U.S. Hospitals on High Alert for “Imminent” Ransomware Threat

Nov 23, 2020 | Security

Just as a new wave of coronavirus infections surged across the globe last month, U.S. cybersecurity agencies released a startling statement: “CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”

The healthcare system has long been a target of ransomware attacks. But when the FBI, the Department of Health & Human Services (HHS) and the Cybersecurity and Infrastructure Agency (CISA) issue a joint alert about an “imminent” threat – especially amid a global pandemic – it’s important to pay attention.

Here’s what you need to know about the advisory and what it means for the healthcare industry.

What Is the Latest Ransomware Advisory?

The threat level was raised after several hospitals were attacked by a coordinated ransomware effort. The advisory reports that cybercriminals are using Ryuk ransomware, a malicious type of software that encrypts data across a network, making it inaccessible and often making devices unusable.

Ryuk ransomware is typically preceded by a TrickBot malware infection. TrickBot is a well-known modular trojan that acts as a dropper for other malware. It is typically delivered via spam email attachments or links to malicious websites, which users mistakenly click on. Once the malware is on healthcare networks, it can steal data and deploy the ransomware infection.

In its statement, U.S. cybersecurity officials explained: “TrickBot now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk and Conti.”

How Does Ransomware Get into Hospital Computer Systems?

Ransomware and other cyberattacks occur most frequently because of human error, typically when someone clicks on a malicious link or attachment in a phishing email or spam message.

According to CSO, 80% of security incidents stem from phishing attacks, and 94% of malware – the most common delivery mechanism for ransomware – is delivered by email.

Here’s a breakdown of how these vulnerabilities and others are exploited by cybercriminals:

1) Phishing and Social Engineering

Phishing and social engineering schemes often expose user credentials, giving cybercriminals access to computer networks. Once inside the hospital’s network, hackers load malware that can surreptitiously operate and send copies of the data to the hackers. When ransomware is launched, data is encrypted and can no longer be used without the decryption key. The cybercriminals hold the data hostage unless you pay the ransom to get the key to decrypt it (though paying the ransom doesn’t guarantee you’ll actually get the key). The favored method of payment is Bitcoin, which is difficult to track.

2) Weak Passwords

Email isn’t the only way hospital systems are vulnerable, however. Despite HIPAA and internal compliance regulations for safeguarding information, the healthcare industry is notorious for weak passwords. Hacking tools are freely available on the dark web that can conduct brute-force password attacks.

3) Unapplied Patches

Healthcare organizations often fail to patch operating systems and software promptly when patches are released. One study of the industry reported that nearly half (47%) had unpatched vulnerabilities. This is especially troubling because these kinds of breaches are preventable. So-called zero-day exploits take advantage of lax security to attack flaws in software. In many cases, cybercriminals can use the flaws to gain access even months after a fix has been released because organizations failed to apply it.

These zero-day exploits are widely available on the dark web and even sold out in the open by foreign actors. Not only can you lose your data or expose sensitive data of patients and employees, but you could be held liable for the breach for failing to follow proper security protocols. That’s what happened to credit-reporting agency Equifax when they failed to apply patches promptly to known security flaws and exposed the data of 143 million people. Years later, Equifax is still cleaning up the mess. It’s estimated it cost the company more than $1.3 billion in losses and the settlement of lawsuits.

4) Connected Devices

Today’s advanced medical devices are increasingly connected. This makes the collection, transfer and monitoring of data easier, but it also creates additional attack vectors for threat actors. While the network provides some protection, many individual healthcare devices can be vulnerable to attack.

5) Outdated Systems

Even with the movement to create electronic records, many healthcare groups have been slow to upgrade their data backup systems to minimize data loss. In a cyberattack, they are left unable to recover data that’s been encrypted by ransomware.

How Does Ransomware Affect Hospitals?

While encrypting data can kill a business’s productivity and rack up financial losses, it’s even more serious for hospitals and healthcare providers.

If a healthcare provider can’t access the electronic health records they need, patient care can be compromised. Ransomware can lock up patient histories, treatment plans and identifiable information needed to treat and bill patients. In many cases, hospitals are forced to revert to paper record-keeping and turn away patients (even for emergencies) until the attack is resolved.

Besides the problems caused by data loss or the inability to access patient records, system downtime takes a significant toll. The Ponemon Institute estimates the cost of downtime at $7,900 a minute. For healthcare organizations, two hours of downtime can cost millions of dollars.

Why are Hospitals Being Targeted?

In the early days of COVID-19, hackers seemed to pause the attacks on hospitals while the world dealt with a health crisis. But it didn’t last. Even as the healthcare industry is dealing with the pandemic, cyberattacks on hospitals have increased rapidly.

Cybercriminals using ransomware are playing a numbers game. The more computer systems they can infect, the more likely it is that someone will pay the ransom. For hospitals, data loss is high stakes. It can put lives at risk. Hackers know that hospitals and medical providers are often more willing to pay the ransom and pay larger amounts to restore their critical data. They also know that healthcare organizations tend to have more IT vulnerabilities.

Hospital executives know they’re under attack. In an interview with WWNY-TV, Richard Duvall, CEO of NY state’s Claxton-Hepburn Medical Center, said: “One thing that I think healthcare has realized, it’s not about ‘if,’ it’s about ‘when.’”

What Do Experts Say About the Ransomware Threat?

Among cybersecurity experts, there is a near universal agreement that the situation is bleak and it may only get worse.

Security expert Charles Carmakal told NPR, “We are experiencing the most significant cybersecurity threat we’ve ever seen in the United States.”

In an interview with CNN, CISA Director Chris Krebs delivered this sober warning to healthcare organizations: “No matter what, you’re going to deal with situations where the ability for the healthcare practitioners to give care to patients — it’s going to get delayed, which could certainly impact people’s lives.”

With respect to overall readiness, he added: “Assume Ryuk (ransomware) is inside the house. Executives – be ready to activate business continuity and disaster recovery plans. IT sec teams – patch, MFA, check logs, make sure you have a good backup point.”

Which Hospitals Have Been Targeted Already?

Hospitals have been hit hard over the last few years, and attacks have only gotten worse since the start of the COVID-19 pandemic.

In September, Universal Health Services (UHS), one of the country’s largest health systems, experienced the worst-ever ransomware attack on a U.S. healthcare group. The infection spread to all of UHS’s hospitals and healthcare locations, prompting a two-day blackout and leading to the enactment of EHR downtime procedures.

For others, the recovery may take weeks or months. Without a robust business continuity and disaster recovery solution in place, systems have to be inspected, cleaned, restored and tested before being brought back online. In many ransomware cases, the data is never recovered.

In October, three hospitals in New York state’s St. Lawrence Health System were hit with ransomware. Sky Lakes Medical Center in Oregon was infected along with Sonoma Valley Hospital in California and Dickinson County Healthcare System in Michigan.

The University of Vermont Health Network managed to stop a threat, but might spend weeks cleaning up the damage and restoring its system to full operational status.

Should Hospitals Pay the Ransom?

Some hospitals do pay the ransom in a last-ditch effort to recover data when no other options are viable. But it’s a big gamble. You send the Bitcoin off to an unnamed individual with no way of tracking the payment. You may or may not ever get a decryption key to get the data back.

Hancock Hospital in Indiana paid $55,000 in Bitcoin. Three Alabama hospitals also paid. They did get the decryption key.

The FBI strongly discourages paying the ransom. Even if you are one of the lucky ones that gets the key and can restore the data, doing so only encourages cybercriminals to continue their attacks. Money raised in ransomware attacks is also used to fuel other criminal enterprises.

How Can Hospitals Protect Themselves from Ransomware?

System administrators should be actively monitoring network traffic for any unusual activity. Since many ransomware attacks start as email phishing attempts, employee education should commence immediately. The FBI, CISA and HHS also recommend taking immediate steps to back up and secure any sensitive or proprietary data.

While immediate action is needed amid this cyber threat, the FBI, CISA and HHS say that healthcare organizations should routinely follow these steps to mitigate potential damage:

  • Back up data, air gap and password-protect backup copies offline
  • Implement a disaster recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, secure location

TrickBot is being used as the delivery mechanism for the current ransomware attacks. Any sign of a TrickBot infection should be treated as a key indicator of an imminent ransomware attack.

Most importantly: a robust data backup system is the single best defense against an infection, because it allows organizations to roll back to clean data, eliminating the infection and removing the question of paying a ransom.
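Rolling back only works if the backup itself is still clean. As an added example (not code from the advisory, Datto or Invenio IT), the Python check below hashes a backup set into a manifest meant to be stored with the offline, air-gapped copy, then re-verifies the backup tree before it is trusted as a restore point, flagging files that changed, vanished or appeared and marking changed files whose content now looks encrypted. The file names and the scenario in `demo()` are constructed.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext and random data sit near 8.0


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    # Structured data that suddenly scores near 8.0 is the typical signature of
    # ransomware encryption (compressed or legitimately encrypted archives also score high).
    n = len(data) or 1  # avoid division by zero on empty files
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: str) -> dict:
    # Relative path -> SHA-256 digest; keep this manifest with the offline, air-gapped copy.
    base = Path(root)
    return {str(p.relative_to(base)): sha256_file(p) for p in sorted(base.rglob("*")) if p.is_file()}


def verify_manifest(root: str, manifest: dict) -> dict:
    # Re-check the backup tree against the trusted manifest before restoring from it.
    current = build_manifest(root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return {
        "modified": modified,
        "missing": sorted(set(manifest) - set(current)),
        "added": sorted(set(current) - set(manifest)),
        "suspicious": [p for p in modified
                       if shannon_entropy(Path(root, p).read_bytes()) > ENTROPY_THRESHOLD],
    }


def demo() -> dict:
    # Constructed scenario: clean backup and manifest, then one file overwritten with random
    # bytes (simulating in-place encryption), one deleted, and a note file dropped.
    root = tempfile.mkdtemp()
    Path(root, "ehr.db").write_bytes(b"patient record\n" * 300)
    Path(root, "notes.txt").write_bytes(b"treatment plan\n")
    manifest = build_manifest(root)
    Path(root, "ehr.db").write_bytes(os.urandom(4096))
    Path(root, "notes.txt").unlink()
    Path(root, "READ_ME.txt").write_bytes(b"constructed ransom note")
    return verify_manifest(root, manifest)
```

A non-empty "suspicious" or "missing" list means the copy should not be used for rollback; restore instead from the offline copy whose manifest still verifies.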

Learn More About Protecting Your Healthcare Organization from Ransomware

Learn more about protecting your healthcare organization from a ransomware attack with Business Continuity and Data Recovery solutions from Datto. Request a free demo or speak to our experts at Invenio IT today. Call (646) 395-1170 or email success@invenioIT.com.


Tracy Rock is the Director of Marketing at Invenio IT. Tracy is responsible for all media-related initiatives as well as external communications, including branding, public relations, promotions, advertising and social media. She is one busy lady and we are lucky to have her!