‘91 percent of hospital administrators considered the security of data as a top focus last year, 62% feel inadequately trained and/or unprepared to mitigate cyber risks’ that could impact their healthcare organisation/hospital’, reports Abbott.
The volume and intensity of direct cyberattacks on hospitals and systems increased during the pandemic. The NCSC scanned ‘more than 1 million NHS IP addresses for vulnerabilities leading to the detection of 51,000 indicators of compromise’ and continue to work internationally to highlight awareness of threats related to research surrounding COVID-19 and vaccine developments.
Disruption to the Healthcare Industry
Frequently, an attacker wants to cause major disruption to systems, often to the point of bankruptcy. The motive can be personal, a disgruntled employee for instance. Or it can be politically or religiously fuelled.
One example of this comes from Israel where, according to Kim Zetter from the Washington Post, a computer virus had been created to insert the detection of tumours into CT and MRI scans of patients. The idea behind this was to misdiagnose high-profile patients, and to confuse doctors.
While this attack may have only targeted a niche few, attacks on a grander scale were/are also prevalent. In October 2020, for instance, over 5,000 networks/devices were targeted, shutting down the IT systems of the UVM Health Network. The system went down for 40 days and caused a loss of over 1.5 million dollars a day in revenue and expenses. The outage led to the furlough of 300 workers who were unable to do their work while systems were down. It is predicted to cost more than $63 million by the time all the issues have been resolved.
Another example can be noted when the PA based Universal Health King of Prussia, was attacked in September. The organisation became a victim to a malware attack that caused a network outage. UHS is an umbrella to hundreds of healthcare services across the U.S, many of which also were affected and had to resort to paper records while systems were under attack. Often, even when a ransomware is the final end-goal, this disruption in services can cost more in the long run.
The Impact of Ransomware in Healthcare
Ransomware is a form of malware that penetrates and locks users out of their systems.
An attack is often made with the objective to acquire personal or sensitive data that can then be used as part of a ransomware attack for monetary gain. Usually, the purpose of a ransomware attack is to blackmail the victim/targeted organisation into transferring large sums of money or assets.
‘For a ransomware attack to be possible, a breach needs to be made. To create a breach, bad actors need to target an organisation or individual, and send out phishing emails. Once a phishing email attack is successful, this makes a breach possible. Then, through this breach, and without the victim knowing, a malicious payload is dropped. A malicious payload is the element of the attack which causes the actual harm to the victim and contains the malicious code. Once the attacker has access to the victim’s networks, this leads to data exfiltration. Which is what the victim is held to ransom to. Following this the payload is deployed. The payload is activated over time. Sometimes staying inactive for months at a time. A threat is meaningless without proving that the data is actually stolen/accessible. So, the bad actor needs to exfiltrate the victim’s data, and threaten to make this data public. By shutting down systems, or reducing access, the victim then knows that the threat is not a bluff. This, usually, is the catastrophic moment when the target recognizes the gravity of the situation.’ – Mohsin Mahadik, a Security Analyst, SecurityHQ
According to Interpol, ‘since hospitals are overwhelmed with the health crisis and cannot afford to be locked out of their systems, the criminals believe they are likely to pay the ransom. The ransomware can enter their systems through emails containing infected links or attachments, compromised employee credentials, or by exploiting a vulnerability in the system.’
In an attack on London’s Hackney Borough Council, the BBC reported how ransomware attacks ‘are a growing problem for public services. In such attacks, hackers take control of computer systems and data and demand payments in order to unlock them.’
Take the Ryuk Attack, for instance. Ryuk is a Russian speaking form of ransomware that has been used to make targeted attacks on healthcare organisations throughout 2020 and 2021. It is particularly clever in that it can identify and encrypt network resources. It is also able to delete shadow copies on endpoints. This makes it practically impossible for the victim to recover their data, and therefore recover from an attack.
The list of aggressive persistent threat groups (APT’s) actively holding healthcare organizations to ransom throughout 2020 and 2021 are large. The concern, however, is that these examples of reported and discovered attacks that are shown in the media are just touching the tip of the iceberg.
The Impact of Nation State Actors in Healthcare
An attack made by a nation state actor is made with the intent to acquire valuable information regarding personal data or research that can be used to aid the development of the attacker’s nation/state and sabotage opposing geopolitical entities.
The National Cyber Security Centre has revealed the impact of the global pandemic with regards to cyber-attacks and threats on the healthcare sector. Within the paper, The NCSC Annual Review 2020, the level of espionage has significantly increased as hackers try to gain access to research and confidential information regarding vaccines, pharmaceuticals, and medical developments associated with the vaccine supply chain.
The attack against Blackbaud is a comprehensive example. Blackbaud is a service widely used within many sectors, including education and healthcare, to store information regarding health systems, financial information, sensitive and personal patient information and much more. A breach was made in early February, and exposed personal and private data on more than 1 million individuals. As Blackbaud holds data regarding postgraduate research, it also holds data related to pandemic-based investigations.
In July, a Russian hacking group that has been named ‘APT 29’, also known as ‘Cozy Bear’, made UK businesses involved with the manufacturing and research of vaccine development, a prime target. According to the NSCS, the attack was certainly connected to Moscow’s intelligence service. Moscow denies any associations and the allegations made against them. ‘While the UK has only publicly called out Russia for vaccine-related espionage, the FBI in May accused China of targeting American labs working on Covid vaccines. The NCSC declined to comment on whether it suspected China of similar actions in the UK.’- Financial Times.
In agreement with Forbes, ‘The sad reality is that people could [and are suffering] as the direct result of a healthcare cyberattack. The only positive outcomes here are that a tragedy would force the healthcare industry to shore up its defences and make law enforcement more aggressive in pursuing cybercriminals.’
Recommendations to Organisations to Mitigate Attacks
- Enforce multifactor authentication for everything, for all employees.
- Update and manage passwords throughout the organisation. Change them frequently and use different passwords for each account.
- Enforce access policies based on risk levels.
- Ensure IoT devices are set up properly and that training is provided to ALL on securing devices, including portable devices outside of the network.
For more information, or if you think you have been the victim of a cyber-attack, contact our incident response team at SecurityHQ.
SecurityHQ prides itself on its global reputation as an advanced Managed Security Service Provider, delivering superior engineering-led solutions to clients around the world. By combining dedicated security experts, cutting-edge technology and processes, clients receive an enterprise grade experience that ensures that all IT virtual assets, cloud, and traditional infrastructures, are protected.
Authors: Eleanor Barlow, Content Manager, SecurityHQ