If there was any lingering hope that cybercriminals would show mercy on health care providers during the COVID-19 crisis -- as some claimed they would do -- that pipe dream evaporated with the news that various ransomware groups attacked Fresenius, Europe’s largest private hospital operator, as well as a pair of U.S.-based plastic surgery clinics.
Krebs on Security reported today that Germany-based Fresenius, which also provides dialysis services, drugs and medical devices, has experienced disruptions across its global operations after being hit with the malicious Snake encryptor. Early reports of Snake first emerged in January 2020, as cyber experts took note of the ransomware's unusual behavior of killing named processes related to ICS solutions and SCADA systems, potentially placing OT environments at risk.
"I can confirm that Fresenius' IT security has detected a computer virus on the company's computers in a number of areas," a spokesperson said in an email to SC Media. "As a precautionary measure in accordance with the security protocol drawn up for such cases, steps have been taken to prevent further spread. Nevertheless, our production continues, with certain limitations. Also our patient care continues. Our hospital business, for example, is not affected at all."
Any disruptions of Fresenius' dialysis business would be worrisome, security expert Brian Krebs reported on his blog site, because the company owns 40 percent of the market share. Many COVID-19 victims are experiencing kidney failure, placing a strain on demand for dialysis equipment and supplies.
"As expected, the purported ceasefire on health care providers by ransomware operators has proven short-lived. Rather than being rooted in any sort of altruism, the attackers were simply waiting for the optimum time to strike: when Fresenius was under immense strain as it attempted to meet the demands onset by the COVID-19 pandemic. This should act as a lesson to other healthcare providers and industries," said David Jemmett, CEO and founder at Cerberus Sentinel. "In this climate of increased threat volume, it's imperative healthcare organizations have a cyber resiliency strategy in place, so they can continue to operate effectively and support and provide diagnoses for their patients."
"Being mindful of COVID-19 social challenges, some cyber gangs decisively called to abstain from any attacks against medical and healthcare organizations, but unsurprisingly not everyone follows this Robin Hood code of ethics," added Ilia Kolochenko, founder and CEO of ImmuniWeb.
Plastic surgery -- especially the elective variety -- is obviously not as vital of a medical service during the COVID-19 era. Nevertheless, by reportedly encrypting, exfiltrating and publicly leaking files that apparently belong to two plastic surgery practices, the operators behind Maze ransomware appear to have broken their previously stated commitment to avoid attacking and extorting health care providers during the pandemic. (Kroll, a division of Duff & Phelps, just released a detailed report on the latest TTPs of the Maze group.)
DataBreaches.net reported both of the plastic surgery attacks [1, 2], speculating that perhaps the two incidents were made possible by the compromise of a shared vendor or business associate. In its first report on May 5, the website reported observing data on Maze's doxing website that apparently relates to the clinical patients of Bellevue, Washington-based plastic surgeon Dr. Kristin Tarber. Leaked data appears to include patients' sensitive medical histories.
In a second report published today, DataBreaches revealed that the Maze team also struck the Nashville Plastic Surgery Institute, LLC -- doing business as Maxwell Aesthetics -- on the same day it was reopening after halting operations due to COVID-19. Stolen and doxxed patient information reportedly includes names, birth dates, diagnostic info, type of surgery and health insurance information.
SC Media has reached out to both plastic surgery clinics for comment.
These latest incidents -- but particularly the high-profile Fresenius one -- demonstrate the critical importance of health care organizations taking preventative steps to ensure patients don't suffer when an attack occurs.
"With COVID-19 pressing down upon us, we are again reminded of how critically important it is to secure our devices and networks so we can avoid impacting our currently over-strained hospital care environments further," said Bob Rudis, chief data scientist at Rapid7.
"To help resolve these issues, healthcare organizations should look to mitigate risk via network," Rudis continued. "To accomplish this, hospitals and medical care environments should consider segmenting their network into three general categories: medical business operations networks (run the hospital network), medical care network (general medical care appliances), and life critical care (ICU, appliances used to sustain life or administer drugs). By following these network segmentation principles, the risk to patients' health and safety would be greatly reduced, allowing more time to properly validate, update and patch devices."
Drex DeFord, former CIO at Scripps Health, Seattle Children's and Steward Healthcare, and current strategic executive for CI Security, told SC Media that COVID-19 "drove many health care orgs to change business/clinical practices almost overnight," as they began urgently introducing work-from-home protocols, hiring new employees, and installing equipment -- some non-standard -- into their environments.
These actions only increase the risk of a future ransomware infection. DeFord, therefore, recommends health care organizations "put your Security Operations Center into overdrive. And if you can't field your own SOC team for 24/7/365 monitoring... find a healthcare-focused SOC vendor-partner quick." He also advises these companies to maintain best practices and ensure effective communication between security and IT teams and the rest of the business.
"Healthcare orgs are already running on razor-thin margins and burning through days-cash-on-hand; the last thing they need is a cybersecurity incident that amplifies those challenges, and impacts care for patients and families," said DeFord.