Late in October, a variety of media outlets carried the news about a major surge in ransomware attacks—attacks of considerable ferocity. The Washington Post reported that in the space of 24 hours, six hospitals across the country were hit inside of a week with Ryuk ransomware attacks that demanded up to $1 million, which some hospitals have paid. In response, federal agencies have issued a warning saying that they have credible information of an increased and imminent cybercrime threat to more U.S. hospitals and healthcare providers.
The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and the Department of Health and Human Services are warning healthcare providers to take precautions to protect their networks from these threats, including attempts to infect systems with Ryuk ransomware. In terms of response to attacks, CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered, they noted. “It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” the agencies cautioned.
What is the overall situation like right now in healthcare?
The situation right now in healthcare is pretty alarming. What we have going back to the UHS [Universal Health Services, a 400-facility organization based in King of Prussia, Pa.] incident [in September] is a series of ransomware attacks. That’s not new. But what was new starting with UHS is the change in adversarial intent. What do the bad guys want? Remember, these are criminal gangs. You don’t necessarily want to draw the ire of every law enforcement entity in the country. And you don’t necessarily want to harm your victims; you want money from them.
We saw a marked change in adversarial intent here, meaning, starting with UHS, they were targeting an entire system, in the case of UHS, one with hundreds of hospitals and clinics. They know if they take the hospital down, they’ll have to divert patients, and 80 to 90 percent of the time, the hospital organization will pay. [Recently], in Düsseldorf [at the Düsseldorf University Clinic in Germany], we actually saw the first patient die because of a diversion. But now, if you take down a system, you’re really seeing a shift. Now, these criminals are trying to bring down patient care organizations during a pandemic. Why this is happening is open to speculation; but this isn’t entrepreneurial anymore, this is something different. We have never had an attack like this that has had a sustained impact on people, what we call a kinetic impact. So we’ve drawn chalk lines around different types of activity. For more than a dozen hospital systems [at the time], their command and control servers, web addresses, instrumentation they’re using to control the botnet—that information is now largely known, and cybersecurity companies and network carriers are sinkholing this, meaning, shutting down channels. As we talk with network carriers and intelligence agencies, they’re seeing continued attempts to break into at least two dozen more hospitals. But one network carrier only sees what’s going on in their network. So this is an ongoing attack. Right now, a lot of that infrastructure is being sinkholed, which will work for a while, until the bad guys likely change their infrastructure.
The pause we’re all kind of breathing here is like the eye of a storm. If they change their infrastructure, many more patient care organizations will be in danger. From our own studies, we know that 66 percent of America’s hospitals do not meet minimal cybersecurity standards, according to the NIST framework.
In fairness, healthcare has always struggled to fund this. They’ve been making investments, but not fast enough to keep up with the adversary. And right now, airlines and hotels aren’t going to be attacked, because they’re so underpopulated. Healthcare is what’s still open, but it also has a weakened security posture. And hospitals have had to be responding to the coronavirus. And typically, half of the hospital’s employees are working remotely. All the right things were done at the time, but now, just as we had that shortage of masks, ventilators and PPE, we need to shore up America’s hospitals’ cybersecurity structures for them to remain open.
Do you have any idea of what’s behind this change in adversarial intent?
That’s a great question; we don’t know all the answers yet, but there’s a theory about the attempted takedown of TrickBot by Microsoft and a series of private-sector partners, and allegedly U.S. Cyber Command, which, it’s reported, tried to take down this botnet about three years ago. Microsoft went to court and made a very interesting case to get access to these servers. They won in court and processed their takedown and disrupted the botnet but didn’t kill it. So you have a wounded animal that might be fighting back; so there’s the theory that this is retaliatory. Also, generally, takedowns occur quietly; you don’t want the bad guy to know what you’re doing, so you can do it again. But this got sucked up into the PR machine.
Who’s behind TrickBot?
It’s a hacker group called Wizard Spider, a Russian-speaking actor. They’re very efficient. They can go from initial compromise to locking up a victim in a matter of hours. They’re very good at what they do, but their motivations have historically been entrepreneurial in nature. So they could be retaliating. The U.S. Treasury Department has reminded people that paying ransomware could result in civil or criminal penalties. There’s no evidence this is election-related, but it is curious that it occurred a week before an election. So no one really knows what’s going on. But it’s a different world now if you’re a healthcare CISO. You’re going to have to get the necessary protections in place now.
What should CISOs and their teams be doing right now?
Think of it this way: in a lot of ways, this is like a pandemic. Just as we have social distancing from people, we need social distancing in a network, and that’s done through network segmentation.
Network segmentation has historically been a low priority for hospital system IT people, right?
It’s almost been non-existent. Think about it: a surgeon is in surgery in the morning, in research in the afternoon, and then in his office practice. But think about the social distancing metaphor there. In fact, I’m going to analogize extensively to the COVID-19 pandemic situation here.
The second element is contact tracing; the analogy on your network is endpoint detection response, or telemetry. That’s so much more important now, because half of your workers are at home, where they’re outside your network and the normal levels of protection.
And the third element is equivalent to PPE, and that’s identity management, and multi-factor authentication inside the hospital, zero trust. Once the bad guys get inside, they’re inside, and you can crack a 12-digit password in seconds. If you’re coming from the inside, there’s very little to stop an intrusion. So privileged access management is key. That’s PAM, the equivalent to PPE.
Shouldn’t organizations also be engaging in behavioral monitoring?
That’s important, yes, but advanced. Endpoint detection response, privileged access management, multi-factor identification, and network segmentation are all essential now; then we need to get to behavioral monitoring. You don’t see ransomware attacks on banks. Why? Because they have all these tools in place—even your small, local bank has them—they have to. Three or four years ago, they found that out. Healthcare has more valuable data; the bank only knows how much money you have. There’s a huge amount of information in medical records. Bad guys attack hospitals because that’s where the data is. What this ultimately means is that we have to invest in security relative to the threat and risk to the data we hold. Hospitals have a wealth of data; and unfortunately, with lots of data and analytics comes lots of risk, and you have to protect that.
Unfortunately, rather than a slow realization that we have to catch up in this cat-and-mouse game, what is needed is a revolutionary response: we need these defenses, and we need them now. And now’s not the time to be spending more money on security, given the challenges of the coronavirus, but that’s exactly what will have to happen.
If you get locked up by ransomware, you won’t be able to do elective surgeries, you’ll lose trust with patients, and you might not even be able to pay ransomware. In the past, people went out and bought cyber insurance; hospitals have revealed that they have cyber insurance. The problem is that the hospital gets locked up and they pay the ransom, and that only fuels further ransomware attacks. It doesn’t change until you change the economic landscape.
Is there anything that you’d like to add?
I think that at the end of the day, as difficult as this is at this time, we have to realize that ransomware is largely preventable. But it is going to take a response from America’s cybersecurity companies to help healthcare get through this. Just as we’ve responded to the pandemic, we have to get shored up from a cybersecurity perspective, and we have to do it now. We’re capable of doing it, but it’s going to take immediate action to get there.