The hacker ‘ceasefire’ with hospitals is over—and that should terrify us
In the early days of the pandemic, cyber hackers hinted at a sort of honor code among thieves. Prominent hacking groups like Maze declared that no attacks would be launched against medical organizations until “the stabilization of the situation with the virus.” Other hackers offered free decoder keys if a hospital was inadvertently impacted by a ransomware attack.
If this purported ceasefire was ever real, it is now a distant memory. In an unprecedented joint bulletin, the FBI, Department of Homeland Security (DHS), and Department of Health and Human Services recently warned of a “credible” and “imminent” ransomware attack against U.S. hospital networks.
Hospitals may not seem like ideal targets for cyberattackers, but two factors are making them more valuable and vulnerable than ever. The first is that COVID-19 hospitalizations are spiking as never before. Earlier this week, the U.S. exceeded 100,000 daily hospitalizations due to COVID, breaking a series of earlier records—including those that were set in April during the pandemic’s first wave.
At the same time, hospital systems have expanded dramatically. In the past decade there have been more than 680 mergers of hospital systems, creating sprawling networks that span hundreds of hospitals and tens of thousands of physicians. The goal of this industry consolidation was undoubtedly efficiency. Yet increased connectivity across disparate IT systems has introduced a systemic risk to a vital piece of our nation’s infrastructure.
If a ransomware attack disabled the operations of dozens of hospitals at this moment of maximum vulnerability, the impact would be profound. As health care workers fight heroically against one invisible enemy, we must not be blindsided by another shadowy foe.
Given the stakes, hospitals need to confront this risk head-on.
First, recognize the epidemic of ransomware. Ransomware attacks have doubled in just the past three months. And hospitals in particular have become the new soft targets, with more than 80 publicly reported ransomware attacks thus far in 2020.
In addition, hackers are utilizing a new, more vicious form of attack called “double extortion.” Rather than simply encrypting and holding your data hostage, attackers are also threatening to release reams of sensitive data publicly. This double whammy has greatly increased the leverage of attackers and the pressure on hospital management teams. To date, the health care sector has lagged other industries like finance and energy in making greater investments in their cyber resilience. Recognizing and internalizing this new ransomware threat, and its potential potency, is a critical first step.
Second, back up your data. Every organization needs a multilayered system of defense that includes security measures to prevent breaches by connected devices; network segmentation, which allows network administrators to control the flow of traffic across networks; and relentless efforts to find and fix software vulnerabilities. To combat ransomware, however, backups are a critical line of defense—especially for a hospital system that is the guardian of sensitive, personal information. An organization that is able to rapidly restore or recreate its data is far better positioned to fend off demands for ransom.
The specific form of backup—whether it’s an offline system, or the emerging “immutable” technology that relies on Write Once, Read Many (WORM) formatting, which stores files in a way that can’t be altered—is less important than the fact that a sound system exists. And wherever possible, encrypt your data both in transit and at rest.
Third, pressure test your ransom philosophy. Frustrated by the growing number of organizations that are paying ransoms, the U.S. Treasury issued an advisory opinion last month reinforcing the potential penalties for doing so. Ransom payments are effectively funding hackers’ R&D for more sophisticated forms of attack. Any organization that feels coerced into paying a ransom should, at a minimum, analyze the potential risks of sanctions, especially if Bitcoin payments eventually find their way to a terrorist organization.
Now is the time for hospital networks to revisit their incident response plans and build stronger relationships with law enforcement, the Cybersecurity and Infrastructure Security Agency at DHS, and information sharing and analysis centers (nonprofit organizations that offer resources on cyber threats). In addition, hospitals need to test their business continuity plans against multiple scenarios arising from a widespread IT outage.
Cyber threats are no longer confined to the digital realm. Instead, they have dire implications for hospitals and vaccine research labs that are critical to saving lives. As hackers increasingly target our nation’s health care infrastructure, the potential consequences have morphed from the loss of data to the loss of life.
With forecasts for a bleak COVID winter before us, our hospitals, and their leadership teams, need to step up to protect us all.
Peter J. Beshar is general counsel of Marsh & McLennan and has testified before Congress on cybersecurity multiple times.
Jane Holl Lute served as deputy secretary of homeland security from 2009 to 2013 and is on the board of the Center for Internet Security.