The Health Sector Cybersecurity Coordination Center (HC3) often warns the healthcare sector about malicious ransomware gangs that are targeting the healthcare and public health sector. In January, the hacktivist group KillNet took responsibility for distributed denial of service (DDoS) attacks on official websites of U.S.-based hospitals. In February, HC3 warned of the lesser known MedusaLocker ransomware group that operates as a ransomware-as-a-service (RaaS) model. In March, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), through a joint advisory, warned the healthcare industry that Royal ransomware was still a serious threat to the industry (HC3 issued a threat brief on Royal and BlackCat ransomware in January). These are just a few examples of the warnings, threat briefs, and notes that agencies are issuing to warn healthcare organizations that ransomware is, perhaps, on the rise.
As to the question of why the healthcare industry is such a prime target for ransomware attacks and bad actors, Angela Rivera, associate principal and market lead and cybersecurity advisor, of the Chicago-based Chartis consulting group, says, “Healthcare still holds the most valuable data including financial data, personal health information (PHI), and personally identifiable information (PII) in very large amounts. Cybercriminals are very attracted to that data. Many healthcare organizations still have very outdated and old legacy systems that are prime for target. And it's interesting because even though there's so much new technology, we do a lot of work with organizations that still have a lot of legacy applications that they haven't decommissioned or retired yet, so it still leaves the healthcare organizations vulnerable. They still rely on people every day.”
She adds, “The attackers are getting smarter. They’re getting more sophisticated. There’s talk right now about how ChatGPT will help the attackers even more but they’re already getting smarter even without ChatGPT.” Rivera notes that cybercriminals have no problems getting humans to click on the phishing emails, even though the concept of being aware of such emails is basically common knowledge across organizations.
“The other thing is,” she comments, “there’s a really high cost to continuing to invest in so many security tools. And right now, there is a lot of financial pressure within healthcare organizations. They really have to figure out where they’re going to not only cut costs, but how they’re going to spend their money and usually other things come first. So attackers will continue to take advantage of that and target them [healthcare organizations].”
Lastly, Rivera says “Also, because of all the great things that we’re doing in healthcare, we’re becoming more connected with each other. We’re doing a lot of care at home and telehealth outside the four walls of a hospital, and this provides a lot more attack surfaces and opportunities for the attackers to target.”
Daniel Uzupis, former chief information officer and information security officer, of the Fairfield, Iowa-based Jefferson County Health Center, doesn’t necessarily see a rise in ransomware. “I want to say I haven't seen it more now than I have in the past 10 years,” he says. “However, I will say that if there is any reason for an increase in it, it's because everyone's become increasingly aware of the fact that healthcare organizations just have not been practicing good cybersecurity.”
As to what can be done, especially for smaller organizations, Uzupis notes, “What it all comes down to is the fact that at smaller organizations, they just don't see themselves as a target. They don't see themselves as a target because they think, ‘We’re a tiny little FQHC, who’s going to target us?” Well, to a hacker, they don't care. They don't know how big you are. They don't know what your revenue is. They frankly don't care. And the same thing goes for a smaller hospital.”
Uzupis explains that it doesn’t matter if the organization is out in the middle of nowhere because on the internet you’re not in the middle of nowhere. Individuals exist on the internet regardless of whether or not you think that people can’t find you.
“The biggest problem with the smaller organizations is that everyone knows everyone and when you have an environment like that the concept of confidentiality is really a hard sell,” he says. “And that's really where security starts. If we talk about the CIA triad—confidentiality, integrity and availability—confidentiality is first and there's good reason for that. It's very difficult at small organizations, because everyone knows everyone so how can you really maintain confidentiality when that's the case? And it carries through with their perception of security.”
Uzupis notes that “As far as the budget goes, organizations have to decide how much risk they’re willing to accept at their organization. And that is always the big question for a small facility. In most situations, organizations should place confidentiality at the top of their list, because patients go to you when they’re vulnerable. I can’t say from a technological standpoint what the solution is but I can say from a leadership perspective that it [the solution] starts at the top and organizations need to accept the fact that they need to protect their patients not only in terms of their healthcare, but in terms of keeping their data confidential, keeping it provide, and keeping it safe.”
