On September 18, a 78-year-old German woman died after suffering an aneurism. Her local hospital was in the throes of a cyber security incident, so she was forced to seek help in another city, but it was too late. Her death may be the first recorded case of a fatality due to a ransomware attack.
Now, a joint alert from HHS, DHS CISA, and the FBI warns that a wave of similar ransomware attacks are hitting the U.S. healthcare system.
The October 28 statement read in part, “CISA, FBI, and HHS assess malicious cyber actors are targeting the HPH Sector with TrickBot and BazarLoader malware, often leading to ransomware attacks, data theft, and the disruption of healthcare services.
These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments.”
Related: Real-Time Change In Incident Management
A week after the joint statement, the electronic health records (EHR) of at least five healthcare providers remain inaccessible. Sonoma Valley Hospital, Dickinson County Healthcare System, and Universal Health Services were the first to report a ransomware incident. Sky Lakes, the University of Vermont Health Network, and St. Lawrence Health System followed shortly after.
While some hospitals are rescheduling elective surgeries and radiology appointments, all have assured the public that their paper-based backup systems are up and running and they are able to continue to see patients safely and effectively. All affected entities are working closely with the FBI and third-party cyber security teams.
The human-operated Ryuk ransomware appears to be behind the hacks. In fact, Ryuk is credited for for one-third of all ransomware attacks in 2020. In most cases, Ryuk ransomware incidents begin as phishing schemes that utilize Emotet and TrickBot malware. If the phishing scheme works, the ransomware is distributed through a backdoor. These programs have become increasingly automated and sophisticated. Once inside, the infection spreads quickly and often without detection for weeks or months. From there, data is stolen and/or encrypted and systems are rendered useless until a ransom is paid. Such strategies affect IoT and IoMT devices as well.
In the past, several cyber crime organizations pledged to stay away from the health care sector, with assurances that it’s money they’re after, not casualties. However, as COVID-19 has moved the workforce remote, new opportunities for cyber criminals exploded. Recently, it appears that Ryuk has moved from generalists—hacking banks, government organizations, and other enterprises—to specialists with an interest in health care.
Lessons Learned
As a best practice, hospitals are encouraged to create detailed contingency plans to ensure that quality of care is not affected should they fall prey to a cyber attack. Paper-based systems should be ready to go in the case of a downed EMS system. Additionally, organizations must develop a holistic cyber security plan that includes a patching strategy and employee education programs.
Related: Threat Landscaping
While conventional wisdom leaves the decision of whether or not to pay a ransom to the enterprise affected, healthcare is the exception. Loss of revenue or reputation is one thing, but the concern is that any cash that gets paid out will embolden hackers to continue to put human lives at risk for the sake of a ransom payout. As winter hits and COVID-19 enters a new wave, any healthcare downtime could mean the difference between life and death. Downtime from ransomware last on an average of 15 days. Hospitals must ensure that their policies and procedures account for a smooth transition to paper-based systems should such an event happen.
Cybersecurity Ventures estimates that the United States healthcare system will spend $125 billion on cyber security in the next five years. Saif Abed, founding partner and director of cybersecurity advisory services of the AbedGraham Group, recently told HealthITSecurity.com, “Speaking as a physician in the cybersecurity space, it’s clear to me that attackers now understand that exploiting clinical risk and patient safety are the key factors to cause the disruption they need and achieve the outcomes they want … Policymakers and health system leaders at the boardroom level need to reevaluate their security strategies and investments across people, processes and technology otherwise we will increasingly measure ransomware attacks in morbidity and mortality.”
Read More: Incident Of The Week
