The Ransomware Attacks on Hospitals Are (Cyber) Criminal

Kim BellardOne of the redeeming aspects of crises is that, amidst all the confusion, suffering, and loss, there are usually moments of grace, of humans showing their best nature. With COVID-19, we've seen health care workers working long hours in dangerous conditions. We've seen other essential workers -- including not just first responders but also grocery workers, meatpackers, trash collectors, and countless others -- putting their own safety at risk so that our lives can go on. There are heroes all around.

Unfortunately, crises also tend to bring out the worst of our natures. With the pandemic, those trillions of dollars in play have brought out not just those seeking to profit, but also those looking to profit by breaking the law. We've seen people stealing or counterfeiting stimulus payments, defrauding COVID unemployment payments, getting fraudulent PPP loans, and stealing PPE.

And then there are the cyberattacks.

Last week the federal Cybersecurity & Infrastructure Security Agency, the FBI, and HHS issued a joint alert Ransomware Activity Targeting the Healthcare and Public Health Sector, warning that they have "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers." I'll spare you the technical details of the expected attack strategies or suggested mitigation efforts, but I will note that they warned: "CISA, FBI, and HHS do not recommend paying ransom."

Hospitals could ask Universal Health Services (UHS) about that. UHS took some three weeks to resume "normal services" after a ransomware attack that hit their 250 U.S. hospitals in late September. UHS claims that "While our information technology applications were offline, patient care was delivered safely and effectively at our facilities across the country utilizing established back-up processes, including offline documentation methods." E.g., paper records.

Or they could ask the family of the woman in Germany who died as the result of having to be diverted to another city for her medical emergency because the closer facility had suffered a ransomware attack. One suspects there may have been other deaths, and other adverse outcomes, due to cyberattacks, and that we can expect there to be more.

The expected attacks have already started. The Wall Street Journal reports attacks on hospitals in New York, Oregon, and Vermont, while The Washington Post cited hospitals in California, New York, and Oregon. Security firm Check Point found that October saw a 71% increase in ransomware attacks against the healthcare sector.

"I think we're at the beginning of this story, Mike Murray, CEO of Scope Security, told MIT Technology Review. Similarly, cyber strategist John Ford warned:

The seemingly crazy predictions of the past around the cost of ransomware attacks on the healthcare industry stand to be proven true in 2021. We've seen a substantial rise in ransomware since the onset of COVID, and as the space race 2.0 continues, so will the prevalence of attacks.

There's never a "good" time for a ransomware attack when it comes to hospitals, but this could possibly be one of the worst. "Right now resources are very stretched for a lot of health centers," Mitch Parker, the chief information security officer with Indiana University Health Inc, told WSJ. "With this resurgence of COVID, a lot of people's attention is focused on staying operational."

Cyber attacks include not just ransomware, where thieves try to extort money in return for return of control of impacted systems, but also theft of patient and other clinical data, and potential manipulation of data. We've already seen pharma companies in India and in Japan working on a COVID-19 vaccine get hit with cyberattacks, with other attacks impacting clinical trials. Germany's Robert Koch Institute for infectious disease control was hit with a cyberattack last week.

Charles Carmakal, CTO of cybersecurity firm Mandiant, told NPR:

We are experiencing the most significant cybersecurity threat we've ever seen in the United States…Most threat actors aren't willing to deploy ransomware and cause destruction to hospitals right now during the pandemic because they're worried about impacting lives," he said. But in this case, the attacker is deliberately targeting hospitals "and has no real fear of potential human impact, and is just looking to make money."

"We expect panic," the hackers reportedly predicted.

If we think attacks on hospitals and other healthcare organizations are the worst case scenario, think again. Rand has a new report out on the "Internet of Bodies," which includes not just wearables but also an array of implantable devices. Rand warns:

Vulnerabilities could allow unauthorized parties to leak private information, tamper with data, or lock users out of their accounts.

In the case of some implanted medical devices, hackers could potentially manipulate the devices to cause physical injury or even death.

It is, the report says, a threat to national security, and Alex Berezow Ph.D., of Geopolitical Futures, agrees. He warns that such attacks are not just a threat to public health but also to national security; "undermining a nation's ability to respond to infectious disease outbreaks or other natural disasters may allow some countries to achieve geopolitical objectives."

"We are outnumbered-the people that are doing bad things, whether it's a nation-state type of activity or cybercrime-the good guys and gals were vastly outnumbered prior to the pandemic," David Shearer, CEO of (ISC)2, lamented to CNBC. It is particularly a problem for health care, which is often viewed by security experts as not having the appropriate infrastructure or personnel to combat such attacks, despite being responsible for life-critical technology and extremely personal information. And the hackers know it.

Healthcare is still patting itself on the back for going digital, despite not doing that well (think EHRs' poor usability and interoperability). But it needs to recognize that we live in a scary digital world; there are bad actors out there looking for vulnerabilities. Cybersecurity may now be as important to our health as clinicians, and healthcare better invest accordingly.

It's bad enough that our lives are under attack by an actual virus, but it's another thing altogether if/when are lives can be put at risk due to a cybervirus. Whether we like it or not, whether we're ready for it or not, cyber-criminals are coming for healthcare.

This post was authored by Kim Bellard and first published in his blog, From a Different Perspective.... It is reprinted by Open Health News with permission from the author. The original post can be found here.