inability to access relevant information. The attack’s expected recovery time is estimated to be 1 working day, depending on the time required to identify the compromised equipment and to restore complete care service delivery.

SPHINX Role and Added-value Benefits: The SPHINX System is relevant in the early detection and identification of the compromised equipment (SPHINX vulnerability assessment, anomaly detection and intrusion detection tools), in the isolation of the compromised device (SPHINX sandbox tool), in the prompt alerting of relevant IT staff as soon as the attack is detected (via the SPHINX interactive dashboard tool), in the presentation of a detailed report on the cyber-attack (SPHINX security information and event management, forensic analysis and analytical engine tools) and in the delivery of decision support instructions to the IT department staff on how to trigger and implement the adequate recovery and mitigation procedures, including blocking the attack and restoring the PCSP’s access to the national healthcare databases (SPHINX decision support tool).

More information about the SPHINX use cases can be found in Deliverable 2.4 that is publicly available here.