Why healthcare is such a juicy ransomware target
When the pandemic hit, some major cybercriminal gangs pledged not to attack healthcare organizations. Instead, attacks nearly doubled. It's at the point where patients are suffering, or even dying, as a result, and healthcare IT needs to step up to meet the challenge.
Cybercriminals are going after healthcare companies during COVID-19 for a couple of reasons. One is desperation. Medical and pharmaceutical organizations would often rather pay hefty ransoms than suffer disruptions during this crisis. The other reason: Many healthcare organizations don't enforce the bare-minimum security hygiene and protections needed to keep even simple attacks at bay.
Many experts blame years of deferred cybersecurity investment. Like stubborn patients who refuse preventive health measures, healthcare organizations have failed to universally employ security basics like two-factor authentication, email scanning and filtering, malware protection, protocol hardening, and network segmentation.
There's no magic pill. It will take a gradual, concerted effort for healthcare organizations of all sizes to build up defenses and beat back the ransomware infections.
The lowlights of the past year
In 2019, healthcare was already a favorite target of ransomware attacks. At the tail end of the year, such ransomware attacks had begun a marked rise, with experts reporting a 350 percent increase in the fourth quarter of 2019.
The year was punctuated by an attack that served as a prelude for what was to come in 2020. In December 2019, New Jersey's largest hospital system, Hackensack Meridian Health, acknowledged to the media that its computer systems were disabled for five days in an attack that interrupted everything from scheduling and billing to running labs and diagnostics. The attack was so bad that it had to reschedule 100 elective procedures, and the $6 billion organization ended up paying an undisclosed ransom to get its data and systems back online.
There's been no relief in sight since the attack came to light. In 2020, the ransomware attacks against the sector continue to pile on even after the jump last year. Insurance firm Corvus reported a 75 percent increase in ransomware attacks on healthcare entities year over year for the first half of 2020. Meantime, a recent report from Check Point Research shows healthcare is the most targeted industry, with attacks against healthcare organizations globally jumping twofold from the second quarter of 2020 to the third.
The attacks have been coming fast and furious, and the consequences are mounting:
- In June, the University of California San Francisco reported that it had to bail out its medical school from a ransomware attack on the organization's servers that completely locked up its medical research knowledge. UCSF paid a $1.14 million ransom to restore the data.
- Many healthcare organizations are feeling the heat of double extortion ransomware scams, where attackers not only disable systems but threaten the release of patient records on the Dark Web and beyond if victim organizations don't pay up. In September, five different organizations reported that their patient records were breached due to such ploys.
- More disconcerting is that ransomware attacks also crossed the Rubicon with regard to patient safety in 2020. This year marked the first known fatality connected to a healthcare ransomware attack. In September, an attack against Duesseldorf University Clinic in Germany disrupted systems to the point that it had to send emergency patients to other facilities. One woman who was moved to another city died due to the delays.
- Microsoft recently reported that its researchers uncovered a concerted effort by threat groups to extort money from the pharmaceutical industry as it races to find a vaccine. They are tracking "three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for COVID-19. The targets include leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea, and the United States," says Tom Burt, corporate vice president of customer security and trust for Microsoft.
- A ransomware attack against Universal Health Services, one of the nation's largest hospital chains, caused outages sufficient to force it to cancel some surgeries and divert some ambulances, but the company said the outage caused no harm to patients.
This year's healthcare ransomware attacks came to a crescendo at the end of last month, when the Cybersecurity and Infrastructure Security Agency, the FBI, and the Department of Health and Human Services released a joint advisory to warn healthcare organizations of the "increased and imminent cybercrime threat to U.S. hospitals and healthcare providers" posed by ransomware targeting the industry.
The warning came amid a new rash of successful ransomware attacks via the Ryuk malware family, which significantly disrupted a number of major U.S. medical organizations. According to one doctor's account to Reuters, the impact at one affected hospital was such that medical staff was taken back to the pre-digital, pre-electronic records era.
"We can still watch vitals and get imaging done, but all results are being communicated via paper only," the doctor said at the time, adding that the staff had no means to update electronic records.
Addressing the root causes of healthcare's ransomware epidemic
The sad truth is that so much ransomware activity is preventable. According to Microsoft's Burt, the three groups Microsoft warned about in its report were using simple methods to achieve their ends. For example, one was using "password spray and brute force login attempts to steal login credentials," while two others were gaining access through spear-phishing attempts that leveraged lures using COVID-19 themes, such as impersonating World Health Organization representatives, Burt wrote.
