On October 28, 2020 the Cybersecurity and Infrastructure Security Agency (CISA) issued alert AA20-302A, a joint alert from CISA, the FBI, and the Department of Health and Human Services (HHS), regarding ransomware activity targeting the healthcare and public health sectors in the United States. The attacks come at a time when the number of COVID-19 cases is accelerating, and they have the potential to seriously disrupt healthcare delivery across the entire US. The perpetrators appear to be motivated solely by money, with early reports indicating that ransoms in excess of $10 million will be the norm.
A Growing Problem
Ransomware has increased significantly over the past 18 months, with schools, government facilities, and hospitals being hit especially hard. A total of 59 U.S. healthcare providers/systems have been impacted by ransomware so far in 2020, disrupting patient care at up to 510 facilities. In September of this year, two events in the healthcare industry illustrated the seriousness of these attacks:
- A ransomware attack on hospital chain Universal Health Services disrupted operations at 250 healthcare facilities, forcing doctors and nurses to resort to handwritten record-keeping. Lab results were slowed down, and employees reported chaotic conditions impeding patient care, including mounting emergency room waits and failing wireless vital-signs monitoring equipment.
- In Duesseldorf, Germany, an IT system failure caused by a ransomware attack forced a critically ill patient to be routed to a hospital in another city. The patient died en route, and the case was widely reported as the first death attributed directly to a ransomware attack.
In late July, Samaritan Medical Center in Watertown, New York, suffered a malware attack that took all of its systems offline. Full restoration of its systems was not completed until the first week in October, 10 weeks after the event.
As of November 1, at least four healthcare institutions have been reported hit by ransomware since the alert: three belonging to the St. Lawrence County Health System in upstate New York and the Sky Lakes Medical Center in Klamath Falls, Oregon. Sky Lakes confirmed the report and said it had no evidence that patient information was compromised. It also reported that emergency and urgent care "remain available."
The warning by the FBI and CISA does not mean that healthcare facilities and other organizations are not already compromised. Cybercriminals often load the malware weeks before activating it, waiting for the moment when they believe they can extract the highest payment. In many cases, the malware creates scheduled tasks that run frequently to ensure that it remains active on the system.
Hospitals may not realize that data has been stolen if they only review events in proximity to the ransomware activation. The criminals may have spent days or weeks inside the network before the ransomware is activated. During this period they will very likely spend time:
- Mapping the network so they can attack as much of it as possible
- Finding sensitive data and stealing it
- Elevating privileges
- Creating new accounts as backdoors
- Installing “grey hat” penetration testing tools used for attack
- Disabling key components of internal security software
- Carrying out small “dry runs” with various malware samples to test attack techniques
- Identifying and wiping online backups
- Establishing the optimal time to execute the malware to inflict the most damage to the organization
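The dwell-time activity listed above leaves traces in Windows event logs long before the encryptor runs. The following hunt script is an added example and is not part of the CISA alert or of GDT's material. It scans Windows Security and Defender events, already parsed into dictionaries (for instance from a SIEM export or `wevtutil` XML output), for three of the indicators listed above: scheduled-task persistence, a newly created account promoted to Administrators, and endpoint protection being switched off. The event IDs (4698, 4720, 4732, 5001) are real Windows IDs; the dictionary field names, the user-writable path list, the repetition threshold, and the sample events are all constructed for this example. Note that event 4698 is only logged when the "Other Object Access Events" audit subcategory is enabled, so check the audit policy before relying on it.

```python
"""Hunt for pre-detonation ransomware activity in Windows event logs.

Added example; not from the CISA alert or from GDT. Event IDs are real
Windows values, everything else (field names, thresholds, samples) is
constructed for illustration.
"""
from datetime import datetime, timedelta

# Windows Security log event IDs (real values)
TASK_CREATED = 4698           # A scheduled task was created
USER_CREATED = 4720           # A user account was created
GROUP_MEMBER_ADDED = 4732     # A member was added to a security-enabled local group
# Microsoft-Windows-Windows Defender/Operational (real value)
DEFENDER_RTP_DISABLED = 5001  # Real-time protection was disabled

# Hypothetical: paths a non-admin user can write to; legitimate tasks
# rarely launch binaries from here.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Hypothetical: tasks that fire at least this often are treated as persistence.
MAX_REPEAT = timedelta(minutes=15)


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def task_findings(events):
    """Scheduled tasks (4698) that run from a user-writable path or very frequently."""
    out = []
    for ev in events:
        if ev["id"] != TASK_CREATED:
            continue
        cmd = ev.get("command", "").lower()
        reasons = []
        if cmd.startswith(USER_WRITABLE):
            reasons.append("runs from user-writable path")
        rep = ev.get("repeat")  # constructed field: <Repetition><Interval> as timedelta
        if rep is not None and rep <= MAX_REPEAT:
            reasons.append(f"repeats every {int(rep.total_seconds() // 60)} min")
        if reasons:
            out.append((ev["time"], ev["task"], "; ".join(reasons)))
    return out


def backdoor_account_findings(events, window=timedelta(hours=24)):
    """Accounts created (4720) and added to Administrators (4732) within `window`."""
    created = {ev["account"]: _ts(ev) for ev in events if ev["id"] == USER_CREATED}
    out = []
    for ev in events:
        if ev["id"] == GROUP_MEMBER_ADDED and ev.get("group") == "Administrators":
            acct = ev["account"]
            if acct in created and timedelta(0) <= _ts(ev) - created[acct] <= window:
                out.append((ev["time"], acct))
    return out


def defender_tamper_findings(events):
    """Hosts where Defender real-time protection was disabled (5001)."""
    return [(ev["time"], ev["host"]) for ev in events if ev["id"] == DEFENDER_RTP_DISABLED]


def hunt(events):
    """Run all three hunts and return findings keyed by indicator."""
    return {
        "persistence": task_findings(events),
        "backdoor_admin": backdoor_account_findings(events),
        "av_tampering": defender_tamper_findings(events),
    }


# Constructed sample events: one malicious task among a benign one, a backdoor
# account promoted within a minute of creation, and AV tampering on a file server.
SAMPLE_EVENTS = [
    {"time": "2020-10-12T02:14:07", "host": "HIS-APP01", "id": 4698,
     "task": "\\WindowsUpdateCheck", "command": "C:\\ProgramData\\svc\\upd.exe",
     "repeat": timedelta(minutes=5)},
    {"time": "2020-10-12T02:20:11", "host": "HIS-APP01", "id": 4698,
     "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "C:\\Windows\\System32\\defrag.exe", "repeat": None},
    {"time": "2020-10-13T23:41:55", "host": "FS01", "id": 4720, "account": "svc_backup2"},
    {"time": "2020-10-13T23:42:30", "host": "FS01", "id": 4732, "account": "svc_backup2",
     "group": "Administrators"},
    {"time": "2020-10-20T01:05:00", "host": "FS02", "id": 5001},
]

if __name__ == "__main__":
    for indicator, hits in hunt(SAMPLE_EVENTS).items():
        for hit in hits:
            print(indicator, *hit)
```

The point of the account rule is the correlation, not either event alone: creating an account or adding one to Administrators is routine, but doing both within minutes late at night is the backdoor pattern described above. Widen the review window to the weeks before any ransomware detonation, not just the hours around it, and feed in events from every host, since the attacker's staging box is rarely the one that was encrypted.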
Criminals take the time to search through online files, locating the most sensitive and valuable data: business plans, financial accounts, internal emails, personal information about patients and employees, data covered by regulations such as GDPR and HIPAA, and so on. Essentially, anything that could deeply damage the business if it were to leak. This can then be used to further extort the business by threatening to disclose or sell the information if the ransom is not paid. In many cases, the data will be sold regardless of whether the ransom is paid.
CISA, FBI, and HHS do not recommend paying ransoms. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. It may also be illegal: the Treasury Department's Office of Foreign Assets Control (OFAC) has stated that facilitators could be prosecuted even if they or the victims did not know the hackers demanding the ransom were subject to U.S. sanctions. This particularly applies to consultants who help organizations pay off cybercriminals. Cybersecurity firms that have recently begun to specialize in facilitating payments may also be required to register as money services businesses.
How GDT Can Help
GDT's Advisory Services practice provides a full range of services to assist you in complying with the regulations that apply to your organization. We can assess your company's current state of compliance and recommend a strategy and architecture to attain and maintain compliance. This starts with an evaluation of your company's policies, procedures, and practices related to privacy and to data retention and destruction. A review of network and security architecture, vulnerability assessment, patching policy, auditing/logging/review, and access management controls and protocols can further identify areas of opportunity for cybercriminals and alert you to the possibility that you are already compromised.
Once identified, GDT can assist by providing state-of-the-art tools and technologies to increase the resilience of your organization to attack and can provide consultants with deep expertise in all aspects of security, risk, compliance, and operational best practices. Our NOC and SOC services, Compliance-as-a-Service, and staff augmentation capabilities can provide you with critical resources that do not require the time and expense of building a staff and a program to effectively address your security, risk, and compliance needs.