Cybercriminals are making millions by holding the data of healthcare institutions hostage until they get paid.
Ransomware attacks on hospitals are causing increased worry in the cybersecurity industry as hackers and groups go after healthcare organizations with increasing frequency. On April 21, Parkview Medical Center in Pueblo, CO, was hit with a devastating ransomware assault that reportedly "rendered inoperable" the hospital's system for storing patient information.
The hospital was forced to revert back to using paper forms, which slowed down service at a time when healthcare enterprises are already struggling to handle huge influxes of patients due to the coronavirus pandemic.
Nnenna Nwakanma, chief web advocate of the World Wide Web Foundation, told a conference call organized by the United Nations in April that many around the globe were also concerned about the increase in cyberattacks now that more people were using the internet in general.
In March, cybercriminals attacked Brno University Hospital, one of the Czech Republic's biggest COVID-19 testing laboratories. In addition to the attack on the hospital in the Czech Republic, she cited a number of healthcare cyber incidents in France, Spain and Thailand, adding that there needs to be more collaboration worldwide on protecting critical health infrastructure in times of crisis.
SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium)
Ransomware attacks on healthcare providers rose 350% in the fourth quarter of 2019, and Emsisoft research shows that more than 759 healthcare providers were hit with ransomware last year.
Interpol issued a Purple Notice in April alerting police in all its 194 member countries to the heightened ransomware threat, writing that its Cybercrime Threat Response team has detected a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response. Cybercriminals, they wrote, are using ransomware to hold hospitals and medical services digitally hostage, preventing them from accessing vital files and systems until a ransom is paid.
Interpol Secretary General Jürgen Stock said medical organizations around the world "have become targets for ruthless cybercriminals who are looking to make a profit at the expense of sick patients."
"Locking hospitals out of their critical systems will not only delay the swift medical response required during these unprecedented times, it could directly lead to deaths. Interpol continues to stand by its member countries and provide any assistance necessary to ensure our vital healthcare systems remain untouched and the criminals targeting them held accountable," he said.
Stateside, a bipartisan group of US Senators, including Mark Warner, Richard Blumenthal, Tom Cotton, David Perdue and Edward Markey, wrote a letter to CISA Director Christopher Krebs and Cyber Command Commander Paul Nakasone about the need to bolster defenses against "escalating foreign cyber espionage and cybercrime targeting American health institutions amid the COVID-19 pandemic."
"The cybersecurity threat to our stretched and stressed medical and public health systems should not be ignored. Prior to the pandemic, hospitals had already struggled to defend themselves against an onslaught of ransomware and data breaches. Our hospitals are dependent on electronic health records, email, and internal networks that often heavily rely on legacy equipment," the senators wrote.
"Even a minor technical issue with the email services of the Department of Health and Human Services meaningfully frustrated efforts to coordinate the federal government's service. Disinformation, disabled computers, and disrupted communications due to ransomware, denial of service attacks, and intrusions means critical lost time and diverted resources," they wrote.
While cybersecurity companies have been wary of attributing attacks to any specific group or country, the senators said that "Russia, China, Iran, North Korea, and criminal groups have launched hacking campaigns targeting the U.S. health care and medical research sectors in recent weeks."
TechRepublic spoke with healthcare cybersecurity experts about the incident at Parkview and more widespread ransomware attacks on hospitals.
Ramifications of an attack
Ransomware attacks are particularly effective, especially now, because cybercriminals know that many hospitals are beholden to digital systems that contain all of their patient information. Justin Fier, director of Cyber Intelligence & Analytics at cybersecurity company Darktrace, called ransomware attacks on hospitals "an act of terrorism" and said electronic medical record systems are "the brains of a hospital."
"Without that the medical care professionals don't have the vital information that they need to do the most basic part of their job. When these systems do go down, they have to revert back to pen and paper, and that adds time that we don't have trying to save lives," Fier said.
"The other thing a lot of people don't realize, which my wife just pointed out to me earlier today, is that a lot of this generation of healthcare professionals are trained on electronic systems. They're not used to the old days of pen and paper, so just working that into their workflow is very difficult and problematic."
Caleb Barlow, CEO of CynergisTek, said any modern hospital trying to operate without its electronic healthcare record system is left without any information about who is showing up for what treatments, what surgeries are scheduled for the day, and all patient information ranging from allergies to dosing information.
CynergisTek works with more than 1,000 hospitals on data security and compliance, and Barlow said some hospitals hit with ransomware have to divert patients to other hospitals, close down emergency rooms, and reschedule elective surgeries.
To pay or not to pay
The biggest question most hospitals face when in a ransomware situation is whether to pay the hostage takers or not. This depends on a wide variety of factors, including whether a healthcare institution has good backups or if their data can be recovered in some other way.
Barlow said that unfortunately, more often than not, hospitals end up having to pay the adversary because they can't function for long without electronic systems and the cost of a breach can be extremely damaging.
According to Comparitech, ransomware attacks have cost the healthcare sector at least $160 million since 2016. IBM reported that the cost of a breach in healthcare is significantly more expensive compared to others, with one patient's breached electronic health record costing hospitals about $429. On average, it costs some hospitals about $6.5 million to recover from an attack, Barlow said.
"How much they actually pay the bad guys can vary. I've seen things as low as a few thousand dollars all the way up to a half million or more. With a ransomware incident, that institution is down and down hard, unable to see patients," Barlow said.