"The majority of these attacks were blocked by security protections built into our products," he explained.
Unfortunately, healthcare organizations are notorious for putting off security investments and updates to products that would make it possible to enable such modern security protections.
"Many healthcare organizations suffer from the continued use of legacy and end-of-life systems that are highly susceptible to compromise," says Mat Newfield, CISO of Unisys.
This is frequently a function of the financial nature of the healthcare business, where all the investment chips are placed on patient care and clinical technology, giving short shrift to IT investments of all types, says Steven Shim, executive healthcare strategist for Hewlett Packard Enterprise's GreenLake and formerly a CTO in the healthcare industry.
"This is a high-volume, low-margin business. Everyone is very conscious and very focused on where they put the money because if you're investing in health IT, then you're not building another patient care center that can serve the community and drive revenue," explains Shim.
What's left of the money for healthcare IT innovation investment tends to go toward technology that improves the physician or patient experience. This has led to a lot of innovation and great technology available for improving patient care but little to improve security.
At the same time, the vulnerabilities have increased. "Hospitals and other healthcare facilities are increasingly relying on connected devices, patient records are becoming more digitized, and people are depending on telehealth services for medical help during the pandemic," says Kelvin Coleman, executive director at the National Cyber Security Alliance. "Each of these healthcare components is vulnerable, making the need for increased cybersecurity awareness and education among consumers and healthcare practitioners paramount for safety and prevention."
Shim explains that the general tendency is that cybersecurity investments are limited so that organizations "follow the middle of the herd" in terms of capabilities. However, that approach is no longer working as the ransomware attackers scale and automate their efforts to attack vulnerabilities prevalent across most organizations.
Code blue: Security
These vulnerabilities include weaknesses in endpoint devices, a lack of email scanning and phishing awareness, flat networks that don't segment critical systems or data based on sensitivity, and weak configuration of network and device protocols. Organizations must get a handle on this kind of basic security blocking and tackling, not to mention shoring up backup best practices, if they're going to get control of the ransomware problem, says Coleman.
"It's essential for facilities to regularly create backups of critical systems and files and to house those offline from the network," he says. "Simultaneously, healthcare and public health facilities should also be vigilant about upgrading and updating their legacy hardware and software; ensuring that all connected devices and applications have multifactor authentication enabled; and that employees know how to identify and avoid malicious email links and attachments from possible phishing scams targeting their workforce."
This will not only take commitments to prioritize cybersecurity finances but also some internal sales and marketing to pave the way for potential changes to processes and procedures that may rub some medical professionals the wrong way. One of the obstacles to improving cybersecurity is the issue of security friction, both real and perceived. Take, for instance, the use of two-factor authentication, which is seen as table stakes by most security pros today. While healthcare organizations have improved their use of it, they still struggle with physicians and hospital administrators who buck against the idea that it could make their daily work more difficult or aggravating.
"It's not as far along as we would hope it to be because medical staff are key stakeholders served by health IT teams and if it is left up to them to make the decision, they'll often fight against it," Shim says.
With the latest generation of security technology that makes two-factor authentication dead simple, and with ransomware threatening the health of patients, IT and cybersecurity pros should be in the best position they're ever going to be in to sell additional authentication controls as a crucial part of the patient care continuum.
Part of that education is going to be almost a sales and marketing pitch to physicians and hospital administrators who have historically fought against controls like two-factor authentication that may have made daily work more difficult for medical workers in the past. After all, if doctors are quick to prescribe exercise to bolster a patient's ability to fight disease, then they should be ready on the flip side to adhere to IT's cybersecurity prescription for improved security controls to make it easier to fight ransomware.
In an environment where nurses are talking about going on strike in the middle of a pandemic, money for IT security may be a tough sell politically. The fate of the Duesseldorf patient and the hospital reduced to using paper and pen should be enough to dispose of this attitude. The modern healthcare system can't function without secure, working IT systems, even when we're not fighting a global pandemic.
Lessons for leaders
- There is no substitute for best practices in IT security.
- The money spent on healthcare services is wasted if you can't deliver the services.
- Weak IT security is harmful to a healthcare organization's reputation.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.