
Life Sciences and Healthcare

Recent observations & trends

Global Threat Assessment by Deloitte Global Cyber Threat Intelligence.


Issue date: June 5, 2020 | Industry: LSHC | Region: All
Copyright © 2019 Deloitte Development LLC. All rights reserved.
Threat Landscape | Life Sciences and Healthcare

The Life Sciences and Healthcare (LSHC) industry is highly data dependent, and
continuous technological transformations across subsectors are resulting in a growing and
vulnerable attack surface. Due to the industry often storing data such as electronic
health records (EHR), protected health information (PHI), and intellectual property (IP),
it is inherently a valuable target to cyber criminals and Advanced Persistent Threats
(APTs). Deloitte has observed two primary motives behind threat actor targeting and
will explore five core industry threats we have observed targeting the LSHC Industry.

Threat actors: APT; Cyber criminals

Motives:

Financial gain: The underground criminal ecosystem allows for easier monetization, incentivizing
threat actor targeting of the LSHC industry for EHR, PHI, & IP.

Cyber espionage: Nation-state adversaries seek economic, political, and military advantages by stealing
proprietary information and exploitation of PHI/EHR to identify and target vulnerable individuals.

Core threats: EHR & PHI theft; IP theft; Vulnerable medical devices & applications; Attacks on
manufacturing operations; Cross-industry threats


Threat actors strategically target LSHC organizations to steal valuable EHR/PHI data and patient portal
credentials that they can then sell, trade, and monetize on underground criminal forums.

Cyber criminals: The criminal market ecosystem incentivizes financially-motivated cyber criminal targeting of the LSHC
industry.

Financial Gain: EHR/PHI is more valuable on cyber criminals’ marketplaces than most types of personally identifiable
information (PII) due to the in-depth information available in medical records, which can be used to commit identity theft and
other fraudulent activities such as insurance fraud. Credentials for patient portals provide a means of obtaining unauthorized
access to EHR, enabling threat actors to carry out additional fraudulent activities.

LSHC companies continue to be highly targeted by threat actors seeking to conduct data breaches, due to the high market
demand of EHR/PHI and the broad attack surface of many LSHC organizations.

Phishing attacks and targeted spear-phishing attacks with carefully crafted social engineering email lures are often used to
compromise LSHC organizations. The phishing emails may have malicious attachments such as Remote Access Trojans (RATs)
and spyware with capabilities for threat actors to maintain persistent unauthorized access and conduct data exfiltration to a
Command & Control (C2) server.

APT actors target the LSHC industry in cyber espionage operations that aim to steal valuable intellectual property (IP) such as
pharmaceutical or biomedical data, proprietary medical device data, or individuals’ sensitive PII and PHI.

APTs: Nation-state-backed APT actors seek to steal IP to support their domestic businesses and give them a competitive
advantage.

Cyber Espionage: The theft of proprietary business processes, innovative technologies, customer data, and other IP from LSHC
organizations is used to provide a competitive advantage to other nation states in competing markets. Information such as an
organization’s supply chain logistics, manufacturing processes, and programmatic business details may all be used by foreign
competitors to replicate these processes or identify vulnerabilities.

The broad attack surface and the vast amounts of sensitive data stored by LSHC organizations make them ideal targets for
APTs, which are often capable of maintaining undetected persistence on victim networks.

APT actors use a variety of open-source penetration testing tools and commodity malware, often only expending their unique
zero-day vulnerability exploits when absolutely necessary. Most APTs prioritize defense evasion, in part to complicate
attribution or at least provide themselves plausible deniability. Living-off-the-land techniques that abuse software native to victim
operating systems, such as PowerShell, can enable malicious code execution and obfuscate the actors’ activity.


Threat actors target vulnerable medical devices and misconfigured applications running on outdated
operating systems as entry points into hospitals’ networks, possibly stealing vast amounts of patient data.

Cyber criminals: Target vulnerable medical devices to pivot into LSHC networks, maintaining persistence and exfiltrating
sensitive data.

