Hackers are leveling up and catching healthcare off-guard

Remember when ransomware operators promised last year not to attack hospitals under siege from COVID-19? Unfortunately, that didn’t happen: hospitality, entertainment, and retail locations were all shut down as COVID-19 spread, leaving ne’er-do-wells to look at industries that were still open for business.

When attacking the healthcare industry, hackers are going beyond focusing on data exfiltration or leaking patient records. The focus is to totally disrupt health systems operations with ransomware that locks up electronic health records (EHRs) and the IT infrastructure. Without access to these records, hospitals struggle to provide critical care, schedule appointments, bill patients, and process test results.

Past attacks have been devastating. A hospital undergoing a ransomware-induced lockdown can expect their EHR access to shut down, phone lines go dead and anything that relies on their IT infrastructure to be disrupted. Administrators cannot perform basic accounting functions, and data recovery is either backlogged or completely unavailable.

Several marquee attacks on the healthcare sector over the past 18 months include:

• VPCI: Hackers hit a major nursing home operator, responsible for 2,400 nursing homes in 45 states. The operator declined to pay the reported $14 million ransom., and the initial result was the loss of electronic health records, e-mail, and phone service. When the operator refused the ransom, hackers started releasing sensitive data, a tactic known as double extortion.
• UHS: Until the incident at UHS, healthcare attacks were generally limited to one hospital, clinic, or office at a time. UHS made for an attractive target since many of their facilities could be taken offline with one hit. The breach ended up affecting 250 of 400 total locations in the middle of the pandemic, taking out UHS’s entire IT system and creating $67 million in losses. Note that the hackers knowingly targeted this healthcare system with the full understanding that their actions would have a catastrophic impact on system-wide patient care.
• University of Dusseldorf Clinic: In Germany, a ransomware incident allegedly caused a patient to be unnecessarily diverted to an emergency room at a facility 20 miles away, leading to his death. While some reports question the hackers’ guilt, there is no doubt that ransomware impacts patient care when an incident occurs.
• University of Vermont Health Network: On October 29, 2020, the FBI, CISA, and the Department of Health and Human Services warned of a significant attack on the healthcare sector focused on more than 400 healthcare institutions, including the University of Vermont Health Network. When the dust settled, roughly a dozen hospitals were hit, but the impact at the University of Vermont Health Network was the most devastating. The health system had 5,000 computers and 1,300 servers corrupted and more than 300 employees were furloughed or reassigned as they could not do their work without access to IT systems and the EHR. This attack was so devastating that Vermont’s Governor deployed the National Guard to help with remediation, and the anticipated cost is over $64 million.

These breaches have forced health systems to rethink their security posture, and smart CIOs now realize that prevention is much less expensive than paying a random. Yet, the evidence suggests that the healthcare industry is practicing poor hygiene when it comes to data protection and security. 66% of providers across the continuum, including hospitals and health systems, failed to conform to protocols outlined by the NIST Cybersecurity Framework.

Suppose we don’t clean up this situation with proactive solutions. In this case, hackers won’t be pausing attacks but rather duplicating the scary scenarios that happened in Dusseldorf and Vermont.

Two things need to happen on the regulatory front. First, there needs to be a ban on ransomware payments. Every time an insurance company pays a ransom, the cash only encourages and funds the next attack. Second, the U.S. government needs to reclassify ransomware operators as something other than organized crime. We need to enable authorities to more aggressively pursue their criminal enterprises and all the individuals who might be involved.

While espionage dominates the headlines, Verizon found that a whopping 86% of breaches were financially motivated, coming from organized crime. By contrast, nation-state attacks accounted for only 10% of breaches. While we’re spending time and energy pursuing Russian, Iranian, North Korean, and Chinese meddlers, we’re being distracted from a much larger group of cybercriminals who are causing tangible harm, robbing organizations blind while threatening to take down critical services such as healthcare.

COVID-19 wasn’t the only reason 2020 will be historically infamous, but it was certainly a wake-up call for the healthcare system in many regards, including cybersecurity. Now it’s time for the U.S. government to act against ransomware by getting tough on these hackers. Too little has been done to pursue and disrupt ransomware operators that have successfully extorted billions from the private sector every year.