As hospitals struggle amid the coronavirus pandemic – with limited personal protective equipment, a flood of patients in need of critical care, and exhausted staff – there’s another threat that could make the situation dramatically worse: cybersecurity attacks.
“We’re seeing an increase in attacks,” said Justine Bone, CEO of MedSec, a cybersecurity consulting firm that specializes in hospitals. Bone said one of her clients, a medium-sized hospital in the southeastern U.S. with mature security infrastructure, has seen a 75% increase in attempted attacks, compared to two months ago.
“Unfortunately, a lot of hospitals aren’t as resilient as other clients,” she said. “At a time like this, these hospitals are likely to pay.”
A few weeks ago one of the Czech Republic’s biggest COVID-19 testing facilities got hit by a heavy cyberattack, which struck the hospital’s computer systems badly enough that the disruption caused them to reroute patients to other hospitals and surgeries to be postponed.
In Illinois, the Champaign-Urbana hospital was hit with a ransomware attack in mid-March, disrupting the hospital’s computers at a very inconvenient time.
Even without the public health crisis adding stress to the situation, cybersecurity experts see hospitals as already vulnerable in myriad ways, from how their networks are laid out, the types of devices that are on the network, and the high stakes of the industry — for health care workers, patients, and criminals.
A ‘viable business model’ for scammers
At the beginning of the coronavirus crisis, many cybercriminals said they wouldn’t go after hospitals during this difficult time, Bone said. While this might sound like a nice gesture, it doesn’t seem to be true.
“The first thing you have to remember is you’re dealing with criminals,” said Tyler Hudak, who works with hospitals as incident response practice lead at TrustedSec, a cybersecurity firm, and former team lead for Mayo Clinic’s security operations center. “You can’t trust their word to begin with.”
With hospitals stretched to their limits, they are more likely to pay, something that attackers know. When a hospital’s network and system is held for ransom, the attackers usually have deleted all the backups they could find beforehand, making it very difficult for the hospital to avoid paying.
“We’ve seen ransoms in the $1,000 range all the way up to six-figures,” Hudak said.
Bone pointed out that this is a “very viable business model” for these perpetrators that is only getting more lucrative.
“On top of that a new trend in ransomware where they’re exfiltrating and stealing data before holding hospitals hostage,” she said. People’s medical files are significantly more valuable than their financial data, she added.
“If you think about a credit card number, it can very easily be changed. But blood type or other medical history is info that is static," she said. "It's highly reliable data that can be used much more effectively.” While financial data is useful to perpetrate identity theft, Bone said that medical data is especially sought after for similar purposes.
Hospitals are easy targets for attacks
Hospitals, in the business of treating the sick and saving lives, are naturally a high-stakes industry. But from a technical standpoint, they’re often far less secure than they should be.
“A lot of these hospitals have large flat networks,” Bone said. “A nurse’s workstation could be on the same network as a highly sensitive medical device that might be delivering therapy to a patient.”
The lack of “network segmentation” – having firewalls between different parts of the hospital’s network – means that if one part of the network is compromised with a fairly simple attack, the malware can spread uninhibited, leaving the entire system open to ransomware.
In the best of times, having patient records and a hospital network be brought to its knees would be a massive problem. In the past, hospitals have resorted to paper and pen operations, but today’s environment of connected medical devices means it’s possible an attack could — even accidentally — bring a critical device like a ventilator to a halt and endanger a patient.
“This is what my company spends a lot of time thinking about,” said Bone.
Bone added that it’s not just a “Hollywood” thriller scenario where people are held hostage that’s the problem, but that even when a network is scanned — by a bad actor looking for files or control or a security professional checking on the system — that can be enough to knock an older medical device offline.
“[Hackers] might be deploying a ransomware campaign now, and it’s possible medical devices could be caught up in that net, which is a much scarier scenario than ransomware,” said Bone. “That’s really where it can interfere in patients' safety. Without causing fear and panic, I think it’s entirely feasible hospitals will be put in a position where they can’t deliver healthcare as a result of a ransomware attack.”
Out of date medical equipment, she said, makes this the “perfect storm” for hackers. The first course of action for cybersecurity defense is usually to update software to install security patches. But in this case, some devices, designed to last far longer than consumer electronics, might be running ancient software that hasn’t received an update in years.
“The inside of an MRI you’ll often find XP, an unsupported operating system,” Bone said.
Furthermore, with the rush of mobilization of devices to combat the COVID crisis, many hospitals have no idea where their devices are — let alone whether they are secure.
But that’s not all. As patients can’t visit the hospital for follow ups and routine visits, hospitals have finally embraced telemedicine, using remote technology to allow healthcare providers to provide certain types of care.
“Rolling out remote telemedicine platforms is very hard to manage in the best of times,” said Bone, adding that it was traditionally under-resourced since it’s a new technology that hasn’t yet taken the place of in-person visits.
How attacks happen — and how to fix them
Bad actors often go after hospitals through phishing, but they’re also especially vulnerable because of the amount of people who come in and out without monitoring. If someone just came in and plugged a USB device into a computer, that could be enough.
“I have seen attacks where a patient plugs into the hospital network and starts scanning it,” said TrustedSec’s Hudak.
It could also come via one of the many third-party vendors of medical equipment, from an internet-of-things device, to the point-of-sale device used in the cafeteria.
“Any of these can be vectors for any type of attack,” said Hudak, adding that even slowing down a network could be a critical issue for a hospital.
The attacks are often guided by humans, who search the network for critical systems to take over and potentially valuable information to mine, a phenomenon Microsoft calls “human operated ransomware.”
An attacker will trawl the system, deleting the backups, adding privileges, and finding the virtual keys to the kingdom, the whole time trying to figure out how to hurt the hospital the most.
“They make sure the organization has to pay so they make it hurt as much as possible,” said Hudak.
Hospitals and security pros are responding
While most large hospitals have solid security protocols and are able to deal with attacks, cybersecurity professionals are most worried about small and medium-sized facilities without large teams to deal with these threats.
Many hospitals do realize they may be at risk and have been working to steel themselves against attacks with the help of cybersecurity experts, often working at reduced or pro-bono rates.
This is key because surveys show that very few small hospitals conduct phishing simulations and many don’t even use two-factor authentication.
“A number of groups spun up to work towards making sure hospitals have resources available externally for them,” said Hudak. “Typically smaller hospitals don't have security teams or limited budgets so now they have some place to go if they do need help.”
Some of that help has come from larger hospitals working with their smaller counterparts, Bone said, and that medical device companies are stepping in to help smaller hospitals as they often have cybersecurity know-how.
But even if there doesn’t end up being a major uptick in attacks right now, Bone and Hudak are concerned that hacks are still happening — perhaps more so, given the vulnerability — with the ransom just postponed.
Going forward, Bone thinks the potential for ransomware damage may prompt regulation similar to what was seen with HIPAA (Health Insurance Portability and Accountability Act).
“I would not be surprised if we see a fair bit of discussion [about hospital cybersecurity] after the increased exposure to hospitals regarding COVID-19,” said Bone.