Holding Hospitals Hostage: An Overview of Ransomware Attacks on Hospitals and Healthcare Systems
By Sean Wang
December 9, 2020
As hospitals continue to increase their array of interconnected machines and software to care for and manage patients, they become increasingly reliant on digital ecosystems. Yet, this process of attempting to streamline and unify once separated systems is not without its dangers. The umbrella of healthcare data breaches encompass a number of events and threats including ransomware, privilege abuse and sale of information, and phishing. A paper from The American Journal of Managed Care reviewed 215 data breaches (that affected 500 or more individuals) at 185 different US hospitals between 2009 and 2016. Most noticeable, while network server attacks were reported in only 10 hospitals, over 4.6 million individuals had their information compromised. Data theft occurred in 112 hospitals and compromised 1.1 million individuals, while hacking/IT incidents at 27 hospitals affected 4.6 million individuals. While frequency should be a concern, even a handful of data breaches can affect millions of lives. In this article, we will be exploring what happens when a healthcare system is attacked by ransomware, the consequences, and what can be done to stop these attacks.
Ransomware attacks: What, when, where?Much like how hostages are held for ransom in movies, the person (or in this case, software and data) of interest is held until a ransom is paid. In the context of a ransomware attack on a hospital, medical devices or patient medical records could be locked behind ransomware until a ransom is paid. Because of these system lockouts, events such as medical record loss, surgical procedure cancellation, and redirection of emergency patients could occur. A striking statistic dating from 2016 by security company Solutionary reported that 88% of all ransomware attacks were on hospitals and health systems. 94% of these attacks were conducted with the ransomware Cryptowall. Security blog Emsisoft writes that in the year 2019, 996 government agencies were attacked by ransomware including state and municipal governments and agencies, healthcare providers (the majority of cases), and universities and school districts (which could be affecting over 1000 individual schools). Because of such widespread damage to government agencies, Emisoft estimates that up to $7.5 billion of damages could have been incurred. If we also consider private entities that could have been affected by ransomware attacks, the costs are even greater. The National Health Service in the United Kingdom experienced a major breach in 2017 which effectively jeopardized the entire United Kingdom. While former British prime minister Theresa May stated that it was an international attack (as corporations in Spain and Portugal had also been affected), it was clear that an attack was still directed at up to 40 NHS organizations using software called WanaCrypt0r 2.0 or Wannacry which exploited Windows vulnerabilities. Infected computers would demand $300 USD ransom per machine via Bitcoin to decrypt files; after three days without payment, the price would double and after seven days the files would become unrecoverable. Other NHS workers reported that machines demanded $300 USD in bitcoin or files would be wiped. As a result of massive system lockout, hospitals had to revert to a slower offline process; NHS workers had no access to nationalized systems,medical records, prescriptions, or patient results, which resulted in a slowdown of entire hospital operations. While ransom costs for hospitals are often not publicly disclosed, the Hollywood Presbyterian Medical Center paid $17,000 in 2016 afterts databases were locked for one week. Groups such as the US Department of Health and Human Services and the FBI have recommended against paying ransomware attacks, as such action would only encourage further attacks. In December 2019, New Jersey Hackensack Meridian Health paid an undisclosed sum of money (via an insurance plan related to cyber attacks) to ransomware hackers. In February 2020, two patients filed a proposed class-action lawsuit in a district court in Newark for the “reckless manner” that Hackensack Meridian Health exercised to protect patient information which included claims that HMH did not properly monitor and improve their cybersecurity risks which allowed their medical data to be seen by unknown individuals. These examples are among many of how hospitals have acted quickly to protect their patients; however, the cost of taking swift action is often the need to surrender to ransomware demands. Other groups such as LifeLabs, Health Quest, Tidelands Health, and Solara Medical have had lawsuits filed against them for similar data breaches. This past month, a woman in Germany died after Dusseldorf University Clinic was unable to accept emergency patients after IT systems crashed in a potentially botched ransomware attack. The woman, in critical condition, was forced to be taken to another facility 32km (20 miles) away from the hospital. The New York Times stated that it is unclear whether the University Hospital Dusseldorf was the actual target or collateral of the ransomware attack. It’s possible that Heinrich Heine University, to which the ransom note was actually directed towards, was the real target, as the hackers stopped the attack on the hospital and gave them the encryption/unlock key before dropping correspondence. Although German prosecutors are investigating possible manslaughter charges for the death of the patient, arrests and extradition are unlikely for the cybercriminals of this incident. However, given that most hackers are located in Russia, they are protected from extradition. What this inability to apprehend hackers means is that when hospitals or governments face ransomware attacks, the primary actions they can take are minimizing damages and preparing for the next intrusion; stopping future attacks, thus far, does not include preventing current hackers from hacking again. Major hospital chain Universal Health Services was attacked affecting more than 0 hospitals in the US, UK, and Puerto Rico. News site Bleeping Computer reported that UHS employees found that the ransomware had similarities to a high-profile ransomware Ryuk ,which has been linked to Russian hackers. Ryuk has been known to be used for what Wired calls, “big-game hunting”. The ransomware has a history of being directed at large companies who can pay hefty ransoms, such as Garmin.
How and why do ransomware attacks happen?
In general, ransomware is growing into a corporate enterprise with increasing efficiency and professionalism. Even though major ransomware Darkside Inc. has sworn off attacking groups like hospitals, schools, or non-profits, ransomware Ryuk has had its sight set on hospitals and health systems with a lengthening track record to prove it.
From a technical standpoint, ransomware attacks can happen because of a variety of security vulnerabilities. In the 2017 NHS case, an estimated 90% of NHS data trusts were on Windows XP systems that were fifteen years old and unable to receive up-to-date Microsoft security updates.
Ransomware like Wannacry or SamSam has been argued as potential openings for state-managed cyber offensives. Wannacry, with great organization, attacked not only NHS health systems but 150 countries in a single day.