United States hospitals were targeted by two major cyberattacks this fall: the first brought down Universal Health Services, a chain of hundreds of hospitals, and the second, by a group called UNC1878, threatened hundreds of individual health care facilities across the country. Targeting health care institutions marks a new step for cybercriminals.
“We haven’t seen an incident of magnitude that actually has the potential to harm people, literally all the way up to the point of death,” says Caleb Barlow, CEO of cybersecurity consulting firm CynergisTek. “It crosses a line that I think the entire cybersecurity community just didn’t think was going to get crossed anytime soon.”
Many of the large-scale cyberattacks on hospitals over the past few years have been incidental. A piece of ransomware is sent out generally and happens to get into a hospital. That’s what happened to the United Kingdom’s National Health Service (NHS) in the spring of 2017 when the WannaCry cyberattack hit organizations around the world. However, the last two attacks were deliberately carried out against hospitals. They’re an appealing target during the COVID-19 pandemic because they’re so essential. Institutions shouldn’t go offline when they’re trying to get rid of ransomware, said Alan Woodward, a computer security expert and professor at the University of Surrey in the United Kingdom.
They are also targeted because some have paid a ransom to get their systems unlocked, he says. “There’s been quite a few high profile cases where people have paid,” Woodward says. “Whereas, if you ask any law enforcement agency, they will say, please don’t pay. You’ll paint a target on your back.”
Several cybercrime groups vowed not to target hospitals during the COVID-19 pandemic, but attacks on health care facilities have more than doubled in the second half of this year. Most health care institutions are unprepared for cybercriminals, and the pandemic could make things worse, Barlow says. “They are financially strapped because of that pandemic,” he says. “You have a perfect storm: ransomware has been hitting America’s hospitals heavily over the last few years, and almost always, they pay. You have a victim here that is weak, and if you attack them, you’ve got a high probability that you’re going to get paid.”
Thankfully, the two major attacks this fall weren’t as devastating as they could have been. The electronic health records at Universal Health Services weren’t directly affected, and the system was able to get back up and running in a few weeks. The second threat, from UNC1878, was flagged by federal agencies early enough for many hospitals to prepare. The warning may have bought many health care centers enough time to harden their defenses by blocking phishing emails associated with the attack and searching their systems for dormant, malicious files. Hundreds of hospitals were at risk, and these actions may have helped most avoid falling victim to the ransomware. They’re not nearly out of the woods, and the attack has already taken down the computer systems of at least 20 facilities, but the scale of the disruption could have been much larger.
“I hope that what will happen is that people will be prepared, and the warnings will be enough,” Woodward says.
That’s one difference from the WannaCry cyberattack on the NHS. That attack shut down 80 hospitals across the system, forcing them to divert patients and reschedule regular care. The system had some warning, but it didn’t respond quickly enough.
Barlow says that since the warning was posted, he’s spent “all day, every day” in conversations with leadership at various hospitals around the US, helping them make sure they’re ready to ward off attacks. He thinks, so far, facilities taking those steps have been in good shape. Those investments will also help prepare them for the future: even if the current threat fades, he says, others will pop up.
During the pandemic, hospitals will stay a target, Woodward says. “The threat will continue to exist, and the danger will be that people will drop their guard, and they’ll be back,” he says.
For cybersecurity experts, the next step is to find out why cybercriminals are more aggressively targeting hospitals in a potentially lethal manner. There are dozens of theories floating around, says Barlow, but no direct evidence for any of them. “We’re all trying to figure out the same questions you’re asking: Why has the atmosphere changed? And what is their endgame?”