The attack seems to have affected access to telemetry, not device performance, and the motivation appears to be extortion.
CardioComm services downed by cyberattack.
Heart-monitoring technology and medical electrocardiogram provider CardioComm Solutions has sustained a cyberattack that brought down its business operations, TechCrunch reports. The company stated, “CardioComm's business operations will be impacted for several days and potentially longer depending how quickly the Company is able to restore its data and re-establishes its production server environments. There is no evidence that customers' health information was compromised as a result of this attack since CardioComm's software is designed to run on each client's own server environments. Further, CardioComm does not collect patient health information from its clients. The Company has initiated identity theft precautions should any employee personal information have been compromised to minimize the impact on its staff.”
Industry comments on the scope of the threat.
Avishai Avivi, CISO at SafeBreach, thinks the incident, while disturbing with respect to disruption and personal information compromise, has broader implications.
"The CardioComm attack is alarming for several reasons, not just for the potential compromise of customers’ health information or employee personal information. CardioComm provides services that can be critical to consumer lives. Specifically – if this attack impacts the ability of a consumer to transmit electrocardiogram (ECG) results, or even fails to alert on an abnormal ECG through the SMART monitoring service, lives may be at risk. As we are not fully aware of the extent of the breach, we can only imagine a worst-case scenario. If the malicious actors manage to gain access to the development environment at CardioComm Solutions, they may be able to find a way to tamper with the ECG test results or even disrupt the services using specific attacks against them, rather than leveraging normal security controls.
"The reason this is important is that it demonstrates how a determined attacker can take a typical/common attack vector to then pivot and turn it into a customized attack specific to the environment they breached. This is similar, in effect, to how an attack on an information technology (IT) environment can translate to a very real impact on the operational technology (OT) environment. The most recent and memorable example of this was when a compromised user account back in May 2021 resulted in a severe impact to the entire East Coast. This is why, even for companies that are not focused on IT or services, it is critical that they have a strong and validated defensive security posture.”
Dror Liwer, co-founder of cybersecurity company Coro, notes that access to data, not device performance, seems to have been affected.
“While I am sure this reminds us of the scene in Homeland, it doesn’t seem like the device performance was impacted, but rather, access to its telemetry. As more medical devices become connected, with telemetry from them becoming critical for patient care, redundancy in the system must be implemented to prevent outages such as this.”
Erich Kron, security awareness advocate at KnowBe4, thinks the attack looks like an extortion play.
“This certainly appears to be the result of a ransomware attack, which impacted customer-facing services. Given that the typical modern ransomware attack also includes the theft of data, I would be not be surprised to find out that the data had been compromised as well as encrypted. This could be why the organization is not sharing the details of the attack. While this is inconvenient for the organization, for those relying on its services, which include ECG monitors and other heart related medical services, this could be very concerning.
The fact that this deals with medical monitors, especially those related to the heart, makes the outage more concerning than for other more mundane types of services offered by organizations. This can provide additional leverage for bad actors to use when demanding ransom payments in exchange for a potentially more rapid return to operation.
Since ransomware attacks are most often spread through social engineering and e-mail phishing attacks, organizations that deal with sensitive information or provide sensitive services should ensure their employees are trained and educated on spotting and reporting social engineering attacks as soon as they occur.”