Cyber-Attacks and Threats For Healthcare - A Multi-Layer Thread Analysis

At a glance
The key takeaways are that healthcare is increasingly digitalizing but also facing growing cybersecurity threats, and the paper discusses current threats, attack models, and methodologies to analyze and manage risks.

Some of the current threats facing healthcare organizations discussed in the paper include lack of information security measures and awareness, use of legacy systems, and inability to effectively reduce risks, vulnerabilities and attacks leaving them exposed to cyberattacks.

Healthcare is increasingly evolving towards digitalization with electronic health records being widely adopted, growth of teleconsultation and tele-expertise, and rising use of connected health devices, however security has not kept pace.

Cyber-attacks and threats for healthcare – a multi-layer thread analysis

Emmanouil G. Spanakis, Silvia Bonomi, Stelios Sfakianakis, Giuseppe Santucci, Simone Lenti,
Mara Sorella, Florin D. Tanasache, Alessia Palleschi, Claudio Ciccotelli, Vangelis Sakkalis and
Sabina Magalini

* This work has been supported by the PANACEA project that has received funding from the European Union’s Horizon 2020 research and innovation programme under the Grant Agreement no 826293.
Emmanouil G. Spanakis, Stelios Sfakianakis and Vangelis Sakkalis are with the Computational Biomedicine Laboratory, Institute of Computer Science, Foundation for Research and Technology – Hellas, Heraklion, Crete, Greece (e-mail: {spanakis, sakkalis}@ics.forth.gr). (Corresponding author: Emmanouil G. Spanakis, phone: +30-2810-391446).
Silvia Bonomi, Giuseppe Santucci, Simone Lenti, Mara Sorella, Florin D. Tanasache, Alessia Palleschi and Claudio Ciccotelli are with the Università degli Studi di Roma "La Sapienza", 25, 00185, Roma (Italy) (email: {bonomi, santucci, lenti, sorella, tanasache, palleschi, ciccotelli}@diag.uniroma1.it).
Sabina Magalini is with the Fondazione Policlinico Universitario Agostino Gemelli, 00168 Roma, Italy (email: [email protected]).
978-1-7281-1990-8/20/$31.00 ©2020 IEEE
Authorized licensed use limited to: UNIVERSIDADE DO VALE DO RIO DOS SINOS. Downloaded on September 07,2021 at 23:06:52 UTC from IEEE Xplore. Restrictions apply.

Abstract — Due to the advent of novel technologies and digital opportunities allowing to simplify user lives, healthcare is increasingly evolving towards digitalization. This represents a great opportunity on one side but it also exposes healthcare organizations to multiple threats (both digital and not) that may lead an attacker to compromise the security of medical processes and potentially patients’ safety. Today technical cybersecurity countermeasures are used to protect the confidentiality, integrity and availability of data and information systems – especially in the healthcare domain. This paper will report on the current state of the art about cyber security in the Healthcare domain with particular emphasis on current threats and methodologies to analyze and manage them. In addition, it will introduce a multi-layer attack model providing a new perspective for attack and threat identification and analysis.

I. INTRODUCTION
Healthcare is increasingly evolving towards digitalization: electronic health records have been developed (and widely adopted), teleconsultation and tele-expertise are thriving, and use of connected health devices is on the rise. Nevertheless, many health organizations appear to lack information security measures and awareness, continue to use legacy information systems, or for reasons intrinsic to the application area, such as the large number of internal actors, processes, and interconnected systems, are incapable of reducing risks, vulnerabilities and attacks. It is therefore evident that threats and potential damages to healthcare critical infrastructures due to cyberattacks require a fortification of the security features in the industry. The Health IT domain has the “lion’s share” in terms of the security related incidents and the impact caused, and therefore cybersecurity solutions need to be in place for the benefit of the patients, as well as the health business entities and other stakeholders.

This work aims to demonstrate that security stems from the awareness of cyber vulnerabilities, enabling healthcare facilities to assess the nature and severity of a threat, and sustainably decide to adopt strategies to strengthen preparedness and incident response. We aim to present specific cyber risks in the context of the delivery of health and the identification of the domain-specific requirements, focusing on emerging technological areas like IoMT (Internet of Medical Things) [1]. We demonstrate processes related to the design and implementation of a dynamic risk management framework focusing on threat and attack models, risk identification and mitigation methodologies, etc. We define a multi-layer attack graph reference model involving context-independent attributes and a context-dependent system reference model able to collate multiple risk factors into a holistic view.

II. CYBER SECURITY IN HEALTHCARE
The healthcare sector has been capitalizing on digital advancements to improve overall patient experiences and outcomes - beginning with the adoption of electronic health records (EHRs) and continuing with the increased use of medical applications, online patient portals, connected medical devices, and wearables [2]. While personal information generically refers to any data that could potentially identify a specific individual, in the specific context of healthcare protected health information refers to demographic information, medical histories, test and laboratory results, mental health conditions, insurance information, and other data that a healthcare professional collects to identify an individual and determine appropriate care [20], [31]. Today it is a fact that as technology use in healthcare grows, so does the risk of cyberattacks.

The HIPAA Security Rule [3] defined a security incident as an attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Analogously it defines a breach as an impermissible acquisition, access, use, or disclosure [4] under the HIPAA Privacy Rule [5] that compromises the security or privacy. It is thus evident that the healthcare industry is today heavily affected by cybercrime and that the cost for healthcare data breaches rises each year [7]. The relatively bad security performance of the healthcare industry has given rise to a number of healthcare data breaches at an increasing rate over the last couple of years [6]. It is remarkable that 2019 has
outpaced the previous years by a large margin in this specific category in US [6].

Poor security can impact upon patient care due to the potential compromise of health or eHealth equipment, including Internet of Medical Things (IoMT). It is thus critical to develop a strong security culture for citizens and the public and private healthcare sector, by utilizing the relevant capabilities of the academic community and of other public and private sector stakeholders.

In an attempt to identify the weakest spots for attacks and areas of vulnerability, two studies from ENISA [8] and HIMSS [9] showed that HCOs face specific threats and security risks due to the use of services and devices [12], user behaviour, unsecure networks, bring your own device (BYOD) policies, lack of internal identification and security systems, stolen devices with un-encrypted files and others.

A. Threats and cyber-attacks in healthcare
ISO/IEC 27000:2018 [10] defines information security as the preservation of confidentiality, integrity and availability, but in a complex organization such as a hospital, or even the health ecosystem as a whole, more aspects of security need to be considered. Rainer et al [11] classified threats as physical, such as fire or power interruption, unauthorized physical or electronic access, and authorized physical or electronic access. In fact, the case study of [13] reports that the most critical threat for a Hospital Information System is the power failure, followed by human error (e.g. erroneous deletion or modification of patient data by the staff). The prominence of the power failure threat has been supported by other publications as well, e.g. [14], and should surely be considered since it affects some key assets, such as the safety of the patients and medical staff, the security of the software and critical clinical applications, and the operation of the organization in general.

Figure 1: A Patient Attack Model [167]

Leaving behind physical security, [15] provided a classification of threats as follows: unauthorized disclosure, loss or destruction, and undesired use or modification. Specializing even further, [16] categorized network security threats as follows: Interruption, Interception, Modification, and Fabrication. Finally, van Deursen [17] argues that cyber-security is a multidisciplinary problem and many threats originate from social engineering, changes in society, or unexpected use of the technology, and proposes the sharing and analysis of non-technical security knowledge (i.e. from social subsystems and the environment) to complement technical risk intelligence tools. The identification of risks is the first step in every successful risk management process. A comprehensive list of cyber-attacks and risk scenarios in the healthcare ecosystem is presented in [18], shown graphically as the patient-centered attack model in Figure 1, and explained in [17]. The authors define three attack surfaces that are shown in concentric circles around the patient.

The primary attack surfaces are those vulnerabilities within a healthcare facility that, if exploited, could directly affect the patient (i.e. active medical). The secondary attack surface does not directly harm the patient but can be (mis)used to support primary attacks. Finally, the tertiary attack surface includes financial and administration systems, inventory systems, power infrastructure, etc. that can have a big impact on the hospital / organization as a whole. Also, recent advances in biotechnology provide new attack surfaces. For example, authors in [19] were able to synthesize DNA strands that, after sequencing and post-processing, generated a file; when used as input into a vulnerable program, this file yielded an open socket for remote control. The term “cyberbiosecurity” is introduced by [20] to cover a range of novel cyber-attack scenarios in life and medical sciences, at the interface of cybersecurity, cyber-physical security and biosecurity.

B. Internet of Things: security aspects
The Internet of Medical Things is a critical piece of the healthcare digital transformation that aims to act as a building block in the development of cyber-physical smart pervasive frameworks for healthcare services. Cyber security flaws in medical devices could be detrimental for the patients. The reasons to target IoMT devices could be summarized as limited versions of general-purpose OS, operation within not security-safe spaces, design vulnerability issues propagated to all devices from a single manufacturer, etc. [22].

III. VULNERABILITY AND THREAT MODELLING FOR HEALTHCARE
To prevent and mitigate attacks on a system, it is important to understand how different threats could damage a network system [23]. Therefore, before developing a secure network, it is important to analyze the risk a network could be exposed to, including the level of damage an attack could cause to a system. The possible threats must be identified, and it must be determined which aspect of security would be violated by a certain attack, prior to establishing a network.

A. Threat modelling
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard [24]. Numerous threat modelling methodologies and threat classification models are available for implementation; among those, it is worth mentioning the following ones: STIX, OCTAVE, STRIDE, PASTA, Trike, and VAST [25].

Across risk assessment methods and threat models, threats are often oversimplified to a generalized qualitative value range (e.g., very low to very high) assigned to specific threat categories based on subjective analysis of a threat analyst having limited access to real contexts or specific information or data. In some cases, threats may be characterized in slightly more complex ways based on, for example, capability or motivation of the threat agent and frequency of occurrence. Here, the capability or motivation of the threat agent remains a subjective analysis of a threat analyst, while frequency of occurrence is dependent on statistical evidence of past events that simply does not exist.

Meanwhile, objective methods for threat modelling have been dependent on analysis of specific aspects of the system (e.g., presence of specific vulnerabilities) matched to specific aspects of the threat (e.g., availability of an exploit for that vulnerability) but still evaluated using a subjective rating of probability or likelihood of attack. These approaches are further limited because they do not address unknowns about the system (e.g., zero-day vulnerabilities) or unknowns about threat agent capabilities (e.g., development of new exploits). Likewise, these approaches are unable to consider the more subjective aspects of the threat (e.g., threat motivation). In this work we focused the analysis on threat modelling by relying on the knowledge and expertise of security operators and people from within the organization (OCTAVE principle).

B. Attack modelling
Attack Graphs are graphical models that represent the knowledge of network vulnerabilities and their interactions, showing the different paths that an attacker may follow to reach a given goal, typically by exploiting a set of vulnerabilities. Depending on the way information is represented, we may have two main categories of graphs:
• State-based representations [26] depict the whole state of the network for each node in the graph. The main advantage of this representation is its completeness (given the set of vulnerabilities in the network, the Attack Graph is able to represent all the possible attack scenarios). However, this is also its main limitation as it leads to an exponential cost (computation, size of the graph) with respect to the size of the network and the number of vulnerabilities.
• Logical Attack Graphs [27] are bipartite graphs representing the dependencies between vulnerabilities and security conditions. In this representation, duplicate paths are eliminated and a more compact representation is provided that scales polynomially with the number of vulnerabilities.

There are a number of attack graph generating tools and techniques, i.e., TVA (Topological Analysis of Network Attack Vulnerability) [28], NETSPA (A Network Security Planning Architecture) and MULVAL (Multi-host, multistage, Vulnerability Analysis) [29], that starting from a description of the environment are able to generate the resulting attack graph. Our effort is to extend these techniques considering threats and vulnerabilities not only at the network layer but also through the representation of human, process or policy related issues.

C. A multi-layer attack graph model
NIST defines cyber threat as “Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service” [30].

As a consequence, it is necessary, when eliciting and analyzing threats, to consider multiple perspectives that may have an impact on their identification. Our proposed model will be able to collate multiple risk factors as: i) business processes that support the organization mission and that could be impacted by an incident if existing threats materialize; ii) cyber ICT spaces that support the business processes providing communication, computation and storage services; iii) individuals that have an active role in the business processes and interact with the cyber spaces; and iv) all relevant connections between these factors.

In our model a threat is strictly related to the notions of risk, asset and vulnerability. We focus on representing vulnerabilities and how they can be exploited in order to materialize a possible threat. To achieve this, we use an attack graph model including multiple dimensions (shaped into layers) to capture all the relevant factors for an organization. This technique allows us to focus on the vulnerabilities, on their exploits and on the sequence in which possible exploits can be launched by the attacker. Any threat is inferred from the possible attack paths.

To further explain our rationale, this model was selected for the following reasons: i) it focuses upon the factors that are enabling for a potential attack (i.e., the vulnerabilities); ii) it considers that attacks can be performed on different layers (e.g., attacks starting on the human factors layer and then progressing onto the ICT network layer); iii) it supports risk evaluation and analysis associated to paths representing threats; and iv) it supports the definition of response plans to reduce or mitigate risk(s).

Figure 2: Sketch of a multilayer attack graph

Our goal is to extend the notion of attack graphs and paths to multiple layers to provide a more complete view. The created model supports the definition of attack paths through four different layers: human, access, business and network. Figure 2 shows an overview of these four layers in order to represent and analyze complex attack scenarios arising from the exploit of both technical and human vulnerabilities.

For example, one case depicts how an insider obtains an employee’s personal login credentials from the employee’s written notes. Subsequently, he can access his computer by

impersonating the employee and then start a cyber-attack on the network.

This example highlights the importance of representing the interface that can be accessed by the login credentials, mediating the interactions between humans and assets. An attack might instead originate from an external attacker, who violates some IT device exposed on the Internet. From a risk assessment perspective, all three layers (human, access, and network) can be subject to hardening decisions to various extents (i.e., mitigation actions can be both technical and non-technical and can be applied to any layer). When attacks lead to failure of the organization mission, they have a disruptive impact on business processes (business layer). Understanding the dependencies of assets (and their applications) is key to be able to correctly estimate the impact of attacks.

IV. CONCLUSION
It is evident from the previous analysis that there’s an emergent need to secure healthcare organizations and especially the most critical asset which is the patients themselves and their health-related information. The data shown above underlines the fact that Health has a large impact and therefore cybersecurity solutions need to be in place for the benefit of the patients, as well as the health business entities and other stakeholders.

This work presents the effort within the context of the PANACEA project (www.panacearesearch.eu) that aims to deliver a people-centric cybersecurity solution for healthcare. PANACEA aims to design and implement two toolkits for cyber security assessment and preparedness of Healthcare ICT infrastructures and connected devices: the Solution Toolkit (made up of 4 technological tools and 3 organizational tools) and the Delivery Toolkit (made up of 2 support tools). This paper presents our effort in terms of creating a model that would allow us to represent in the form of a multilayer attack graph cyber risk, threats and vulnerabilities within the health sector. The purpose of PANACEA is not only to identify current threats and methodologies but also to model means for analyzing and managing them in order to provide proper current countermeasures.

REFERENCES
[1] Spanakis, E.G.; Sakkalis, V.; Marias, K.; Traganitis, A. Cross Layer Interference Management in Wireless Biomedical Networks. Entropy 2014, 16, 2085-2104.
[2] E. Maniadi et al., "Designing a digital patient avatar in the context of the MyHealthAvatar project initiative," 13th IEEE International Conference on BioInformatics and BioEngineering, Chania, 2013, pp. 1-4, doi: 10.1109/BIBE.2013.6701560.
[3] Security Rule. www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
[4] Breach Notification. www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
[5] HIPAA privacy rule. www.hhs.gov/hipaa/for-professionals/privacy/index.html
[6] No of security incidents in US Health organizations per incident type and year (July 2019) Office of Civil Rights, US Department of Health and Human Services https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
[7] How much would a data breach cost your business? www.ibm.com/security/data-breach
[8] ENISA, Security and Resilience in eHealth Infrastructures and Services. https://www.enisa.europa.eu/publications/security-and-resilience-in-ehealth-infrastructures-and-services
[9] HIMSS Analytics; Study "eHealth trend barometer"; Survey period July to August 2016; only employed in a health facility;
[10] ISO/IEC 27000:2018: https://webstore.ansi.org/Standards/DS/DSISOIEC270002018
[11] R. K. Rainer Jr., C.A. Snyder & H.H. Carr (1991) Risk Analysis for Information Technology, Journal of Management Information Systems, 8:1, 129-147, DOI: 10.1080/07421222.1991.11517914
[12] A. J. Burns, M Eric Johnson, Peter Honeyman, A brief chronology of medical device security, Communications of the ACM, September 2016 https://doi.org/10.1145/2890488
[13] Narayana Samy, G., Ahmad, R., & Ismail, Z. (2010). Security threats categories in healthcare information systems. Health Informatics Journal, 16(3), 201–209. https://doi.org/10.1177/1460458210377468
[14] I. Maglogiannis and E. Zafiropoulos, "Modeling Risk in Distributed Healthcare Information Systems," 2006 International Conference of the IEEE Engineering in Medicine and Biology Society, New York, NY, 2006, pp. 5447-5450.
[15] G. Pernul, Information systems security: Scope, state-of-the-art, and evaluation of techniques, International Journal of Information Management 15 (3), June 1995, Pages 165-180
[16] B. Jung, I. Han, and S. Lee, Security threats to Internet: a Korean multi-industry investigation, Information & Management Volume 38, Issue 8, October 2001, Pages 487-498
[17] N. E. van Deursen, Ph.D 2014 thesis www.napier.ac.uk/~/media/worktribe/output-181044/vandeursenpdf.pdf, Napier Uni of Edinburgh.
[18] ISE 2016, Securing Hospitals, www.securityevaluators.com
[19] Peter Ney, Karl Koscher, Lee Organick, Luis Ceze, and Tadayoshi Kohno, Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More, 26th Usenix Security symposium, Canada, 2017.
[20] Murch RS, So WK, Buchholz WG, Raman S and Peccoud J (2018) Cyberbiosecurity: An Emerging New Discipline to Help Safeguard the Bioeconomy. Front. Bioeng. Biotechnol. 6:39. doi: 10.3389/fbioe.2018.00039
[21] E. G. Spanakis, et. al, "Secure access to patient's health records using SpeechXRays a mutli-channel biometrics platform for user authentication," 2016 38th Annual International Conference of the IEEE Engineering in Medicine and Biology Society (EMBC), Orlando, FL, 2016, pp. 2541-2544, doi: 10.1109/EMBC.2016.7591248.
[22] Allaert FA, Mazen NJ, Legrand L, Quantin C. The tidal waves of connected health devices with healthcare applications: consequences on privacy and care management in European healthcare systems. BMC Med Inform Decis Mak. 2017;17(1):10. Published 2017 Jan 17.
[23] A. Shostack, Threat Modeling: Designing for Security, Wiley, 2014.
[24] Definition: Threat Intelligence, Gartner, www.gartner.com/en/documents/2487216
[25] Seker E. (2019). Cyber Threat Intelligence Understanding Fundamentals.
[26] O. Sheyner and J. Wing. Tools for Generating and Analysing Attack Graphs, pages 344–371. Springer Berlin Heidelberg, Berlin, 2004
[27] X. Ou, W. F. Boyer, and M. A. McQueen. A scalable approach to attack graph generation. In Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS ’06, NY, USA.
[28] S. Noel, L. Wang, A. Singhal, and S. Jajodia. Measuring security risk of networks using attack graphs. IJNGC, 1(1), 2010.
[29] X. Ou, S. Govindavajhala, and A. W. Appel. Mulval: A logic-based network security analyzer. In Proceedings of the 14th Conference on USENIX Security Symposium - Volume 14, SSYM’05, pages 8–8, Berkeley, CA, USA, 2005. USENIX Association.
[30] NIST SP 800-53 Rev. 5, https://csrc.nist.gov/CSRC/media//Publications/sp/800-53/rev-5/draft/documents/sp800-53r5-draft.pdf
[31] K. Marias, V. Sakkalis, et al., "Clinically Oriented Translational Cancer Multilevel Modeling: The ContraCancrum project", IUPESM, World Congress 2009, Medical Physics and Biomedical engineering, (WC 2009), Munich, Germany, September 7-12, 2009.
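
The multi-layer attack graph of Section III.C, sketched as an added Python example (not code from the paper or from the PANACEA project): it encodes the insider and external-attacker cases across the human, access, network and business layers, enumerates the attack paths, and reports which single mitigation removes every modelled path. All node names and vulnerability labels are constructed for illustration, and placing the attackers on the human layer is an assumption of this sketch.

```python
from collections import defaultdict

LAYERS = ("human", "access", "network", "business")  # the paper's four layers


class MultiLayerAttackGraph:
    def __init__(self):
        self.layer = {}                 # node name -> layer
        self.edges = defaultdict(list)  # node -> [(next node, vulnerability exploited)]

    def add_node(self, name, layer):
        if layer not in LAYERS:
            raise ValueError(f"unknown layer: {layer}")
        self.layer[name] = layer

    def add_exploit(self, src, dst, vuln):
        for node in (src, dst):
            if node not in self.layer:
                raise KeyError(f"undeclared node: {node}")
        self.edges[src].append((dst, vuln))

    def attack_paths(self, source, target, mitigated=frozenset()):
        """Return every simple path source -> target as (nodes, vulns),
        skipping edges whose vulnerability has been mitigated."""
        paths, stack = [], [(source, [source], [])]
        while stack:
            node, nodes, vulns = stack.pop()
            if node == target:
                paths.append((nodes, vulns))
                continue
            for nxt, vuln in self.edges.get(node, []):
                if vuln not in mitigated and nxt not in nodes:
                    stack.append((nxt, nodes + [nxt], vulns + [vuln]))
        return paths

    def layers_crossed(self, nodes):
        """Ordered list of layers a path moves through, without repeats."""
        out = []
        for n in nodes:
            if not out or out[-1] != self.layer[n]:
                out.append(self.layer[n])
        return out

    def single_fix_candidates(self, sources, target):
        """Vulnerabilities present on every path from every source: mitigating
        any one of them alone removes all modelled paths to the target."""
        all_paths = [v for s in sources for _, v in self.attack_paths(s, target)]
        if not all_paths:
            return set()
        return set.intersection(*(set(v) for v in all_paths))


def build_hospital_example():
    """Constructed scenario following the paper's insider / external cases."""
    g = MultiLayerAttackGraph()
    for name, layer in [
        ("insider", "human"), ("external_attacker", "human"),
        ("employee_login", "access"),
        ("employee_workstation", "network"), ("exposed_it_device", "network"),
        ("ehr_server", "network"),
        ("patient_admission", "business"),
    ]:
        g.add_node(name, layer)
    g.add_exploit("insider", "employee_login", "credentials_in_written_notes")
    g.add_exploit("employee_login", "employee_workstation", "password_only_login")
    g.add_exploit("external_attacker", "exposed_it_device", "device_exposed_on_internet")
    g.add_exploit("employee_workstation", "ehr_server", "flat_internal_network")
    g.add_exploit("exposed_it_device", "ehr_server", "flat_internal_network")
    g.add_exploit("ehr_server", "patient_admission", "process_depends_on_ehr")
    return g


if __name__ == "__main__":
    g = build_hospital_example()
    sources = ["insider", "external_attacker"]
    for src in sources:
        for nodes, vulns in g.attack_paths(src, "patient_admission"):
            print(" -> ".join(nodes), "| layers:", g.layers_crossed(nodes))
    print("single-fix candidates:",
          sorted(g.single_fix_candidates(sources, "patient_admission")))
```

Removing the written-notes weakness cuts only the insider path, while the two vulnerabilities shared by both paths are the ones where a single hardening decision, technical or organizational, protects the business process against both attackers.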
