This post first appeared on Risk Management Magazine. Read the original article.
While already battling the COVID-19 pandemic, hospitals and health care facilities suffered a record number of ransomware attacks in 2020, disrupting operations, risking patient care and threatening sensitive medical data.
In just one week this October, dozens of hospitals across the United States fell prey to ransomware, while both federal authorities and private sector cybersecurity experts warned that the documented attacks were merely the tip of the iceberg.
At the end of the month, the FBI, Department of Homeland
Security’s Cybersecurity and Infrastructure Security Agency and Department of
Health and Human Services issued a joint alert warning of “credible information
of an increased and imminent cybercrime threat to U.S. hospitals and health
care providers.” The federal government cautioned that such attacks could cause
both “data theft and disruption of health care services,” and urged all in the
sector to “take timely and reasonable precautions to protect their networks.”
“We are experiencing the most significant cybersecurity
threat we’ve ever seen in the United States,” said Charles Carmakal, chief
technical officer of the cybersecurity firm Mandiant. Noting a specific dark
web threat against over 400 hospitals, Carmakal and others cautioned that, if
left unchecked, the wave of attacks could cripple hospital information systems
amid a growing spike in COVID-19 cases.
In early 2020, some cybercriminals reportedly declared a
ceasefire of sorts, citing the COVID-19 pandemic as a sufficiently critical
crisis to call health care facilities off-limits. Indeed, reports have even
surfaced that some criminals who inadvertently attacked health care facilities
with “misdirected” malware ultimately provided decryption keys when notified
about their actual victim.
Yet 2020 proved to be a record year for cyberattacks on the
health care sector. Indeed, researchers at cybersecurity firm Check Point
recently reported that health care was the industry most notably targeted by
ransomware this year, with a 71% jump in attacks on U.S.-based providers in
October alone. The firm also noted a significant rise in ransomware attacks on
hospitals in Asia, Europe and the Middle East. Specifically, Singapore has
suffered a 133% increase in attacks against the health care industry, India a
20% increase, and Belgium and Germany an almost 200% increase. Globally,
ransomware attacks increased 50% in the third quarter compared to the first
half of 2020, and the percentage of health care organizations impacted rose
from 2.3% in the second quarter to 4%.
Victim hospitals have suffered varying levels of impact from
ransomware attacks. Some reported no evidence that patient records were
compromised and said emergency and urgent care remained available throughout
the incident. Others had to reschedule appointments, postpone medical
procedures, or redirect patients to other facilities when urgent care was
needed.
In September, ransomware crippled all 250 locations of
hospital chain Universal Health Services. Doctors and nurses were forced to use
paper and pencil for recordkeeping, lab work was slowed, and employees
described scenes of long emergency room waits, chaotic patient care conditions,
and failures of the wireless equipment used to monitor vital signs.
Rather than focusing on operational systems, some criminals
have extorted payments by targeting sensitive and valuable data for encryption
and exfiltration, putting increased pressure on facilities to pay to restore
valuable research data or protect patient information from public release. For
example, officials with the medical school at the University of California, San
Francisco, confirmed they paid a $1.14 million ransom in June to obtain
decryption keys for an attack that did not impact patient care, but encrypted
data related to academic work and research. In September, University Hospital
New Jersey reportedly paid a $670,000 ransom, citing concerns about the
publication of stolen data including patient information.
“Given that they’re static data that rarely changes over
time, it’s worth noting that medical records can have a significant impact to
victims if compromised and can introduce regulatory fines to hospitals,”
said Nick Rossmann, global lead of IBM X-Force Threat Intelligence.
Evolution and Escalation
Ransomware attacks on hospitals are not new—indeed, in 2016,
Risk Management covered a ransomware case against Hollywood Presbyterian
Medical Center that resulted in a $17,000 ransom payment after malware crippled
the facility for over a week. Since then, ransomware attacks have grown far
more common and the ransom demands exponentially steeper.
In stark contrast, the recent spate of attacks has largely
used Ryuk ransomware, which has a reputation for especially lofty ransom
demands of six or seven figures. Ryuk is a malware strain that has been
deployed in more targeted attacks on enterprise environments since 2018,
netting billions of dollars for its operators, who are thought to be a Russian
cybercriminal group sometimes called UNC 1878 or Wizard Spider, according to
cybersecurity firm CrowdStrike.
“Ryuk can be difficult to detect and contain as the initial
infection usually happens via spam/phishing and can propagate and infect
IoT/IoMT [internet of medical things] devices, as we’ve seen with Universal
Health Services’ hospital phones and radiology machines,” explained Jeff Horne,
chief security officer at IoT security firm Ordr. “Once on an infected host, it
can pull passwords out of memory and then laterally moves through open shares,
infecting documents, and compromising accounts.”
