As Coronavirus cases are spiking in the U.S., the healthcare system is in fear of getting overwhelmed. But that's something every hospital worker is trained to handle. However, that's not the only problem. Federal agencies have warned about cyberattacks that could encrypt the hospital networks and steal patient data. In a sense, the U.S. healthcare system is in shambles from a cybersecurity perspective.
The Federal Bureau of Investigation (FBI), Department of Health and Human Services and the Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) have warned that they have "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers" that would lead to "data theft and disruption of healthcare services."
The federal agencies issued the alert after Alex Holden from the cybersecurity research firm Hold Security tracked online communications between Russian hackers who were discussing plans of deploying Ryuk ransomware at over 400 hospitals across the U.S. That would cause a major disruption to patient care amid a pandemic.
Hospitals Easy Target
Healthcare providers deal with a vast amount of data from financial to health and personal information of patients. It's the best place to get social security numbers without much hassle. Considering that, one would expect them to be careful with data security but they only spend less than five percent of the total IT budget on cybersecurity as per a report, making them vulnerable to cyberattacks.
As modern-day hospitals are leaning more towards technology and internet-connected ecosystem, most of the equipment has become vulnerable to cyberattacks. As per research done in 2014, from drug infusion pumps to Bluetooth-enabled defibrillators, pacemakers and digital patient records, everything can be hacked that have direct implications on patient health.
While equipment manufacturers have mitigated certain risks, some of them are still vulnerable. The reason for that is using weak passwords. In many hospitals, the common security flaws included unauthenticated access, weak and unchanged passwords. Most of them used factory-set default passwords or put passwords like "1234" or "admin" that takes less than a second to break into. While cyberattacks have evolved, in most of the cases, healthcare providers haven't. The same security risks of 2014 remain constant even in 2020.
Among the cyberattacks, the most popular is planting ransomware that would encrypt the hospital networks and make patient data inaccessible to doctors and nurses. As hospital administrators would be liable for anything that happens to a patient, in many cases, they would oblige, paying up the amount demanded.
The most popular ransomware is Ryuk which is operated by Russian hackers' groups and East European hackers named UNC1878. Hackers can gain access to the system through phishing attacks and exploiting security flaws in either Windows, routers or equipment.
Three of New York's St Lawrence Health System hospitals were under attack by Ryuk ransomware on Tuesday while Oregon's Sky Lakes Medical Center too suffered the same fate on the same day. Last month, one of the largest hospital networks in the U.S., United Health Service (UHS) was also targeted with Ryuk ransomware.
When hospitals don't concede to ransomware demands, the result is often catastrophic. In September, a German hospital was mistakenly targeted with a ransomware attack and a patient died. The hospital in Dusseldorf could not admit the patient who needed urgent care.
The federal agencies issued the alert to warn healthcare providers of the risks and "to ensure that they take timely and reasonable precautions to protect their networks from these threats."
However, the alert might have been too late for hospitals that have already been infiltrated by Ryuk ransomware. Often, hackers break into a network and take days or weeks to encrypt the entire or a part of the network. The payload is often dropped as a Windows executable file (.exe) that when executed communicates with the command and control server. A healthcare industry official told KrebsOnSecurity that the hundreds of medical facilities were at imminent risk. Mitigating those risks were beyond any healthcare provider group.