
SPHINX Use Cases: Part IV

Continued from the blog entry SPHINX Use Cases: Part III

Through the following classification of use cases, SPHINX aims to better understand how threats, risks and vulnerabilities are manifested, as well as how prevention, recovery and mitigation actions can be improved.

Distributed Denial-of-Service Attack in Regional Hospital

Description: A regional hospital decides to deploy a publicly accessible web server that not only provides medical treatment guidelines to remote patients, but also enables the remote monitoring of patients using medical devices that connect to the hospital's IT systems through a virtual private network (VPN) server. An attacker intending to extort money from the hospital purchases botnet capacity on a dark-web marketplace and uses it to launch a distributed denial-of-service (DDoS) attack against the hospital's online portal and VPN server. The attack lasts for several days and, as a result, both the mHealth and the remote patient monitoring services are rendered non-operational during this period.

The incident is only acknowledged a few days later, as a result of several complaints raised by patients. The hospital is flooded with contact attempts from remote patients who use the telephone and email to reach their physicians and to reschedule telehealth appointments, disrupting the normal treatment process and the hospital's daily operations. What is more, because the VPN was unavailable, the data coming from the medical devices was not uploaded to the patients' records, which may have compromised the patients' health and wellbeing outcomes.

Attack Impact: Such an attack directly impacts the hospital's operations, causing a loss of availability of the online portal and of the mHealth and remote patient monitoring services. The attack affects the healthcare organisation (the regional hospital) and its patients, who are no longer able to receive specific mHealth services. The attack's expected recovery time is estimated at 5 working days, depending on the effort needed to re-establish the online portal and the mHealth and remote patient monitoring services. In the meantime, the hospital's staff is overwhelmed with the additional appointments needed to follow up external patients.

SPHINX Role and Added-value Benefits: The SPHINX System is relevant in the identification of vulnerable critical assets, including the online services (SPHINX vulnerability assessment and sandbox tools), in the early detection of attacks by identifying the compromised assets (SPHINX data traffic monitoring, honeypot, anomaly detection and intrusion detection tools), in the prompt alerting of relevant IT staff as soon as the attack is detected (via the SPHINX interactive dashboard tool), in the presentation of a detailed report on the cyber attack (SPHINX security information and event management, forensic analysis and analytical engine tools) and in the delivery of decision support instructions to the IT department staff on how to trigger and implement the adequate recovery and mitigation procedures, including blocking the attack (SPHINX decision support tool).
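The point of the use case above is that the hospital learned of the DDoS from patient complaints days later, when a volume baseline on the portal and VPN logs would have raised an alert within a minute. The following Python script is an added example written for this page; it is not SPHINX code and it does not use the SPHINX data traffic monitoring or anomaly detection tools. It assumes a simple hypothetical access-log line format (`<source_ip> [<ISO timestamp>] "<request>" <status>`) and builds a constructed sample log, ten quiet minutes of remote-patient traffic followed by one minute of flood from a rented botnet. It flags a minute only when both the request count and the number of distinct source addresses jump far above the learned baseline, which separates a distributed flood from a single misbehaving client.

```python
import re
from collections import defaultdict
from statistics import median

# Hypothetical access-log format assumed for this example (not a SPHINX or hospital format):
#   <source_ip> [<YYYY-MM-DDTHH:MM:SS>] "<request line>" <status>
LOG_RE = re.compile(
    r'^(?P<src>\S+) \[(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}):\d{2}\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3})$'
)


def make_sample_log():
    """Constructed sample log (not real traffic): 10 quiet minutes with 4 requests
    from 4 patient devices each, then one minute in which 300 botnet sources hit
    the VPN portal at once."""
    lines = []
    for minute in range(10):
        for i in range(4):
            lines.append(
                f'10.0.{minute}.{i} [2021-03-02T09:{minute:02d}:{i * 10:02d}] '
                f'"GET /guidelines HTTP/1.1" 200'
            )
    for i in range(300):
        lines.append(
            f'198.51.{i // 254}.{i % 254 + 1} [2021-03-02T09:10:{i % 60:02d}] '
            f'"GET /vpn HTTP/1.1" 503'
        )
    return lines


def bucket_by_minute(lines):
    """Group parsed log lines into per-minute buckets holding the request count
    and the set of distinct source addresses seen in that minute."""
    buckets = defaultdict(lambda: {"count": 0, "sources": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:          # skip malformed lines instead of crashing the monitor
            continue
        b = buckets[m.group("ts")]
        b["count"] += 1
        b["sources"].add(m.group("src"))
    return dict(sorted(buckets.items()))


def detect_ddos(lines, baseline_minutes=5, factor=10):
    """Learn a baseline from the first `baseline_minutes` quiet minutes and flag
    any later minute whose request count AND distinct-source count both exceed
    `factor` times the baseline median. Returns a list of alert dicts."""
    minutes = list(bucket_by_minute(lines).items())
    base = minutes[:baseline_minutes]
    base_count = median(b["count"] for _, b in base)
    base_sources = median(len(b["sources"]) for _, b in base)
    alerts = []
    for ts, b in minutes[baseline_minutes:]:
        n_sources = len(b["sources"])
        if b["count"] > factor * base_count and n_sources > factor * base_sources:
            alerts.append({"minute": ts, "requests": b["count"], "sources": n_sources})
    return alerts


if __name__ == "__main__":
    for alert in detect_ddos(make_sample_log()):
        print(f"ALERT {alert['minute']}: {alert['requests']} requests "
              f"from {alert['sources']} distinct sources")
```

In production the baseline would be learned per hour of day and per service rather than from the first five minutes of a file, and the alert would go to the on-call channel, not stdout; the structure of the check (volume and source spread measured against a baseline) is what matters.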

Compromising Health Services through Cryptocurrency Mining

Description: An IT employee of a medical laboratory has started to invest in cryptocurrency and is looking to generate revenue by mining it. The IT employee therefore decides to surreptitiously install mining software on the laboratory's high-performance computers, which the technicians use to perform exams and diagnoses.

Not being IT specialists, the laboratory team is disappointed by the slow response time of their state-of-the-art high-performance computers when processing the exams and preparing the reports, which causes a large delay in the completion of reports and the issuing of results. In turn, this affects the laboratory's clients, including local hospitals and clinics, but also the patients whose treatment plans are affected by the delays in receiving their exam results, with a significant impact on their health and quality of life.

Attack Impact: In this case, cryptocurrency mining impacts the medical laboratory's operations, causing a loss of timely availability of the laboratory's exam and diagnosis reports. The attack affects the healthcare organisation (the medical laboratory) and its clients, including other hospitals, clinics and patients, who no longer receive timely lab results and reports. The attack's expected recovery time is estimated at 1 to 2 working days, depending on the time needed to identify the compromised assets and to uninstall the cryptocurrency mining software.

SPHINX Role and Added-value Benefits: The SPHINX System is relevant in the early detection of attacks by identifying the compromised assets (SPHINX data traffic monitoring, anomaly detection and intrusion detection tools), in the prompt alerting of relevant IT staff as soon as the attack is detected (via the SPHINX interactive dashboard tool), in the presentation of a detailed report on the cyber attack (SPHINX security information and event management, forensic analysis and analytical engine tools) and in the delivery of decision support instructions to the IT department staff on how to trigger and implement the adequate recovery and mitigation procedures, including blocking the attack (SPHINX decision support tool).
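Identifying the compromised assets in the mining case is a traffic-monitoring problem: a miner has to talk to a pool, and pool protocols are recognisable. The following Python script is an added example for this page, not SPHINX code and not a description of how the SPHINX data traffic monitoring tool works. It inspects the first client bytes of outbound TCP connections (the constructed records below stand in for what a network sensor would hand over) and flags the newline-delimited JSON-RPC handshakes used by Stratum pools (`mining.subscribe`, `mining.authorize`) and by Monero miners such as XMRig (a `login` request carrying `login`, `pass` and `agent` parameters). The host names, addresses and payloads are all constructed; one record deliberately uses a typical pool port with ordinary HTTP to show why the check keys on protocol content rather than port number.

```python
import json

# JSON-RPC method names used by Stratum mining pools (Bitcoin-style miners) and the
# parameter keys of the "login" handshake sent by Monero miners such as XMRig.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "mining.notify", "mining.set_difficulty"}
MONERO_LOGIN_KEYS = {"login", "pass", "agent"}


def classify_payload(payload: bytes):
    """Return a short reason string if the first client bytes of a connection
    look like a miner talking to a pool, otherwise None. Stratum is newline-
    delimited JSON-RPC, so each line is parsed on its own."""
    for raw in payload.split(b"\n"):
        raw = raw.strip()
        if not raw:
            continue
        try:
            msg = json.loads(raw)
        except ValueError:        # not JSON (TLS, HTTP, binary): cannot be Stratum
            continue
        if not isinstance(msg, dict):
            continue
        method = msg.get("method")
        params = msg.get("params")
        if method in STRATUM_METHODS:
            return f"stratum:{method}"
        if method == "login" and isinstance(params, dict) \
                and MONERO_LOGIN_KEYS.issubset(params):
            return f"xmr-login:{params.get('agent', '?')}"
    return None


def make_sample_flows():
    """Constructed connection records (host, destination, first client bytes);
    none of this is real laboratory traffic."""
    return [
        # Normal: a TLS ClientHello to the lab information system
        ("lab-ws-01", "lis.example.org:443", b"\x16\x03\x01\x02\x00\x01\x00"),
        # Miner using a Bitcoin-style Stratum pool
        ("lab-ws-02", "203.0.113.7:3333",
         b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}\n'
         b'{"id":2,"method":"mining.authorize","params":["wallet.worker","x"]}\n'),
        # Miner using an XMRig-style login to a Monero pool
        ("lab-ws-03", "198.51.100.9:14444",
         b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
         b'{"login":"4AxxWALLETxx","pass":"x","agent":"XMRig/6.16.4"}}\n'),
        # Same pool port as above but plain HTTP: a port-based rule would
        # misfire here, a content-based one does not
        ("lab-ws-04", "203.0.113.7:3333", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    ]


def find_miners(flows):
    """Map each host with at least one mining handshake to the list of
    (destination, reason) pairs that gave it away."""
    hits = {}
    for host, dst, payload in flows:
        reason = classify_payload(payload)
        if reason:
            hits.setdefault(host, []).append((dst, reason))
    return hits


if __name__ == "__main__":
    for host, evidence in find_miners(make_sample_flows()).items():
        for dst, reason in evidence:
            print(f"{host}: mining traffic to {dst} ({reason})")
```

Miners that wrap Stratum in TLS defeat payload inspection, so in practice this check is paired with host-side signals (sustained CPU load on the diagnostic workstations, an unexpected service or scheduled task) and with the known-pool destination lists that threat-intelligence feeds publish.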

More information about the SPHINX use cases can be found in Deliverable 2.4, which is publicly available here.