Diagnosis: life-threatening virus detected, patient no longer mortally ill
Attacks on hospitals from cyberspace are on the rise. In the following fictional example, CYOSS uses the typical course of an illness to describe how an attack can happen, and what solutions are already available.
A hospital received several days of inpatient treatment from CYOSS, a leading European provider of cyber security solutions for critical infrastructure.
The hospital came to the CYOSS emergency room with symptoms such as warning messages from the virus scanner and error messages in the operating system. The patient complained that staff no longer had access to their computers. Numerous operation appointments had to be postponed. The IT manager switched off the office IT after the fault became known, which is why it had also not been possible to receive any phone calls for a while. Other complaints included reduced data speed and the failure of several computers since the previous day. Data transfers were otherwise inconspicuous, and there were no indications of anatomical irregularities. The patient had already suffered an episode of similar complaints in the previous year. Their security provider at the time treated them locally with an anti-virus programme.
Assessment and history
The clinical symptoms included changes to configurations and newly created administrator accounts, in combination with laboratory references to registrations from unusual countries and at unusual times. The suspected diagnosis of an attack by means of infiltrated malware seemed obvious. The malware in question is known as ransomware: it installs itself on computers, encrypts files and then blocks all other actions.
Dr Oliver Hanka from the IT security company CYOSS informed the patient that the malware had infected the organism several weeks earlier and had since spread “aggressively”. To confirm its diagnosis, CYOSS performed a security analysis, which pointed out the largest security vulnerabilities and risks. Finding: Security level 1 inadequate. In line with the initial findings, the administrator and roles concept for the office IT was found to be inadequate, and the staff lacked awareness of the risks. Due to the clearly diminished general condition of the patient and the already distinct symptoms, the patient was admitted for inpatient treatment. A total of seven departments were infected. The virus had already spread and encrypted most of the data. A loss of 750,000 euros was incurred.
CYOSS removed the virus in an operation lasting several hours and restored the operating systems. Furthermore, the patient was given open heart surgery to install a cyber security cockpit including SOC services. In future, the implanted sensors will indicate the cyber security status, which is updated daily, and will draw attention to any conspicuous events and security vulnerabilities in good time. The patient was administered awareness training for its staff as additional support. This was the only way to ensure holistic therapy, which will increase the cyber security level permanently.
The patient’s condition improved rapidly under therapy. On the second day of the inpatient stay, the operation routine was normalised, so that further therapy for the patient could be provided on site. Since then, CYOSS’s experienced cyber security specialists have provided ongoing follow-up support for the patient.
5-day training course in detection & response for the IT security staff, so that future attacks can be detected more quickly and responded to efficiently and professionally. In addition, an annual preventive security audit will be conducted by CYOSS.