SPHINX Use Cases: Part VII

Continued from the blog entry SPHINX Use Cases: Part VI.

Through the following classification of use cases, SPHINX aims to better understand how threats, risks and vulnerabilities are manifested, as well as how prevention, recovery and mitigation actions can be improved.

Exploiting Remote Patient Monitoring Services

Description: A patient undergoes a cardiac intervention (coronary angioplasty) and, six hours after the surgery, the patient is discharged from the hospital and admitted to the remote patient monitoring service. The patient uses a mobile App to read the vital signs data captured by the medical devices. Via the home WiFi router, the App connects to the Internet and uploads the vital signs data to the hospital’s remote patient monitoring platform. The medical cardiology team accompanying the patient then has the actionable intelligence to act in a timely manner if any vital signs fall outside threshold parameters. The patient monitoring platform implements secure user authentication mechanisms, but the patient’s vital signs data is sent unencrypted.

The patient’s home network is protected by a weak password that is easily cracked by an opportunistic hacker, who is able to access the Internet router and infect it with the VPNFilter malware. This malware has been instructed to monitor all web traffic, to capture any healthcare-related information and to modify its assigned data results. Hence, the patient’s vital signs data received at the hospital’s remote patient monitoring platform differ from those uploaded by the patient through the remote patient monitoring service.

As a result of this attack, the medical cardiology team following the patient receives an alert that the patient is in critical condition. The emergency service is notified to send an ambulance immediately for the patient, so that he may be re-admitted to the hospital and new exams performed in order to explain the patient’s status. Only when the new exams’ results fail to support the diagnosis inferred from the remote patient data received is a mismatch in the patient data rapidly detected and a warning issued to the hospital’s IT department. The hospital’s IT department performs a data integrity check, identifying that the data has been tampered with.
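The scenario above turns on readings being modifiable in transit without the platform noticing. The following is an added example, not part of the SPHINX project or the original post, showing a message-level integrity check; the per-device key, field names and sample reading are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed per-device key (assumption): provisioned at enrolment, never sent over the network.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def sign_reading(key, reading):
    """App side: attach an HMAC-SHA256 tag computed over a canonical JSON encoding."""
    body = json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def verify_reading(key, message, last_seq):
    """Platform side: reject modified or replayed readings before they raise a clinical alert."""
    body = message.get("body", "").encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message.get("tag", "")):
        return False, "integrity check failed"
    seq = json.loads(body).get("seq")
    if not isinstance(seq, int) or seq <= last_seq:
        return False, "stale or replayed sequence number"
    return True, "ok"


def demo():
    # Constructed sample reading; all values are illustrative.
    reading = {"patient": "P-0001", "seq": 42, "heart_rate_bpm": 72, "spo2_pct": 98}
    sent = sign_reading(DEVICE_KEY, reading)
    # Simulates a value altered between the App and the platform, tag left unchanged.
    altered_body = sent["body"].replace('"heart_rate_bpm":72', '"heart_rate_bpm":172')
    tampered = dict(sent, body=altered_body)
    return [
        verify_reading(DEVICE_KEY, sent, last_seq=41),      # untouched message
        verify_reading(DEVICE_KEY, tampered, last_seq=41),  # modified in transit
        verify_reading(DEVICE_KEY, sent, last_seq=42),      # same message delivered again
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

A tag of this kind protects integrity only; the readings remain visible to anyone on the path unless the upload is also encrypted in transit.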

Attack Impact: This exploitation case impacts the hospital’s quality of service, causing the loss of integrity of the patient data being transferred through the mHealth and remote patient monitoring service. The attack affects the healthcare organisation (the hospital), disrupting the delivery of the mHealth and remote patient monitoring service and forcing the activation of costly alternative healthcare services (unnecessary re-admission, additional exams, medical emergency transportation) to ensure adequate healthcare delivery. In addition, this attack not only undermines the healthcare organisation’s trust in the supplier of the remote patient monitoring platform but also weakens the patient’s trust in the services provided by the healthcare organisation, possibly impacting negatively on the patient’s recovery and health outcomes.

SPHINX role and added-value benefits: SPHINX System is relevant in the identification of unattended and vulnerable critical assets (SPHINX vulnerability assessment, security protocol analysis and real-time cyber risk assessment tools), in the early detection of the attack by performing continuous monitoring of the web traffic activity (SPHINX data traffic monitoring and intrusion detection tools), in the prompt alerting of relevant IT staff as soon as the attack is detected (via the SPHINX interactive dashboard tool), in the presentation of a detailed report on the cyber attack (SPHINX security information and event management, forensic analysis and analytical engine tools) and in the delivery of decision support instructions to the IT department staff on how to proceed to trigger and implement the adequate recovery and mitigation procedures (SPHINX decision support tool).

Zero Day Attack to eHealth Services

Description: A well-known chain of hospitals, clinics and medical centres announces the adoption of a new Laboratory Information System (LIS) to manage all patient lab analysis, exams and diagnostic reports, as part of the eHealth Services made available online by the Medical Group. They report that the LIS is a new software development adapted to the specific needs of the Medical Group, a significant investment that will allow the medical staff from the different medical units in the Group, as well as the patients, online access to the patient data.

Attack Impact: The Zero Day attack impacts the Medical Group’s operations, violating the integrity and confidentiality of the patients’ sensitive data. The attack affects several healthcare organisations (the Group’s hospitals, clinics and medical centres), as well as the patients whose personal data is stolen and whose treatment plan is affected, compromising their health and wellbeing outcomes. In addition, there is a significant negative impact on the LIS software vendor, which not only sees its reputation severely affected but also has to pay for the information on the exploited vulnerability in its new software. The attack’s expected recovery time is estimated to be 3 working days, in order to isolate the affected software from the Medical Group’s network and reconfigure the network to the old laboratory information system. Patients are scheduled for new exams and lab work, but the harm done to the Medical Group’s name and reputation is irreparable.

SPHINX role and added-value benefits: SPHINX System is relevant in the identification of vulnerable critical network entities and assets (SPHINX vulnerability assessment and security protocol analysis tools), in the early detection of the attack by identifying the compromised asset (SPHINX data traffic monitoring, anomaly detection and intrusion detection tools), in the prompt alerting of relevant IT staff as soon as the attack is detected (via the SPHINX interactive dashboard tool), in the presentation of a detailed report on the cyber attack (SPHINX security information and event management, forensic analysis and analytical engine tools) and in the delivery of decision support instructions to the IT department staff on how to proceed to trigger and implement the adequate recovery and mitigation procedures, including blocking the attack and restoring the hospital’s IT infrastructure (SPHINX decision support tool).

More information about the SPHINX use cases can be found in Deliverable 2.4 that is publicly available here.