It’s been three years since the WannaCry ransomware attack struck the world, affecting business operations of all kinds in approximately 150 countries. Yet, even as most industries recovered from the initial attack that jolted the information technology world across the planet, the impact continues to be felt.
According to a June 2019 report from cybersecurity firm Armis, for instance, more than 40 percent of healthcare organizations had experienced a cyber attack involving the WannaCry ransomware cryptoworm within the preceding six months. WannaCry's goal is to encrypt the data on an infected computer and display a demand for a ransom to be paid in bitcoin. Researchers have indicated that this method has worked: some estimates put the cost of WannaCry attacks at over $4 billion in financial losses, including $325 million in ransom actually paid out. “Healthcare, manufacturing and retail sectors have high rates of old operating systems in their networks,” the report indicated.
Indeed, healthcare organizations continue to be the preferred target of cyber criminals who can gather patient names, insurance and financial information, addresses, Social Security numbers and other personal data that hackers can use for identity theft or other fraudulent activity. These threats in healthcare are not new, but they are still regularly occurring, as pointed out in a recent report from cybersecurity company Emsisoft, which found that 764 healthcare providers were hit with ransomware attacks in 2019.
So, what are health systems and their technology partners doing today to become more resilient? And what lessons have been learned that could be applied to planning for the future? Healthcare security leaders interviewed for this piece emphasize that practicing good hygiene and having a strong security program in place are still the most important elements of preventing, responding to and, if necessary, recovering from a ransomware attack.
“It’s my job as a [security officer] to make sure I’m securing my environment, picking the right tools to secure my environment, and that I have the right people and processes in place,” says John Houston, vice president, privacy and information security & associate counsel, at UPMC, a $21 billion health system and insurer headquartered in Pittsburgh. “Threats and technology are always changing, but having a mature program in place will allow you to [continuously] look at how risks and threats are evolving, so you can adapt appropriately. Does it mean I will never have a security incident? Of course not, but [having a program in place] shows that I have done an in-depth risk analysis within my environment, and that I’m thinking enough about where I am at and where I am going,” he says.
Cybersecurity “hygiene” is a term often used by experts in this space, referring to the regular maintenance that’s necessary for computers and software to run at peak efficiency. Ultimately, Houston offers, one of the biggest security risks to a healthcare organization continues to be people. “Simply put, we tell users to not store sensitive information on computers,” he says. “Every employee needs to have seen samples of real phishing emails, malicious links and [must] know how to avoid becoming an unwitting victim,” adds Shefali Mookencherry, principal advisor at consulting firm Impact Advisors.
Undoubtedly, poor hygiene can leave unpatched vulnerabilities exposed, something McMillan recently encountered with one hospital chief information security officer (CISO) who, after running a system scan, found out that his organization had stopped patching its systems and applying updates as a result of the COVID-19 crisis. The rationale behind that decision, McMillan recounts, was that the organization’s CIO said the focus needed to be solely on operations, and that patching, updates, or other changes to IT systems had the potential to negatively impact them—a scenario the IT team had to avoid at all costs in the face of a healthcare pandemic.
“The issue there is that ransomware exploits typically look for some weakness in the system they can take advantage of, meaning something that’s not patched, something that isn’t running that should be, or something that’s not configured properly,” McMillan says. “So the minute you stop doing those things, you immediately increase your [attack surface], and all it takes is one phishing message to get through, and we’re off to the races. You cannot just neglect your systems during an emergent situation, because that’s exactly what the bad guys are hoping you do,” he emphasizes.
The heightened need for security during a crisis
Indeed, the COVID-19 epidemic has hit healthcare organizations hard at many levels, and information security is not a department that has been spared. However, a possible silver lining is that authorities are making it known that organizations must maintain their security postures during a crisis.
To this end, the International Criminal Police Organization, commonly known as INTERPOL, recently released a warning to industry stakeholders at the forefront of the global response to the COVID-19 outbreak that they will be the targets of ransomware attacks during this pandemic. A key element of the notice, notes McMillan, was that organizations that support health systems—such as laboratories and pharmaceutical companies—needed to be on high alert as well. The unfortunate consequence of this is “an attack surface for cyber criminals that is exponentially multiplied,” he says.
Another core challenge, notes McMillan, is that COVID-19 has forced organizations to deal with both people and third-party vendors remotely. “Cyber criminals know businesses are stressed right now, and are sending people home and connecting them remotely. And they’re doing it so fast that they don’t have time to [ensure] these are the most secure connections.”
Once cities and states started applying lockdown laws, hospitals told their third-party vendors to figure out how to support them remotely, McMillan explains. “So they are [helping] hospitals remotely, but these are services that are designed to be done [on-site]. In hospitals’ contracts with their security vendors, remote support often gets overlooked, so when COVID-19 came along, hospitals would tell their security partners they have to go home since they’re not essential staff, but still [stressed] that they needed their support. It created a tough situation,” he contends. Adds Mookencherry, “For the last decade, ransomware has been corporate focused. Now it will turn to anyone working at home or remotely as well.”
McMillan emphasizes that ransomware is a particularly effective attack when an organization is heavily reliant on its information and systems. “If I can deny you your systems and data, damage it, or destroy it, I can have a tremendous impact. And then I can extort you,” he says. “Not all criminals have a conscience and will stop because you are in a stressful situation. Rather, they will look at that as an opportunity to go after you. That’s the really scary part,” he adds.