Despite hospitals being on the front lines during the pandemic, bad actors have continued to target them with ransomware. In addition to wreaking havoc on operational processes in medical facilities at the worst possible time, the attacks have evolved to threaten patient safety.
In September, employees at Universal Health Services (UHS), a Fortune-500 owner of a nationwide network of hospitals, reported widespread outages that resulted in delayed lab results, a fallback to pen and paper, and patients being diverted to other hospitals. The culprit turned out to be the Ryuk ransomware, which locked up hospital systems for days.
“No patients died tonight in our [emergency room] but I can surely see how this could happen in large centers due to delay in patient care,” a Reddit user identifying themselves as a nurse wrote at the time.
The concern isn’t overblown. Earlier that month, a ransomware attack at a Dusseldorf University hospital in Germany resulted in emergency-room diversions to other hospitals. According to a report by the Ministry of Justice of the State of North Rhine-Westphalia, a patient who had to be taken to a more distant hospital in Wuppertal because of the attack on the clinic’s servers died.
[Editor’s Note: This article is part of an eBook sponsored by ZeroNorth. The eBook, “Healthcare Security Woes Balloon in a Covid-Era World”, examines the pandemic’s current and lasting impact on cybersecurity.]
This turn of events comes after several ransomware gangs actually pledged not to hit hospitals because of the ongoing COVID-19 scourge. The Maze and DoppelPaymer groups, for instance, said they would not target medical facilities and, if one were accidentally hit, would provide the decryption keys at no charge. The Netwalker operators, meanwhile, said they would not target hospitals, but that if one were accidentally hit, it would still have to pay the ransom.
Other groups have fewer scruples, and some (like Netwalker) have reneged on their pledges. In fact, incidents of ransomware attacks against hospitals skyrocketed in October, so much so that the U.S. Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and the U.S. Department of Health and Human Services issued a security bulletin warning of “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”
Those hit lately include well-known facilities like University Hospital in New Jersey, Boston’s Children’s Hospital and Children’s Hospital in Little Rock.
“The promise not to attack hospitals was always an empty one given the number of players in the ransomware game that would not restrain from it,” said Erich Kron, security awareness advocate at KnowBe4. “Spanish hospitals were targeted by Netwalker campaigns using COVID-19 related messaging in the attacks, although promising not to.”
The poor outcomes around patient diversions are a sign of the cyber-times, according to Heather Paunet, senior vice president at Untangle.
“We all trust that hospitals have the ability to address any life-threatening case or create a sense of stability before transferring patients for additional care,” she said. “It does bring to light the synergy between medical professionals and technology used to create that patient stability.”
And to that point, patient diversions may not be the most worrying aspect of ransomware’s impact on physical well-being. “Any time malware infects a hospital to the point that systems have to be taken offline, or that records are unavailable, this poses a risk to the patients’ safety,” Kron said. “From potential drug interactions to allergies, the information is vital to doctors, nurses and support staff, such as anesthesiologists, to ensure the safety of patients. The loss of access to patient data is the biggest threat to patients’ safety.”
It’s clear that cybersecurity best practices should also be medical best practices. But the ransomware epidemic has exposed plenty of unhealthy habits among hospitals nationwide. For instance, the American Hospital Association has reported a big uptick in phishing emails laden with malware and malicious links, often themed with promises of N95 masks for sale or even the availability of lifesaving ventilators. This is the initial attack vector for many ransomware attacks, likely including the UHS incident.
Also, many facilities don’t have backups, as was seen in a recent attack on a vaccine research facility.
“With each ransomware attack on a hospital or medical center, it becomes increasingly clear that back-up plans are being developed or initiated as an immediate response while networks are down,” Paunet said.
Fortunately, there are prescriptions for avoiding the worst that ransomware has to offer, starting with putting the aforementioned plans in place immediately – including remote or offline patient data backups.
Also, since ransomware is typically spread through email phishing or through attacks on remote-access methods, Kron noted that organizations can greatly benefit from focusing on email phishing defenses.
“This includes a serious assessment of current controls in place and the state of their employee awareness training, and securing and monitoring remote-access options,” he said.
Paunet also noted that medical instruments, such as ventilators, insulin pumps and other internet-of-things (IoT) devices that may be unpatched or outdated can become vulnerable network-access points.
“These devices need to be audited constantly for software updates, patches and other upgrades to ensure that outdated software isn’t leaving the network open for criminals,” she said.
And finally, like any organization, hospitals must look to build barriers against ransomware while understanding that cybercriminals continue to improve their tactics. The spate of attacks in the medical arena is unlikely to wane soon, so organizations should assume they’re being targeted – especially since paying the ransom is not uncommon.
“As healthcare pays ransoms and the large dollar amounts they pay are highlighted in the news, this becomes an indication that this is a sector that is willing to pay. Attackers set their targets and evolve their techniques where they feel they will be most successful,” Paunet said.