Z-CERT: "Small healthcare institutions are generally more vulnerable than large healthcare institutions, such as hospitals" / Cybercrime | Cybercrimeinfo.nl | The library for combating digital crime

Z-CERT: "Small healthcare institutions are generally more vulnerable than large healthcare institutions, such as hospitals"
Published on December 3, 2021 at 07:00

Interview with director Wim Hafkamp and security specialist Jan Hanstede of Z-CERT by De Crisismanager
The best way to protect yourself against cyber criminals is to work together. Healthcare institutions, such as hospitals and a large part of the GGZ, have been doing this since 2017 in the Z-CERT partnership. What exactly does Z-CERT do? And where do they see opportunities for improvement? An interview with director Wim Hafkamp and security specialist Jan Hanstede.

I meet Wim Hafkamp and Jan Hanstede at the Z-CERT office in the heart of Amersfoort. It's pretty quiet in the office. Empty desks dominate the picture. “But appearances are deceiving,” says Jan. About 30 colleagues work for this organization, mostly from home. “And we are still growing,” Wim adds. “More and more healthcare institutions and healthcare umbrella organizations are joining us. We are also growing because we are adding more and more products and services.”

Can you explain what exactly you do?
“Our core business is that we are continuously looking for vulnerabilities that could pose a threat to the IT systems that healthcare institutions work with. We inform our participants about all vulnerabilities that we find. This way they can take measures to prevent them from being hacked.

Sometimes a vulnerability is actively exploited by cyber criminals. Then we sound a big alarm. We contact all affiliated healthcare institutions so that they can immediately take the right measures. We also regularly approach non-participants who are at risk to warn them.

It really is a cat and mouse game, because the hackers also know that there is a vulnerability in one of the systems. They will do everything they can to penetrate organizations through that vulnerability. Healthcare institutions that do not act quickly enough run a greater risk of being hacked.”

How do healthcare institutions generally deal with such situations?
“Our participants often pick up on such signals immediately. They understand that it is important to take measures immediately and they do so.

It is more difficult to reach non-participants quickly. In that case, for example, we call a GP practice that is at risk at that time. They usually do not immediately know who we are and what it is about. As a result, they often do not act fast enough. The problems are also often complex, which means that mistakes are sometimes made. So then healthcare institutions think they have solved it. But because they have overlooked something, they run an increased risk for a longer period of time than participants who immediately took the right measures.”

Which type of healthcare institutions do you feel are the most vulnerable to such a threat?
“Small healthcare facilities are generally more vulnerable than large healthcare facilities, such as hospitals. This is because they have less affinity with IT. They have often outsourced the IT and are piggybacking on the security of their supplier. They trust that their supplier has cybersecurity in order. That is not always the case.”

How do you know that you are working with a supplier that has its cybersecurity in order?
“At least not by completely relying on a certificate. It is good if an organization is, for example, ISO 27001 or NEN 7510 certified. This is a good framework on which the security of an organization can be built. However, this should not be the only thing. An ISO certificate only shows that a supplier has taken cybersecurity measures. The standard does not specify how it should do this.

To give an example: the NEN 7510 standard states that a supplier must make backups. But it does not specify how often it has to do this and where those backups are located. If those backups are stored online, you as a healthcare institution still run the risk that they will be destroyed in a hack.

Therefore, when selecting a supplier, it is important to ask the right questions. For example, do they immediately take action if we pass on a vulnerability to them? Or do they handle all vulnerabilities once a month? It may be difficult as a healthcare institution to ask the right questions. You need some knowledge of IT to fully understand what a supplier actually does for you. Therefore, it may be advisable to ask an advisor to help.”

How often are healthcare facilities attacked?
“Healthcare institutions are attacked on a daily basis, for example with malicious e-mail. This is usually intercepted. However, there are also serious incidents throughout the year, such as a successful ransomware attack or a hacked board member's mailbox. Once every two or three months, very serious vulnerabilities come to light, as we have seen with Citrix and Microsoft Exchange, for example.”

How do you deal with those serious incidents?
“Then we take measures. For example, in the case of a phishing e-mail we have the domain name taken down, so that others can no longer become a victim. We also help the affected healthcare institution to file a report. And we warn the other participants so that they too know that this mail is going around. That way they can be extra alert to it.”

Since last year you have also been working with a ZorgDetectieNetwerk (ZDN). How does that work?
“That really is our showpiece. Large healthcare institutions, such as hospitals, continuously monitor their own systems. When cybercriminals access their systems, they see it happen. These cyber criminals leave a digital trail. The healthcare institutions can see, for example, which IP address they have been approached by and what characteristics that IP address has.

It is important to quickly share those digital tracks with each other. In this way, other healthcare institutions also know that they must exclude this IP address. In order to share this information as quickly as possible, about 70 large healthcare institutions have connected their monitoring system to our ZorgDetectieNetwerk. Through this application they can share their digital tracks directly with each other. We started this last year and we immediately saw that it worked. One of our participants was attacked and the trail was immediately shared. About 5 minutes later, the hacker tried it at another healthcare facility. He no longer had a chance of success, because the system of the second care institution recognized him and banned him from the system.”
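The mechanism described in this answer, one participant sharing the source IP address of an attack so that other participants' systems can recognise and block it minutes later, is shown below as an added example. It is not Z-CERT's ZorgDetectieNetwerk code and knows nothing about its real data format; the JSON feed layout, the participant identifiers, the firewall log format and all addresses are constructed for the example, and the time-to-live on each indicator is an assumption about how such a block list should age out entries.

```python
"""Minimal shared-indicator block list (added example, not ZDN's own code).

One participant's monitoring observes an attacking source address and publishes
it as an indicator. Another participant merges the shared feed into a local
store and matches its own inbound connection logs against it. Every indicator
carries a TTL so that a reassigned address is not blocked forever.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress
import json
import re


@dataclass(frozen=True)
class Indicator:
    ip: str              # attacking source address seen by the sharing participant
    shared_by: str       # pseudonymous participant id (constructed, not a real institution)
    first_seen: datetime # when the sharing participant observed the attack
    ttl: timedelta       # how long the indicator stays active (assumed policy)


class SharedIndicatorStore:
    """Block list built from indicators shared by other participants."""

    def __init__(self) -> None:
        self._by_ip: dict[str, Indicator] = {}

    def ingest_feed(self, feed_json: str) -> int:
        """Merge a JSON feed of shared indicators; returns the number of new or refreshed entries."""
        updated = 0
        for rec in json.loads(feed_json):
            ip = str(ipaddress.ip_address(rec["ip"]))  # normalises the address, rejects garbage
            ind = Indicator(ip=ip,
                            shared_by=rec["shared_by"],
                            first_seen=datetime.fromisoformat(rec["first_seen"]),
                            ttl=timedelta(hours=rec.get("ttl_hours", 24)))
            current = self._by_ip.get(ip)
            # keep the most recent sighting so the TTL runs from the latest report
            if current is None or ind.first_seen > current.first_seen:
                self._by_ip[ip] = ind
                updated += 1
        return updated

    def lookup(self, ip: str, now: datetime) -> Indicator | None:
        """Return the active indicator for ip, or None if unknown or expired."""
        ind = self._by_ip.get(ip)
        if ind is None or now - ind.first_seen > ind.ttl:
            return None
        return ind


# Constructed firewall log format: "<timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def match_log_lines(store: SharedIndicatorStore, lines: list[str], now: datetime) -> list[tuple[str, str, str]]:
    """Return (timestamp, source ip, sharing participant) for each accepted connection
    whose source matches an active shared indicator. Lines already dropped are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["action"] != "ACCEPT":
            continue
        ind = store.lookup(m["src"], now)
        if ind is not None:
            hits.append((m["ts"], m["src"], ind.shared_by))
    return hits


# Constructed feed: what a participant might share after seeing an attack at 09:00 UTC.
# The second record is a month old and should be treated as expired.
SAMPLE_FEED = json.dumps([
    {"ip": "203.0.113.45", "shared_by": "participant-A",
     "first_seen": "2021-11-30T09:00:00+00:00", "ttl_hours": 24},
    {"ip": "198.51.100.7", "shared_by": "participant-B",
     "first_seen": "2021-11-01T12:00:00+00:00", "ttl_hours": 24},
])

# Constructed log lines from a second institution, about five minutes later.
SAMPLE_LOGS = [
    "2021-11-30T09:05:10+00:00 ACCEPT src=203.0.113.45 dst=10.0.5.20 dport=443",
    "2021-11-30T09:05:11+00:00 ACCEPT src=192.0.2.10 dst=10.0.5.20 dport=443",
    "2021-11-30T09:05:12+00:00 ACCEPT src=198.51.100.7 dst=10.0.5.21 dport=22",
    "2021-11-30T09:05:13+00:00 DROP src=203.0.113.45 dst=10.0.5.22 dport=3389",
]


def demo() -> list[tuple[str, str, str]]:
    """Ingest the constructed feed and match the constructed logs at 09:05 UTC."""
    store = SharedIndicatorStore()
    store.ingest_feed(SAMPLE_FEED)
    now = datetime.fromisoformat("2021-11-30T09:05:00+00:00")
    return match_log_lines(store, SAMPLE_LOGS, now)


if __name__ == "__main__":
    for ts, src, shared_by in demo():
        print(f"{ts}: connection from {src} matches indicator shared by {shared_by}")
```

Only the first log line produces a hit: the second address is not in the feed, the third was shared a month ago and has aged out, and the fourth was already dropped locally. In a real deployment the store would be fed continuously rather than from a static string, and the hit list would drive a firewall or proxy block rule as well as an alert.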

That is a nice development. Are there other initiatives you are working on?
“We are in the process of setting up a red team program for our members. The aim of this program is to structurally increase the resilience of the participating healthcare institutions by testing cybersecurity against realistic threats in a daily operational (ICT) environment of the institutions. In other words, healthcare institutions are being hacked in a way that we often see in real life. The healthcare institution learns a lot from this. This has been happening in the financial sector in the Netherlands for a number of years. We would like to do this for our members as well.”

Healthcare institutions can also ask a commercial party to carry out a red team exercise for them. What is the benefit of joining a red team program coordinated by you?
“The big advantage is that we know their systems. Even a friendly hacker can cause damage to IT systems. This can have serious consequences, especially in healthcare. We know the systems in healthcare well, so that we can carefully set up a program and prevent possible damage. It is also easier to share the lessons learned from the various tests with each other if we coordinate the program.”

When do you want to start this?
“We are now investigating the feasibility. We then submit this to the Ministry of Health, Welfare and Sport and the affiliated healthcare institutions. If they show their commitment and provide sufficient financial resources, we can get it started next year.”

Do you have more ambitions?
“We want to further expand our role as a center of expertise in the field of cybersecurity for healthcare institutions. That is why we organize seminars and distribute white papers. We also manage online communities in which participants can share knowledge with each other.”

Is there anything else you are missing in the cybersecurity landscape in the Netherlands?
“Yes. A coordinated approach, as you also have with other threats. In the event of a fire, you have a good GRIP system in the Netherlands that allows you to scale up higher and higher. That is not the case for cybersecurity and that is a shortcoming. Even in the event of a major cyber attack, it is important to scale up and collaborate better. We are not the right party to set up such a coordinated approach. It would, for example, suit the security regions, the NCTV or the NCSC.”

Is there any last piece of advice you would like to give to healthcare facilities?
“Yes. Join us. Although participants pay an expense allowance, we are not a commercial party. So we don't say this because we want to make money from it. But if a healthcare institution has joined us, we have a contact person. This allows us to reach and support them faster in the event of a major threat.

And second, share as much information with us as possible. This may sound obvious, but it is important. The more information we get, the faster we can respond and the more likely we are to prevent a cyber attack.”