Hospitals Across the Country at Serious Risk for Coordinated Ransomware Attacks

Kennedy Chiglo
Associate Editor
Loyola University Chicago School of Law, JD 2022

The Federal Bureau of Investigation (“FBI”), the Department of Health and Human Services (“HHS”), and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (“CISA”) recently announced that hackers have been, and will continue to be, targeting United States hospitals and health-care providers. These attacks are cyber in nature and often lead to ransomware infections, data theft, and inevitable disruption of health care services when patient information is locked until the ransom can be paid.

What is the nature of the cyber-attacks targeting the health care sector?

Cybercriminals have increased their efforts to target hospital systems with new malware functionalities that make it easier and faster to scam and defraud victims. These cyber campaigns utilize sophisticated ransomware, malicious software that locks up computers until a sum of money is paid for the decryption key. These attacks often begin with phishing email campaigns whose links or downloadable attachments host the malware that infects a user’s computer.

Phishing emails are the most common vehicle for the delivery of ransomware into a provider’s internal network. These emails usually contain a link to a criminally controlled Google Drive document or other file-hosting location that appears to be a PDF file. Typically, this counterfeit document will report a failure to open the PDF file and will provide a link to access the file online. That link usually leads to the ransomware itself, which is installed on the device once the user clicks the link to access the information. Many phishing emails are personalized to the user or appear to be routine business correspondence about customer complaints, hiring decisions, updated internal policies, or other important tasks that would capture the email recipient’s attention.

The health care industry has become the most targeted sector for ransomware; cyber-attacks are more frequent and are expected to increase in the coming months. These attacks have resulted in more than 5.6 million patient records being breached this year alone and may result in lawsuits against providers for compromising the most private individual data.

How does the current public health emergency impact health care providers at risk for cyber-crime?

The COVID-19 pandemic has resulted in unprecedented regulatory requirements for health care providers that have resulted in the postponing of otherwise standard health care operational decision-making. Most health care providers have transitioned their daily procedures to revolve around tracking and reporting suspected and confirmed COVID-19 cases, maintaining adequate PPE supplies, installing new safety protocols for staff and patients, and communicating with patient families who are not allowed access into the facilities.

However, as COVID-19 cases and hospitalizations surge across the country, so have coordinated ransomware attacks. Six large hospital systems have suffered significant cyber-attacks in the past week alone, with many more attacks anticipated this winter as COVID-19 cases spike again. These attacks can cause total disruption of care delivery and can expose patient data to criminals. The rapid expansion of telehealth has left many health care providers vulnerable as they quickly work to expand and secure their networks, and this has led to a swell of cybercriminal activity that targets uninformed patients and their medical devices for monetary benefit.

In the face of the public health emergency, maintaining best practices and compliance with technology requirements is not at the forefront of many health care providers’ agendas. However, technology administrators in hospitals and clinics need to balance the risk of a data breach against other daily demands in order to secure the integrity of their internal networks.

What can be done to protect an institution’s network from being attacked?

It is important to note first that the FBI, HHS, and CISA never recommend paying ransoms to cybercriminals, as this can embolden adversaries to target similarly situated health care organizations and encourage other criminal actors to engage in ransomware attacks. Instead, these government entities encourage best practices such as:

  • Patching operating systems whenever manufacturers release updates to the technology;
  • Regularly changing passwords to network systems and accounts and avoiding reuse of passwords across different accounts;
  • Utilizing multi-factor authentication where possible;
  • Auditing user accounts with administrative privileges and configuring access controls with least privilege in mind;
  • Auditing logs to ensure new accounts are legitimate;
  • Implementing network segmentation so that sensitive data does not reside on the same server and network segment as the email environment; and
  • Setting antivirus and anti-malware solutions to automatically update or conduct regular scans of the solutions to ensure they are up to date.
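Three of the practices above (auditing accounts that hold administrative privileges, configuring access with least privilege in mind, and auditing logs so that newly created accounts are legitimate) can be turned into a routine check rather than a one-off review. The script below is an added illustration, not part of this post or of any FBI, HHS, or CISA guidance; it runs over a small constructed account-management log in JSON-lines form (the field names, account names, group names, and change-ticket numbers are all invented for the example) and reports account creations or privileged-group changes that lack an approved change ticket, any addition to an administrator group, and changes made outside business hours, together with an inventory of who currently sits in a privileged group.

```python
import json
from datetime import datetime

# Constructed sample log in JSON-lines form, loosely modelled on the
# account-management events a directory service records. Every value
# here (names, groups, tickets, timestamps) is invented for the example.
SAMPLE_LOG = """\
{"ts": "2020-11-02T08:15:00", "event": "account_created", "actor": "hr-provisioner", "target": "jdoe", "ticket": "CHG-1001"}
{"ts": "2020-11-02T09:00:00", "event": "group_member_added", "actor": "it-admin", "target": "oldadmin", "group": "Domain Admins", "ticket": "CHG-0990"}
{"ts": "2020-11-02T23:41:00", "event": "account_created", "actor": "svc-backup", "target": "backupadm2", "ticket": null}
{"ts": "2020-11-02T23:42:00", "event": "group_member_added", "actor": "svc-backup", "target": "backupadm2", "group": "Domain Admins", "ticket": null}
{"ts": "2020-11-03T09:05:00", "event": "group_member_added", "actor": "it-helpdesk", "target": "jdoe", "group": "Radiology Users", "ticket": "CHG-1001"}
{"ts": "2020-11-03T10:00:00", "event": "group_member_removed", "actor": "it-admin", "target": "oldadmin", "group": "Domain Admins", "ticket": "CHG-0990"}
"""

# Hypothetical approved change tickets, as a change-management system
# would export them; a real audit would pull these from that system.
APPROVED_TICKETS = {"CHG-1001", "CHG-0990"}

# Groups whose membership grants administrative privilege (assumed names).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Hours (local time) during which routine account changes are expected.
BUSINESS_HOURS = range(7, 19)

ACCOUNT_EVENTS = {"account_created", "group_member_added", "group_member_removed"}


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit_account_events(events, approved_tickets=APPROVED_TICKETS):
    """Return one finding per event that a reviewer should look at.

    A finding lists every reason the event was flagged, so a single
    off-hours, unticketed addition to an admin group shows all three.
    """
    findings = []
    for e in events:
        if e["event"] not in ACCOUNT_EVENTS:
            continue
        reasons = []
        if e.get("ticket") not in approved_tickets:
            reasons.append("no approved change ticket")
        if e["event"] == "group_member_added" and e.get("group") in PRIVILEGED_GROUPS:
            reasons.append(f"added to privileged group {e['group']}")
        if datetime.fromisoformat(e["ts"]).hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            findings.append({"ts": e["ts"], "actor": e["actor"],
                             "target": e["target"], "reasons": reasons})
    return findings


def privileged_members(events):
    """Replay group changes in order to get current privileged-group members."""
    members = set()
    for e in events:
        if e.get("group") not in PRIVILEGED_GROUPS:
            continue
        if e["event"] == "group_member_added":
            members.add(e["target"])
        elif e["event"] == "group_member_removed":
            members.discard(e["target"])
    return members


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in audit_account_events(evs):
        print(f"{f['ts']} {f['actor']} -> {f['target']}: {'; '.join(f['reasons'])}")
    print("current privileged accounts:", sorted(privileged_members(evs)))
```

On the sample log this flags three events: the ticketed but privileged addition of `oldadmin` (every admin-group change is worth a second look even when approved), and the two late-night, unticketed events that create `backupadm2` and place it in Domain Admins. Replaying the additions and removals also shows that `backupadm2`, not `oldadmin`, is the account still holding administrative rights, which is exactly the kind of unexpected privileged account a least-privilege review is meant to surface.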

Health care providers should also emphasize regular educational training sessions and exercises to alert employees to the dangers of malware. Some providers elect to send simulated ransomware emails to give employees indicators of what may appear in their inbox and what should be avoided. Health care providers should also create clear reporting channels for employees to escalate any suspicious activity online. CISA has created free cybersecurity resources for all providers to reference as threats of cybercrime continue to rise. Cybersecurity is not the first priority in the health care sector during a pandemic, but it should be.

The current public health emergency can only be combated with seamless health care delivery to patients through safe and secure technology. Health care providers must take heed of the warnings from the FBI, HHS, and CISA to ensure that their internal technology protocols and safeguards can prevent a cyber-attack. Compliance officers should consider an internal audit of their institution for an accurate assessment of conformity with the current guidance on secured technology offered by the Centers for Medicare & Medicaid Services, the Office of Inspector General, the Office for Civil Rights, and the Office of the National Coordinator for Health Information Technology.