Cyberattacks on hospitals - real?

They have dominated the headlines in recent weeks: Attacks with malware actually forced hospitals in Germany to partially shut down operations in some departments. So far, so bad. But what really happened?
Raimund Genes, Trend Micro
March 31, 2016
Security
This text has been automatically translated from German to English.

On the one hand, it became known that a hospital in the USA paid a ransom to cybercriminals to decrypt encrypted systems. On the other hand, reports went through the press that German hospitals had also become victims of cyber attacks and had to shut down their operations.

On top of that, a new encryption Trojan called "Locky" has been running rampant for some time now, infecting systems very successfully. Mix it all together and you get lurid headlines à la "Cyber criminals attack German hospitals".

And in the public perception, hospitals have been the victims of targeted attacks - against which, as is well known, one cannot defend oneself. To speak of "attacks" here is at the very least "negligently inaccurate".

Those affected have simply become victims of "normal" encryption Trojans, as they have been around in great quantities for years. They were neither specifically infiltrated into these hospitals nor developed for this purpose. The hospitals were merely unlucky enough to have one of these Trojans running on their internal systems.

And unlike private individuals, it was not private pictures or the like that were encrypted, but much more sensitive data. But: These were neither targeted attacks nor something fundamentally new!

To put it bluntly, probability is showing its evil face: After primarily private users had to suffer in the past, hospitals have now been hit.

Strictly speaking, it is surprising that much more has not happened before. I also read about "attacks like those seen before on other industries" and about "unknown cyberweapons".

There is a discrepancy between truth and perception here: encryption Trojans have been plaguing IT for a long time, which is a good indicator that this business model works for the criminals, and unfortunately will continue to do so for a long time.

Of course, there is no one hundred percent protection against these Trojans. Of course, you can reduce the probability with security solutions at the gateway, in the network and at the endpoint.

However, you have to be aware that you still have to expect an infection! Even the use of breach detection systems including sandboxing can only influence the probability and provide evaluable forensic data (in retrospect).

But it's only a question of "when," not "if" something will get through. A cybercriminal can create thousands of variants with little effort and optimize them until current security solutions just can't find them.

So, on the premise that an infection may occur, you need to plan appropriate security measures. This includes simple best practices such as network segmentation and security functions as well as a mundane "backup and restore".

This means that even if something does get through, perhaps only a few computers in the affected segment are hit, and they can be "cleaned up" again via a restore. For anyone operating commercial IT environments, all of this reflects many years of recommendations and operational experience.

It is all the more astonishing that not only individual areas (e.g., administration) were affected here, but that entire buildings were "offline", sometimes for days. To be explicit: In my opinion, these were not "attacks".

Talking about an attack here directs the focus on the alleged attacker and away from the question of operational issues - perhaps not entirely unintentionally...

The effect for the general public, however, is unfortunately a kind of panic sentiment that is not appropriate in this form. It was simply a normal Trojan, as it is circulated thousands of times every day.

Worse still, when other critical infrastructures actually fall victim to real targeted attacks, the whole thing will be dismissed as further scaremongering with the response "it wasn't so bad last time, either". And we really can't afford that.

Raimund Genes, Trend Micro

Raimund Genes was CTO at Trend Micro.