While some have improved their cybersecurity posture, health
care facilities have unfortunately only become more compelling targets. “Hospitals
are great targets because they are ‘always on’—24 hours a day, seven days a
week—and they’re likely to have not invested in building the necessary security
posture and response plans, similar to local governments and school boards that
don’t allocate necessary budget to security,” Rossmann said. “Hospitals are an
easier target to attack because of that lack of security investment, and are
more likely to pay because they need to ensure the safety and livelihood of
their patients.”
Many hospitals have upgraded their computer systems and have
focused on fortifying their networks against increasing cyberthreats in recent
years. As with many other public entities, however, legacy systems can be more
common in these settings and increase baseline vulnerability. Connected devices
in health care facilities, such as wireless monitors for patients’ vital signs
or connected CT scanners, can also act as the weak links in a network. Security
researchers and advocacy groups like I Am the Cavalry have drawn attention to
these vulnerabilities in recent years, sounding the alarm on the critical risks
to the health care sector. At cybersecurity conventions like DEF CON, hackers
have gathered to specifically test connected medical devices and work with
vendors to improve products ranging from internet-connected heart monitors to
insulin pumps.
As more devices have been introduced in clinical settings,
cybersecurity experts have long speculated about the rapid escalation of risk
when cyberattacks are launched against health care facilities, including both
indirect and direct fatalities. This summer, many believed those fears may finally
have been realized.
In September, the University Clinic in Dusseldorf, Germany,
suffered a ransomware attack that drew headlines after the death of an
emergency patient who could not be admitted while systems were incapacitated.
According to reports, the female patient was suffering a life-threatening
illness, but anyone brought in via ambulance could not be admitted because the
IT systems were knocked out, so her ambulance was diverted to another town
approximately 20 miles away. German authorities opened a homicide
investigation, and top cybersecurity officials around the world noted this
could be the first confirmed case directly linking a human death to a
cyberattack. In November, German prosecutors concluded there was insufficient
evidence that the delay in care was the ultimate cause of the patient’s death,
but it remains a sobering example of what many consider the most likely tragedy
scenario in such cases.
Fortifying for the Future
While health care organizations are attacked two to three times
more than financial services organizations, data from Gartner indicates they
invest a smaller percentage of their annual IT budgets on cybersecurity (5% in
health care vs. 7.3% in financial services). Especially amid the pandemic,
cash-strapped organizations in every industry face difficult financial
circumstances, but experts advise it is critical to continue prioritizing
investments in cyber infrastructure.
Beyond the financial, there are critical steps health care
organizations can take to fortify against cyberrisks. Around the time of the
October industry alert, Reuters reported the FBI and Department of Homeland
Security held a teleconference for hospital administrators and cyber experts,
urging them “to ensure their backups were in order, to disconnect from the
internet where possible and avoid using personal email.”
Enterprises should also ensure they have robust disaster and
incident response plans in place and should test and refine them in light of
the recent cases. “Health care providers and hospitals need to prioritize
incident response plans—not only to help them prepare for cyber incidents and
familiarize themselves with the most effective ways to handle an attack should
it occur, but to also prepare for how to handle the broader crisis (e.g.,
reputation, disclosures) once the incident is made public,” Rossmann advised.
Ransomware attacks most often start with hackers getting a
foot in the door via social engineering, such as sending phishing emails to
employees. The increasing number of remote workers and stressed, overworked
staff can lead to lapses in cyber hygiene, so it is also critical to remind all
employees of the risks of phishing and teach them to spot scams.
Experts at security vendor NordVPN Teams shared the
following seven key steps all medical institutions should take to protect their
data and preserve the functionality of their operations:
1. Updates. Applying security patches as soon as
possible helps prevent hackers from exploiting known vulnerabilities to gain
entry into the network.
2. Multi-factor authentication. Multi-factor
authentication across the ecosystem can prevent hackers from moving across the
network and gaining additional controls.
3. Regular backups. Organizations should regularly
back up their systems, and test those backups on a regular basis as part of a
recovery plan. If the worst happens and ransomware does infiltrate the network,
there is a known method of restoring it without the need to pay ransom to
cybercriminals.
4. Audits. Hospitals should conduct regular audits of
their machines and segment their networks, so if one piece of the network is
compromised, it does not spread throughout the entire system.
5. Remote access. Only secure virtual private network (VPN) connectivity should be allowed for remote access. In addition, only whitelisted IP addresses or device IDs should be allowed to access systems, as this will allow access to authorized users only.
6. Treat every email with zero trust. Because of the
remote work environment, the amount of information exchanged over the internet
through virtual conferences and emails has skyrocketed. Establish a process
that enables employees to report anything suspicious, and share regular updates
and information about phishing emails.
7. Security training. Security policies need to be
drawn up and implemented, and staff must be appropriately trained, whether
remotely or in person.