Ireland's centralized health care system all but ground to a halt on May 14, after suffering a major ransomware attack that shut down all its information technology (IT) systems nationwide. In the subsequent days, provision of care for the entirety of Ireland's population of 4.9 million was severely impacted, a large ransomware demand was made and rejected, a handful of patient records were released online by the hackers, and the country's health system started a long slog back to full functionality.

The attack was a "zero-day exploit" – an attack via a previously unknown software/hardware flaw or vulnerability wherein the flaw is exploited and attackers release malware before a developer has an opportunity to create a patch to fix the vulnerability. By early September, 95% of all their servers and devices had been restored, but the health administration noted some residual impact remained.

"Ransomware is the perfect crime. We steal your access to your information and if you don't pay us, we're going to give your information to everyone else…I don't think that's going to go away anytime soon, because it's very successful for criminals. They're just getting started," said Keren Elazari, an internationally-recognized cybersecurity analyst, author and researcher.

Ever-changing variants and tactics make it nearly impossible for security teams to keep ahead of the criminals, but the basics of cyber hygiene practices still apply: beware of phishing emails that include a malicious attachment or link, stay clear of advertising containing malware, and keep software and hardware up to date.

Conti, the criminal group behind the Irish attack, has also hit more than 290 U.S. organizations including at least 16 U.S. health care and first responder networks, according to the Federal Bureau of Investigation.¹ Like most ransomware variants, Conti typically steals victims' files and encrypts the servers and workstations in an effort to force a ransom payment. Recent ransomware demands have been as high as $25 million.

Not If, But When

The first thing for health care organizations to understand about cybersecurity is that getting hacked is no longer a question of if, but when.

"As a person who built defensive networks for a living and penetrated them for a living, I would tell you that if a focused entity really wants to get into your system, they have a really high probability of success," said Admiral Michael Rogers, the former director of the National Security Agency and the former commander of U.S. Cyber Command under Presidents Trump and Obama.

Hundreds of health care facilities in the U.S. were attacked in 2020 and 2021. According to one report, more than 92 individual ransomware attacks on health care organizations in 2020 affected over 600 separate clinics, hospitals and organizations, and jeopardized the privacy of over 18 million patient records, representing a 470% increase from 2019.²

Hackers might have received just over $2 million in ransomware from these attacks, but the overall cost to all entities affected is estimated at over $20 billion.

This year, more than 360 hacks have been reported to the U.S. Office of Health and Human Services (HHS) Breach Portal. As required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, breaches of unsecured protected health information affecting 500 or more individuals must be reported. The top nine events listed under the "hacking/IT incident" category all involved more than 1 million patient records.

It's not just the big and rich who are at risk. The highest-profile events usually involve large hospital systems, but small and rural health care providers are increasingly coming under attack, with ransomware attacks and other breaches sometimes leading to weeks-long network blackouts.

Rogers and Elazari spoke during a panel discussion on the topic of health care cyber-resiliency at the annual Healthcare Information and Management Systems Society (HIMSS) meeting in August.

They were joined by two other panelists: Michael Coates, former chief information security officer (CISO) at Twitter and co-founder and CEO of Altitude Networks, a cybersecurity consultancy; and Alex Stamos, former chief security officer at Facebook and now the director of the Stanford Internet Conservatory at Stanford University.

Building Cybersecurity Resilience

Health care organizations need not be hopeless or helpless in the face of this onslaught, but should recognize the elusiveness of building an impenetrable defense against attacks, according to experts.

"There are certain meditative religions where accepting the inevitability of your own death is part of finding enlightenment. That's what it's like being a cybersecurity executive in 2021," said Stamos. "You have to accept the inevitability that you're going to fail, and then realize our definitions of what security teams were supposed to do, which is prevent a breach, prevent an attack, are just not realistic anymore," he noted.

Instead, organizations large and small should focus their efforts and resources on building enterprise resilience to enable continued functioning and recovery in the face of an attack, he advised. This includes a disaster recovery plan for when the inevitable attack hits.

