In early December, employees at a healthcare provider in Canada came into work to find a ransom note on about 20 of the organization’s workstations and servers. The note claimed that sensitive data had been exfiltrated from the company's network and would be leaked unless a ransom was paid.
The known group behind the attack, the Karma ransomware group, claimed that they had not encrypted the stolen data due to the targeted organization being in the healthcare sector. However, while an incident response team was setting up monitoring tools to begin to understand what had happened, "things suddenly started to go far south,” said Sean Gallagher, senior threat researcher with Sophos. Another ransomware group, Conti, had also gained access to the network, and unlike Karma, they had no such apparent reservations about encrypting data.
“Our [incident response] guys were called onsite, they were setting up shop to take inventory of what happened, when Conti launched the attack,” said Gallagher, who did not name the victim company. “Patient data was stolen, data was lost. We don’t know the full scope of what was taken but we know it was a lot.”
Groups like Conti and Karma aren’t the only ones closing in on hospitals, healthcare providers and clinics: Other recent culprits include the FIN12 ransomware group and the Hive ransomware gang. Conti itself has a track record of targeting healthcare and first responder networks, with the FBI in May warning of at least 16 ransomware attacks by the group in this sector.
Recent data from IBM showed healthcare cyberattacks doubling in 2021, indicating that the rate of these attacks is not slowing down anytime soon. The good news is that, like many other organizations across different industries, healthcare companies are becoming more aware of the security risks in their environment and how they can better proactively defend against threats.
Security issues pose a unique threat for the healthcare sector that in some cases can be more daunting than financial and reputational damage. Some ransomware incidents have impacted the efficiency of healthcare processes, with hospitals being forced to divert patients away from their emergency departments or reschedule appointments and surgeries. The types of data at stake in cyberattacks are also potentially extra sensitive, ranging from data about medical conditions to personally identifiable information (PII), all of which can be sold on underground forums, used for insurance fraud or identity theft, or put to other malicious uses.
“What makes healthcare different is that at the end of every process is a patient,” said Jeff Tully, anesthesiologist and security researcher at the University of California San Diego. Tully worked on the front lines during the pandemic as an anesthesiologist, where he witnessed the “incredible strain on personnel and resources arising from each of the surges” - a level of institutional stress that was exacerbated by cyberattacks, he said.
“The legacy device may be a CT scanner essential to diagnosing strokes or chest trauma,” said Tully. “The ransomware attack may render an electronic medical record inaccessible or disrupt the systems used to treat heart attacks. The phishing email may lead to exposure of protected health information resulting in large fines that could have otherwise been spent hiring new nurses.”
Just this week, West Virginia-based Monongalia Health System notified patients and employees that their data - such as medical treatment information, social security numbers, health insurance claim numbers and more - was stolen in a cyberattack (its second reported breach in 12 months). And a June ransomware attack on the Georgia-based St. Joseph Candler Health System compromised the data of 1,400,000 patients, including social security numbers, driver’s license numbers, health insurance and financial information and medical data.
Healthcare organizations also face a distinctive set of challenges in how cybersecurity measures are implemented. Many of these impacted organizations are mid-sized or small, without the resources or budget to deal with security, with doctors and nurses in some private practices and clinics setting up their own networks or using insecure methods to transmit data.
“A lot of this goes back to medical records and the conversion of those to electronic,” said Gallagher. “Healthcare organizations suddenly became very reliant on IT, but no money was being dropped to hire an IT team.”
In the case of the healthcare provider in Canada, researchers found that the two ransomware groups had exploited known ProxyShell flaws in order to compromise the healthcare provider. While patches were released in April for the set of flaws (though not disclosed until July), the provider had not yet applied the patches when the first signs of initial access by cybercriminals appeared in August. Because this initial access came over three months before the ransomware activity began on the victim's networks, researchers suggested it was likely that an access broker had discovered the flaw and either offered the access for sale on an underground forum or sat on it until ransomware affiliates needed it.
“The big reason that we see ProxyShell and ProxyLogon still being exploited by cybercriminals is the number of older Microsoft Exchange servers still running,” said Gallagher. “To deploy a patch you have to upgrade, which means downtime, and there may be some additional cost there too. Organizations will keep kicking the can down the road.”
The “extremely diverse range of devices” amplifies the challenge of patch management for organizations, said Daniel dos Santos, director and head of security research with Forescout. This lineup may include not only computing devices, like workstations and servers, but also more critical, connected devices and operational technology, from remote patient monitoring devices to imaging equipment. Even beyond connected medical devices, hospitals may also have Internet of Things devices on their networks like point-of-sale systems at gift shop kiosks, vending machines, smart building systems and more.
Many of these devices are older, and Daniel Brodie, CTO and co-founder at Cynerio, said that “medical device shelf life is extremely long and patching is extremely hard.” A Cynerio report last year, for instance, found that 50 percent of devices in oncology, pharmacology and laboratory departments run old versions of Windows that are no longer updated.
“In many cases these devices are 10 to 20 years old, and the manufacturers they were getting their support from may not exist anymore,” said Brodie. “Hospitals can’t treat their devices as a regular off-the-shelf device like an enterprise would.”
At the same time, many connected medical devices have been found to have serious security vulnerabilities, such as a set of vulnerabilities in 2019 called Urgent:11, which could enable remote code execution and denial of service attacks on affected devices. A report this week that looked at 200,000 infusion pumps across networks of hospitals and other healthcare organizations found that 75 percent of the pumps scanned had known security gaps “that put them at heightened risk of being compromised by attackers.”
“If there’s a vulnerability that affects a wide range of devices, it’s difficult for a hospital to find how this affects them and identify what devices are even impacted,” said dos Santos.
Tully said that various governmental agencies have been taking steps in the right direction to address security issues in the healthcare sector. He hopes that the industry will begin to better "bridge the gap" between large hospitals with readily available security resources and smaller rural hospitals and clinics across the country, through increased information sharing and better development of security best practices.
“A lot of credit has to be given to a veritable alphabet soup of forward-thinking government agencies like the FDA, who have helped broker really productive and beneficial collaborative relationships between security researchers and medical device manufacturers, CISA, which has been insightful during the pandemic at understanding the potential double-whammy of already stressed healthcare delivery organizations being hit with cyberattacks, and the new [Office of the National Cyber Director] which takes a whole-of-nation approach and is well positioned to bring together collaboration across government and industry,” said Tully.
Cynerio’s Brodie said he’s seeing an “improved trend” by hospitals of better prioritizing security. For instance, more healthcare providers are requesting that manufacturers issue MDS2 forms for their devices, which disclose medical device security information, giving organizations better insight into the security profiles of the devices that they use so that they can set up effective security controls. At the same time, hospitals are starting to conduct more thorough security reviews for the devices that they purchase, looking at factors such as whether they encrypt electronic patient health information.
“When we first started out, we were hearing of hospitals purchasing medical devices without consulting their security staff or the CISO,” Brodie said. “Now we’re seeing a purchasing decision shift, with more hospitals making more informed decisions.”
For healthcare organizations, having a proper inventory of devices, software versions, and connected equipment is essential. Another mitigation strategy is conducting a proper review of the networks used throughout the organization's environment to pinpoint where network segmentation is needed. But beyond these fundamental measures, healthcare organizations are becoming more proactive in how they plan for defending against - and reacting to - cyberattacks at a broader level, he said.
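As an added example (not code from the article or from any of the vendors quoted in it), the inventory-and-segmentation review described above can be turned into a repeatable check: given a device inventory, it flags devices running operating systems that no longer receive updates and VLANs where medical devices sit beside IoT or office equipment. The host names, VLAN numbers and end-of-support list are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample inventory for a small hospital network (not real hosts).
INVENTORY = [
    {"host": "ct-scanner-01", "class": "medical", "os": "Windows 7", "vlan": 10},
    {"host": "infusion-pump-07", "class": "medical", "os": "VxWorks 6.9", "vlan": 10},
    {"host": "giftshop-pos-01", "class": "iot", "os": "Windows 10", "vlan": 10},
    {"host": "ehr-app-01", "class": "server", "os": "Windows Server 2019", "vlan": 20},
    {"host": "exchange-01", "class": "server", "os": "Windows Server 2012", "vlan": 20},
    {"host": "nurse-ws-14", "class": "workstation", "os": "Windows 10", "vlan": 30},
    {"host": "vending-03", "class": "iot", "os": "Linux 2.6", "vlan": 30},
]

# Assumed end-of-support list for the example; in practice build it from the
# vendors' published lifecycle data and the MDS2 forms mentioned in the article.
UNSUPPORTED_OS = {"Windows XP", "Windows 7", "Windows Server 2008", "Linux 2.6"}


def unsupported_devices(inventory):
    """Hosts whose OS no longer receives updates (candidates for isolation)."""
    return sorted(d["host"] for d in inventory if d["os"] in UNSUPPORTED_OS)


def mixed_segments(inventory):
    """VLANs where medical devices share a segment with any other device class."""
    classes_by_vlan = defaultdict(set)
    for d in inventory:
        classes_by_vlan[d["vlan"]].add(d["class"])
    return sorted(v for v, c in classes_by_vlan.items() if "medical" in c and len(c) > 1)


def triage(inventory):
    """Map each host to the findings a segmentation review should act on."""
    findings = defaultdict(list)
    mixed = set(mixed_segments(inventory))
    for d in inventory:
        if d["os"] in UNSUPPORTED_OS:
            findings[d["host"]].append("unsupported-os")
        if d["vlan"] in mixed and d["class"] != "medical":
            findings[d["host"]].append("shares-vlan-with-medical")
        elif d["vlan"] in mixed:
            findings[d["host"]].append("medical-on-mixed-vlan")
    return dict(findings)


if __name__ == "__main__":
    for host, issues in sorted(triage(INVENTORY).items()):
        print(f"{host}: {', '.join(issues)}")
```

Devices that are both unsupported and on a mixed VLAN (the CT scanner here) are the ones to move into their own segment first, since they can neither be patched nor safely left beside gift-shop kiosks and vending machines.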
“2021 was a difficult cybersecurity year for everyone, everyone was more targeted, especially healthcare organizations that were dealing with Covid-19 on top of ransomware attacks,” said dos Santos. “Healthcare organizations are becoming more aware and they are trying their best, but it is very challenging.”