Ransomware attacks are a growing threat to critical infrastructure and private industry worldwide. While every business sector has felt the sting of ransomware, few have been harder hit of late than health care. In April 2020, Colorado-based Parkview Medical Center was targeted by a ransomware attack on its information technology (IT) systems when it could least afford to have those systems shut down — during the height of the COVID-19 global pandemic.
Ransomware is the most prominent malware threat right now because it’s fast, easy and usually results in a tidy profit for the attacker. According to Sophos’ State of Ransomware 2021 report, 37% of 5,400 respondents surveyed said their organizations were hit with ransomware in the last year, and 54% of those reported the criminals succeeded in encrypting their data.
Often, attacks on the health care sector go after confidential patient records — Social Security numbers, financial data and the like — but this has shifted a bit in the last year as a result of the pandemic. Threat actors are looking for pain points, and health care is an almost perfect victim. When you’re dealing with matters of life and death, you can’t afford to have your systems go down for any length of time. It is even possible now for hackers to up the ante and endanger patients by manipulating medical devices or laboratory values.
“They realize that,” said David Masson, director of enterprise security at Darktrace. “If they ransomware an operational technology (OT) system, it’s on the basis of they know that the organization can’t afford to have production halted or changed or interrupted in any kind of way. Maybe the easiest solution to get things back to normal will be — take a wild guess — pay the ransom, and that’s why they go after them. It’s the same reason that attackers go after things like municipalities and hospitals. People have a big drive to maintain that service, and perhaps the easiest way to maintain that service is to pay the ransom.”
Parkview Medical Center attack
The attack on Parkview Medical Center, based in Pueblo, Colorado, occurred in late April of 2020, and essentially rendered the hospital’s systems for storing patient data inoperable. Most hospitals use digital systems to store all of their patient information. Without those essential medical records, providers are missing the core of what they need to do their jobs. Parkview released a statement after the attack ensuring the community that the hospital was managing the situation.
“Patient care is always our first priority,” read the statement. “Patients will not see any impact to the level or quality of care being delivered. As a regular course of business, Parkview Medical Center frequently trains and prepares for scenarios that result in IT system outages.
“We are well prepared, and our staff is trained to continue operations while we work to get our regular IT systems back online. While our medical staff continues to work around the clock in response to the ongoing global pandemic, we are doing everything in our power to bring our systems back online as quickly and securely as possible.”
When the cyberattack was discovered, Parkview Medical Center officials engaged with a third-party team to mitigate and investigate the incident. In order to keep operations running, the hospital had to revert to using pen and paper forms to track patients, which slowed hospital service down. On a good day, this kind of delay can have a major impact on patients’ lives. But shortly after the country had essentially shut down as a result of the pandemic, this was time hospitals didn’t have. By April, health care facilities were overwhelmed by COVID-19 patients, placing undue stress on their systems.
Targeting health care
That’s exactly why hospitals are attractive to threat actors — especially now. In 2020, Emsisoft reported 560 health care facilities were impacted by ransomware attacks in 80 separate incidents. And according to Health and Human Services (HHS), ransomware attacks were responsible for almost 50% of all health care data breaches in 2020.
One of the biggest perpetrators of attacks on the health care sector has been Ryuk, a notorious Eastern European gang that accounted for about one-third of the 203 million ransomware attacks in the U.S. in 2020. The Wall Street Journal reported Ryuk has attacked at least 235 general hospitals and inpatient psychiatric facilities, plus dozens of other health care facilities in the U.S. since 2018.
“They do not care. Patient care, people dying, whatever. It doesn’t matter,” said Bill Siegel, CEO of the ransomware recovery firm Coveware in the Wall Street Journal article. “Other groups you can at least have a conversation. You can tell them, ‘We’re a hospital, someone’s going to die.’ Ryuk won’t even reply to that email.”
Hospitals also make good targets for extortion for an unfortunate reason shared by many other economic sectors: Their cybersecurity tends to be lax. Many experts recommend organizations to spend at least 10% of their IT budget on cybersecurity; others argue for more. According to Fierce Healthcare, health care organizations dedicate only around 6% of their budget to cybersecurity measures.
“There’s a reason why everyone is putting the blame on the cybersecurity basics not being there. That’s true, but there’s much more involved there,” said Ron Brash, director of cybersecurity insights at Verve Industrial Protection. “I think ransomware and the state of cybersecurity in general — besides the products being weak, for the most part — is systemically related to [the fact that] there’s no budget, and it’s something much bigger. We’re looking at the symptoms of the problem, but what is the basis of the problem? We basically bought a car, we didn’t change the oil in it, we didn’t change the brakes on it, and we’re wondering why the engine has blown. That’s where we’re at today with ransomware.”
To pay or not to pay
Ransomware ultimately results to a simple question: Should you pay the ransom or not? The HIPAA Journal reported that ransomware attacks against U.S. health care providers have caused more than $157 million in losses since 2016. For businesses, this usually comes down to a cost-benefit analysis. How much does it cost to have systems down versus how much the cybercriminals are asking for.
“Because [many businesses] just pay it, as if it’s like a tax that someone decided — it’s like a toll going over a bridge that you didn’t really want to pay, but you will pay — they’ll just do it and they’ll write it off,” Brash said. “It’s a business loss. Great. Shareholders don’t care. The company is still making money. Everything’s wonderful.
“That’s where we start to wind up in problems, where you start to apply the ethics of it. Does it make sense to be paying someone that’s very likely to attack you again? Or are you financing something else that you shouldn’t be financing in another country? That’s another conflict of it. So I think what needs to happen is paying ransom should not be your playbook. That should not be what your go-to plan is when this event occurs.”
The Cybersecurity and Infrastructure Security Agency (CISA), the HHS and the FBI issued an advisory in November 2020 warning of “an increased and imminent cybercrime threat to U.S. hospitals and health care providers.” They recommended providers take “timely and reasonable precautions to protect their networks from these threats.” According to the agencies, malicious groups are targeting the sector, “often leading to ransomware attacks, data theft and disruption of health care services.”
“These issues will be particularly challenging for organizations within the COVID-19 pandemic” the alert read. “Therefore, administrators will need to balance this risk when determining their cybersecurity investments.”
The health care sector is likely to remain in the crosshairs of threat actors because of the critical nature of its work. It’s essential for providers to invest in increased cybersecurity, effective backups and education efforts among staff to mitigate the threat and provide continuity for their life-saving work, especially as the COVID-19 pandemic rages on.