As Healthcare Innovation Senior Editor David Raths reported on Oct. 29, a variety of media outlets carried the news that day about a major surge in ransomware attacks, attacks of considerable ferocity. As Raths wrote, “The Washington Post is reporting that in the space of 24 hours, six hospitals across the country were hit this week with Ryuk ransomware attacks demanding up to $1 million, and that some hospitals have paid. In response, federal agencies have issued a warning saying that they have credible information of an increased and imminent cybercrime threat to more U.S. hospitals and healthcare providers. An AP News story identified a few of the hospitals attacked so far this week as three belonging to the St. Lawrence County Health System in upstate New York and the Sky Lakes Medical Center in Klamath Falls, Ore. “Sky Lakes acknowledged the ransomware attack in an online statement, saying it had no evidence that patient information was compromised. It said emergency and urgent care 'remain available.' The St. Lawrence system did not immediately return phone calls seeking comment,” according to the AP story.”
Further, Raths wrote, “In an interview with NECN and NBC10 Boston affiliate NBC 5 News, Vermont Public Safety Commissioner Mike Schirling confirmed that the University of Vermont Health Network's systems are down, and characterized the penetration as the largest cyberattack ever in Vermont that he was aware of. The Cybersecurity and Infrastructure Security Agency (CISA), FBI, and the Department of Health and Human Services are warning healthcare providers to take precautions to protect their networks from these threats, including attempts to infect systems with Ryuk ransomware. CISA, FBI, and HHS encourage healthcare organizations to maintain business continuity plans to minimize service interruptions. They also suggest reviewing or establishing patching plans, security policies, user agreements, and business continuity plans to ensure they address current threats posed by malicious cyber actors.”
And, Raths noted, “In terms of response to attacks, CISA, FBI and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered, they noted. ‘It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.’”
Meanwhile, Slate’s Josephine Wolff wrote on Nov. 2 that, “In September, hundreds of health care centers operated by the Universal Health Services network were hit by Ryuk ransomware. In October, the University of Vermont Health Network announced it had been forced to revert to using paper records due to an attack with the same malware. The Sky Lakes Medical Center in Oregon, the St. Lawrence Health System in New York, and the Dickinson County Healthcare System in Michigan and Wisconsin all confirmed they had fallen victim to Ryuk as well, interfering with their ability to provide patient care and forcing them to fall back on manual work-arounds as they lost access to their digital systems. At the heart these attacks was one particularly malicious bit of code—the Ryuk ransomware—and a campaign of phishing emails containing links to Google Drive documents that, once opened and enabled, would deliver Ryuk to the victims’ computers. While the Ryuk ransomware is not hosted in Google documents, the documents are used to direct viewers to download the malware from another source by tricking them into believing they are just “enabling” content in the Google Drive document. But when they click to enable that content they end up downloading the malware.”
Wolff went on to write that “Since many ransomware victims don’t publicize or confirm these attacks, it can be hard to assess exactly how much damage Ryuk has caused, but one recent estimate suggested that it was responsible for one-third of all ransomware attacks so far this year. Despite extensive efforts to undermine the Ryuk distribution infrastructure, the combination of phishing emails and infected Google Drive documents has enabled cybercriminals to continue spreading the malware unabated. It’s a warning that we need to be much more cautious around Google docs, and also a reminder of just how easily criminals can pivot in their distribution methods when one pathway is cut off for them. On Oct. 12, Microsoft announced that it had obtained a court order and taken measures to shut down Trickbot, a botnet comprised of thousands of infected computers used to distribute the Ryuk strain of ransomware, among other malicious activities. No one expected the take down to permanently stop the criminals spreading Ryuk, but it was the kind of coordinated, large-scale operation that might have been reasonably expected to at least significantly delay the criminals who relied on Trickbot, forcing them to rebuild fairly extensive infrastructure for distributing malware.”
