‘Picture this’: CynergisTek CEO paints bleak picture of ransomware attacks against hospitals

Caleb Barlow speaks at TED@IBM salon – Spark, November 16, 2016, San Francisco Jazz, San Francisco, California. Photo: Russell Edwards/TED

Hospitals are under siege by two plagues: COVID-19 and ransomware.

In late September, hundreds of U.S. hospitals operated by Universal Health Services had their systems disrupted by an apparent Ryuk ransomware infection. Soon after came reports of similar attacks targeting hospitals affiliated with the University of Vermont Health Network, Sky Lakes Medical Center, the Dickinson County Healthcare System and the St. Lawrence Health System in northern New York.

These troubling developments prompted the Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Department of Health and Human Services to jointly issue an Oct. 28 alert warning of “an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers” that “will be particularly challenging for organizations within the COVID-19 pandemic.”

Caleb Barlow, CEO at health care cybersecurity consulting firm CynergisTek, has been working especially closely with hospitals in the last week to help them quickly respond to this new wave of attacks, in which multiple facilities are disrupted en masse rather than individually. Even more worrisome: future attacks could deal an even more devastating blow if malicious actors tamper with the data integrity of medical records and devices, Barlow noted.

SC Media asked Barlow – who recently commented on the first known hospital death linked to ransomware – to imagine a worst-case scenario ransomware attack taking place at a hospital already under the strain of COVID response. What would the consequences be for patients and medical staff? It was not a pretty picture.

But he also listed some helpful actions that hospitals can take to better prepare themselves in the short and long term – steps that are curiously analogous to certain precautions Americans have been taking to safeguard themselves against COVID-19.

Imagine a scenario where a hospital treating COVID-19 victims and other patients is hit with a severe ransomware attack. What might that look like? What chain reaction of chaos and confusion might it cause?

It's 11 o'clock in the afternoon. And in a surgical suite, someone is getting a surgery that involves a lot of robotic instruments… And all of a sudden, everything in the room stops working, and they don't understand why. The patient’s on the table, open, but everything’s suddenly locked up. They realize that they can't recover the systems and they need to stop the surgery where they are... and that may have consequences.

In addition to that, as someone's checking into the emergency room, [hospital staffers] go to bring up their medical record and the entire system goes blank. Eventually there's a warning on the screen that they need to pay Bitcoin. At the same time, patients start to see this warning in patient rooms and they start to tweet out about it.

The entire population of health care workers that are now working remotely from their homes start to see their systems locked down, depending on how the malware works. All of a sudden, not only is their system locked up, but their kid who's going to school in the next room gets their system locked up because they're on the same subnet… Communications may actually be affected if it gets into the voice over IP system... And people are scrambling to run things on paper…

From there, the hospital starts to initiate its emergency procedures, and some very tough decisions need to be made: Do we want to start disconnecting some systems and capabilities? How much can we even operate? What are we going to do with patients? Are we going to divert?

Doctor Annalisa Silvestri during COVID-19 pandemic in Italy. (Alberto Giuliani/CC BY-SA 4.0)

If [the ransomware] is not in the electronic health care records, they're doing everything they can to lock down that EHR system and keep the bad guys from getting in. In some cases, it literally has meant that somebody walks into a data center and starts pulling plugs and everything they can get their hands on.

Over the course of the next day or two, they start to reach out to law enforcement [and] security community, to start to analyze and forensically understand what they're infected with.

They start to make some tough decisions on if they want to pay it or not. They start to look at their backups, to see if they've got good enough backups to recover. And then they realize that even if they have the backups, the time required to restore every one of these systems – because it didn't just take down a couple of systems, it took down everything – might be measured in weeks.

Even in a scenario where you pay the ransom, it becomes a month-or-two-long exercise to get fully restored back to normal. Now add a COVID situation like you were painting on top of that, and you've got an opportunity for just further stress and chaos. 

How should hospitals and medical facilities be reacting to the recent ransomware attacks and the ensuing government alert?

I've been spending most of my time over the last week on the phone with CISOs and CEOs working through their plans to shore up their defenses. Interestingly enough, it is very analogous to the start of [COVID-19 when] we needed to rapidly invest in masks, ventilators and PPE in order to stay open.

First thing you need is some social distancing… You need to social distance your network a la network segmentation. You want to make sure if [the attackers] get into the surgical suite, they're not going to take down the entire hospital.

The second thing they need to do is deploy the network equivalent of contact tracing. They need telemetry on: Where are the bad guys? What are they doing? You get that early warning indicator, so if you do see infection, you can contain it and eradicate it before it spreads. In this case, the metaphorical equivalent of contact tracing is endpoint detection and response. You need telemetry on every endpoint. More than just antivirus tools, you need real protection on every endpoint.

And then the third thing you need is masks. So you need something to protect you if they do get in there, and that's multifactor authentication… on everything, both internally and externally. Because it's so easy for the bad guys to crack a password once they get in the door.

And the last thing you need is the equivalent of a ventilator… You need something that can keep you alive while this attack is going on. And what that means is keeping them out of your administrative IDs. And that's where privileged access management comes in.

Those are kind of the critical things they've got to invest in. It's not in anybody's budget, and they've got to work very quickly to get these types of solutions supported.
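The "contact tracing" control Barlow describes is endpoint telemetry that gives early warning before an infection spreads. As an added illustration, not code from CynergisTek or any EDR vendor, the script below runs a simple ransomware-behaviour rule over constructed endpoint file events: it flags a process that renames many files to one new extension across several directories within a short window, which is the pattern mass encryption leaves in file telemetry. The telemetry line format, hostnames, process names, paths and thresholds are all assumptions made for the demonstration.

```python
"""Ransomware-style file-activity detector over endpoint telemetry.

Added example for this interview: illustrative code, not CynergisTek's or
any EDR vendor's product. The telemetry format, process names, hostnames,
paths and thresholds are assumptions; the log lines are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed telemetry. One event per line:
#   <timestamp> <host> <pid> <process> <action> <path> [-> <new path>]
SAMPLE_TELEMETRY = r"""
2020-10-28T11:00:01 ws-ehr-12 4411 winword.exe write C:\Users\nurse\Documents\shift.docx
2020-10-28T11:00:03 ws-ehr-12 4411 winword.exe write C:\Users\nurse\Documents\shift.docx
2020-10-28T11:00:05 ws-ehr-12 3020 explorer.exe rename C:\Users\nurse\Desktop\old.txt -> C:\Users\nurse\Desktop\archive.txt
2020-10-28T11:02:00 ws-ehr-07 7712 enc_tool.exe rename C:\Users\doc\Desktop\notes.docx -> C:\Users\doc\Desktop\notes.docx.locked
2020-10-28T11:02:01 ws-ehr-07 7712 enc_tool.exe rename C:\Users\doc\Desktop\rota.xlsx -> C:\Users\doc\Desktop\rota.xlsx.locked
2020-10-28T11:02:03 ws-ehr-07 7712 enc_tool.exe rename C:\Users\doc\Documents\referral.pdf -> C:\Users\doc\Documents\referral.pdf.locked
2020-10-28T11:02:04 ws-ehr-07 7712 enc_tool.exe rename C:\Users\doc\Documents\labs.csv -> C:\Users\doc\Documents\labs.csv.locked
2020-10-28T11:02:06 ws-ehr-07 7712 enc_tool.exe rename C:\Shares\radiology\scan01.dcm -> C:\Shares\radiology\scan01.dcm.locked
2020-10-28T11:02:07 ws-ehr-07 7712 enc_tool.exe rename C:\Shares\radiology\scan02.dcm -> C:\Shares\radiology\scan02.dcm.locked
2020-10-28T11:02:09 ws-ehr-07 7712 enc_tool.exe create C:\Shares\radiology\README_RESTORE.txt
"""

WINDOW = timedelta(seconds=60)  # assumed burst window
MIN_RENAMES = 5                 # assumed: renames to one new extension inside the window
MIN_DIRECTORIES = 3             # assumed: spread over at least this many directories


@dataclass
class Event:
    ts: datetime
    host: str
    pid: int
    process: str
    action: str
    path: str
    new_path: Optional[str] = None


@dataclass
class Alert:
    host: str
    pid: int
    process: str
    extension: str
    renames: int
    directories: int
    first_seen: datetime


def parse_telemetry(text: str) -> List[Event]:
    """Parse the constructed telemetry format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, pid, proc, action, rest = line.split(" ", 5)
        path, new_path = rest, None
        if action == "rename":
            path, new_path = rest.split(" -> ", 1)
        events.append(Event(datetime.fromisoformat(ts), host, int(pid), proc, action, path, new_path))
    return events


def _extension(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _directory(path: str) -> str:
    return path.rsplit("\\", 1)[0]


def detect_encryption_bursts(events: List[Event]) -> List[Alert]:
    """Flag any (host, pid, process) whose renames in a sliding window
    converge on one new extension across several directories."""
    alerts: List[Alert] = []
    by_actor: Dict[Tuple[str, int, str], List[Event]] = defaultdict(list)
    for e in events:
        if e.action == "rename" and e.new_path:
            by_actor[(e.host, e.pid, e.process)].append(e)
    for (host, pid, proc), renames in by_actor.items():
        renames.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(renames)):
            while renames[end].ts - renames[start].ts > WINDOW:
                start += 1
            window = renames[start:end + 1]
            ext, count = Counter(_extension(e.new_path) for e in window).most_common(1)[0]
            dirs = {_directory(e.new_path) for e in window if _extension(e.new_path) == ext}
            if count >= MIN_RENAMES and len(dirs) >= MIN_DIRECTORIES:
                alerts.append(Alert(host, pid, proc, ext, count, len(dirs), window[0].ts))
                break  # one alert per actor is enough; responders isolate the host
    return alerts


if __name__ == "__main__":
    for a in detect_encryption_bursts(parse_telemetry(SAMPLE_TELEMETRY)):
        print(f"{a.first_seen} {a.host} pid={a.pid} {a.process}: "
              f"{a.renames} renames to .{a.extension} across {a.directories} directories")
```

On the constructed input only the `enc_tool.exe` process on `ws-ehr-07` trips the rule; the single `explorer.exe` rename and the Word saves do not. The thresholds are deliberately conservative and would need tuning against a hospital's own baseline (backup agents and document-conversion jobs also rename in bulk), which is exactly the kind of telemetry work the segmentation and EDR investments Barlow describes are meant to support.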

Talk a little bit more about the nature of the current threat facing hospitals and how it can evolve from there.

At the end of the day what the attackers are after are the electronic healthcare records, because they know if they lock up the EHR, they pretty much take down the hospital. And we're seeing this today with about a dozen hospitals down pretty hard right now.

When you can't access patient records, you don't know histories. You don't know the drug cocktail that grandma’s on. You don't know what the treatment protocols are that have been tried historically before you try something new. So, what typically happens is elective procedures are immediately put on hold. And oftentimes they start diverting their emergency room. And in addition to that, things like cancer treatments are also put on hold…

Let me throw one other variable in there, which is that in many major cities, including Boston, where I live, there might only be two or three hospital systems that all share the same electronic healthcare records. So if I take down the EHR, I might not just take down one hospital, I might take down most of them in an entire city. And then we have a real problem.

And this is also where these recent attacks have demonstrated a brazen change in what we call adversarial intent. Historically the adversary is… monetarily focused and it's in their best interest to proceed methodically: Take down the hospital, cause them pain, get paid, move on to the next one. What doesn't make a whole lot of sense here – and this started with the United Health Systems breach a few weeks ago – is: Why would you try to take down an entire system… all at once? That isn't in your best interest as an entrepreneur, because you're now going to draw the attention of every law enforcement agency, every intelligence agency and every security company on the planet.

The George Washington University Hospital, seen here, is jointly owned and operated by a partnership between a subsidiary of Universal Health Services and the George Washington University. UHS was one of the earlier victims from the health care industry of a ransomware attack. (Marcus Qwerty/Creative Commons Attribution-Share Alike 3.0 Unported)

In addition to that, you're basically dealing with one [massive] ransomware incident when you could have just locked up each hospital one by one, and had several dozen opportunities to get paid. So it doesn't make sense. And now we've crossed over that threshold. We're seeing that activity continuing in this next wave of attacks, where they're going after entire systems and trying to take out multiple hospitals in the same city at once... So the entire security community is scratching their heads.

But also this is a marked change for hospitals because the level of defense they need is also changing dramatically.

And then adding COVID to the mix makes things worse right? Because it’s not like you can divert these patients easily to another hospital. In fact, in a COVID surge, most hospitals are likely full, and patients are on ventilators.

Hospitals do divert patients all the time, but they typically divert them based on prioritization and capacity, meaning that if you just broke your arm in a sporting incident and the level one trauma center’s full, you absolutely might get encouraged to go to the small regional hospital where they could easily treat your broken arm and it's not going to make a difference if you get there 10 minutes later. On the other hand, for a trauma patient or stroke patient, time matters. And that's how emergency medicine is built.

Now, you asked a very important question, which is: What happens if we're in a major city and they're all already at capacity because of COVID? …You can’t move them [the patients], right? You have a major problem, and that's why they're trying to divert everything else coming in. That's why they're saying, “Hey, we're gonna have to deal with this on paper.”

Cybercriminals have now proven that they’ll deliberately attack hospitals and endanger lives. Is this the final straw? Will the U.S. have to make payments illegal or take bolder action against attacking entities?

We've never seen this form of an attack on the U.S. homeland… almost all cyberattacks to date have not had a kinetic impact on the US population. Yes, you might lose your money. Yes, you might lose your intellectual property, but they don't physically harm people. And that's where this particular attack has crossed the Rubicon… We certainly have never seen an attack of this magnitude that has the opportunity to harm this many people.

People have been trying to decide for years: What is the threshold that we should define something as an act of war? What is the threshold at which you define cyberterrorism? At some point, when you actually have the ability to physically harm someone or kill them, you start to get pretty close to that line if you don't cross it.

But also, you start to get very close to the line of thinking about defense differently. And I think there are two areas in particular that this really raises eyebrows. One, we're not dealing with $500 ransomware payments anymore… Even [if] you got to $100,000, you just pay it. We’re now in the millions... And that kind of funding is fueling the next series of attacks. So the first question we have to ask as a society is... Is it time to stop paying the ransom? And a lot of the reason why health care is being attacked is healthcare has a very high rate of paying ransoms.

The second thing we have to look at is: Do we need to require certain capabilities from a defensive perspective? There's a reason why you don't see lots of ransomware attacks on banks… Several years ago, they had to all invest very heavily in their cyber defenses and now cybersecurity is a major budget item on any bank’s asset sheet.

Unfortunately, it isn't that health care hasn't been invested in cybersecurity, it’s that they haven't been investing enough relative to the threat. A survey we did earlier this year looking at 1000 hospitals… found that 66 percent of American hospitals don't meet minimum cybersecurity standards.

So now that ransomware attacks on hospitals have evolved to the point where adversaries are hitting multiple facilities at once, what’s the next evolution?

Getting locked up with ransomware – it's not the worst thing that can happen... Eventually, the bad guys are going to realize... the real opportunity they have is [to] start changing data. Because the problem is, if they go in and start modifying data, it becomes very difficult to figure out what they’ve modified.

And all they have to do is show they're capable of it, and then the entire system you can't trust.… That's what we've got to deal with over the next couple of years. The bad guy goes and changes the data, shows you they could change the data, and extorts you.

Imagine an entire hospital where you couldn't trust anything in the medical records because bad guys were in there changing things. I don't know how you recover from that.
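Barlow's point is that silent modification is worse than encryption because the victim cannot tell which records were touched. As an added example, not code from CynergisTek or any EHR vendor, the script below shows one way to make that tampering detectable: every version of a record is bound to the previous entry with an HMAC chain whose key is held by a separate integrity service rather than the EHR database. Change, delete or truncate an entry and verification reports the first entry that no longer matches. The key, the record fields and the sample records are constructed for the demonstration.

```python
"""Tamper-evident ledger for medical-record changes.

Added example for this interview, not code from CynergisTek or any EHR
vendor. The key, record fields and sample records are constructed.
"""
import hashlib
import hmac
import json
from typing import List, Optional

# Assumed: kept by a separate integrity service, never on the EHR host,
# so an attacker who owns the database cannot re-sign what they changed.
LEDGER_KEY = b"constructed-demo-key-not-for-production"


def _canonical(record: dict) -> bytes:
    # Stable serialisation so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_digest(record: dict, prev_digest: str) -> str:
    """HMAC over the previous entry's digest plus this record's canonical form."""
    mac = hmac.new(LEDGER_KEY, prev_digest.encode() + _canonical(record), hashlib.sha256)
    return mac.hexdigest()


def build_ledger(records: List[dict]) -> List[str]:
    """Compute the chained digests as records are appended."""
    ledger, prev = [], ""
    for rec in records:
        prev = record_digest(rec, prev)
        ledger.append(prev)
    return ledger


def first_bad_entry(records: List[dict], ledger: List[str]) -> Optional[int]:
    """Index of the first record that no longer matches the ledger, or None
    if every entry verifies. A length mismatch points at the first missing
    or surplus position."""
    if len(records) != len(ledger):
        return min(len(records), len(ledger))
    prev = ""
    for i, (rec, stored) in enumerate(zip(records, ledger)):
        if not hmac.compare_digest(record_digest(rec, prev), stored):
            return i
        prev = stored  # chain on the stored value so later entries still verify
    return None


def sample_records() -> List[dict]:
    # Constructed medication entries for one (fictional) patient.
    return [
        {"patient": "P-1001", "seq": 1, "drug": "metformin", "dose_mg": 500, "by": "dr.a"},
        {"patient": "P-1001", "seq": 2, "drug": "warfarin", "dose_mg": 5, "by": "dr.b"},
        {"patient": "P-1001", "seq": 3, "drug": "lisinopril", "dose_mg": 10, "by": "dr.a"},
    ]


if __name__ == "__main__":
    recs = sample_records()
    ledger = build_ledger(recs)
    print("clean copy:", first_bad_entry(recs, ledger))
    altered = [dict(r) for r in recs]
    altered[1]["dose_mg"] = 50  # a tenfold warfarin dose, silently changed
    print("altered dose:", first_bad_entry(altered, ledger))
    print("last entry deleted:", first_bad_entry(recs[:2], ledger))
```

Because verification chains on the stored digest rather than the recomputed one, a single altered record is reported by index without invalidating everything after it, so responders learn which entries to re-validate against paper or upstream systems instead of distrusting the whole record set. The scheme only helps if the ledger and key are kept where a compromised EHR administrator account cannot reach them, which is the same privileged-access boundary Barlow raises earlier in the interview.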

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
