When COVID-19 and Cyber Risk Collide, Lives Hang in the Balance
Scenario: It’s just after midnight and a hospital executive in Washington is checking his email for the last time that night.
All evening his wife and kids have been trying to pull him away from his computer for family dinner, a game of Sorry!, or even just to watch the nightly news, but he remains weary-eyed in his office, hunched over the company laptop.
He is summoned away only briefly to tuck his children in for the night before returning to work.
The hospital he works for has had 10 confirmed cases of COVID-19. So far three people, mostly elderly, have died.
Physicians are calling at all hours of the day and night, begging him for more testing kits. They describe patients with clear symptoms of coronavirus — fevers, extreme coughs, difficulty catching their breath — but the health department rules they shouldn’t be tested due to a shortage of kits.
In his inbox is an email that claims to be from the U.S. Department of Health. It’s set over a blue background and there’s a government seal in the corner. It looks innocuous, and he is desperate.
He clicks the link, enters his hospital login credentials and provides some basic details about his hospital — shipping address, the number of cases they’ve confirmed and how many they’re expecting.
Once he’s finished with the form, it prompts him to download a file that he’ll need to send in to request more testing kits. He downloads and opens the file, but figures he can fill it out in the morning. It’s not like he’ll be able to get more tests tonight.
He’s just about to power down his laptop when a pop-up dominates his screen. His files, it says, have been encrypted and will be deleted unless he sends $120,000 in bitcoin to a hacker in Malta.
For good measure, the attacker threatens to leak sensitive patient data — including medical history and social security numbers — leaving the hospital exposed to HIPAA violations.
Within minutes, his phone is blowing up. Doctors are calling saying that life support machines are malfunctioning. The hackers were able to access his VPN and from there found information that enabled them to break into the hospital’s entire network system.
Two patients die without the support of their life support machines. There is no other choice: the hospital executive pays the ransom.
Does COVID-19 Leave Hospitals Vulnerable to a Cyber Attack?
Analysis: Without question, a cyber attack on a hospital treating coronavirus cases could be a nightmare.
A first taste comes in the form of an attack on the Brno University Hospital in the Czech Republic, just as COVID-19 is beginning to spread in the central European country.
The attack was severe enough to postpone urgent surgical interventions, re-route acute patients to nearby hospitals and shut down the hospital’s entire IT network.
The U.S. Department of Health and Human Services also experienced a cyber attack that attempted to slow down its operations during coronavirus response, according to ABC News. While the system didn’t experience a breach, automated users, commonly known as bots, tried to overwhelm the public-facing HHS system in order to slow it down or even paralyze it.
In the U.S. and globally, COVID-19 is already surrounded by the chaos that comes with a shortage of tests, unclear directions from public officials and widespread panic generated largely by the media.
A ransomware attack would only contribute to that by unnecessarily interrupting business and patient care. Since 2016, data breaches have cost hospitals an average of 16.2 days and $918,000.
Hospitals are also already vulnerable to cyber attacks. A health care security report put out by Corvus notes that four health care entities reported cyber attacks in January alone and there was a 350% increase in ransomware attacks in the industry between Q4 of 2018 and Q4 of 2019.
Health care companies are also less likely to use tools such as email scanners and filters, which can reduce the risk of phishing attacks. Corvus found that 75% of hospitals do not have these tools in place.
Given that 91% of ransomware attacks are the result of phishing exploits, hospitals should be especially concerned about this exposure.
“We’ve seen that health care organizations have become a very popular target for ransomware attacks,” said Mike Karbassi, head of cyber underwriting at Corvus. “Close to a third of ransomware cyber claims are tied to health care organizations and medical facilities.”
Add to these vulnerabilities the fact that hospitals and other health care facilities are also overwhelmed with managing the coronavirus outbreak and you have the perfect storm for a cyber criminal.
“Hospitals are understaffed and overworked and not paying attention, and then if you hit the hospital with an attack, like a ransomware attack, you’re going to debilitate an environment pretty heavily,” said Karim Hijazi, CEO of Prevailion, a cyber intelligence company that infiltrates attacker networks in order to detect new and emerging breaches.
