On October 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a joint warning advising the healthcare sector of potential cyber attacks. This warning continues to place pressure on medical providers within the U.S. facing challenges caused by the COVID-19 pandemic. As healthcare institutions became overwhelmed with the fight against the novel Coronavirus, their focus shifted to caring for patients, creating safer ways to deliver care, and implementing new procedures to protect their staff. This, in combination with staff making the transition to work from home and an increased number of internet-connected devices, has created new opportunities for threat actors and has ultimately increased ransomware attacks on the healthcare industry.
What Threat Actors Are After
The terrifying reality is that the threat groups targeting healthcare institutions aren’t picky when it comes to their targets. There has been no focus or pattern to the hospitals targeted; hackers have wreaked havoc on large facilities and 10-bed hospitals alike. Their motives are just as diverse. Some threat actors are looking to infiltrate research into immunizations and treatments against COVID, while many others are looking to make money. Confidential patient information is worth a lot to threat groups, which makes it a prime target.
Another target for hackers is medical devices, essential in modern medicine. Devices to deliver medicine, monitor patient vitals, or provide imaging capabilities usually are not designed with cybersecurity in mind. Medical devices provide threat actors with an easy access route into a healthcare institution’s main systems where they may deploy malware.
The Real Cost
While no cybersecurity threat posed to a healthcare institution should be taken lightly, the repercussions of a cyber attack can be far more severe than the theft of patient data. In September, a ransomware attack on a German hospital that infected nearly 30 internal servers resulted in the death of a patient. The patient, a woman, required urgent medical care but was rerouted to a different hospital more than 30 km away from the Dusseldorf University Hospital, where the attack took place. This delay in medical care ultimately cost the woman her life, the first reported death after a ransomware attack.
The numerous ransomware attacks on healthcare institutions across the country result, on average, in 15 days of downtime in EHR procedures, with an average ransom of $111,000 requested by attack groups. These delays can seriously impact patient health and care, which can have severe repercussions.
What to Look Out For
Threat actors targeting healthcare institutions typically use ransomware to carry out their attacks. During this type of attack, ransomware infects a computer system and blocks access to sensitive information until the ransom fee is paid. Cybercriminals often use Trickbot, which emerged in 2016 as a banking trojan. It has since evolved into a malware downloader used to infect systems with ransomware such as Ryuk.
In many of the attacks, hackers have deployed Trickbot using email lures to entice unsuspecting individuals to click on a link to a compromised webpage. These emails generally take the appearance of corporate communications, personalized with recipient-specific information such as the name of their employer. Once Trickbot has found its intended target, threat actors deploy the Ryuk ransomware to lock system computers out of essential programs and data.
CISA has identified signs that point to a Trickbot infection. In Windows, Trickbot has been found to copy itself as an executable file titled with a randomly generated 12-character name (including the .exe extension). The downloaded file can then be found in several Windows directories.
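The file-name indicator above can be checked against a file inventory, as in the following added example (not code from CISA or from this article). The inventory, the watch directories, and the known-good list are constructed placeholders; name length alone also matches legitimate binaries such as explorer.exe, so the known-good list is keyed by full path rather than by name.

```python
from pathlib import PureWindowsPath

# Assumption: a constructed list of legitimate binaries whose names happen to
# be 12 characters long. Keyed by full path so that a look-alike dropped in
# another directory is still reported.
KNOWN_GOOD = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\taskhost.exe",
}

def matches_indicator(path):
    """True if the file name is 12 characters long including '.exe'."""
    name = PureWindowsPath(path).name
    return len(name) == 12 and name.lower().endswith(".exe")

def triage(paths, watch_dirs):
    """Return paths directly inside watch_dirs that match the indicator
    and are not on the known-good list."""
    watch = {str(PureWindowsPath(d)).lower() for d in watch_dirs}
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if str(wp.parent).lower() not in watch:
            continue  # outside the directories being reviewed
        if matches_indicator(p) and str(wp).lower() not in KNOWN_GOOD:
            hits.append(p)
    return hits

# Constructed file inventory (for example, an export from an endpoint agent).
SAMPLE_INVENTORY = [
    r"C:\Windows\explorer.exe",                      # legitimate, 12 chars
    r"C:\Windows\qkzvwpem.exe",                      # random-looking name
    r"C:\Windows\notepad.exe",                       # 11 chars, no match
    r"C:\Users\alice\AppData\Roaming\explorer.exe",  # right name, wrong place
    r"C:\Users\alice\AppData\Roaming\Xb3tLm9a.EXE",  # extension case varies
    r"C:\Temp\abcdefgh.exe",                         # not a watched directory
]
# Placeholder watch list; use the directories named in the CISA advisory.
SAMPLE_WATCH_DIRS = [r"C:\Windows", r"C:\Users\alice\AppData\Roaming"]

if __name__ == "__main__":
    for hit in triage(SAMPLE_INVENTORY, SAMPLE_WATCH_DIRS):
        print("review:", hit)
```

A hit is a candidate for review, not a verdict; confirm with the file's hash, signer, and creation time before acting.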
Tips for Preventing Ransomware Attacks
With the trend of healthcare institutes facing cyber threats continuously on the rise, taking proactive steps to avoid potential ransomware infections is crucial. Here are some tips for establishing a better line of defense against these attacks:
- Employee Training: Employees introduce vulnerabilities into any organization, but healthcare organizations face even greater threats. Hospital staff members have been targeted by threat groups with phishing attacks that impersonate reputable government agencies claiming to have critical information on COVID treatments. This causes employees to click on links contained within emails that download malware. Training employees on the dangers and identification of phishing attacks can reduce the threat they pose to healthcare institutes.
- Review User Access: With numerous devices connected to a hospital network, threat actors can move laterally once they infiltrate the network. Each user should be limited in their system access capabilities to reduce the ability of threat actors to move throughout the system. When only authorized individuals have access to sensitive information, it increases its protection against cyber threats.
- Simulate Cyber Threats: To accurately identify weaknesses that can be exploited by hackers, healthcare institutions can simulate potential attacks using products like rThreat. rThreat’s Breach and Attack Simulation technology mimics cyber attacks to measure the effectiveness of an organization’s cybersecurity defenses. With this information, weaknesses can be identified and repaired before they are exploited by attack groups. rThreat helps organizations take a proactive approach to their cybersecurity defenses to ensure that sensitive information and critical systems are not compromised.
- Keep Systems Up-to-Date: In the healthcare industry, hesitancy to learn new systems presents vulnerabilities from outdated technologies. When vendors no longer release software updates, security protocols become ineffective and vulnerable to cyber threats. Replacing outdated systems with newer, updated ones can help prevent potential breaches. If healthcare organizations are using software that is capable of updates, they must always be up-to-date on the latest version that contains bug fixes and security improvements.