sphinx-project.eu / Blog  / SPHINX Use Cases: Part V

SPHINX Use Cases: Part V

Continued from the blog entry SPHINX Use Cases: Part IV

Through the following classification of use cases, SPHINX aims to better understand how threats, risks and vulnerabilities are manifested, as well as how prevention, recovery and mitigation actions can be improved.

Compromised BYOD Enables Stealing of Patient Data

Description: To expedite healthcare service delivery, a clinic adopted mHealth services and provides its medical and nursing staff with mobile devices (tablets) to facilitate the execution of specific care activities. Bypassing the clinic’s security policy, a doctor uses the hotspot function of his personal smartphone (the BYOD device) to connect his clinic-issued tablet to the Internet. While browsing, he clicks on an advertisement, unaware that it runs malicious code that installs malware on the tablet.

The malware is designed to store keylogging data, screen touch locations and screenshots in the tablet’s local file space and then to transmit the stored data to the attacker’s online server each time the doctor reconnects the tablet to the Internet through the smartphone. Because that transmission travels over the smartphone hotspot, it never crosses the clinic’s own network perimeter, which is where the clinic’s monitoring normally sits. In the process, the attacker can collect sensitive information related to the clinic, including patients’ records and the doctor’s credentials.

Attack Impact: In such a scenario, the attack impacts the clinic’s operations, causing a violation of the confidentiality of the patients’ sensitive data. The attack affects the healthcare organisation (the clinic), as well as the clinic’s patients, whose personal data is exposed. The attack’s expected recovery time is estimated to be 1 working day, in order to identify the affected assets, remove the malware from the tablet and issue new access credentials for the doctor. Still, if the attacker sells the patient data online, several months may be required for the clinic to rebuild its reputation and recover from the financial losses due to compensation claims by affected patients.

SPHINX Role and Added-Value Benefits: The SPHINX System is relevant in the identification of outdated and vulnerable critical assets (SPHINX vulnerability assessment tool), in the early detection of the attack by performing continuous monitoring of the network’s activity (SPHINX data traffic monitoring, anomaly detection and intrusion detection tools), in the prompt alerting of relevant IT staff as soon as the attack is detected (via the SPHINX interactive dashboard tool), in the presentation of a detailed report on the cyber-attack (SPHINX security information and event management, forensic analysis and analytical engine tools) and in the delivery of decision support instructions to the IT department staff on how to proceed to trigger and implement the adequate recovery and mitigation procedures, including blocking the attack and restoring the clinic’s databases (SPHINX decision support tool).
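One practical point this use case raises is that the exfiltration happens over the doctor’s hotspot, so clinic-side traffic monitoring never sees it; the telemetry has to come from the tablet itself. The script below is an added example, not SPHINX code and not taken from the project’s deliverables. It assumes a device-side agent that reports network joins and per-connection outbound byte counts, an allowlist of clinic SSIDs (the names CLINIC-STAFF and CLINIC-CLINICAL are invented), and it runs over a few constructed log lines. It flags a managed tablet that joins an unapproved network and then, shortly after the join, sends a large volume to a destination it has never contacted while on the clinic network, which is the pattern the malware described above produces on every reconnect.

```python
"""Added example (not SPHINX code): detect a managed tablet that joins an
unapproved network and then bursts outbound data to a previously unseen
destination shortly after the join.

Assumptions (not from the original post): a device-side agent reports
'join' and 'flow' events; clinic SSIDs are known; all log lines are
constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

APPROVED_NETWORKS = {"CLINIC-STAFF", "CLINIC-CLINICAL"}  # assumed clinic SSIDs
BURST_WINDOW = timedelta(minutes=5)   # exfil is expected right after reconnect
BURST_BYTES = 5_000_000               # 5 MB outbound from a tablet in that window

# Constructed telemetry, one event per line: time|device|event|field
#   join: field = network name
#   flow: field = destination,bytes_out
SAMPLE_LOG = """\
2021-03-02T08:00:00|tablet-17|join|CLINIC-STAFF
2021-03-02T08:01:00|tablet-17|flow|ehr.clinic.example,40000
2021-03-02T08:30:00|tablet-17|flow|ehr.clinic.example,120000
2021-03-02T12:00:00|tablet-17|join|DrSmith-iPhone
2021-03-02T12:01:30|tablet-17|flow|203.0.113.45,9400000
2021-03-02T12:02:00|tablet-17|flow|ads.example.net,150000
2021-03-02T13:00:00|tablet-22|join|CLINIC-STAFF
2021-03-02T13:05:00|tablet-22|flow|ehr.clinic.example,60000
"""


def parse(log):
    """Turn the pipe-separated lines into (time, device, kind, field, bytes) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, device, kind, field = line.split("|")
        t = datetime.fromisoformat(ts)
        if kind == "join":
            events.append((t, device, "join", field, 0))
        else:
            dst, nbytes = field.rsplit(",", 1)
            events.append((t, device, "flow", dst, int(nbytes)))
    return events


def analyse(log):
    """Return a list of findings: (kind, device, time, detail)."""
    events = parse(log)
    current_net = {}              # device -> network it is currently on
    last_join = {}                # device -> time of its most recent join
    known_dst = defaultdict(set)  # device -> destinations seen on approved networks
    findings = []
    for t, device, kind, field, nbytes in events:
        if kind == "join":
            current_net[device] = field
            last_join[device] = t
            if field not in APPROVED_NETWORKS:
                findings.append(("POLICY_BYPASS", device, t, field))
            continue
        if current_net.get(device) in APPROVED_NETWORKS:
            # Learn the tablet's normal destinations while it is on clinic Wi-Fi.
            known_dst[device].add(field)
            continue
        # Flow on an unapproved (or unknown) network: look for the reconnect burst.
        recent = device in last_join and t - last_join[device] <= BURST_WINDOW
        if recent and nbytes >= BURST_BYTES and field not in known_dst[device]:
            findings.append(("EXFIL_BURST", device, t, f"{field} {nbytes}B"))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

On the constructed input, tablet-17 is reported once for the policy bypass (the join to the hotspot) and once for the 9.4 MB burst to 203.0.113.45 ninety seconds later; the small advertising flow and tablet-22’s normal activity produce nothing. The thresholds are deliberately crude: in practice the byte threshold should be derived from each device’s baseline, and the policy-bypass finding alone is worth acting on even without a burst.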

Taking Control of Connected Medical Devices

Description: A high-profile public figure is receiving treatment at a hospital, and a rogue government hires a cybercriminal to explore the hospital’s vulnerabilities, collect sensitive data about the high-profile patient and, if possible, disrupt the associated treatment plan. Analysing the technical specifications of a vulnerable blood chemistry analyser, freely available on the manufacturer’s website, the cybercriminal identifies known vulnerabilities in its network and interface protocols, which are used to access patient records and to remotely update the device’s configuration (e.g., change the dosage level of a substance).

The cybercriminal poses as a maintenance technician from the blood chemistry analyser’s manufacturer and uses social engineering techniques to persuade the hospital staff to grant remote access to the blood chemistry analyser. In possession of this access, the cybercriminal is able to reach the blood analyser’s interface protocols and, through them, enter the patients’ databases, retrieving sensitive medical data, including that pertaining to the high-profile public figure. Specifically, the analysis confirms the presence of illicit drugs in the public figure’s bloodwork, information that, if made public, could ruin the public figure’s career. Furthermore, as instructed, the cybercriminal alters the report on the blood test results, causing a disruptive change in the public figure’s treatment plan.

Because a single patient has been targeted, this attack is likely to go undetected by IT security resources. Days or weeks may pass before the equipment-induced error is identified and corrected. And even when it is noticed, it can easily be attributed to a fault in the medical device rather than to malicious external action. Importantly, recovery from this attack requires collaboration between the hospital and the device manufacturer.

Attack Impact: This attack impacts the hospital’s operations, causing a violation of the integrity and confidentiality of the patient’s sensitive data. The attack affects the healthcare organisation (the hospital), as well as the patient whose personal data is stolen and whose treatment plan is affected, compromising health and wellbeing outcomes. Once the attack has been identified, the expected recovery time is estimated to be 1 working day, in order to identify the affected asset and reconfigure the device before reconnecting it to the hospital’s network. Still, the harm done to the high-profile public figure is irreparable.

SPHINX Role and Added-Value Benefits: The SPHINX System is relevant in the cybersecurity certification of medical devices and equipment (SPHINX 3rd party APIs and sandbox tools) before they are deployed in operational environments (i.e., the hospital), in the identification of vulnerable critical assets (SPHINX vulnerability assessment tool), in the early detection of the attack by performing continuous monitoring of the network’s activity (SPHINX anomaly detection and intrusion detection tools), in the prompt alerting of relevant IT staff as soon as the attack is detected (via the SPHINX interactive dashboard tool), in the presentation of a detailed report on the cyber-attack (SPHINX security information and event management, forensic analysis and analytical engine tools) and in the delivery of decision support instructions to the IT department staff on how to proceed to trigger and implement the adequate recovery and mitigation procedures, including blocking the attack and restoring the hospital’s databases (SPHINX decision support tool).
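What makes this attack hard to spot is that every action is taken through an account and a connection the hospital itself authorised: a vendor remote session and the analyser’s own interface to the records system. The detection handle is least privilege: an analyser only needs the records of patients who have an order pending on it, and it should never rewrite a result that has already been released. The script below is an added example, not SPHINX code and not drawn from the project’s deliverables. It assumes the records system logs reads and result writes attributed to the analyser’s service account, that the laboratory system can say which orders are pending on the device, and that vendor remote sessions are logged with start and end; the device name BCA-01, patient identifiers, order numbers and timestamps are all constructed. It flags reads of patients without an order on the analyser and any rewrite of a released result, and notes whether each event fell inside a vendor remote session, which is exactly the window the social-engineered access opened.

```python
"""Added example (not SPHINX code): least-privilege checks on a connected
analyser's access to the records system, run over constructed audit lines.

Assumptions (not from the original post): reads and result writes are
logged per device service account; pending orders per analyser are known;
vendor remote sessions have start/end events. All identifiers are made up.
"""
from datetime import datetime

# Orders pending on analyser BCA-01 (constructed): patient id -> order id
PENDING_ORDERS = {"P-1001": "ORD-55", "P-1002": "ORD-56"}

# Constructed audit lines: time|actor|action|detail
#   read:          detail = patient id
#   result:        detail = patient,order,status   (status: final | corrected)
#   session_start/session_end: detail = device the vendor is connected to
SAMPLE_AUDIT = """\
2021-03-03T09:00:00|BCA-01|read|P-1001
2021-03-03T09:02:00|BCA-01|result|P-1001,ORD-55,final
2021-03-03T09:10:00|BCA-01|read|P-1002
2021-03-03T14:00:00|vendor-remote|session_start|BCA-01
2021-03-03T14:03:00|BCA-01|read|P-0007
2021-03-03T14:04:00|BCA-01|read|P-0042
2021-03-03T14:06:00|BCA-01|result|P-1001,ORD-55,final
2021-03-03T14:10:00|vendor-remote|session_end|BCA-01
"""


def audit(lines, pending):
    """Return findings as (kind, time, subject, context) tuples."""
    released = set()      # (patient, order) pairs already reported as final/corrected
    remote_open = False   # is a vendor remote session to the analyser active?
    findings = []
    for line in lines.strip().splitlines():
        ts, actor, action, detail = line.split("|")
        t = datetime.fromisoformat(ts)
        if action == "session_start":
            remote_open = True
            continue
        if action == "session_end":
            remote_open = False
            continue
        ctx = "during vendor remote session" if remote_open else "no remote session"
        if action == "read":
            # The analyser has no business reading a patient it has no order for.
            if detail not in pending:
                findings.append(("READ_WITHOUT_ORDER", t, detail, ctx))
        elif action == "result":
            patient, order, status = detail.split(",")
            key = (patient, order)
            if key in released:
                # A legitimate correction goes through the 'corrected' status and
                # still deserves review; a second 'final' is an overwrite.
                kind = ("RESULT_CORRECTED" if status == "corrected"
                        else "RESULT_REWRITTEN_AFTER_RELEASE")
                findings.append((kind, t, f"{patient}/{order}", ctx))
            if status in ("final", "corrected"):
                released.add(key)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_AUDIT, PENDING_ORDERS):
        print(*finding)
```

On the constructed log the morning activity is clean: a read and a final result for P-1001, and a read for P-1002, both with orders. Inside the afternoon vendor session the analyser reads two patients it has no order for and then overwrites the already-released ORD-55 result, and all three findings carry the remote-session context. Two caveats for anyone adapting this: a correction issued through the proper workflow should arrive with a corrected status, not as a second final result, and the check only works if the device account is distinct from staff accounts so that its reads can be attributed to it.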

More information about the SPHINX use cases can be found in Deliverable 2.4, which is publicly available here.