If you use the healthcare system, you’re a ransomware target

It’s hard to imagine anyone talking about the “good old days” of the ransomware era.

But compared to now, there were some — sort of. There was a time when the damage from most ransomware attacks was purely financial, as in, pay to get your files unencrypted. Even when attackers upped the ante to extortion, most apparently had an unwritten rule that although they would steal any and all private, personal, and professional information from their targets and squeeze them for every possible dollar, they would refrain from jeopardizing their physical safety and health. They’d drain your wallet and steal your intellectual property but stay away from your pacemaker and let you get that life-saving surgery.

Not anymore. Healthcare organizations have been a top ransomware target for several years. In 2022, while the industry was still coping with Covid, healthcare had become the top target for cybercriminals, with more than twice the number of attacks than on other industries. And the trend seems to be worsening.

The U.S. Department of Health and Human Services (HHS), in its December 2023 “Healthcare Sector Cybersecurity”reported a “93% increase in large breaches from 2018 to 2022 (369 to 712), with a 278% increase in large breaches reported to the OCR [Office for Civil Rights] involving ransomware from 2018 to 2022.”

When it comes to bloodless logic, it makes sense. The key to a successful ransomware attack is leverage. And there’s not much better leverage than saying, in effect, “pay up, or you and/or some of your customers (patients) may die.”

Hence the attack last Thanksgiving weekend on Ardent Health Services that required ambulances to be diverted from hospitals in Texas, New Jersey, New Mexico, and Oklahoma was no outlier. It’s the current business model.

Indeed, a more recent example of the power of that business model is the attack this past February on ChangeHealthcare, a subsidiary of UnitedHealth Group. The company, which has more than 152 million customers, said last week that it had paid about $22 million in ransom in an effort to prevent the disclosure of patient data including protected health information and personally identifiable information.

As a post in the ANA Center for Health Innovation puts it, “Ransomware attacks on hospitals are not white-collar crimes, they are threat-to-life crimes because they directly threaten a hospital’s ability to provide patient care, which puts patient safety at risk.”

Cybersecurity firm Claroty’s Team82 recent State of CPS [cyber-physical systems] Security Report: Healthcare 2023documents that and other reasons why the healthcare industry is a prime target.

• Modern healthcare is connected healthcare — as in, connected to the internet — which makes it accessible worldwide. Embedded devices, imaging systems, infusion pumps, surgical tools, patient monitoring machines, and more, all depend on reliable Wi-Fi. A recent post in Security Week noted that all those systems have “a very low tolerance for disruption. The industry is eminently exploitable and has a strong incentive to settle extortion attacks as quickly and as seamlessly as possible. Lives may depend upon it.”
• It’s a target-rich environment within the buildings. The federal Cybersecurity and Infrastructure Security Agency’s (CISA) KEV [Known Exploited Vulnerabilities] catalog has nearly 1,100 entries and 63% of them are in healthcare networks, perhaps in part because there are 360 different medical device manufacturers — a lengthy and complicated supply chain of vendors.
• It’s a target-rich environment outside the buildings. An estimated 3 million people in the U.S. are walking around with pacemakers that communicate data back to a hospital or doctor’s office via the internet. Those people can’t be expected to be savvy to cyber risks. And that’s just one kind of connected device.
• Patching vulnerabilities is much more complicated in the healthcare industry than in others. It’s not like tapping an icon on your smartphone and waiting a few seconds for an app to update. Claroty notes that those 360 medical device manufacturers have “patch certification programs to ensure compliance requirements and verify that products provide reasonable protection against risk.” That often means that as long as a device or product is functioning, healthcare organizations don’t update it. The result, according to Claroty, is that “medical devices provide attackers with a rich source of ‘forever-day vulnerabilities’: vulnerabilities that are known and fixed by the manufacturer but are never patched by the customer.” Not to mention that embedded devices are meant to be safe and functional 24/7. Tim Mackey, head of software supply chain risk strategy within the Synopsys Software Integrity Group, noted the risk reality. “If a pacemaker is updated, and that update requires a reboot, that then implies that during the reboot cycle, the pacemaker isn’t functioning and that there is a nonzero chance the pacemaker will fail to restart,” he said.
• Privacy doesn’t automatically mean security. The Claroty report notes that “We have been conditioned as an industry to equate healthcare cybersecurity with data privacy,” thanks to the Health Insurance Portability and Accountability Act’s focus on “the protection of personal patient information and enacting privacy and security rules aimed at keeping such data confidential.” But it’s not enough to protect data. In healthcare, it’s also about protecting people.
• Ransomware is no longer something “lone-wolf” or hobbyist attackers launch from their basements. It’s now a sophisticated, well-established, well-funded industry, frequently conducted from hostile nation states with the support of their governments. As the ANA post puts it, “most cyberattacks on health care facilities today are not carried out by domestic, individual hackers […] The vast majority of cyber criminals are operating from the safe haven of adversarial nation states that will not cooperate with or extradite these criminals to the United States. In many situations, these hostile nation states actually facilitate the cyberattacks against the U.S.”

That is a lengthy, depressing list. But not everybody thinks things are quite as bad as those statistics suggest. Mackey said it’s “not as dire as the report implies. Most of those devices operate using connection methods like Bluetooth, which have a limited range,” he said. “This implies that any attack will be limited in scope, and likely targeted since success would require preknowledge that a vulnerable device was in use.”

Government is also involved. In 2022, Congress gave the U.S. Food and Drug Administration (FDA) authority over medical device cybersecurity, allowing it to block the release of devices that don’t meet required cybersecurity capabilities. Among those required capabilities are that it be easier to update devices and systems to patch vulnerabilities, and that they include a Software Bill of Materials (SBOM) listing all the software components running on a device.

Still, as the focus of ransomware criminals and recent successful attacks show, there is clearly a need for better cybersecurity within the healthcare industry. While medical technology has brought vast benefits to millions of people — not just lengthening life but also quality of life — the ultimate irony is that if devices and other tools are vulnerable to attacks, they could turn into threats to health and safety.

The same road to security

So what is the road to better security? It’s pretty much the same one it’s been for decades: Do security basics. As Mackey puts it, ransomware attackers make their money from “those who don’t have good cyber hygiene.”

Cyber hygiene means good vulnerability management, which includes the FDA requirements mentioned above — make devices and systems easier to update and include SBOMs, which give users visibility into what’s inside the product they’re using.

But it also includes other basics that security experts have been preaching for decades. Among them is segmentation. The Claroty report urges healthcare organizations to “isolate connected medical devices — patient and surgical — from corporate networks.” That ensures if attackers get through one door, they don’t have access to every door.

Another basic is regular vulnerability scanning of assets directly exposed to the internet, and then setting priorities on what needs patching first, or performing other mitigation efforts based on how likely a system or device is likely to be breached and how much damage a breach could cause. In the case of UnitedHealth Group, the damage was $22 million — at least — along with compromised medical and personal information of some or all of its 152 million customers.

Finally, privacy and security are related but not the same. “The cost of an application security issue is different than that of a data breach,” Mackey said, “and the core cost of mitigation for each of these events is different in different organizations. This is a complex problem to solve, and one that starts with health delivery organizations prioritizing AppSec during their procurement processes and conditioning physicians and clinicians to recommend devices from vendors with robust AppSec programs.”

He added that government has a crucial role to play. “While its unreasonable to expect users to understand the risks of unpatched vulnerabilities, regulators like the FDA understand that a risk-based approach to AppSec is a requirement and expect medical device manufacturers to have robust testing programs in place that focus on patient health,” he said.