Financial Gain: EHR/PHI is more valuable on cyber criminals’ marketplaces than most types of Personally Identifiable
Information (PII), and can be used to commit identity theft and other fraudulent activities such as insurance fraud.

The targeting of medical devices and applications often poses a serious risk to the availability of health care organizations’
mission critical applications and the confidentiality and integrity of patient data. The difficulty in responding to medical device
breaches—as well as the often-direct relationship between medical device security, patient safety and LSHC organization
network security—requires a proactive response.

Cyber criminals often gain initial access via “soft targets” such as internet connected systems and software using unsupported
or unpatched operating systems. After gaining initial access, threat actors can abuse the often trusted relationships between
medical devices and LSHC networks, enabling lateral movement and providing opportunity for further malicious actions such as
persistence, establishing C2 communications, loading malicious payloads, and escalating privileges.


Cyber-attacks on manufacturing environments can have wide ranging impacts, such as information theft, sabotage to
equipment, and workplace safety. Observed attacks on LSHC manufacturing have successfully disrupted operations,
sometimes halting production of medicine and vaccines.

Cyber criminals / APT: Opportunistically attack LSHC manufacturing environments, often holding operations hostage for
ransom payments. APTs are sophisticated, capable of adapting to and circumventing their target’s security tools and controls.

Financial Gain / Cyber Espionage: Opportunistic cyber criminals halt manufacturing operations, costing immediate financial
damage and providing them leverage to demand ransom payments in exchange for possible return to normal operations.
Nation-state APTs target LSHC manufacturing and supply chain environments to exfiltrate proprietary data on medical
innovations, benefitting their domestic businesses, or supporting a foreign national intelligence collection requirement.

LSHC manufacturers have complex global networks, office business applications, generations of different industrial control
systems (ICS) for high-risk manufacturing processes, and are increasingly reliant on internet-connected devices directly
embedded into current and emerging products.

Cyber criminals have used spear-phishing emails with malicious attachments and compromised remote services to deliver RATs or
ransomware to steal or encrypt data, holding the information and production operations hostage unless ransom payments are
received. In contrast, APT operations can persist over several months or longer, at times requiring adaptive stealthy techniques
and/or use of unique zero-day vulnerability exploits to avoid detection and account for enterprise network security monitoring and
controls. The majority of nation-state APT groups prioritize defense evasion, in part to complicate attribution or at least provide
themselves plausible deniability.


LSHC organizations continue to face cross-industry threats such as supply chain attacks, threats to enterprise resource
planning systems, threats to mergers & acquisitions, threat of compromised third parties’ networks, threats to enterprise
mobile devices, ransomware, point of sale malware, RATs, and information stealing malware.

Cyber criminals & APTs: Both of these threat actors seek to obtain access to LSHC networks and data to fulfill their individual
agendas.

Financial Gain & Cyber Espionage: LSHC organizations process data valued by common cyber criminals for purposes of
personal financial gain via fraud or quick monetization by selling the compromised data to cyber criminals on the dark web or
underground forums. The same sensitive data is also targeted by nation-state APT groups to support national intelligence
collection requirements or gain competitive market advantages.

New developments and innovations in the LSHC industry enhance clinical decision making, offer new opportunities, and also
expose the industry to additional and unique security challenges. LSHC organizations are often supported by numerous
third-party vendors, increasing the potential for threat actors to exploit trusted relationships and abuse unrestricted access.

The majority of observed attacks on LSHC organizations involved traditional yet effective means such as spear-phishing emails
using themed document lures with embedded malicious code or redirections to login pages designed to steal user credentials. For
example, APTs target organizations during mergers & acquisitions to extract non-public, confidential, and/or proprietary
information for competitive advantages in negotiations.



This presentation contains general information only and Deloitte is not, by means of this presentation, rendering
accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation
is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or
action that may affect your business. Before making any decision or taking any action that may affect your
business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed
description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.