“It can absolutely create mass panic because now you’ve got systems down and they’ve got to go to some sort of manual effort to check people in and contend with patient care.”
Cyber criminals have already created attacks intended to play off of coronavirus fears, Corvus warns. The World Health Organization (WHO) warns that phishing emails purporting to come from WHO officials have been reported, and Wired has written about phishing emails that promise coronavirus safety tips.
“Cyber criminals may be using phishing attacks to exploit our fear about the coronavirus,” Karbassi said.
“It could be in the form of a fabricated CDC alert or it may claim to offer some health advice that doctors think they can share with their patients.”
In a worst case scenario, attackers could try to shut down critical medical devices or other aspects of a hospital’s network that could prevent them from offering patients care in order to goad them into paying a ransom — something hackers are increasingly willing to do.
A recent report from Comparitech warns that hackers may become more willing to attack crucial patient data or life-saving systems if health care entities continue to leave their systems unprotected.
“If you’ve got some sort of prolific flaw in an environment where some of the life support systems can be impacted, that would be tragic,” Hijazi said.
“I’m not trying to fear monger, I’m just being honest, there are some very scary implications here where if an adversary were motivated, and they could very well have a dramatic, life-threatening impact.
“Life support machines run on fairly old operating systems that could be easily compromised.”
Other experts noted that we haven’t seen attacks on medical devices yet, but they warned that cyber criminals are no longer just after data when they breach a system.
“We certainly see that ransomware is definitely not just about the data,” said Chris Hedenberg, director of data science at Corvus.
“We do see ransomware that’s tied to the fact that attackers likely know that these are systems that they need access to and that’s what incentivizes targets to pay the ransoms.”
Other Companies Are Vulnerable Too
Health care and finance are the industries most likely to suffer from a cyber attack, cyber security experts said.
“It’s like Jesse James said, he robbed banks because that’s where the money was. And so that’s true if you’re kind of going after financial data or if you’re going after the most valuable records, and oftentimes those can be healthcare records,” said Alex Hamerstone, GRC practice lead for TrustedSec, a company that conducts ethical hacking tests, security reviews and audits for major corporations.
TrustedSec was founded by a former NSA hacker, and they train the cyber protection teams for the U.S. military.
While health care and finance are the most likely industries to be targeted, other companies are becoming more vulnerable as they rush to get employees working remotely during the coronavirus outbreak.
Outside of the office, employees may join unsecured WiFi networks, such as those available at coffee shops, and their devices may become more vulnerable to attacks.
“The rushed effort to try to get a VPN apparatus or connectivity set up is scary because it does take a bit of time to get that working smoothly,” Hijazi said.
“It’s hard enough to get employees to follow cyber security protocols in the office, much less when they’re at home and left to their own devices.”
Employees’ personal WiFi networks and devices may also create openings for attackers.
“They’re on a network that’s not managed by the company. So they’re not able to control it. It might be insecure, they might have their refrigerator at home that’s insecure on the same network as now a work machine,” Hamerstone said.
How to Prepare for the Worst
As hospitals and other companies prepare to respond to coronavirus, they should also take extra steps to make sure their networks, systems and data are protected.
“I think health care facilities and really all organizations should ensure they’re employing the proper digital tools to make sure they have the best IT security best practices,” Hedenberg said.
“When it comes to ransomware, your only defense with ransomware is to have really sufficient and suitable backups that are completely in a different environment than where the adversary can get to them, so that way you’re not hamstrung by the adversary,” Hijazi said.
Prior to a data breach, companies need to develop incident response plans that they can use in the event of a cyber attack.
“Having an incident response plan is essential. The time to come up with a plan is not when you’re under attack or you have a breach; the time to do it is prior,” Hamerstone said.
The best way to avoid the ramifications of a cyber attack is, of course, to make sure that one never occurs in the first place.
There’s no one-size-fits-all solution, but companies can protect their networks by making sure remote employees have access to a VPN, know how to encrypt sensitive files and have completed cybersecurity training.
For health care companies, these steps could be as simple as putting email filters in place that detect potential phishing scams and providing cyber security training to their employees.
“Nothing works 100%, but everything works a little bit. And so when you start to kind of layer the different protections together, you can start to put together a pretty decent program,” Hamerstone said.