"You not only have the same reputational issues of having someone get on your system, but you now have a technical crisis and financial crisis. If you can't see patients, you can't make money."
Dustin Hutchison, COO and president of security company Pondurance, said leaders often work on this issue with the FBI and its response is always not to pay the ransom because it incentivizes more attacks and there is no guarantee that after paying, your data will truly be restored or usable.
But Hutchinson said they have worked with hospitals that had no choice but to pay the ransom because their backups weren't viable and they could not treat patients without having electronic records or schedules.
The issue is exacerbated by the emergence of cybersecurity insurance, which can help cover the cost of paying a ransom. Decrypting data after a ransomware attack is not easy either, making both options difficult for healthcare organizations.
"It's not just 'flip a light switch' and you're back to business. There is still a cycle of recovery that is there and so from that risk management or business decision standpoint, does it make more sense from a lost revenue perspective to go down that path of restoring from backup or understanding the actual time-spend to decrypt?" Hutchinson said.
"A lot of times that's not going to be something that's viable for a smaller healthcare entity to do on their own so even then, they're going to need a third party to help them through that."
Fier, who spent years working alongside others involved in counterterrorism efforts within the U.S. government, said the decision to pay or not is difficult because any time spent on recovery can literally cost lives.
But there is now so much risk that even when you pay a ransom you may not get your data back. While it may be tough to swallow, Fier said healthcare should invest in efforts to stop these attacks before they happen.
"Every time we pay these ransoms, we entitle them and give them incentive to just carry on these attacks and just keep doing it," he said. "Making sure that you can recover within a matter of minutes or hours when this happens as opposed to taking that money and just giving it to the bad actors is better."
The main thing each expert reiterated was the need for hospitals to invest heavily in backups to their system as well as efforts to educate employees about business email compromise or phishing attacks, which often preempt ransomware incidents.
Microsoft released a detailed analysis of ransomware campaigns and some best practices for how organizations can handle an attack.
"Multiple ransomware groups that have been accumulating access and maintaining persistence on target networks for several months activated dozens of ransomware deployments in the first two weeks of April 2020. So far the attacks have affected aid organizations, medical billing companies, manufacturing, transport, government institutions, and educational software providers, showing that these ransomware groups give little regard to the critical services they impact, global crisis notwithstanding," Microsoft wrote.
"Many of these attacks started with the exploitation of vulnerable internet-facing network devices; others used brute force to compromise RDP servers. The attacks delivered a wide range of payloads, but they all used the same techniques observed in human-operated ransomware campaigns: credential theft and lateral movement, culminating in the deployment of a ransomware payload of the attacker's choice. Because the ransomware infections are at the tail end of protracted attacks, defenders should focus on hunting for signs of adversaries performing credential theft and lateral movement activities to prevent the deployment of ransomware."
Barlow said network segmentation is also key to frustrating cybercriminal efforts to move laterally within a system. Most hackers need access to administrative accounts but know they can get in easier through other endpoints first.
He said they try to first get "a beachhead" in the system before slowly elevating their access to credentials over a matter of weeks or even months. For a ransomware attack to be effective, criminals need to have access to potentially every machine to fully lock systems up. It's relatively easy for attackers to gain access to one machine or one account, but by limiting networks, hospitals can make it more difficult to expand beyond that.
Fier, Barlow and Hutchison all suggested every hospital needs to have two-factor authentication over everything. This is still not widespread in the healthcare industry because budgets are generally stretched too thin to afford investments in cybersecurity.
But cybercriminals have moved far beyond just data exfiltration and extortion, which was costly but did not stop a hospital from continuing to function.
With ransomware attacks becoming more common, all healthcare institutions need to gather intelligence on where their weaknesses and vulnerabilities are so they can be tested and addressed.
Since the outbreak of COVID-19, there has been a massive increase in phishing attempts leveraging the virus as a way to get people to open emails or download attachments. Barlow said his company has seen a 167% increase in phishing attacks and the most attacked industry is healthcare.
If you have not prepared for a ransomware attack but discover you've been hit, it is important to bring in technical experts, legal teams, and law enforcement. It's good to know who is behind the attack and what their propensity is for unlocking data after being paid."
"The reality is that you are up against a human adversary that can see what you're doing. If you pay them, all you're doing is fueling their coffers to go attack more people. On the other hand, if you don't pay them, even if you can restore from backup, they likely had access to the data in your system," Barlow said.
"They may now extort you in other ways. For companies that decide not to pay, the bad guys start posting the data."
Fier added that healthcare organizations need to have visibility across their entire network of computers, laptops and IoT devices. Hospitals are full of non-traditional devices that are on the network, from infusion pumps to CT scanners and other devices.
"If they don't know which of the 20,000 non-traditional devices they can't use traditional security tools against, then they're just sitting ducks," Fier said.
"If I was leading one of these institutions that got hit, one of the first and foremost things is being honest and transparent with the community while having backups in place. A lot of our clients are spending time working on disaster recovery plans, war games, and running scenarios to make sure these things don't happen and that they're prepared to handle it."
- How to become a cybersecurity pro: A cheat sheet (TechRepublic)
- Mastermind con man behind Catch Me If You Can talks cybersecurity (TechRepublic download)
- Windows 10 security: A guide for business leaders (TechRepublic Premium)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- All the VPN terms you need to know (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)