In the early days of the pandemic, cybercriminals hinted at some sort of code of honor among thieves. Prominent ransomware groups like Maze said they would launch no attacks against medical organizations until the “stabilization of the situation with the virus.” Other hackers offered free decryption keys if a hospital was inadvertently hit by a ransomware attack.
If this so-called ceasefire was ever real, it is now a distant memory. In an unprecedented joint bulletin, the FBI, the Department of Homeland Security (DHS) and the Department of Health and Human Services recently warned of a “credible” and “imminent” ransomware threat to American hospital networks.
Hospitals may not seem like ideal targets for cyber attackers, but two factors make them more valuable and more vulnerable than ever. The first is that COVID-19-related hospitalizations are rising like never before. Earlier this week, the United States surpassed 100,000 COVID-19 patients hospitalized on a single day, breaking a series of previous records, including those set in April during the first wave of the pandemic.
At the same time, hospital systems have grown considerably. In the last decade there have been over 680 mergers of hospital systems, creating sprawling networks that span hundreds of hospitals and tens of thousands of doctors. The goal of this industry consolidation was undoubtedly efficiency. Yet increased connectivity between disparate IT systems has introduced systemic risk into a vital piece of our nation’s infrastructure: one intrusion can now spread across every hospital that shares a network.
If a ransomware attack shut down the operations of dozens of hospitals at this moment of maximum vulnerability, the impact would be profound. As healthcare workers heroically fight an invisible enemy, we must not be blindsided by a second one.
Given the stakes, hospitals must face this risk head-on.
First, recognize the ransomware epidemic. Ransomware attacks have doubled in the last three months alone. And hospitals in particular have become the new soft targets, with more than 80 publicly reported ransomware attacks on them so far in 2020.
In addition, attackers have adopted a newer, more vicious form of attack called “double extortion.” Rather than simply encrypting data and holding it hostage, they first exfiltrate it and then threaten to publish large volumes of sensitive records if the ransom is not paid, so that even a hospital with good backups still faces a breach. This double whammy has considerably increased attackers’ leverage and the pressure on hospital management teams. To date, the healthcare sector has lagged behind sectors such as finance and energy in investing in cyber resilience. Recognizing and internalizing this new ransomware threat, and its potential power, is a critical first step.
Second, back up your data. Every organization needs a layered defense that includes security controls for connected devices, including medical equipment; network segmentation, which lets administrators control the flow of traffic between parts of the network and contain an intruder who gets in; and relentless efforts to find and patch software vulnerabilities. Against ransomware, however, backups are the essential line of defense, especially for a hospital system that is the custodian of sensitive personal information. An organization that can quickly restore or recreate its data is in a far better position to refuse a ransom demand.
The specific form of backup, whether an offline copy or the emerging “immutable” technology that relies on Write Once, Read Many (WORM) storage, which keeps files in an unalterable form, is less important than the fact that a sound system exists, that the attacker cannot reach and encrypt the backup along with everything else, and that restoring from it has actually been rehearsed. And where possible, encrypt your data in transit and at rest.
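The backup discipline described above, as an added example written for this page (it is not code from the authors, from any hospital system, or from any backup vendor): a minimal write-once backup store on a plain filesystem with a SHA-256 manifest, a restore routine that refuses a snapshot that fails its integrity check, and a drill in which a simulated intruder “encrypts” one backup copy. The WormStore class, the snapshot names, the file names and the sample records are all constructed for the example; a real deployment would get the write-once guarantee from storage features such as object lock or tape, and would encrypt the snapshots at rest.

```python
"""Added example, not part of the original op-ed: a write-once backup store
with a SHA-256 manifest plus a restore drill that shows how the manifest
catches a backup copy that ransomware has reached. Paths, file names and
sample records are all constructed."""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large archives stream."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class WormStore:
    """Write Once, Read Many on a plain filesystem: a snapshot name can be
    written exactly once and its files are made read-only afterwards. This is
    a portable stand-in for object lock or tape; it shows the contract."""

    def __init__(self, root: Path):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)

    def snapshot(self, name: str, source: Path) -> dict[str, str]:
        dest = self.root / name
        if dest.exists():                       # WORM: never overwrite a snapshot
            raise PermissionError(f"snapshot {name!r} already exists")
        dest.mkdir()
        manifest: dict[str, str] = {}
        for path in sorted(Path(source).rglob("*")):
            if not path.is_file():
                continue
            rel = path.relative_to(source)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(path, target)
            manifest[str(rel)] = sha256(target)  # hash the copy we will rely on
            os.chmod(target, 0o444)              # no in-place edits by ordinary users
        lines = [f"{digest}  {rel}" for rel, digest in manifest.items()]
        (dest / "MANIFEST").write_text("\n".join(lines) + "\n")
        os.chmod(dest / "MANIFEST", 0o444)
        return manifest

    def _manifest(self, name: str) -> dict[str, str]:
        entries = (self.root / name / "MANIFEST").read_text().splitlines()
        return {rel: digest for digest, rel in (e.split("  ", 1) for e in entries)}

    def verify(self, name: str) -> list[str]:
        """Relative paths whose content no longer matches the manifest."""
        dest = self.root / name
        return [rel for rel, digest in self._manifest(name).items()
                if not (dest / rel).is_file() or sha256(dest / rel) != digest]

    def restore(self, name: str, target: Path) -> int:
        """Copy a snapshot out, refusing one that fails its integrity check."""
        bad = self.verify(name)
        if bad:
            raise RuntimeError(f"refusing to restore {name!r}: {bad} failed verification")
        count = 0
        for rel in self._manifest(name):
            out = Path(target) / rel
            out.parent.mkdir(parents=True, exist_ok=True)
            shutil.copyfile(self.root / name / rel, out)
            count += 1
        return count


def run_drill() -> dict:
    """Constructed drill: take two snapshots, let a simulated intruder with
    enough privilege to flip the read-only bit "encrypt" one of them, and
    confirm the manifest catches it while the other snapshot still restores."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live = base / "ehr"
        (live / "notes").mkdir(parents=True)
        (live / "patients.csv").write_text("id,name\n1,Jane Doe\n")  # constructed
        (live / "notes" / "day1.txt").write_text("stable")         # constructed
        store = WormStore(base / "backups")
        store.snapshot("2020-12-01", live)
        store.snapshot("2020-12-02", live)
        try:
            store.snapshot("2020-12-02", live)   # second write to the same name
            overwrite_refused = False
        except PermissionError:
            overwrite_refused = True
        victim = store.root / "2020-12-02" / "patients.csv"
        os.chmod(victim, 0o644)                  # attacker defeats the read-only bit
        victim.write_bytes(b"\x00ENCRYPTED\x00")  # and encrypts the backup copy
        result = {
            "overwrite_refused": overwrite_refused,
            "tampered": store.verify("2020-12-02"),
            "clean": store.verify("2020-12-01"),
            "restored_files": store.restore("2020-12-01", base / "restore"),
        }
        restored = (base / "restore" / "patients.csv").read_text()
        result["restored_ok"] = restored == "id,name\n1,Jane Doe\n"
        return result


if __name__ == "__main__":
    print(run_drill())
```

The point of the drill is the last two checks: an intruder who can reach the backup share can usually also flip a permission bit, so read-only files alone are not immutability; what saves the hospital is a second, unreachable snapshot and a restore path that verifies before it trusts anything. Running the restore on a schedule, not just writing the snapshots, is what turns a backup into a defense.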
Third, stress-test your ransom-payment policy. Frustrated by the growing number of organizations paying ransoms, the US Treasury in October issued an advisory warning of potential sanctions exposure for doing so. Ransom payments effectively fund hackers’ research and development of more sophisticated attacks. Any organization that feels pressured into paying a ransom should, at a minimum, analyze the sanctions risk, particularly if a cryptocurrency payment ends up in the hands of a sanctioned group or a terrorist organization.
The time has come for hospital networks to review their incident response plans and strengthen their relationships with law enforcement, the DHS Cybersecurity and Infrastructure Security Agency, and information sharing and analysis centers (non-profit organizations that share cyber-threat intelligence within a sector). Additionally, hospitals should test their business continuity plans against multiple scenarios resulting from a widespread IT outage, including one that lasts for days rather than hours.
Cyber threats are no longer confined to the digital domain. They now have dire implications for hospitals and for the laboratories researching the vaccines that are essential to saving lives. As hackers increasingly target our nation’s healthcare infrastructure, the potential consequence has shifted from loss of data to loss of life.
With forecasts of a grim COVID winter ahead of us, our hospitals and their leadership teams must step up to protect us all.
Peter J. Beshar is General Counsel for Marsh & McLennan and has testified before Congress on cybersecurity on several occasions.
Jane Holl Lute was Assistant Secretary of Homeland Security from 2009 to 2013 and is a member of the Board of Directors of the Center for Internet Security.