The questionable honor of being the first reported ransomware victim belongs to the healthcare sector. In 1989, the Harvard-trained biologist Dr. Joseph L. Popp distributed around 20,000 floppy disks, titled “AIDS Information Introductory Diskette” or “AIDS” for short, to attendees of the World Health Organization AIDS conference in Stockholm, Sweden. After a set number of boots, the disk’s payload hid the directories and scrambled the file names on drive C:, and then demanded $189 in ransom money for victims to regain access to their files.

A History of Digital Neglect

On May 12th, 2017, the “WannaCry” ransomware, the mother of all cyber pandemics, stormed into our lives, leaving behind it the scorched earth of more than 200,000 infected devices across 150 countries, including some 70,000 British National Health Service (NHS) devices, all in a record time of 24 hours. Access to medical records, test results, and critical systems was lost. Treatments, appointments, and surgeries were canceled, ambulances were diverted between hospitals, and a sense of anarchy was felt all around.

In 2019, some 400 dental practice offices were affected after a well-known dental managed service provider was compromised by the “Ryuk” variant, which exploited the provider’s connections to its remote client offices and encrypted them as well.

During the 2020-2021 COVID-19 lockdowns, attacks skyrocketed and ransomware became even more contagious. With all attention focused on healthcare facilities, many attackers took advantage of the situation, racing to be the first to hit a facility and collect the ransom payment.

In 2021, the cybercriminal groups FIN11 and Clop were reported to have exploited the Accellion legacy File Transfer Appliance product, causing one of the largest healthcare data breaches of that year. Other ransomware campaigns hit the Irish Health Service Executive (HSE) and, in the U.S. alone, a reported 850 other healthcare facilities and hospitals.

New World Record

This year is not yet over, but it is already breaking records in reported cyber campaigns against healthcare facilities. The most notable one happened recently, in October, when the second-largest non-profit hospital chain in the United States reported a cyber-attack that forced it to reschedule crucial appointments and even take certain IT systems offline until it could recover from the attack. The hospital system comprises more than 140 facilities across 21 states.

Just as in many other industries, where cyber campaigns target mainly small and medium-sized businesses, small hospitals are no exception.

Bullying the Smallest Kid

Smaller hospitals are more vulnerable and more likely to get cybercriminals’ attention. Penetrating those facilities is relatively easier and takes less time because of their lack of resources, manpower, and cyber-awareness.

Whether attackers find a new vulnerability, develop an exploit, or simply acquire a toolkit, they would rather try it out in a “safe space” before tackling cyber-resilient and robust healthcare facilities. This improves their success rate and is less likely to trigger an alarm if something in their scheme still needs fine-tuning.

We Have a Disease and We Don’t Care

Careless healthcare facilities put their patients’ and staff’s data at risk through deliberate neglect. In many cases, the breach could easily have been avoided by implementing basic measures. Many attackers don’t employ highly sophisticated schemes; they simply exploit known vulnerabilities in unpatched, out-of-date systems. In some cases, they gain access through open and unsecured connections with a contractor or third-party medical provider. And with many facilities unaware of an attack until weeks or months later, it’s no wonder some of them suffer multiple incidents in a single year.

A hospital is by nature open to the public, which gives attackers noticeably more entry points in which to find vulnerabilities. More and more medical systems are now interconnected through internet-exposed third-party solutions, contractors, and other supply-chain service providers. Furthermore, even when hospitals make the effort to deploy monitoring, detection, and prevention tools, they often lack a sufficiently skilled workforce to operate those systems and proactively act on what they report. Put all of those ingredients together and you get an accelerated countdown to the next breach.

Taking the Cyber Secret to the Grave

The simple truth is that when a cyber-incident happens (and is discovered by IT), many hospitals steer clear of discussing the matter, or delay their statement until long after the attack occurs. Under the HIPAA Breach Notification Rule, the U.S. Department of Health and Human Services requires covered healthcare facilities to report a breach affecting 500 or more individuals without unreasonable delay, and no later than 60 days after discovery. In the first quarter of 2022 alone, the U.S. Department of Health and Human Services was investigating 125 high-profile breaches. Sadly, in some cases medical centers discover a breach months after it began and then take their time reporting it to the health department (up to 3 months later), which leaves little or no chance to remediate the attack or to alert peer facilities in time.

Circling back to the Alabama-based hospital lawsuit: as reported by local News 5, the hospital provided contradictory statements. At first, it described the event as a “standard downtime procedure to mitigate the impact on our patients” and reassured the public that the hospital was “seeing a regular volume of patients at the time”. A few days later, it revised its statement: it was “currently addressing a security incident affecting our internal network. After learning of this issue, we immediately shut down our network to contain the incident and protect all data, notified law enforcement, and engaged leading outside forensic experts to support our investigation.”

In both cases, the updates were, to say the least, inaccurate.

A short inquiry by the local WKRG station found that the hospital was indeed turning away some patients because of the ransomware attack. A patient of the facility told the station that his doctor’s appointment scheduled for that week had been unexpectedly postponed with no further explanation: “The only information they could tell me is they possibly could call me back later in the week if the computers are back up but currently they are having issues with it”. Also, when the station contacted the local police department and the County Sheriff’s Office, both agencies said they “did not take any incident reports on this”.

The inquiry thus showed the hospital’s statements to be inaccurate at best, demonstrating that the hospital lacks either the capacity or the will to manage a cyber-incident the way its counterparts in other sectors do.

Read Part I |
Read Part II |
Read Part IV