SPHINX Use Cases: Part VIII

Continued from the blog entry SPHINX Use Cases: Part VII

Through the following classification of use cases, SPHINX aims to better understand how threats, risks and vulnerabilities are manifested, as well as how prevention, recovery and mitigation actions can be improved.

Theft of Hospital Equipment

Description: In a hospital’s psychiatric ward, a patient with strong IT knowledge is receiving treatment for a long period of time. During this time, the patient develops a good relationship with the ward’s nursing staff and, because the patient is deemed not threatening, there is leniency on the nursing staff’s part that allows the patient to have access to the ward’s nursing post and reception. Here, the patient has access to the nurses’ computers, tablets and mobile phones. One day, the patient is able to steal an old mobile phone belonging to the ward that still has stored login credentials allowing anyone using the device to connect to the hospital’s information systems, including the building management system.

The patient accesses patient treatment plans and changes the prescribed medication and dietary restrictions to all psychiatric patients in the ward. Further, the patient accesses the building management system (BMS) and alters the settings of the room temperature in the psychiatric ward. The hospital’s IT department identifies the stolen equipment that has accessed and changed patient data and room temperature controls. The device is located in the patient’s room and retrieved to be factory-reset. The hospital’s patient data that has been tampered with (medication and diets of psychiatric patients) is changed back to the last valid settings. Likewise, the IT staff restores the hospital’s BMS to the last valid configuration.

Attack impact: This case affects the hospital’s operations, affecting the ward’s controlled ambient conditions and meals and causing the violation of the integrity and confidentiality of the patients’ sensitive data. The attack affects the healthcare organisation (the hospital), as well as the patients whose personal data is breached and whose treatment plans (medication and diet) are affected, compromising health and wellbeing outcomes. The attack’s expected recovery time is estimated to be 1 working day, in order to identify the stolen asset and reset it before reconnecting it to the hospital’s network, as well as to restore the patient data and the BMS controls to the last valid settings.

SPHINX role and added-value benefits: SPHINX System is relevant in the identification of obsolete and vulnerable critical assets (SPHINX vulnerability assessment tool), in the cybersecurity certification of the medical equipment (SPHINX sandbox tool), in the early detection of the attack by identifying the stolen asset (SPHINX data traffic monitoring and anomaly detection tools), in the isolation of the compromised asset for further inspection (SPHINX sandbox tool), in the prompt alerting of relevant IT staff as soon as the attack is detected (via the SPHINX interactive dashboard tool), in the presentation of a detailed report on the cyber attack (SPHINX security information and event management, forensic analysis and analytical engine tools) and in the delivery of decision support instructions to the IT department staff on how to proceed to trigger and implement the adequate recovery and mitigation procedures, including blocking the attack and restoring the hospital’s IT infrastructure (SPHINX decision support tool).

Intercepting Cross-border Healthcare Data Exchange

Description: Aware of processes between healthcare and medical organisations that share healthcare data across borders, a cybercriminal sends fake emails impersonating several doctors in healthcare organisations to the clinic, aiming to acquire credentials to access the PACS web server data. The clinic fails to verify that the received emails are not digitally signed by a trusted healthcare organisation and does not follow the proper validation procedure, thus replying to the sender with a web link that grants access to the PACS. In addition, because the clinic does not use encrypted email (e.g., no TLS support), the cybercriminal is able to intercept emails, becoming knowledgeable of several web links to the PACS and intercepting the associated cross-border healthcare data exchanges. Once the cross-border exchanged medical data is intercepted and access to the PACS server is gained, the cybercriminal publishes online the details of the attack to harm the reputation of the healthcare organisations involved in the cross-border exchange and asks the Swedish clinic to pay for the return of the stolen medical data.

Attack impact: The interception of healthcare data directly impacts the clinic’s operations, causing a loss of availability of a specific healthcare service (the cross-border healthcare service) and the violation of the confidentiality of the patients’ data. The attack’s expected recovery time is estimated to be 3 working days for reinstating the affected patients’ imagery records. However, there is no estimate for re-establishing the cross-border healthcare data exchange service, since the affected organisation considers it a high-risk endeavour. Moreover, there is harm to the clinic’s reputation and the undermining of the patients’ trust in modern online healthcare services.

SPHINX role and added-value benefits: SPHINX System is relevant in the cybersecurity certification of the PACS server and the cross-border healthcare data exchange service (SPHINX 3rd party APIs and sandbox tools) before being deployed in operational environments (i.e., the clinic), in the identification of system vulnerabilities, namely concerning the non-secure online access to the PACS server (SPHINX vulnerability assessment and security protocol analysis tools), in the early detection of the attack by performing analyses of digitally non-signed emails (SPHINX data traffic monitoring and data anomaly tools), in the isolation of the compromised computer, preventing the spreading of the virus throughout the network (SPHINX sandbox tool), in the prompt alerting of relevant IT staff as soon as the attack is detected (via the SPHINX interactive dashboard tool), in the presentation of a detailed report on the cyber attack (SPHINX security information and event management, forensic analysis and analytical engine tools) and in the delivery of decision support instructions to the IT department staff on how to proceed to trigger and implement the adequate recovery and mitigation procedures (SPHINX decision support tools).
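The early-detection step described above, analysing inbound mail for missing digital signatures and for delivery over plain (non-TLS) SMTP, can be illustrated with a small triage check. This is an added example, not SPHINX project code; the two messages are constructed, the host names are placeholders, and only the presence of a signature is checked (cryptographic verification of S/MIME or DKIM is a separate step).

```python
"""Triage inbound e-mail for the two weaknesses in the cross-border use case:
no digital signature from the sending organisation, and a last SMTP hop
that did not use TLS. Added example with constructed messages."""
import re
from email import message_from_string
from email.message import Message

# RFC 3848 records a STARTTLS-protected hop as "with ESMTPS" (or ESMTPSA
# when the client also authenticated); plain "with ESMTP" means cleartext.
TLS_HOP = re.compile(r"\bwith E?SMTPSA?\b")

def is_digitally_signed(msg: Message) -> bool:
    """S/MIME and PGP/MIME signed mail is multipart/signed; a DKIM-Signature
    header is a weaker, domain-level signature. Presence only, not validity."""
    if msg.get_content_type() == "multipart/signed":
        return True
    return msg.get("DKIM-Signature") is not None

def last_hop_used_tls(msg: Message) -> bool:
    """The topmost Received header is the hop into our own mail server."""
    received = msg.get_all("Received") or []
    return bool(received) and TLS_HOP.search(received[0]) is not None

def triage(raw: str) -> list[str]:
    """Return the findings a SOC analyst would want raised for this message."""
    msg = message_from_string(raw)
    findings = []
    if not is_digitally_signed(msg):
        findings.append("unsigned")
    if not last_hop_used_tls(msg):
        findings.append("plaintext-smtp")
    return findings

# Constructed: S/MIME-signed request delivered over STARTTLS (hospital -> clinic).
SIGNED_TLS = (
    "Received: from mail.hospital.example ([192.0.2.10]) by mx.clinic.example with ESMTPS id a1\n"
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"\n'
    "From: dr.a@hospital.example\nSubject: PACS access request\n\n"
    "--b1\nContent-Type: text/plain\n\nPlease share the link.\n"
    "--b1\nContent-Type: application/pkcs7-signature\n\nPLACEHOLDER-SIGNATURE\n--b1--\n"
)
# Constructed: impersonation attempt, unsigned and delivered in cleartext.
UNSIGNED_PLAIN = (
    "Received: from unknown ([198.51.100.7]) by mx.clinic.example with ESMTP id b2\n"
    "From: dr.a@hospital.example\nSubject: URGENT PACS link needed\n"
    "Content-Type: text/plain\n\nPlease send me the PACS web link today.\n"
)

if __name__ == "__main__":
    for name, raw in (("signed", SIGNED_TLS), ("unsigned", UNSIGNED_PLAIN)):
        print(name, triage(raw))
```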

More information about the SPHINX use cases can be found in Deliverable 2.4 that is publicly available here.