"Plan to be breached, plan to have a security incident, build the culture of your organization to be ready for that and for that not to be a career-ending moment for your security team," advised Stamos, who also runs a cybersecurity consultancy.

For Elazari, getting employees familiar and comfortable with dealing with a cybersecurity incident is a crucial part of building resilience. In the cyber world, this takes the form of interactive cybersecurity simulations.

During these simulations, which they call tabletop exercises, says Elazari, the first few hours are often "pure chaos," with participants frantically trying to understand who is responsible for what, what to share inside the organization and outside the organization, and more. The point, she stresses, is to "learn all this before the real stuff happens."

Another point, stressed by all, is the need to instill a culture focused on harm mitigation and recovery. Firing – or even just throwing blame at – the cybersecurity team members at the first sign of a breach is a bad mistake.

The job of the security team is to try to prevent a breach, but also to detect a security incident quickly, and respond in a fast, professional manner "to make it survivable for the organization," said Stamos. When the whole organization, from the CEO down, has this mentality of being survivable, "you invest much more in responder efficiency and effectiveness, instead of prevention effectiveness."

"Traditionally in cybersecurity, collectively, we tended to focus on cyber defense, trying to make it hard for entities to penetrate our moats. I think the pivot today is increasingly much more about cyber resilience. Despite my best defensive efforts, there's a high probability something's going to get in," says Rogers.

"When I started at Twitter years ago, we did one of these tabletop exercises where we created a scenario where there was a data breach inside the company and then we sent an email from the outside saying we have your records, we're going to write a story. What's your response? And then we just watched what happened," said Stamos.

"We watched that email bounce around, how long it took to get to the right people, how they assembled, what they did. We learned so many things that we then took those insights back and improved our processes. That's where resiliency is: thinking about the core controls and the key items to protect. It's not as sexy as some of the research you see, but it will make you dramatically more secure," said Coates.

Plan Ahead: Find Your Ghostbusters

Part of building cyber resilience should be either building a cybersecurity team in-house that is sufficiently powered and empowered to operate effectively or contracting with an outside team to be on call when an attack happens. Once you've been hacked and received a ransomware request, it's too late.

"The service providers that do DFIR [Digital Forensics and Incident Response], the negotiation experts, are working at 500% capacity, so if you're waiting for that moment [when you've been attacked] to find your trusted go-to partner for dealing with an incident, it's already too late. You need to know who your Ghostbusters are, so you know who to call when something happens," said Elazari.

With cybersecurity consultancies booked up solid, finding good help can be hard. One option is to hire a hacker with heart.

"There is a growing potential workforce of friendly hackers, people who have similar backgrounds, but also ethics and a moral compass," said Elazari. In health care specifically, there are projects ongoing like #WeHeartHackers, a collaborative movement between medical device and security research communities, with support from the U.S. Food and Drug Administration and Department of Homeland Security.

Interestingly, a certain "honor among thieves" concept has been declared by some in the hacking world. BlackMatter, a new "highly sophisticated, financially motivated" cybercriminal operation, according to a brief from the Health Sector Cybersecurity Coordination Center (HC3), the cybersecurity arm of HHS, has said they will not target health care organizations.

Should a hospital be attacked, according to a representative from the cybergang, they can request free decryption.

HC3 suggests, however, this promise may not be worth the code it's written in, and they rate BlackMatter an "elevated" threat to the health care and public health sector.

"While there have not been any public health care victims yet, BlackMatter's suspected predecessors targeted the health care sector," said HC3.

Also, can you really trust a "get out of jail free" card from a gang of criminals? Indeed, when Ireland's health system was hacked in May, the hackers – along with their $20 million ransomware demand – offered a decryption key that could be used to unlock the computers infected with ransomware.

However, after a "technical review" of the tool, the government opted neither to pay the ransom nor use the complimentary decryption tool for fear it might do more damage. Data on more than 500 patients were released online by the hackers at the end of May.

