2 More Hospitals Hit by Growing Wave of Ransomware Attacks, As Feds Issue Warning


Hospitals in New York and Oregon were targeted on Tuesday by threat actors who crippled systems and forced ambulances with sick patients to be rerouted, in some cases.


Two more hospitals were hit with ransomware attacks this week as a growing number of criminals target healthcare facilities during the COVID-19 pandemic. The troubling trend prompted federal law enforcement and health officials, on Wednesday, to sound the alarm and issue a dire warning of more attacks to come.

On Tuesday, Klamath Falls, Ore.-based Sky Lakes Medical Center’s computer systems were compromised by a ransomware attack. On the same day, New York-based St. Lawrence Health System said computers at three of its hospitals (in Canton-Potsdam, Massena and Gouverneur) were attacked by the ransomware variant Ryuk.

Ransomware attacks have become an all-too-familiar reality for hospitals just as COVID-19 has forced many to spread themselves thin and accelerated the adoption of virtual care. This year, as hospitals have scrambled to save lives, cyberattacks targeting healthcare firms have grown 150 percent, according to a report by C5 Alliance.

Late Wednesday, a joint statement by the U.S. Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the U.S. Department of Health and Human Services warned of “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”

Sky Lakes Medical Center said that its computer systems were “down” and that scheduled procedures that require imaging services will need to be delayed. “Emergency and urgent care remain available,” it said in a statement.

The St. Lawrence Health System meanwhile said that within hours of the initial attack, its information systems department “disconnected all systems and shut down the affected network to prevent further propagation,” according to a statement.

Ryuk malware, used in the St. Lawrence attack, is a potent weapon which cybersecurity researchers describe as highly sophisticated. It’s used by threat groups such as North Korea’s Lazarus Group in targeted attacks. The active malware is responsible for a bevy of recent successful attacks, including one that recently shut down Universal Health Services, a Fortune-500 owner of a nationwide network of hospitals.

In its warning Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) said it was also tracking use of the malware Trickbot against healthcare facilities.

“In early 2019, the FBI began to observe new Trickbot modules named Anchor, which cyber actors typically used in attacks targeting high-profile victims—such as large corporations. These attacks often involved data exfiltration from networks and point-of-sale devices. As part of the new Anchor toolset, Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling,” CISA noted.

Cyberattacks in general have become a harrowing reality, and the threat to patients goes beyond their data or a missed appointment. A ransomware attack against the Dusseldorf University Hospital in Germany is being blamed for a patient’s death. According to local reports, crippled computer systems forced an ambulance to be diverted to a more distant hospital – resulting in the patient’s death.

Similar to that situation, ambulances were also diverted from the Canton-Potsdam Hospital for a short period of time. And as of Wednesday, the Gouverneur Hospital said it continued to reroute ambulances away from its emergency room.

The attacks come three months after another N.Y.-based hospital, the Samaritan Medical Center, was hit with a ransomware attack on July 25. It took IT workers there 10 weeks to restore systems, the hospital confirmed in a statement. The attack “disrupted” its drug delivery, radiation therapy and medical-imaging services, and forced payroll and accounting to turn to paper records.

“Healthcare-delivery organizations, such as hospitals and clinics, are complex organizations where a broad range of information technology, internet of medical things, operational technology and internet-of-things devices are increasingly interconnected,” pointed out Forescout (PDF) in a recent report on the healthcare sector.

“The growing number and diversity of devices in [healthcare-delivery organizations] have introduced new cybersecurity risks,” according to the firm. “The ability to compromise devices and networks, and the possibility of monetizing patient data, have led to an increase in the number and sophistication of cyberattacks targeting healthcare-delivery organizations in recent years.”

The report said that attackers are attracted to hospitals because of the sheer complexity of their networks. Forescout said many struggle to manage a sprawling number of endpoints, ranging from computer systems and surgical equipment to telemedicine platforms, medical sensors and infusion pumps. All told, the report estimated that healthcare-delivery organizations contain an average of 20,000 devices.

The report urged hospitals to adopt network and device segmentation.

“Segmentation is a foundational control for risk mitigation in networks with a diversity of IT, IoT and OT devices,” according to the report’s authors. They warned, however, that over-segmentation with poorly defined zones only increases complexity with few benefits.

“However, segmentation requires well-defined trust zones based on device identity, risk profiles and compliance requirements for it to be effective in reducing the attack surface and minimizing blast radius,” according to the report.


(This article was updated on 10/29 at 7:00 a.m. ET with the warning from US-CERT issued just after publication of the original article.)
