Ransomware vs. healthcare: How the pandemic added to a cyber crisis

Dive Brief:

  • Ransomware hit at least 26 U.S. healthcare providers between January and May, according to Recorded Future, which used open-source reporting to verify the attacks. 
  • April and May averaged six ransomware attacks each, compared to five attacks in April and three attacks in May last year. Recorded Future confirmed Maze was responsible for at least six ransomware attacks this year and NetWalker was responsible for at least five. 
  • Since 2016, Recorded Future said it cataloged 161 publicly disclosed ransomware attacks targeting healthcare providers. Of the 57 attacks recorded in 2019, at least 10 organizations paid or partially paid the ransom.

Dive Insight:

Last year the healthcare industry was inundated with an unprecedented level of ransomware attacks. Smaller healthcare providers, unable to pay a ransom or recover from the damage, were forced to shutter. 

“We expected the problem to get worse in 2020, but many ransomware actors are focusing on healthcare providers specifically because we are in a crisis,” Allan Liska, senior security architect at Recorded Future, told CIO Dive. 

The U.S. Department of Health and Human Services requires businesses to report data breaches impacting at least 500 patients. Recorded Future expects the number to increase because breach notifications “lag by several months.”

The operators behind the prolific Maze ransomware have publicly — and perhaps falsely — claimed it refrains from attacking “socially significant services,” including “hospitals, cancer centers, maternity hospitals and other socially vital objects.”  

While it’s hard to confirm direct COVID-19 correlation with the attacks, “it is safe to say that many of these attacks were initiated through COVID-19-themed phishing attacks,” said Liska. The Federal Bureau of Investigation issued warnings for phishing schemes in April regarding “municipalities purchasing protective equipment” and supplies related to the coronavirus response. 

The healthcare industry’s problem is “compounded further by the fact that many healthcare providers have a remote workforce for the first time ever and have had to lay off staff, including IT and security staff,” said Liska. While the attack surface broadened, in some cases, those protecting it dwindled. 

On Friday, the University of California San Francisco (UCSF) School of Medicine disclosed a ransomware attack discovered on June 3. The IT department “quarantined several IT systems” to prevent further spread. However, through negotiations with the hackers, the university paid its attackers $1.14 million. 

Since April, UCSF has been the only known confirmed healthcare victim to pay its hackers, according to Recorded Future. Seven healthcare providers, out of 14, did not pay their attackers between April and June 29. 

Because UCSF’s encrypted data was “important to some of the academic work we pursue as a university serving the public good,” the university was compelled to pay, according to UCSF. 

Given the trend ransomware operators are following — weaponizing locked data — paying a ransom risks paying for a false promise. “The only way to stop ransomware attacks is to make them unprofitable, and that means organizations must stop paying ransoms,” Brett Callow, threat analyst for Emsisoft, told CIO Dive in an email. 

However, “the only exception, [in] my mind, is hospitals in cases where non-payment could negatively impact patient care, potentially putting lives at risk,” said Callow.