Things continue to evolve forward. As Slate’s Wolff added, “And yet, barely more than two weeks after Microsoft’s announcement, on Oct. 28, the FBI, the Department of Health and Human Services, and Department of Homeland Security issued a joint cybersecurity advisory warning that the criminals behind Ryuk and Trickbot were operating more aggressively than ever, targeting hospitals and other health care organizations with Ryuk and Conti strains of ransomware. It was a devastating reminder not just of how vulnerable hospitals computer networks are during the Covid-19 pandemic, but also of how resilient cybercrime organizations to even the most carefully planned and executed countermeasures, like the Trickbot takedown.”
Senior leaders at the Austin, Texas-based CyngergisTek consulting firm found in a recent survey that 66 percent of hospitals and health systems fail to meet minimum cybersecurity requirements, as articulated by NIST, the National Institute of Standards and Technology, a division of the U.S. Department of Commerce.
Recently, Healthcare Innovation Editor-in-Chief Mark Hagland spoke with Caleb Barlow, who has been CynergisTek’s president and CEO since August 2019, regarding the current moment in cybersecurity. Prior to joining CynergisTek, Barlow led the IBM X-Force Threat Intelligence organization. Below are excerpts from that interview.
What is the overall situation like right now in healthcare?
The situation right now in healthcare is pretty alarming. What we have going back to the UHS [Universal Health Services, a 400-facility organization based in King of Prussia, Pa.] incident last month, is a series of ransomware attacks. That’s not new. But what was new starting with UHS is the change in adversarial intent. What do the bad guys want? Remember, these are criminal gangs. You don’t necessarily want to draw the ire of every law enforcement entity in the country. And you don’t necessarily want to harm your victims; you want money from them.
We saw a marked change in adversarial intent here, meaning, starting with UHS, they were targeting an entire system, in the case of UHS, one with hundreds of hospitals and clinics. And they know if they take the hospital down, they’ll have to divert patients. And 80-90 percent of the time, the hospital organization will pay. And last month, in Düsseldorf [at the Düsseldorf University Clinic in Germany], we actually saw the first patient die because of a diversion. But now, if you take down a system, you’re really seeing a shift. Now, these criminals are trying to bring down patient care organizations during a pandemic. Why this is happening is open to speculation; but this isn’t entrepreneurial anymore, this is something different. And we’ve never had an attack like this that has had a sustained impact on people, what we call a kinetic impact. And so we’ve drawn chalk lines around different types of activity. But this is clearly major. Over a dozen hospital systems are down now that we know of, already. The command and control servers, web addresses, instrumentation they’re using to control the bot net, that information is now largely known, and cybersecurity companies and network carriers are sink-hole-ing this, meaning, shutting down channels. As we talk with network carriers and intelligence agencies, they’re seeing continued attempts to break into at least two dozen more hospitals. But one network carrier only sees what’s going on in their network. So this is an ongoing attack. Right now, a lot of that infrastructure is being sink-holed, which will work for a while, until the bad guys likely change their infrastructure.
So the pause we’re all kind of breathing here is like the eye of a storm. If they change their infrastructure, many more patient care organizations will be in danger. From our own studies, we know that 66 percent of America’s hospitals do not meet minimal cybersecurity standards, according to the NIST framework.
In fairness, healthcare has always struggled to fund this. They’ve been making investments, but not fast enough to keep up with the adversary. And right now, airlines and hotels aren’t going to be attacked, because they’re so underpopulated right now. Healthcare is what’s still opened, but also has a weakened security posture. And hospitals have had to be responding to the coronavirus. And typically, half of the hospital’s employees are working remotely. All the right things were done at the time, but now, just as we had that shortage of masks and ventilators and PPE; in the same way, we now need to shore up America’s hospitals’ cybersecurity structures, for them to remain open.
What will happen in the next several weeks?
The line has been crossed, and now a pattern has been set for an adversary to target an entire hospital system or multiple systems, knowing that you’re potentially causing harm or even death. So these attacks will likely continue, because they’re successful. And hospitals have lots of vulnerabilities because they haven’t invested in cybersecurity at the level of banks and financial services. And there’s no longer empathy in terms of leaving hospitals alone.
