A Cyber Attack Scenario Development Model for Healthcare Institutions

  • Seong-Hyun Roh (Department of Convergence Security, Chungbuk National University) ;
  • Tae-Sung Kim (Department of MIS, Cybersecurity Economics Research Institute, Chungbuk National University)
  • Received : 2024.03.31
  • Reviewed : 2024.06.20
  • Published : 2024.08.31

Abstract

Service disruptions at medical institutions such as hospitals affect the lives of people, including patients. Because of this, medical institutions are highly likely to comply with attackers' demands, which makes them prime targets for cyber attacks. Recently, as hospitals have expanded their adoption of the latest information technology, cyber attacks have continued to occur. There was even an incident in which a patient who did not receive timely treatment died because of service paralysis caused by a cyber attack. Moreover, during the COVID-19 pandemic, the types of cyber attacks against medical institutions diversified or their frequency increased noticeably. However, medical institutions are passive about investing in information security, for reasons such as lack of budget, and are not properly prepared. Therefore, in this study, based on actual breach cases that occurred at medical institutions, we present, with examples, a method for creating attack scenarios so that medical institutions can take protective measures according to the type of attack even with a limited budget.

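Project Information

This work is the result of the local government-university cooperation-based Regional Innovation Strategy project, carried out with the support of the National Research Foundation of Korea and funded by the Ministry of Education in 2024 (2021RIS-001).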
