Steve Giles was having dinner in the Los Angeles area on Friday, Feb. 5, 2016, when he received an ominous phone call.
The computer networks of Hollywood Presbyterian Medical Center, the 434-bed hospital where Giles was the chief information officer, were seizing up. “This created panic, to some degree, within the nursing and physician staff,” Giles told the California Senate weeks later. “We immediately reverted to downtime procedures.”
His staff ended up running to an ATM across the street, twice, to withdraw $17,000 to convert to cryptocurrency and pay off the hackers who were holding his hospital’s computers hostage. There were no reports of patient harm from the incident.
Giles’ team averted a serious medical crisis, but the attack exposed vulnerabilities in one of the first high-profile ransomware incidents at a hospital. Nearly five years on, numerous health care organizations have endured their own version of that jarring experience.
“I equate Hollywood Presbyterian to the accidental revelation that these hospitals are prone and they’re prey, they just lacked sufficient predator interest,” Josh Corman, senior adviser for COVID and safety critical issues at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said in an interview in September. “And it was a feeding frenzy after.”
There have been more than 80 publicly reported ransomware attacks on health care providers in 2020 — more than in all of 2019, according to Allan Liska, a ransomware specialist at threat intelligence company Recorded Future. Health facilities large and small have been affected by the ransomware scourge as the sector’s longstanding cybersecurity challenges, including resource constraints and managing software updates, have come to a head during the pandemic.
A lesson from SamSam
The pandemic has created fresh IT security challenges in the health sector while exacerbating old ones. For example, health care organizations have in recent months relied more on telehealth services to treat patients remotely. If not configured properly, that IT infrastructure can introduce new vulnerabilities that attackers can exploit, according to Justine Bone, CEO of health security company MedSec.
“That became a real challenge for our customers during the pandemic as hospitals scrambled to stand up telehealth platforms without going through the normal checks and balances,” Bone said.
In other cases, deep-rooted cybersecurity issues are taking on more urgency as health care facilities are stretched to capacity by the coronavirus. Managing software updates in sprawling hospital IT networks, for example, has always been difficult for some organizations. But in the face of heightened ransomware threats, the ability of hospitals to promptly update buggy software has perhaps never been more important.
“Vulnerability management [in the health sector] is hard,” said Ron Pelletier, founder of Indianapolis-based security company Pondurance. “Not only do you have to stay on top of it, find the issues and patch them, but you have to constantly do it.”
Pelletier vividly remembers his own “Hollywood Presbyterian” moment: Hancock Regional Hospital in Indiana called him in to help recover from a SamSam ransomware attack in January 2018. The hospital’s careful logging of network traffic made it easier to trace and recover from the attack, he said.
Pelletier and other experts said that health care organizations have made security improvements in the last few years. There is better sharing of threat data in the sector, and more awareness of the network monitoring, security configurations and vulnerability management processes needed to protect networks.
“If you do those things, it lessens the attack surface, and the attackers will move on,” Pelletier said, echoing a pep talk he gives clients.
Corman emphasized the need to keep offline backups of data and to be able to restore networks after an attack. “Because you’re unlikely to prevent a motivated and well-financed campaign, but if you can get back up really quickly the total impact to patient care or patient care delivery is reduced,” he said.
A renewed threat from Ryuk
The economics of ransomware attacks in the health sector are an enduring problem. Despite having security protocols in place, Hancock Regional Hospital opted to pay roughly $45,000 to the attackers to unlock its computers. Many other organizations have coughed up money to retrieve their data.
“We as an industry have been paying too much, and we’ve been fueling the R&D for them to come back at us harder and better,” said Corman, who cautioned that he was not referring to a specific incident. “To use a medical analogy, it’s almost like we’re creating drug-resistant bacteria. And it’s not going to be sustainable in the current course and speed.”
The issue has only magnified in the last two weeks, as there has been a wave of suspected Ryuk ransomware attacks on U.S. health care facilities. The Eastern European criminal gang behind the attacks is known for demanding tens of millions of dollars from large organizations, according to security company FireEye. Federal agencies issued an advisory about an “imminent” cybercriminal threat to U.S. hospitals and held private briefings for health care executives.
It’s a stiff test for a U.S. health sector that, on the one hand, has more awareness of cybersecurity issues and support from the government than before, but on the other is knee-deep in a pandemic. The goal is to bring back computer systems quickly, and not let ransomware crooks affect patient care.
“This latest threat is unique due to its immediacy, severity and potential for broad impact,” said John Riggi, senior adviser for cybersecurity and risk at the American Hospital Association. “Fortunately, the field has taken this [government] advisory very, very seriously and has rapidly bolstered cybersecurity defenses around medical devices and phishing emails, reinforced backups and tested incident response plans.”