Why Ransomware On Hospitals Is One Of The Greatest Dangers Of Our Time

Recently, I unfortunately needed to spend some time in a hospital, attending to a family member. I was shocked to see firsthand how much Covid-19 has impacted healthcare processes. As reflected in various reports, the availability of personnel and level of care have been negatively affected, and so many non-urgent procedures have had to be postponed, ultimately leading to worse patient outcomes. Across the board, we’re just starting to realize the impact Covid-19 has had on healthcare outcomes, beyond Covid-related illness and deaths.

 

I think a similar parallel can be drawn to the dangers of ransomware on healthcare organizations.

 

Over the last couple of years, cybercriminals have increasingly targeted critical infrastructure organizations with ransomware attacks since time pressures and the vital services they provide compel these entities to pay more quickly. In 2021, 80% of these organizations surveyed experienced an attack, and 62% paid the ransom, according to my company’s research. One critical infrastructure sector is healthcare delivery organizations (HDOs). Just like any other enterprise, HDOs are increasingly interconnected, and technology controls are relied upon in nearly every step along the delivery process.

While the impact of downtime due to ransomware in other critical infrastructure organizations is mainly related to financial losses and loss of essential services like power, it’s usually not life-threatening. Ransomware on HDOs, however, can be. Looking at the data, it’s clear that ransomware on HDOs can lead to increased mortality.

There are multiple reasons, including procedure delays, having to transfer urgent care patients to other facilities and relying on vital signs monitoring equipment that is not functioning. A tragic example is the death of a baby that may have been caused by a ransomware attack that brought down equipment that monitors birth progress, so healthcare workers didn’t realize the baby was in distress. Researchers say the Covid-19 crisis further exacerbated the impact on patient care and is an “urgent wake-up call for the healthcare industry to transform its cybersecurity and third-party risk programs or jeopardize patient lives.”

Those outcomes are horrific—even a single death is too high a price to pay for ransomware.

Why are HDOs attractive targets for cybercriminals, and what can security teams do about it? Let’s survey the situation first.

 

It’s essential for Internet of Medical Things (IoMT) devices to communicate with an array of other technologies to speed up diagnosis, deliver care and enhance outcomes. So, it’s not a surprise that we’ve seen significant increases in medical devices that are interconnected to the IT network and to each other. Unfortunately, that interconnectivity is also what makes them a great target for attackers.

• Similar to other types of IoT devices, such as industrial ones, IoMT devices have known critical vulnerabilities that are hard to patch in many cases for the same reasons. Patching isn’t practical or even possible due to uptime and availability requirements, lack of infrastructure to do the patching and reliance on old versions of Windows that are no longer supported or updated. A recent report by Cynerio stated that 53% of connected medical devices and other IoT devices in hospitals have a known critical vulnerability!

• Since IoMT devices are usually not part of the overall governance process and in many cases are still outside of the purview of the security team, they don’t get audited for simple things like weak passwords or default credentials. According to the same study, one-fifth of IoMT devices fall in this category.

• Lastly, and very significantly, there is usually no segmentation between IoMT devices and the corporate network. Medical devices are directly connected to the rest of the network and, given their high-risk security profile, are an easy exploitation target and entry point into the network.

As I said at the outset, our healthcare system is overburdened right now. No one is sitting idle on the sidelines, including IT and security staff. So, what can security professionals do to get some quick wins?

1. Identify and add all IoMT devices to the security governance process. This can be super tricky as IoMT devices typically don’t show up in traditional IT tool dashboards. You have to go hunt for them with purpose-built technology. If you cannot get to everything, prioritize the more critical machines, devices and processes.

2. Identify vulnerabilities and remediate risks associated with those devices based on this visibility. Patch where possible or implement compensating controls such as firewall rules and access control lists.

3. Implement network segmentation. Physical segmentation might take a long time to implement. In the meantime, consider virtual segmentation to help detect lateral movement. Network access policies over users, devices and sessions restrict unnecessary connectivity.

4. Monitor for threats across IoMT devices, so you can cover the totality of the assets in HDO networks. Visibility into unusual activities across the network allows you to take specific steps to manage and mitigate risk from ransomware.

As a resource, CISA has published a lot of information to help the healthcare sector deal with ransomware, including best practices and recommendations. To quote them, “Cyber safety is patient safety.” Security professionals in the healthcare sector should take the escalating threat landscape very seriously.

HDO networks are literally essential for delivering positive patient outcomes. It’s essential they get the investment required to give security teams needed visibility to protect against attacks and minimize the possibility that lives could be lost due to medical equipment impacted by ransomware or other threats.

Enterprise Cyber Security – Data traveling into Enterprise through network entry points including devices, downloads and attachments are checked for threats and security breaches.

Industrial Cyber Security – Controlling attacks frequency and strength due to increased demands for connectivity on the Industrial Control Infrastructure. Transferring of files is an eminent factor that ensures unidirectional data transfers and safe media usage.

In the Industrial Cyber-attack, the clarity between information technology (IT), operational technology (OT) and Industrial Control System (ICS) networks becomes blurred due to increased demand for connectivity. This combination of these exposes OT and ICS assets to cyberattacks, which can circulate from the IT domain into operational environments.

In the Industrial Cyber-attack, the clarity between information technology (IT), operational technology (OT) and Industrial Control System (ICS) networks becomes blurred due to increased demand for connectivity. This combination of these exposes OT and ICS assets to cyberattacks, which can circulate from the IT domain into operational environments.

In the Industrial Cyber-attack, the clarity between information technology (IT), operational technology (OT) and Industrial Control System (ICS) networks becomes blurred due to increased demand for connectivity. This combination of these exposes OT and ICS assets to cyberattacks, which can circulate from the IT domain into operational environments.