Mounting Health-Care Ransomware Attacks Morph Into a Deadly Concern

Hackers are increasingly targeting health-care institutions and threatening people’s well-being as their software attacks get more sophisticated and brazen.

Source: WSJ | Published on October 1, 2020

Ransomware attacks, in which hackers cripple a software system until they receive a bounty, have surged this year, along with financial demands, security experts say. The attacks have been around for decades but have flourished as society has become more dependent on technology. Other factors include the rise of the cryptocurrency bitcoin, more advanced hacking techniques and, some say, the widespread adoption of cyber insurance.

“The trend has been going up for a while, but in 2020 it has just been skyrocketing,” said Dmitri Alperovitch, the chairman of Silverado Policy Accelerator, a nonprofit think tank focused on cybersecurity.

Hackers have expanded their targets to include health-care companies. This week, one of the nation’s largest hospital chains, Universal Health Services Inc., diverted ambulances from some facilities after a crippling ransomware attack. It said the outage didn’t harm patients, but systems used for medical records, laboratories and pharmacies were offline at about 250 of the company’s U.S. facilities.

The attack occurred Sunday morning, and Universal Health’s network remained offline Wednesday, though priority systems such as email and clinical operations systems were being restored gradually across the country, the company said.

In a separate incident in Germany, prosecutors have launched an investigation after a woman died earlier this month when her ambulance was diverted from University Hospital Düsseldorf in the country’s North Rhine-Westphalia state.

A ransomware attack hit the hospital on Sept. 10, shutting down computer systems and forcing it to reroute ambulances away from its emergency room for 13 days. IT systems there are still recovering, hospital spokesman Tobias Pott said Tuesday.

Attacks on medical facilities are worrying because delays in patient care have been directly linked to patient harm, said Joshua Corman, a senior adviser at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. “We’ve had a growing concern that this degraded and delayed patient care would lead to a demonstrable loss of life.”

Mr. Corman said he had hoped hackers would leave hospitals alone as they were swamped by the coronavirus pandemic, but that hasn’t happened. “We’d assumed that they would be smart enough not to attack, but I think [hackers’] assumption was that [victims] would definitely pay.”

Cybersecurity company FireEye Inc. says ransom demands for large organizations can range between $10 million and $30 million, and hackers are increasingly following up their ransom demands with threats to publish stolen data online, hoping to extract more money. Many companies make the payments.

But some don’t. Last week, hackers released Social Security numbers and other private information after administrators at a Las Vegas public-school district refused to pay an extortion demand, The Wall Street Journal reported Monday.

This month alone, FireEye has tracked 100 ransomware incidents world-wide, more than twice what it saw in September 2019, the company said.

A shift occurred in 2018, according to a Federal Bureau of Investigation alert published last year. That is when the FBI said attacks became “more targeted, sophisticated, and costly.”

According to Mr. Alperovitch and other cybersecurity investigators, hackers now plan their attacks more thoroughly to lock down entire networks, not just a few workstations. Targeted companies effectively face a tough choice: Either pay the attackers or hire others to help recover systems, which can take weeks or longer.

Criminals in some cases have formed professionalized groups, cybersecurity experts say, sharing technical know-how and making ransomware available to a greater number of hackers, sometimes selling malware as an off-the-shelf product that is ready to deploy.

Companies can fight back against ransomware by keeping software up to date, paying for third-party security audits and training employees in cybersecurity practices like being careful about clicking on links, security experts say.

But they also need to plan for potential outages, said Mitch Parker, the chief information security officer with Indiana University Health Inc., a nonprofit health-care organization. “You can’t prepare enough,” he said. “A lot of organizations that have put technology in place have not thought about what happens when it fails.”

Companies are typically tight-lipped about ransomware payments, but an attack on the city of Atlanta’s systems in March 2018 illustrates the stakes. Hackers shut down computer systems and demanded $51,000 to unlock them. The city, absent a guarantee that the payment would solve its problem, chose not to pay. Recovering from the attack, which took a year, ended up costing more than $7 million, Atlanta’s chief information officer, Gary Brantley, said last year.

These days, companies frequently opt to pay ransoms, Mr. Alperovitch said. “As a result, you’re seeing the rewarding of these criminal enterprises where victims are paying millions of dollars in ransom, and it’s continuing to perpetuate this criminal activity,” he said.

The availability of cyber insurance has made those payments more financially palatable to many companies—though insurers say their underwriting requirements encourage customers to bolster their defenses to lower the risk of successful attacks. There is no simple answer, said John Coletti, cybersecurity chief underwriting officer for North America for insurer AXA XL. A global market of incident responders, cyber investigators and specialized lawyers has grown around ransomware.

“If the insurance industry stopped providing ransom payments, would this market go away? It is possible it would shrink,” he said. “It’s also possible more companies would go out of business and essential services might not be provided.”

But the flow of money has CISA’s Mr. Corman worried. “What’s happened is that by paying, we’re funding [research and development] for ransomware to come back harder at us.”