Ransomware Threats Show Hospitals Aren't Prepared

A recent ransomware threat against hospitals highlights the fact that many medical institutions aren’t prepared to handle cyberattacks.

Last week, the FBI warned that hackers could be targeting the healthcare and public health sector with ransomware. Such an assault could shut down hospitals that are already under strain from the coronavirus. Health centers have not prepared sufficiently for such attacks, experts say.

"We found that 66% of hospitals do not meet the minimum security requirements as outlined by the National Institute of Standards and Technology (NIST)," Caleb Barlow, CEO of CynergisTek, a cybersecurity firm focusing on healthcare, said in an email interview. "In the midst of a pandemic when travel, tourism, and education have been severely hampered, healthcare is open and a soft target for hackers. 

"A ransomware attack on a hospital or healthcare organization often involves a kinetic impact as patients are diverted. This potential impact on patient care increases the likelihood that organizations will pay the ransom."

A ‘Credible’ Threat

In a joint alert last week, the FBI and two federal agencies said they had credible information of "an increased and imminent cybercrime threat" to US hospitals and health care providers. The agencies said groups are targeting the healthcare sector with attacks aimed at "data theft and disruption of healthcare services."

The ransomware, called Ryuk, affected at least five US hospitals last week. Like most ransomware, this strain can distort computer files into meaningless data until the target pays whoever launched it.

"Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing and can propagate and infect IoT/IoMT (internet of medical things) devices, as we’ve seen this year with radiology machines," Jeff Horne, CSO of cybersecurity firm Ordr, said in an email interview. "Once attackers are on an infected host, they can easily pull passwords out of memory and then laterally move throughout the network, infecting devices through compromised accounts and vulnerabilities."

Under Siege From Ransomware

For more than a year, the US has been assaulted by ransomware attacks. An attack in September crippled 250 facilities of the hospital chain Universal Health Services. Employees were forced to use paper for records and lab work was impeded.

"Hospitals have been attacked in this way previously, but with the pandemic plus everyone relying on digital applications more than ever, we’re seeing an increase in these attacks," Sushila Nair, CISO at IT consultancy NTT DATA Services, said in an email interview.

Healthcare organizations have underestimated the threat, experts say, and normal antivirus software isn’t enough to fend them off.

"These ransomware attacks are run by sophisticated attackers and malicious developers operating more like a criminal company with customer service, online support, call centers, and payment processors," Horne said. "Just like a modern customer-focused business, they have people who respond to questions, assist with payment and decryption, and are very organized."

Not all experts agree that hospitals aren’t prepared for cyberattacks, however.

"Healthcare organizations move quickly to remediate flaws in their applications, in part because they deal with high volumes of sensitive information," Chris Wysopal, Chief Technology Officer and co-founder of cybersecurity firm Veracode, said in an email interview. "Another contributing factor may be that healthcare companies are using more than one type of application security scan, allowing them to find and fix more flaws than if they used just a single type of scan, such as static analysis alone." 

With coronavirus cases trending upwards, the last thing hospitals need now is for their computer systems to be crippled. Let’s hope they don’t have to go back to paper and pencil to record COVID-19 test results.