Hospitals across the US are bracing for aggressive cyberattacks that could threaten patient care amid the national rise in COVID-19 hospitalizations, after security companies and the federal government warned that Russian cybercriminals had already hobbled operations at several hospitals over the past week.
On Wednesday, the FBI, together with the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA), warned that there is an imminent threat of ransomware attacks on American hospitals and health care providers.
The attackers have disrupted hospital systems in Vermont, New York, Oregon, and elsewhere within the past few days, deploying a type of malware called ransomware.
Ransomware is a type of malicious software that spreads across computer networks, encrypting files and demanding payment for a key to decrypt them. It has become a common tactic for hackers, although attacks of this scale against medical facilities aren’t common.
“Ryuk”: a new wave of ransomware attack
The threat identified by the FBI, CISA, and HHS comes from the “Ryuk” ransomware. It’s a relatively young ransomware family that was discovered in August 2018 and has gained significant popularity in 2020.
While multiple ransomware attacks against health care providers each week have become common, this is the first time we have seen six hospitals targeted in the same day by the same ransomware actor.
Ryuk is also believed to be behind the recent ransomware attack on Universal Health Services (UHS), running approximately 400 hospitals and care centers across the United States and the United Kingdom, making it one of the largest medical cyberattacks in US history.
“Not only has the number of ransomware attacks increased, but ransomware itself has evolved, with some of the most popular forms disappearing and new forms emerging. In some cases, these are even more disruptive and damaging,” says Juta Gurinaviciute, Chief Technology Officer at NordVPN Teams.
Putting patients’ safety at risk
A computer virus could put people in serious danger if the target is a healthcare facility. Experts say old machines and outdated software at hospitals have contributed to the spread of ransomware. If the situation doesn’t improve, it could put patients’ safety into further jeopardy.
“The consequences can be grave. If an attack happens in the middle of a surgery, whatever machines are being used could go down, forcing medical staff to fall back on manual methods,” comments the NordVPN Teams expert. “MRI machines, ventilators, and some types of microscopes are computers too. Just like our laptops, those computers come with software that the developers have to support. When the machines become old and outdated, the people who made them might stop supporting them. That means that old software can become vulnerable to attacks.”
In many cases, hackers threaten to leak the data they’ve stolen if the victim doesn’t pay a ransom — something that might strike fear and pressure victims into giving in to the extortion demands.
Patient records cab sell for up to $1,000 on the black market due to the amount of information found in the documents, including date of birth, credit card information, social security number, address, and email. Social security numbers can be purchased for as little as $1, and credit card information sells for up to $110.
“Bad actors have also taken advantage of the coronavirus pandemic by sending COVID-19 themed phishing emails to health organizations,” adds Ms. Gurinaviciute.
There should be a two-pronged approach — one that allows the organization to protect everything and also achieve HIPAA compliance. Attacks don’t just expose data, but also open the organization up to HIPAA and GDPR violations and fines, according to a global research and advisory firm Gartner.
As governments around the world attempt to address the public health crisis and contain the spread of COVID-19, there is a big chance criminals will continue to exploit this chaos, triggering subsequent spikes in cyberattacks against healthcare institutions. According to Ms. Gurinaviciute, healthcare organizations, especially those that run outdated technology, should expect these kinds of attacks to continue happening around the globe”.
7 steps to protect data of medical institutions
Cybersecurity doesn’t concern large hospitals or medical institutions exclusively, and general precautions should be taken in the medical industry regardless of the of the institution. Our NordVPN Teams experts suggest starting with the following:
1. Updates. Ensuring security patches are applied as soon as possible helps prevent hackers from exploiting known vulnerabilities that help them gain a foothold in the network.
2. Multi-factor authentication. Multi-factor authentication across the ecosystem can prevent hackers from moving across the network and gaining additional controls.
3. Regular backups. Organizations should also regularly back up their systems, as well as test those backups on a regular basis as part of a recovery plan. If the worst happens and ransomware does infiltrate the network, there’s a known method of restoring it without the need to pay ransom to cybercriminals.
4. Audits. Hospitals should conduct regular audits of their machines and segment their networks, so if one piece of the network is compromised, it doesn’t spread throughout the entire system.
5. Remote access. Only secure virtual private network (VPN) connectivity should be allowed for remote access. In addition, only whitelisted IP addresses or device IDs should be allowed to access systems, as this will allow access to authorized users only.
6. Treat every email with zero trust. Because of the remote work environment, the amount of information exchanged over the internet through virtual conferences and emails has skyrocketed. Establish a process that enables employees to report anything suspicious, and share regular updates and information about phishing emails.
7. Security training. General security policies need to be drawn up and implemented, and staff have to be appropriately trained ad-hoc, whether remotely or in person.