Prescription for Disaster

Hilary Tuttle


December 1, 2020

While already battling the COVID-19 pandemic, hospitals and health care facilities suffered a record number of ransomware attacks in 2020, disrupting operations, risking patient care and threatening sensitive medical data.

In just one week this October, dozens of hospitals across the United States fell prey to ransomware, while both federal authorities and private sector cybersecurity experts warned that the documented attacks were merely the tip of the iceberg.

At the end of the month, the FBI, Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and Department of Health and Human Services issued a joint alert warning of “credible information of an increased and imminent cybercrime threat to U.S. hospitals and health care providers.” The federal government cautioned that such attacks could cause both “data theft and disruption of health care services,” and urged all in the sector to “take timely and reasonable precautions to protect their networks.”

“We are experiencing the most significant cybersecurity threat we’ve ever seen in the United States,” said Charles Carmakal, chief technical officer of the cybersecurity firm Mandiant. Noting a specific dark web threat against over 400 hospitals, Carmakal and others cautioned that, if left unchecked, the wave of attacks could cripple hospital information systems amid a growing spike in COVID-19 cases.

In early 2020, some cybercriminals reportedly declared a ceasefire of sorts, citing the COVID-19 pandemic as a sufficiently critical crisis to call health care facilities off-limits. Indeed, reports have even surfaced that some criminals who inadvertently attacked health care facilities with “misdirected” malware ultimately provided decryption keys when notified about their actual victim.

Yet 2020 proved to be a record year for cyberattacks on the health care sector. Indeed, researchers at cybersecurity firm Check Point recently reported that health care was the industry most heavily targeted by ransomware this year, with a 71% jump in attacks on U.S.-based providers in October alone. The firm also noted a significant rise in ransomware attacks on hospitals in Asia, Europe and the Middle East. Specifically, Singapore suffered a 133% increase in attacks against the health care industry, India a 20% increase, and Belgium and Germany an almost 200% increase. Globally, ransomware attacks increased 50% in the third quarter compared to the first half of 2020, and the percentage of health care organizations impacted rose from 2.3% in the second quarter to 4%.

Victim hospitals have suffered varying levels of impact from ransomware attacks. Some reported no evidence that patient records were compromised and said emergency and urgent care remained available throughout the incident. Others had to reschedule appointments, postpone medical procedures, or redirect patients to other facilities when urgent care was needed.

In September, ransomware crippled all 250 locations of hospital chain Universal Health Services. Doctors and nurses were forced to use paper and pencil for recordkeeping, lab work was slowed, and employees described scenes of long emergency room waits, chaotic patient care conditions, and failures of the wireless equipment used to monitor vital signs.

Rather than focusing on operational systems, some criminals have extorted payments by targeting sensitive and valuable data for encryption and exfiltration, putting increased pressure on facilities to pay to restore valuable research data or protect patient information from public release. For example, officials with the medical school at the University of California, San Francisco, confirmed they paid a $1.14 million ransom in June to obtain decryption keys for an attack that did not impact patient care, but encrypted data related to academic work and research. In September, University Hospital New Jersey reportedly paid a $670,000 ransom, citing concerns about the publication of stolen data including patient information.

“Given that they’re static data that rarely changes over time, it’s worth noting that medical records can have a significant impact on victims if compromised and can introduce regulatory fines to hospitals,” said Nick Rossmann, global lead of IBM X-Force Threat Intelligence.

Evolution and Escalation

Ransomware attacks on hospitals are not new—indeed, in 2016, Risk Management covered a ransomware case against Hollywood Presbyterian Medical Center that resulted in a $17,000 ransom payment after malware crippled the facility for over a week. Since then, ransomware attacks have grown far more common and the ransom demands exponentially steeper.

In stark contrast, the recent spate of attacks has largely used Ryuk ransomware, which has a reputation for especially lofty ransom demands of six or seven figures. Ryuk is a malware strain that has been deployed in targeted attacks on enterprise environments since 2018, netting its operators large sums. Those operators are thought to be a Russian cybercriminal group tracked as Wizard Spider by cybersecurity firm CrowdStrike and as UNC1878 by Mandiant.

“Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing and can propagate and infect IoT/IoMT [internet of medical things] devices, as we’ve seen with Universal Health Services’ hospital phones and radiology machines,” explained Jeff Horne, chief security officer at IoT security firm Ordr. “Once on an infected host, it can pull passwords out of memory and then moves laterally through open shares, infecting documents and compromising accounts.”

While some have improved their cybersecurity posture, health care facilities have unfortunately only become more compelling targets. “Hospitals are great targets because they are ‘always on’—24 hours a day, seven days a week—and they’re likely to have not invested in building the necessary security posture and response plans, similar to local governments and school boards that don’t allocate necessary budget to security,” Rossmann said. “Hospitals are an easier target to attack because of that lack of security investment, and are more likely to pay because they need to ensure the safety and livelihood of their patients.”

Many hospitals have upgraded their computer systems and have focused on fortifying their networks against increasing cyberthreats in recent years. As with many other public entities, however, legacy systems can be more common in these settings and increase baseline vulnerability. Connected devices in health care facilities, such as wireless monitors for patients’ vital signs or connected CT scanners, can also act as the weak links in a network. Security researchers and advocacy groups like I Am the Cavalry have drawn attention to these vulnerabilities in recent years, sounding the alarm on the critical risks to the health care sector. At cybersecurity conventions like DEF CON, hackers have gathered to specifically test connected medical devices and work with vendors to improve products ranging from internet-connected heart monitors to insulin pumps.

As more devices have been introduced in clinical settings, cybersecurity experts have long speculated about the rapid escalation of risk when cyberattacks are launched against health care facilities, including both indirect and direct fatalities. This summer, many believed those fears may finally have been realized.

In September, the University Clinic in Düsseldorf, Germany, suffered a ransomware attack that drew headlines after the death of an emergency patient who could not be admitted while its systems were incapacitated. According to reports, the patient was suffering a life-threatening illness, but because the IT systems were down the hospital could not admit anyone arriving by ambulance, and hers was diverted to a hospital in another town approximately 20 miles away. German authorities opened a homicide investigation, and cybersecurity officials around the world noted this could be the first confirmed case directly linking a human death to a cyberattack. In November, German prosecutors concluded there was insufficient evidence that the delay in care caused the patient’s death, but the incident remains a sobering example of what many consider the most likely tragedy scenario in such cases.

Fortifying for the Future

While health care organizations are attacked two to three times more than financial services organizations, data from Gartner indicates they invest a smaller percentage of their annual IT budgets on cybersecurity (5% in health care vs. 7.3% in financial services). Especially amid the pandemic, cash-strapped organizations in every industry face difficult financial circumstances, but experts advise it is critical to continue prioritizing investments in cyber infrastructure.

Beyond the financial, there are critical steps health care organizations can take to fortify against cyberrisks. Around the time of the October industry alert, Reuters reported the FBI and Department of Homeland Security held a teleconference for hospital administrators and cyber experts, urging them “to ensure their backups were in order, to disconnect from the internet where possible and avoid using personal email.”

Enterprises should also ensure they have robust disaster and incident response plans in place and should test and refine them in light of the recent cases. “Health care providers and hospitals need to prioritize incident response plans—not only to help them prepare for cyber incidents and familiarize themselves with the most effective ways to handle an attack should it occur, but to also prepare for how to handle the broader crisis (e.g., reputation, disclosures) once the incident is made public,” Rossmann advised.

Ransomware attacks most often start with hackers getting a foot in the door via social engineering, such as sending phishing emails to employees. The increasing number of remote workers and stressed, overworked staff can lead to lapses in cyber hygiene, so it is also critical to remind all employees of the risks of phishing and teach them to spot scams.

Experts at security vendor NordVPN Teams shared the following seven key steps all medical institutions should take to protect their data and preserve the functionality of their operations:

1. Updates. Applying security patches as soon as possible helps prevent hackers from exploiting known vulnerabilities to gain entry into the network.

2. Multi-factor authentication. Multi-factor authentication across the ecosystem can prevent hackers from moving across the network and gaining additional controls.

3. Regular backups. Organizations should regularly back up their systems, and test those backups on a regular basis as part of a recovery plan. If the worst happens and ransomware does infiltrate the network, there is a known method of restoring it without the need to pay ransom to cybercriminals.

4. Audits. Hospitals should conduct regular audits of their machines and segment their networks, so if one piece of the network is compromised, it does not spread throughout the entire system.

5. Remote access. Only secure virtual private network (VPN) connectivity should be allowed for remote access. In addition, only whitelisted IP addresses or device IDs should be allowed to access systems, as this will allow access to authorized users only.

6. Treat every email with zero trust. Because of the remote work environment, the amount of information exchanged over the internet through virtual conferences and emails has skyrocketed. Establish a process that enables employees to report anything suspicious, and share regular updates and information about phishing emails.

7. Security training. Security policies need to be drawn up and implemented, and staff must be appropriately trained, whether remotely or in person.
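As an added illustration of step 3 (this is example code written for this page, not from the article or from NordVPN Teams), the Python script below shows one way to turn "test those backups" into a repeatable check: record a SHA-256 manifest when the backup is taken, perform a test restore, and compare the restored tree against the manifest. Because ransomware that reaches a backup over an open share encrypts files in place, the check also flags modified files whose contents are near-random. All sample files, the ransom-note file name and the 7.5 bits-per-byte entropy threshold are assumptions constructed for the demonstration.

```python
"""Backup manifest and test-restore verification (added example)."""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample backup contents; not real patient data.
SAMPLE_FILES = {
    "ehr/patients.csv": b"mrn,last_name,dob\n1001,Doe,1970-01-01\n1002,Roe,1985-06-15\n",
    "images/scan1.dcm": b"DICM" + bytes(range(256)) * 4,
    "config/app.ini": b"[db]\nhost=db.internal\nport=5432\n",
}

ENTROPY_THRESHOLD = 7.5  # bits/byte; assumed cut-off for "looks encrypted"
MIN_ENTROPY_SIZE = 1024  # entropy is only meaningful on reasonably large files


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large images do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX style) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ~8.0 for encrypted or random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a test restore against the manifest taken at backup time.

    Returns missing, modified and extra files, plus the subset of modified
    files whose content is near-random (suspected in-place encryption)."""
    result = {"missing": [], "modified": [], "extra": [], "suspected_encrypted": []}
    restored_files = {p.relative_to(restored).as_posix()
                      for p in restored.rglob("*") if p.is_file()}
    for rel, digest in manifest.items():
        if rel not in restored_files:
            result["missing"].append(rel)
            continue
        path = restored / rel
        if sha256_file(path) != digest:
            result["modified"].append(rel)
            data = path.read_bytes()
            if len(data) >= MIN_ENTROPY_SIZE and shannon_entropy(data) > ENTROPY_THRESHOLD:
                result["suspected_encrypted"].append(rel)
    result["extra"] = sorted(restored_files - set(manifest))
    result["ok"] = not (result["missing"] or result["modified"] or result["extra"])
    return result


def demo() -> tuple:
    """Run the check against a clean restore and a restore from a backup
    that ransomware reached. Returns (clean_result, hit_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "backup"
        for rel, data in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        manifest = build_manifest(src)

        clean = tmp / "restore_clean"
        shutil.copytree(src, clean)
        clean_result = verify_restore(manifest, clean)

        # Simulate a backup that was writable from the infected host:
        # one file encrypted in place, one deleted, a ransom note dropped.
        hit = tmp / "restore_hit"
        shutil.copytree(src, hit)
        (hit / "ehr/patients.csv").write_bytes(os.urandom(4096))
        (hit / "images/scan1.dcm").unlink()
        (hit / "ransom_note.txt").write_text("constructed placeholder note")
        hit_result = verify_restore(manifest, hit)
    return clean_result, hit_result


if __name__ == "__main__":
    for label, res in zip(("clean restore", "compromised restore"), demo()):
        print(label, "OK" if res["ok"] else "FAILED", res)
```

The manifest must be stored somewhere the backup host cannot overwrite (offline media or a separate, read-only location); a manifest kept beside the backups would be encrypted along with them. The entropy heuristic only catches files that were rewritten in place, not files that were simply deleted, which is why the hash comparison remains the primary check.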

Hilary Tuttle is managing editor of Risk Management.