The following dire warning was issued by the FBI a few months ago to healthcare providers, first responder networks, and professionals tasked with protecting them from cyberattacks:
“[A]t least 16 Conti ransomware attacks in the past year that have targeted healthcare and first responder networks in the United States, including those of law enforcement, emergency medical services, 9-1-1 dispatch centers, and municipalities. Conti, like most ransomware variants, typically steals victims’ files and encrypts servers and workstations in an effort to compel a ransom payment from the victim. Healthcare and first responder networks are among the more than 400 organizations worldwide that have been affected by Conti. Over 290 of these organizations are located in the United States. In order to complete the transaction, the victims are instructed to contact the actors via an online portal in the ransom letter. The stolen data is either sold or published on a public website controlled by the Conti actors if the ransom is not paid. The amounts of ransom we determine are tailored to the victim and vary widely. There have been recent ransom demands as high as $25 million.”
The number of ransomware attacks on healthcare providers and organizations has doubled in the past year, which is alarming. These attacks are not only becoming more sophisticated, they are also becoming more frequent.
Condition Made Worse by COVID-19
Although ransomware has been around for some time, the COVID-19 pandemic that began at the beginning of 2020 has made it even more problematic. (We wrote about it here at the end of 2020, but since then the situation has gotten even worse.) As more business operations moved online, particularly those with inadequate or lax security protocols, cybercriminals were able to harvest more low-hanging fruit. If that fruit were apples, there would be countless bushels ready to be picked by now.
Check Point says that attacks increased by 102% in 2021 compared to the beginning of 2020, with no slowdown in sight. Also troubling is that the “number of organizations impacted by ransomware worldwide has more than doubled in the first half of 2021.”
Healthcare providers have been at the center of the conflict since the beginning of April. According to a cybersecurity expert who spoke with TechRepublic, “we see cybercriminals continue to target them because the majority of them are profit-generating organizations and are willing to pay up.” Cybercriminals damage not only the infrastructure but also the organization’s reputation: patients may be wary of providing sensitive data out of fear that it will be stolen.
United Health Centers, based in California, had to shut down its entire network at the end of August after a large amount of sensitive data was stolen by the Vice Society ransomware gang. “The outage disrupted UHC’s IT system at all locations, prompting the organization to re-image its computers and recover data from offline backups,” noted one well-placed source.
However, there is even more at stake than just reputation and money: human lives.
A recent report from the Ponemon Institute, a think tank, contains stark findings: patients are dying more frequently as a result of ransomware. Nearly one-quarter of survey participants reported a rise in mortality rates. “Typically, ransomware is discussed in terms of its impact on operations (clinical changes) and the economy (ransom and lost revenue), but now we have the third component: mortality.”
This possible tragic outcome was detailed in a recent lawsuit. The suit is based on a case that occurred in July 2019 at Springhill Medical Center in Alabama, as first reported by the Wall Street Journal. Teiranni Kidd gave birth to a child whose umbilical cord was wrapped around its neck, preventing oxygen from reaching the brain and slowing the heart rate. When that occurs, fetal heart rate monitors alert the doctor to perform an emergency C-section. According to the lawsuit, that did not happen.
A summary of the WSJ article states, “Due to the ransomware attack, the monitors that track fetal heartbeats in the delivery rooms were not working at the nurse’s desk in the labor and delivery unit.” Normally the heart monitors are displayed on a large screen at the nurses’ station as well as in the patient rooms. The attending obstetrician informed the nurse manager via text that, had she seen the monitors, she would have performed a cesarean section.
As recently stated by Kevin Fu, acting director of cybersecurity at the FDA’s Center for Devices and Radiological Health: “If a medical device that is safe and effective is unavailable due to ransomware, you cannot have it. The real threat actors, nation-states, and organized crime are harming the safety and efficacy of medical devices.”
What can we do to fix this?
What, then, can be done? As usual, prevention is the first step. Although ransomware is not going away, healthcare facilities can take several preventative measures to avoid being targeted and to lessen the impact of successful attacks.
First and foremost, hire a knowledgeable professional or a team of professionals to oversee cybersecurity operations. This is not an area where a jack-of-all-trades who also handles other tech tasks will succeed. If hiring in-house security experts is too expensive, as is frequently the case for SMBs, a managed IT services provider can be a cost-effective, dependable, SLA-based alternative. Additionally, the strategy, planning, implementation, and ongoing management of cybersecurity programs are increasingly being outsourced to virtual CISOs. Companies like Preeminent Technology (PMTT) have extensive expertise in healthcare security and are an excellent (not to mention cost-efficient) resource to tap.
There are too many mitigation strategies to list them all here. The FBI’s recommendations include installing updates and patches, using multi-factor authentication, and requiring administrator credentials to install software, as well as regularly backing up data, implementing network segmentation, and creating a recovery plan to maintain and retain data. That’s just the beginning. The Cybersecurity and Infrastructure Security Agency (CISA) offers much more in-depth technical guidance.
Clements told TechRepublic, “For these organizations to protect themselves and their patients, they must adopt a true culture of security that goes beyond meeting the bare minimum compliance requirements and also takes into account the unique challenges of this industry.”
“To ensure that there are no gaps in the security life-cycle that can expose systems or data to compromise, it is essential to implement security awareness training for personnel, system and application hardening as part of IT’s processes, continuous monitoring for evidence of a compromise or suspicious insider behavior, and finally regular penetration testing.”
For more information, please visit: https://www.pmtt.us/managed-it-support/
Or email us at: info@pmtt.us