How hackers used ransomware to undermine healthcare everywhere

As COVID-19 ravaged hospitals’ patient care units last year, opportunistic criminals saw an opportunity to pluck low-hanging fruit: Hacking groups decided to breach and ransom healthcare institutions during a time of global crisis.

The problem wasn’t merely an onslaught of attacks on hospitals, but also that the level of attack sophistication also increased. Healthcare companies now have larger concerns than data exfiltration and leaking patient records; hackers now seek to totally disrupt hospitals by paralyzing services and critical care unless administrators pay up. Using ransomware, cybercriminals are now locking up electronic health records (EHRs) and the IT infrastructure, denying hospitals access to patient histories, medication needs, and appointment information – all the fundamental data they need for daily operations.

While there have been multiple attacks on the healthcare sector over the past year, these are several of the most chilling:

Universal Health Services (UHS): Before the UHS attack, healthcare breaches were generally limited to one hospital, clinic, or office at a time. UHS suffered a large magnitude breach that took 250 of 400 total locations offline in the middle of the pandemic, freezing the organization’s entire IT system and causing $67 million in losses. Hackers notably targeted UHS fully understanding the breach would create a ripple effect, crippling patient care across the entire system.
University of Dusseldorf Clinic: A ransomware attack in Germany forced a patient to be diverted to an emergency room at a facility 20 miles away from a nearby point of care, and he later died. The Dusseldorf attack illustrates how ransomware can make the difference between life or death when critical care services are interrupted or frozen.
University of Vermont Health Network: The FBI, CISA, and HHS warned against a significant attack on the healthcare sector, targeting more than 400 institutions. Roughly a dozen hospitals were successfully hit by hackers, but the University of Vermont Health Network was hit the hardest. Beyond corrupting 5,000 computers and 1,300 servers, hackers forced the furloughing or reassignment of more than 300 employees who could not do their work without access to IT systems or electronic health records. This attack was so devastating that Vermont's Governor deployed the National Guard to help with remediation; damages are estimated at over $64 million.

Unfortunately, research suggests that the healthcare industry is lagging at making security a priority. A recent study revealed that 66% of hospitals, healthcare systems, and providers across the continuum failed to conform to protocols outlined by the National Institute of Standards and Technology's Cybersecurity Framework. The magnitude and damages of the aforementioned breaches should be a wake-up call for health systems, as they can no longer ignore the need to invest in security.

Instead of belatedly remediating threats after it’s too late, forward-thinking CIOs should view attack prevention and deterrence to be the correct routes forward. Investing in a robust security platform certainly costs far less than paying a ransom, while providing both practitioners and patients the data security they deserve. Healthcare systems that don’t learn lessons from UHS, Dusseldorf, and Vermont – in other words, preserving the cybersecurity status quo despite ample warnings to the contrary – can expect to see incidents that directly impact patient care.

Healthcare executives aren’t the only ones responsible for addressing these issues; regulators also must do their part to curb these dangerous practices. First, the government must take a strong stance and ban ransomware payments. Every digital briefcase full of ransomed cash funds another round of attacks. Second, the U.S. needs to reclassify ransomware operators as something more insidious than classical organized crime. Authorities must have the power to more aggressively pursue these multi-national criminal enterprises, chasing down all of the individuals who might be involved and deliver a proportional response.

Although COVID-19’s death toll guarantees 2020 will live in infamy, the year was also a watershed moment for the healthcare industry in other regards, including cybersecurity. Now that healthcare systems know the next steps they must take to protect themselves, it's time for the U.S. government to get tough on ransomware operators, who have faced too few consequences despite successfully extorting billions of dollars from the private sector every year.

Caleb Barlow is the President and Chief Executive Officer of CynergisTek, a top-ranked information security and privacy consulting firm focused on the healthcare IT industry. Prior to joining CynergisTek, Caleb led the IBM X-Force Threat Intelligence organization. In 2016, he built X-Force Command which is part of a $200M investment in a global incident response services, updated watch floors, the industry’s first immersive cyber range, and an incident command system for responding to major cyber incidents. In 2018, Caleb invented the Cyber Tactical Operations Center which is a first-of-its-kind training, simulation, and security operations center on wheels. Caleb has a broad background having led technical teams in product development, product management, strategy, marketing, and cloud service delivery. He has also led the integration efforts of on multiple IBM acquisitions. External to IBM, Caleb has been in leadership roles at two successful startups, including Syncra Systems, which is now part of Oracle, and Ascendant Technology, which was acquired by Avent. Caleb also holds multiple patents in the field of Unified Communication. Caleb Barlow LinkedIn. Caleb Barlow Twitter.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.