Do you have any idea of what’s behind this change in adversarial intent?
That’s a great question; we don’t know all the answers yet, but there’s a theory about the attempted takedown of TrickBot by Microsoft and a series of private-sector partners, and allegedly U.S. Cyber Command, which it’s reported, tried to take down this bot net about three years ago. Microsoft went to court and made a very interesting case to get access to these servers. They won in court and processed their takedown and disrupted the bot net but didn’t kill it. So you have a wounded animal that might be fighting back; so there’s the theory that this is retaliatory. Also, generally, takedowns occur quietly; you don’t want the bad guy to know what you’re doing, so you can do it again. But this got sucked up into the PR machine.
Who’s behind TrickBot?
It’s a hacker group called Wizard Spider, a Russian-speaking actor. They’re very efficient. They can go from initial compromise to locking up a victim in a matter of hours. They’re very good at what they do, but their motivations have historically been entrepreneurial in nature. So they could be retaliating. The U.S. Treasury Department has reminded people that paying ransomware could result in civil or criminal penalties. There’s no evidence this is election-related, but it is curious that it occurred a week before an election. So no one really knows what’s going on. But it’s a different world now if you’re a healthcare CISO. You’re going to have to get the necessary protections in place now.
What should CISOs and their teams be doing right now?
Think of it this way: in a lot of ways, this is like a pandemic. Just as we have social distancing from people, we need social distancing in a network, and that’s done through network segmentation.
Network segmentation has historically been a low priority for hospital system IT people, right?
It’s almost been non-existent. Think about it: a surgeon is in surgery in the morning, in research in the afternoon, and then in his office practice. But think about the social distancing metaphor there. In fact, I’m going to analogize extensively to the COVID-19 pandemic situation here.
The second element is contact tracing; the analogy on your network is endpoint detection response, or telemetry. And that’s so much more important now, because half of your workers are at home, where they’re outside your network and the normal levels of protection.
And the third element is equivalent to PPE [personal protective equipment], and that’s identity management, and multi-factorial authentication inside the hospital, zero trust. Once the bad guys get inside, they’re inside. And you can crack a 12-digit password in seconds. And if you’re coming from the inside… there’s very little to stop an intrusion. So privilege access management, are key. That’s PAM, the equivalent to PPE.
Shouldn’t organizations also be engaging in behavioral monitoring?
That’s important, yes, but advanced. Endpoint detection response, privilege access management, multi-factor identification, and network segmentation, are all essential now; then we need to get to behavioral monitoring. And you don’t see ransomware attacks on banks. Why? Because they have all these tools in place—even your small, local bank—they have to. Three or four years ago, they found that out. And healthcare has more valuable data; the bank only knows how much money you have. And there’s a huge amount of information in medical records. Bad guys attack hospitals because that’s where the data is. And what this ultimately means is that we have to invest in security relative to the threat and risk to the data we hold. Hospitals have a wealth of data; and unfortunately, with lots of data and analytics comes lots of risk, and you have to protect that.
And unfortunately, rather than a slow realization that we have to catch up in this cat and mouse game, is a revolutionary response: we need these defenses, and we need them now. And now’s not the time to be spending more money on security, given the challenges of the coronavirus, but that’s exactly what will have to happen.
And if you get locked up by ransomware, you won’t be able to do elective surgeries, you’ll lose trust with patients, and you might not even be able to pay ransomware. And in the past, people went out and bought cyber insurance. And hospitals have revealed that they have cyber insurance. And the problem is that the hospital gets locked up and they pay the ransom, and that only fuels further ransomware attacks. It doesn’t change until you change the economic landscape.
Is there anything that you’d like to add?
I think that at the end of the day, as difficult as this is at this time, we have to realize that ransomware is largely preventable. But it is going to take a response from America’s cybersecurity companies to help healthcare get through this. Just as we’ve responded to the pandemic, we have to get shored up from a cybersecurity perspective, and we have to do it now. We’re capable of doing it, but it’s going to take immediate action to get there.