A U.S. healthcare system recently was the victim of a cyberattack that hampered patient care. The attack is believed to be the largest such attack on a U.S. healthcare organization.
• Ryuk ransomware apparently was used.
• The attack did not shut down the system’s electronic health records.
• Hackers increasingly are focused on healthcare organizations.
The recent cyberattack on a large health system shows the need for a robust security program, as well as how severely such an attack can affect healthcare operations.
Hackers breached the computer systems for the network of 400 hospitals and care centers across the United States and the United Kingdom, using ransomware that shut down nearly all of the computers, according to a statement by the health system. (The statement is available online at: https://bit.ly/2IoCLQp.)
The incident is believed to be one of the largest cyberattacks on a healthcare organization in U.S. history. Hospitals reported that clinicians were reduced to using pen and paper for some tasks as computer terminals shut down on their own, but the electronic health record (EHR) was not seized by the ransomware.
INTERPOL, the international law enforcement organization, issued a statement soon after the COVID-19 pandemic began saying there had been a significant increase in ransomware attacks against healthcare organizations. A month later, hackers infiltrated the computer systems of Fresenius, the largest private hospital operator in Europe.
The attack on the U.S. healthcare system shows that hackers are singling out hospitals as vulnerable targets, says Anthony Chadd, senior vice president of security business development with Neustar, a technology and analytics company based in Sterling, VA.
“In the early days of the pandemic, some ransomware syndicates publicly announced they would stop all activity against medical organizations until a stabilization of the coronavirus situation,” he says. “Clearly, that ceasefire has now ended.”
Over the past few years, ransomware attacks have become easier to launch, and attackers increasingly are targeting healthcare organizations where cyber defenses may be less sophisticated and employees less savvy about how to spot threats, Chadd says. While providers typically have strong cybersecurity protections in place, many lack a mature cyber response plan. Even sophisticated organizations may not have the resources and expertise needed to initiate a successful recovery process, he says.
There have been several examples of attacks against small providers and practices that caused them to permanently close their doors after attackers encrypted and destroyed servers containing vital data and backup hard drives, Chadd notes.
“Attackers rightly recognize ransomware as an easy, effective way to garner financial gain. This dynamic is exacerbated by organizations that opt to pay the ransom — which perpetuates this cycle and leads to more attacks,” he says.
Additionally, Internet-of-things (IoT) devices are increasingly finding their way into all levels of healthcare, he says. These devices, including smartphones, can link to computer systems and create vulnerabilities.
“Security and IT administrators must be aware of the risks they pose, and understand how the new threat vectors opened up by connected devices can potentially be exploited by attackers to harm the organization,” Chadd says. “The IoT has essentially been built on top of infrastructure that is fundamentally vulnerable to cyberthreats, because the internet was not initially created with security in mind. To avoid becoming a target, healthcare organizations must be proactive in their approach to cybersecurity and make it a priority to safeguard all IoT-based systems.”
The loopholes are numerous, and many healthcare organizations lack the resources and manpower required to manage the kinds of dynamic threats they might face, Chadd says. They must manage a mix of IoT devices, cloud-based apps, and legacy systems that require regular patching and updating.
This often includes connected equipment running on Windows — devices that can be easily overlooked during an IT audit, Chadd says.
“Many organizations simply don’t have the level of manpower required to oversee a robust cybersecurity program,” he says. “Healthcare organizations face an uphill battle to protect themselves from the kinds of dynamic threats they face.”
Russian Hackers Suspected
Ryuk, the ransomware allegedly used in the destructive attack on the U.S. healthcare system, typically is used by a handful of organized crime groups out of Russia, says Caleb Barlow, CEO of CynergisTek, a healthcare information security company based in Austin, TX. In many ways, it looks like this attack was a near-miss that could have been a lot worse, he says.
“It does not appear that the EHR was directly impacted in the attack but rather just their IT systems. I suspect that their EHR is outsourced to Cerner,” Barlow says. “I would view this as a failed attempt if the adversary was not able to take down the EHR, which is the primary target in healthcare.”
A key point, Barlow says, is that a foreign criminal organization knowingly targeted a major U.S. healthcare system in the middle of a pandemic with full knowledge that they may have a direct impact on patient care and people’s lives across hundreds of medical facilities.
“This is only a few weeks after the first confirmed death of a patient due to a ransomware incident in Germany. The point we have to look at here is adversarial intent,” he says. “The adversary in this case likely knew the size of the system they were targeting, the number of facilities, and the likely impact it could have if they were successful in locking out their EHR.”
Barlow says the attackers may be so insulated from the reach of law enforcement and intelligence agencies that they felt confident they could take down a target the size of the affected U.S. healthcare system without repercussions.
“Or did they first check in with their local government knowing that if they completely locked up hundreds of U.S. hospitals for an extended period of time, it could result in political pressure?” Barlow says. “Either situation is a cause for concern and a significant escalation of what we have seen historically.”
Double Layer Attack
Once the Ryuk payload has been successfully dropped and executed, it will encrypt the system’s files and then demand a ransom fee to decrypt the victim’s data, says Bindu Sundaresan, CISSP, CEH, CISM, director of AT&T Cybersecurity, based in San Mateo, CA.
“Ransomware attacks today have evolved to double extortion. Usually, the attacker would exfiltrate a copy of the data before encrypting them. This way, the attacker not only prevents the victim from accessing their data, but also keeps a copy of the data for themselves,” Sundaresan explains. “In order to claim responsibility and pressure the victim during the negotiation process, the attacker will often release small portions of the data online. If the negotiation turns out badly, the attacker then publishes all of the exfiltrated data or sells them to third parties.”
These attacks are essentially a combination of a ransomware attack and a data breach, she says. Organizations that are victims of this attack feel extremely helpless when hit by double extortion attacks because their compromised databases likely contain proprietary or secretive information they would have destroyed rather than published or sold, she says.
By releasing a small sample, it is easy for an attacker to imply they have your data, though difficult to prove forensically because most places do not have that layer of visibility, Sundaresan says. This adds another pressure point. If the affected organization has implemented a data loss prevention (DLP) solution, it can be easily validated whether hackers have also downloaded the entire database.
Delivered in Phishing Emails
Ryuk ransomware is part of the TrickBot malware strain, says Mike Puglia, chief strategy officer with Kaseya, a cybersecurity company based in Miami. Major efforts from both the private and public sectors were used to disrupt TrickBot operations in the lead-up to the 2020 general election. Microsoft obtained an order in the Eastern District of Virginia in October that gave the tech giant control over the TrickBot botnet, a global network it describes as the largest in the world, Puglia says. The U.S. Cyber Command also conducted operations against TrickBot to damage and disrupt the organization itself as well as the group’s cybercrime-as-a-service operation.
Ryuk ransomware is often delivered through phishing emails, Puglia says. The continued prevalence of ransomware attacks through phishing underscores just how critical it is for both the public and private sectors to invest in comprehensive, integrated email security solutions combined with cybersecurity training to ensure that employees are adequately prepared to spot suspicious emails, he says.
“While TrickBot operations may be hampered for now, the organization — and others like it — will continue to find new ways to launch cyberattacks, taking advantage of unhardened networks and untrained employees as their way in,” Puglia says.
It appears the ransomware disabled antivirus programs and spread rapidly, says MJ Kaufmann, Cyber Security Specialist at Saviynt in El Segundo, CA. Based on prior Ryuk attacks, it likely started out distributed via a phishing email or infected software. From there, Ryuk sets up as a rootkit, allowing bad actors to actively push it throughout the network, which is one reason for the attack’s massive scale, she says.
“If the health system lacked sufficient network segmentation that prevented easily shutting down the infected portions selectively, that might explain the widespread outage,” Kaufmann says. “Another possibility is they lacked the intelligence-gathering capabilities to unquestionably identify infected portions so they could be isolated; thus, a mass shutdown might have been prevented.”
Other healthcare organizations and systems can learn from this example and implement security and identity protocols to prevent and combat ransomware attacks, Kaufmann suggests. The best way to combat such an attack is to start with heuristic-based anti-malware software on endpoints to detect and shut down questionable behavior early, she says.
“Combining this with a zero-standing privilege environment, where there are no standing superusers or administrators to take advantage of, makes attacks like this much more challenging to undertake,” she advises.
Seeing Hospitals as Good Targets
Cyber thieves are attacking healthcare institutions more often and are acquiring more valuable data than in the past, says Steve Tcherchian, chief information security officer at XYPRO, a cybersecurity analytics company in Simi Valley, CA.
When the price of a stolen credit card dropped precipitously because the black market was flooded with them, hackers found a new target in the healthcare industry, he says. On the whole, the healthcare industry has an aging infrastructure that is less resistant to hacking, and the industry tends to adopt security precautions more slowly than other potential targets, Tcherchian says.
He says that many medical data breaches are now as big as the largest retail breaches, and medical records can be 10 times as valuable as credit cards on the black market.
A patient’s medical history can be the key for a hacker to commit medical identity theft and submit fraudulent insurance claims, which have the potential for big payouts, Tcherchian says. According to IBM Security’s 2020 data breach cost report, the average cost of a healthcare data breach is $7.13 million. Cyber thieves also may use the information to purchase prescription drugs and resell them online, he says.
(See the story in this issue for tips on how to protect your organization from cyberattacks.)
Resistance to Blocking
Hospitals are extremely susceptible to ransomware and other types of cybercrime because they are inherently so open to exchanging files, connecting with thousands of doctors’ offices and hospitals constantly, says Jack B. Blount, president and CEO of Intrusion, a company providing cybersecurity services in Plano, TX. For this same reason, they often have been the most resistant to any kind of blocking of connections for fear that a critical piece of data — such as patient information or an X-ray — will be blocked in error, he says.
With this resistance to cybersecurity, organizations increase their exposure to cybercrime and become the target of constant breaches, Blount says. The healthcare industry needs to understand that the internet is flooded with cyberattacks 24 × 7 × 365, he says.
“It is normal for a hospital to get 10,000 to 50,000 attacks a day. Many, probably most, of those attacks get onto their network and then begin analyzing the network to determine what and when they want to attack,” he says. “The only way to stop them is by implementing a solution that uses real-time artificial intelligence to inspect every packet of data coming onto or attempting to exit a network. This can stop thousands of attacks every day.”
Hospitals often have aging infrastructure, systems that are difficult to patch, and huge attackable surface areas given the number of people who need to access sensitive data, says Satya Gupta, co-founder and chief technology officer at Virsec, in San Jose, CA.
“Ransomware and related attacks continue to be a ticking time bomb for many organizations, especially in healthcare. Unfortunately, ransomware is often viewed too simply as an endpoint problem,” Gupta says. “Even with the best security on devices and user training, endpoints will always be porous. We need to focus much more on the target of ransomware — the applications, workloads, and servers that contain sensitive data that can be corrupted or stolen.”
Hospitals should strive for greater visibility into what is happening at the workload level in real time, to make them much more resilient and self-defending, Gupta says.
Perimeter security solutions inevitably fall short against increasingly sophisticated ransomware attacks, says Jon Toor, chief marketing officer with Cloudian, a data storage and security company based in San Mateo, CA. To truly safeguard themselves, organizations must instead protect data at the storage layer, he says.
“The easiest way to do this is to keep a backup data copy on immutable storage. Once written, the backup cannot be changed or deleted for a specific period. This prevents malware from being able to encrypt the data and lock the victim out,” Toor says. “If a ransomware attack occurs, organizations can restore an unencrypted copy of the data via a simple recovery process.”
Multiple backup vendors now support this feature, Toor notes.
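To make the immutable-storage idea concrete, here is a small, constructed model of a write-once backup store with time-based retention (added example; not Cloudian's product or any vendor's API). The key names, retention periods, and "backup" contents are invented; the point is that an attacker-style overwrite or delete is refused while the object is under retention, restore still works, and cleanup is only allowed after the period expires.

```python
"""Simplified model of a WORM (write-once, read-many) backup store with retention.
Real systems expose the same semantics as features such as S3 Object Lock; this is a
constructed stand-in so the behaviour can be exercised offline."""
import hashlib
from datetime import datetime, timedelta, timezone


class RetentionViolation(PermissionError):
    """A write or delete would alter an object that is still under retention."""


class ImmutableBackupStore:
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self.clock = clock          # injectable clock so expiry can be simulated
        self.objects = {}           # key -> (data, sha256 hex, retain_until)

    def write(self, key, data, retention_days):
        now = self.clock()
        if key in self.objects and now < self.objects[key][2]:
            raise RetentionViolation(f"{key} locked until {self.objects[key][2].isoformat()}")
        digest = hashlib.sha256(data).hexdigest()
        self.objects[key] = (data, digest, now + timedelta(days=retention_days))
        return digest

    def delete(self, key):
        if self.clock() < self.objects[key][2]:
            raise RetentionViolation(f"{key} is still under retention")
        del self.objects[key]

    def restore(self, key):
        data, digest, _ = self.objects[key]
        if hashlib.sha256(data).hexdigest() != digest:   # integrity check before restore
            raise ValueError(f"{key} failed integrity verification")
        return data


def simulate_ransomware_vs_immutable_backup():
    """Constructed scenario: back up, let a ransomware-like process try to overwrite and
    delete the backup three days later, restore, then expire retention. Returns a dict of outcomes."""
    t = [datetime(2020, 10, 1, tzinfo=timezone.utc)]
    store = ImmutableBackupStore(clock=lambda: t[0])
    key = "ehr-db/2020-10-01.bak"                         # constructed key name
    original = b"patient_id,encounter_date\n1001,2020-09-30\n"  # constructed sample content
    store.write(key, original, retention_days=30)

    t[0] += timedelta(days=3)                              # attacker now has a foothold
    outcome = {"overwrite_refused": False, "delete_refused": False}
    try:
        store.write(key, b"\x00encrypted-by-ransomware\x00", retention_days=1)
    except RetentionViolation:
        outcome["overwrite_refused"] = True
    try:
        store.delete(key)
    except RetentionViolation:
        outcome["delete_refused"] = True
    outcome["restored_matches_original"] = store.restore(key) == original

    t[0] += timedelta(days=40)                             # retention has expired
    store.delete(key)                                      # lifecycle cleanup is now allowed
    outcome["deleted_after_expiry"] = key not in store.objects
    return outcome
```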
Increasing Attacks in Healthcare
Cyberattacks are increasing in the healthcare sector due to business practices and organizational trends, says Nicole Bucala, vice president of business & corporate development, strategy, and operations at Illusive Networks, a cybersecurity firm based in Tel Aviv, Israel, with an office in New York City. Acquisitions and consolidations create security gaps as entities work to unify their IT networks and applications, she says.
Smart medical devices and electronic record systems introduce new vulnerabilities and increase the attack surface, Bucala says. Of course, the rise of remote work has also increased the attack vector.
Bucala notes that the U.S. health system was affected by the cyberattack for several days. Treatment was difficult because the medication system for the hospital was internet-based. Reverting to pen and paper was not just arduous and inefficient; it also increased the potential for mistakes.
The recent incident in Germany illustrates how bad a ransomware attack can be in the healthcare industry, Bucala says. A ransomware attack hit the University Hospital in Dusseldorf, although it appears to have been meant for a local university. The hospital systems crashed after malicious software encrypted 30 servers, and an extortion note was left on one of them. A patient died after they were rerouted to an alternate hospital, causing possibly the first documented case of a ransomware-related death, Bucala says.
Advanced ransomware threats (ARTs) are the biggest concern of all, Bucala says. ARTs combine advanced persistent threat (APT) techniques with ransomware techniques. Like an APT, sophisticated ransomware attackers target and navigate to carefully selected strategic assets on the network that hold business-critical information, she explains.
“Attackers then take those assets hostage using advanced evasive ransomware techniques, massively disrupting hospital operations and saying they will stop only in exchange for a very high fee,” Bucala says. “Organizations without proper ART protection have no choice but to pay the fee to avoid further disruptions, loss of money, and even loss of
These threats are serious, but they are not insurmountable, she says. To beat an attacker, think like an attacker, Bucala advises. When a security team thinks like an advanced attacker, it can know what the attacker is after and can focus on those assets. Every healthcare organization needs to be able to view the attack landscape, map attack pathways, and know where the high-risk critical assets are, which will be fundamental for building a strategy for pre- and post-breach penetration, she says.
IT security teams at healthcare organizations need to focus on active detection to minimize, or even prevent, damage from a ransomware attack. This should include the ability to detect lateral movements within the network, Bucala says.
Deception technology is a category of security tools designed to detect attackers who already are in the network and prevent them from doing damage, Bucala explains. It works by distributing deceptions that mimic genuine IT assets throughout the network. Instead of relying on traditional signatures, deception technology alerts are generated by real attacker movements within a network, she says.
“The IT team will be able to see, in real time, any malicious lateral movement that is happening on the network and can mitigate the attack, protecting the computer systems that literally keep people alive,” Bucala says.
- Caleb Barlow, CEO, CynergisTek, Austin, TX. Telephone: (512) 402-8550.
- Jack B. Blount, President and CEO, Intrusion, Plano, TX. Telephone: (972) 234-6400.
- Nicole Bucala, Vice President of Business & Corporate Development, Strategy, and Operations, Illusive Networks, New York City. Telephone: (844) 455-8748.
- Anthony Chadd, Senior Vice President of Security Business Development, Neustar, Sterling, VA. Telephone: (855) 898-0036.
- John Ford, Cyber Strategist, IronNet, McLean, VA. Telephone: (443) 300-6761.
- Satya Gupta, Co-founder and Chief Technology Officer, Virsec, San Jose, CA. Telephone: (877) 213-3558.
- MJ Kaufmann, Cyber Security Specialist, Saviynt, El Segundo, CA. Telephone: (310) 641-1664.
- Mike Puglia, Chief Strategy Officer, Kaseya, Miami. Telephone: (877) 926-0001.
- Bindu Sundaresan, CISSP, CEH, CISM, Director of AT&T Cybersecurity, San Mateo, CA. Telephone: (650) 713-3333.
- Steve Tcherchian, Chief Information Security Officer at XYPRO, Simi Valley, CA. Telephone: (805) 583-2874.
- Jon Toor, Chief Marketing Officer, Cloudian, San Mateo, CA. Telephone: (650) 227-2380.