Clearly, not all cybergangs have such compunctions. According to the Wall Street Journal, one criminal gang named Ryuk, with ties to Russian government security services, was responsible for one-third of the U.S. ransomware attacks in 2020.⁴ Since 2018, Ryuk has hit at least 235 general hospitals and inpatient psychiatric facilities, along with dozens of other U.S. health care organizations.

Any request by negotiators to take into account that lives are at stake is ignored, according to comments obtained by the Wall Street Journal.

"They do not care. Patient care, people dying, whatever. It doesn't matter," said Bill Siegel, CEO of the ransomware recovery firm Coveware. "Other groups you can at least have a conversation. You can tell them, 'We're a hospital, someone's going to die.' Ryuk won't even reply to that email."

Recent victims include Universal Health Systems, one of the country's largest hospital chains. That attack alone served to shut down about one-third of the hospital capacity in Las Vegas.

Ryuk attacks are primarily delivered via phishing emails. Once deployed in a system, Ryuk, which is the name of the software as well as the organization, encrypts files. Attackers execute multilevel attacks against company networks, carefully selecting targets rather than adopting an automated, scattershot approach to ensure a high rate of success. Once Ryuk obtains a user's credentials, it commences a multipronged attack, moving laterally across a network and gaining ever-higher access privileges until it can, essentially, take over the entire system.

Everybody is Operating at Full-Tilt

With wave after wave of SARS-CoV-2 infections over the last 18 months, most hospitals are just hoping to stay operational.

By moving workers out of hospitals and accelerating the adoption of cloud-based collaboration, the pandemic has been a dream come true for hackers. The trend of migrating work into the cloud has been fast-forwarded by several years, requiring cybersecurity professionals to rethink all processes.

According to Coates, most cyber defenses are built on an architecture that is predicated on a well-established perimeter, with all services flowing through a central security stack (a network of cybersecurity tools that network to protect against varying forms of attack (e.g., antivirus software, email protection, firewall, data backup/recovery, data encryption, etc.). "What we've seen in the last 18 months is that COVID-19 has blown that to hell. The days of a well-defined perimeter just doesn't exist anymore and we've all been forced to pivot," he said.

At the same time, the bad actors are getting ever more sophisticated and aggressive, and the lines between the nation-state and the criminals have blurred.

In February, a Chinese group's hacking campaign against Microsoft Exchange email servers and email accounts based mostly in the U.S. quickly devolved into a widespread operation involving at least 10 hacking groups. Most of these groups were government-backed cyber-espionage teams that exploited the vulnerabilities on thousands of servers in more than 115 countries.

"There's been this real trickle-down effect where the capabilities that we would have once only ascribed to the Ministry of State Security or the SVR [the Russian intelligence service], or to certain groups in North Korea, are now with a bunch of teenagers doing ransomware attacks," said Stamos.

"I knew things were fundamentally changing when I watched criminal groups doing attacks that I'd only seen nation-states do before, like supply chain hacks," said Rogers.

The solutions, again, revolve around a renewed focus on resiliency. "Realize security perfection is not possible and it will be a fool's errand," said Coates. He advised to recognize one's limited resources, identify the most important systems and data, and spend the time on putting controls on those areas. Health care systems should also realize, he added, the most valuable assets and their location(s) have, with COVID-19, likely changed over the last 18 months.

References

1. FBI Flash. Federal Bureau of Investigation, Cyber Division. Alert Number CP-000147-MW. Conti Ransomware Attacks Healthcare and First Responder Networks. May 20, 2021. Available here. Accessed Oct. 20, 2021.
2. Bischoff P. Comparitech. Ransomware attacks on US Healthcare Organizations cost $20.8 bn in 2020. March 10, 2021. Available here. Accessed Oct. 20, 2021.
3. Health Sector Cybersecurity Coordination Center. HHS Cybersecurity Program. Office of Information Security. Demystifying Black Matter. Available here. Accessed Oct. 20, 2021.
4. Poulsen K, Evans M. The Ruthless Hackers Behind Ransomware Attacks on U.S. Hospitals: 'They Do Not Care.' Wall Street Journal. June 10, 2021. Available here. Accessed Oct. 20, 2021.