February 2, 2023
This article was originally published in October of 2021. It has been updated to include additional resources.
A few months ago, the FBI issued this dire warning to healthcare providers, first responder networks and the professionals charged with protecting them from cyber attacks (bolded portions added for emphasis):
“[A]t least 16 Conti ransomware attacks targeting U.S. healthcare and first responder networks, including law enforcement agencies, emergency medical services, 9-1-1 dispatch centers, and municipalities within the last year. These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the U.S. Like most ransomware variants, Conti typically steals victims’ files and encrypts the servers and workstations in an effort to force a ransom payment from the victim. The ransom letter instructs victims to contact the actors through an online portal to complete the transaction. If the ransom is not paid, the stolen data is sold or published to a public site controlled by the Conti actors. Ransom amounts vary widely and we assess are tailored to the victim. Recent ransom demands have been as high as $25 million.”
Alarmingly, ransomware attacks on healthcare providers/organizations have doubled in the last year. These attacks are not only becoming more frequent, but also more sophisticated.
Situation Exacerbated by COVID-19
Ransomware has been around for years, but it’s become especially problematic since the COVID-19 pandemic began in early 2020. (We reported on it here in late 2020, but the situation has grown even worse since then.) As more business operations migrated online, and particularly in cases involving lax or insufficient security protocols, more low-hanging fruit became available for cybercriminals to pluck. Let’s say that fruit is apples. At this point, there are bushels and bushels ripe for the picking.
According to Check Point, attacks in 2021 increased by 102 percent compared to the start of 2020, with no slow-down in site. Equally disconcerting, the “number of organizations impacted by ransomware globally has more than doubled in the first half of 2021.”
Since the start of April, healthcare providers have found themselves dead-center in the crosshairs. “Most of them are profit-generating organizations and are willing to pay up, which is why we see cybercriminals continue to target them,” one cybersecurity expert told TechRepublic. “Not only do cybercriminals damage the infrastructure, but the attack can damage the reputation of the organization, and patients may be wary of providing sensitive data to them in fear of it being stolen.”
In late August, California-based United Health Centers was forced to shut down its entire network after a trove of sensitive data fell into the hands of a ransomware gang known as Vice Society. Noted one well-placed source, “the outrage disrupted UHC’s IT system at all locations, prompting the organization to re-image its computer and recover data from offline backups.”
But there’s even more at stake than just money and respectability: Human lives.
Findings in a new report by the Ponemon Institute think tank are stark: “Ransomware is leading to increased patient deaths. Nearly one quarter of the survey participants reported an increase in mortality rates. Ransomware is typically discussed in terms of economic (ransom and lost revenue) and operational (clinical changes) impact, but now we have the third piece: mortality.”
This potentially tragic consequence was detailed in a recent lawsuit. First reported on by the Wall Street Journal, the suit stems from a July 2019 case at Springhill Medical Center in Alabama. A woman named Teiranni Kidd gave birth to a child whose umbilical cord was wrapped around its neck, cutting off brain oxygen and causing a drop in heart rate. When that happens, fetal heart rate monitors issue a warning so the doctor can perform an emergency C-section. The suit claims that didn’t happen.
“At the nurse’s desk in the labor and delivery unit, the monitors that track fetal heartbeats in the delivery rooms were not working due to the ransomware attack,” according to a summary of the WSJ article. “The heart monitors are usually tracked on a large screen at the nurse’s station as well as in the patient rooms. The attending obstetrician texted the nurse manager that she would have delivered the baby by cesarean if she had seen the monitors.”
As Kevin Fu, acting director of cybersecurity at the FDA’s Center for Devices and Radiological Health, put it recently. “You can’t have a safe and effective medical device if it’s unavailable [due to ransomware]. Nation states and organized crime — real threat actors — are causing harm, damaging the safety and effectiveness of medical devices.”
How Can We Remediate This?
So what can be done? As usual, it all starts with prevention. Ransomware is here to stay, but there are numerous measures healthcare institutions can take to avoid being targeted — and to minimize the damage caused by successful attacks.
First and foremost, hire a knowledgeable professional — or a team of professionals — to oversee cybersecurity operations. This is one area where a jack-of-all-trades who also handles other tech tasks won’t fly. If hiring in-house security experts is too expensive, as is often the case for SMBs, a managed IT services provider can be a cost-effective, reliable, SLA-based alternative. Increasingly, virtual CISOs (vCISOs) are also being leveraged to provide strategy, planning, implementation and ongoing management of cybersecurity programs. Companies like Mindsight have extensive experience in healthcare security and are an excellent (not to mention less pricey) resource to tap.
As for mitigation methods, there are many — too many to list here. The FBI’s suggestions include regularly backing up data, implementing network segmentation, devising a recovery plan to maintain and retain data, installing updates and patches, using multi-factor authentication and requiring administrator credentials to install software. And that’s just a start. Here’s some far more technical advice from the Cybersecurity and Infrastructure Security Agency (CISA).
“To protect themselves and their patients, these organizations must adopt a true culture of security that goes beyond meeting the bare minimum compliance requirements and also takes into account the unique challenges of this industry,” Clements told TechRepublic.
“It’s crucial to implement security awareness training for personnel, system and application hardening as part of IT’s processes, continuous monitoring for evidence of compromise or suspicious insider behavior, and finally regular penetration testing to ensure that no gaps in the security life-cycle exist that can expose systems or data to compromise.”
Mindsight, a Chicago IT services provider, is an extension of your team. Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We have one of the largest expert-level engineering teams delivering the full spectrum of IT services and solutions, from cloud to infrastructure, collaboration to contact center. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.