When Ransomware Turns Deadly: Why Health Care and Public Sector Entities Must Prepare for Cyber Risks
A hospital employee clicks a link embedded in an email that claims to be from a common PPE supplier. They login, entering official hospital credentials, only to find that they have unwittingly let a cyber criminal into their system via a phishing scam.
The hackers eventually use this information to gain access to the hospital’s VPN, where they find the information necessary to access the hospital’s entire network.
The attacker threatens to leak sensitive patient data and shut off life support machines unless the hospital pays the ransom.
Or, maybe, a hacker breaks into the electrical grid, shutting off power to an entire city. Food spoils in fridges, leading to cases of food poisoning. People lose the ability to run air conditioners in their homes. Street lights shut off, causing accidents.
Desperate city officials give in and respond to the attack with payment in order to keep constituents safe.
These attacks may seem like the stuff of movies, but a few recent ransomware attacks indicate that it could soon be a reality. In September of 2020, a German woman died after a ransomware attack on a hospital led to care delays.
This February saw hackers attempt to poison Tampa’s water supply by increasing the amount of lye from about 100 parts per million to 11,100 parts per million.
The attack was noticed quickly and public health was never at risk, but an increase of this magnitude could have resulted in skin damage, hair loss or deadly gastrointestinal symptoms.
“The threat actors in the ransomware world, they’re businesses. This is not the caricature of a guy in a basement,” said Heather Hughes, VP, engagement management at Aon Cyber Solutions.
“When any sort of ransom is negotiated during a ransomware event, you’re negotiating with threat actors who know exactly what they’re doing and they do cast a wide net.”
As ransomware payments trend downwards, hackers may test more extreme methods to get businesses to meet their demands, sometimes with dangerous or even deadly ramifications.
With Payments Down, Cyber Criminals Up the Stakes
Insurers and government entities have long encouraged businesses not to give in and pay cyber criminals after an attack. In 2020, the Treasury Department’s Office of Foreign Assets Control even went so far as to issue an advisory that states businesses that pay ransomware demands could face fines and other penalties.
The warnings seem to be working — The Coveware Quarterly Ransomware Report found that the average ransomware payment fell 34% in Quarter 4 of 2020 when compared to Q3, though attacks are still increasing in both frequency and severity for the health care sector.
“We’re definitely still seeing a surge in both frequency and severity in the health care sector. The good news is that the amount of ransom demanded has been going down a bit,” said Paul Davis, area vice president at Gallagher.
“We do not expect this trend of lower payments or frequency of claims to continue,” Jeremy Turner, Coalition’s head of threat intelligence, added.
The argument goes that paying ransomware demands, enables and encourages cyber criminals.
While discouraging businesses from paying ransomware demands is a good practice, cyber criminals will likely try to up the stakes by threatening data leaks, safety and even life if victims don’t meet their demands, making hospitals — and their patients — particularly vulnerable.
“They can’t necessarily be down for 48 hours if they have patients who need to access their electronic medical records,” Davis said.
One of the ways that attackers may try to force a payout is through exfiltrating the data and threatening to release it unless the ransom is paid.
“At Coalition, we’ve seen attack techniques become increasingly severe, with more and more threat groups exfiltrating and threatening to expose stolen data. Demands reached into the millions over the past year, with the recent Acer demand reported to be $50 million,” Turner said.
Health Care Entities and Municipalities Especially Vulnerable
While ransomware attacks occur in all sectors, some industries are more vulnerable than others. If attackers are trying to use life or death scenarios as leverage, they will go after organizations like hospitals and public entities, where they can shut down machines or cause damage to utilities with dangerous or even deadly consequences.
In the case of health care systems, hackers have sought to take advantage of the chaos caused by the pandemic in order to break into systems or to secure ransom payments.
Phishing emails related to PPE supplies, COVID tests and others related to the pandemic have become commonplace. Cyber experts expect that these types of attacks will continue, albeit with a new focus: the much-coveted COVID-19 vaccines.
“This time last year, we were seeing a lot of phishing emails about work-from-home or remote access,” Hughes said. “Now we’re seeing a lot of phishing emails that are very specific to vaccines like, ‘Vaccines available for employees. Click here.’ ”
Attackers are also using the chaos of the pandemic to try to force ransom payments. If a cyber attack causes a power outage at a hospital with 20 people on ventilators, officials will be more likely to pay in order to save lives.
It’s not just the pandemic that makes health care entities a popular target for hackers, however.
Cyber criminals will try to leverage fears over HIPAA violations to try to force a ransomware payment, especially if they’ve exfiltrated the data.
“Obviously, if they exfiltrate data, then that is a big issue for the health care entities, because it could be protected health information. So they have HIPAA issues, they have data breach notification issues, they have patient confidence issues,” Hughes said.
A lack of physical security, in addition to aging tech infrastructure, makes hospitals an appealing target as well.
“Next time you are in the hospital, take note of how many USB ports you could access that are unsecured. Physical security is the first perimeter, and often these areas are overlooked,” Turner said.
Hospitals, utilities, public entities and municipalities are at increased risk because of the chaos a hacker could inflict. Public entities also face increased risk, however, due to out-of-date network systems that are easy access for hackers.
Governments typically have a 33% larger attack surface on average when compared to other organizations usually due to a wide range of public facing applications, according to a 2020 report from Corvus.
They’re also slightly less likely to use email authentication schemes, a common tool for preventing phishing and ransomware attacks. Only 74% of government entities utilize basic email authentication schemes, compared to an 80% average for all organizations.
Utilities, like power grids, are so vulnerable that the U.S. government has created a subcommittee dedicated to protecting U.S. power grids from cyber attacks, which would likely be costly. A study from Lloyd’s and the University of Cambridge found that an attack on a U.S. electrical grid could cost over $1 trillion.
The stakes of locking up a power grid or water treatment plant can also have dangerous or even deadly consequences.
Take the attack on Tampa’s water treatment plant as an example. Though an employee of the plant was able to correct the issue before anyone was hurt, a hacker could lock up a system, infiltrate a plant with poison and demand a ransom to undo the damages, causing injuries or even deaths in the process.
Protecting Your Business from a Cyber Attack
Unfortunately, hackers will keep launching ransomware attacks so long as it is profitable for them to do so.
“Until it isn’t lucrative, they’re going to continue to do it,” said Steve Robinson, area president and national cyber practice leader at Risk Placement Services.
Businesses can prepare by having backups of crucial data — either on paper or on another system. They can also prepare by requiring multi-factor authentication on their systems and by educating their employees on how to avoid phishing and other common cyber attacks.
In the event that an attack does occur, a cyber insurance policy can help cover losses.
To help make sure that they have coverage that fits their needs, health care entities and municipalities should work with brokers that are familiar with their sectors in addition to strong cyber expertise.
Robinson flagged this as being of particular concern for the health care sector due to the unique regulatory consequences they could face in the event of a HIPAA violation.
“It’s important to partner with a broker that’s well versed in cyber, specifically for health care,” he said. “On the health care side, there is the regulatory side of the coverage as well — because we know HIPAA violations and things like that can become very time consuming and costly.”
Rates are increasing on cyber policies though as the market responds to increases in ransomware attacks and some carriers restrict coverage.
“Insurers are really starting to feel the pain and the stress on their overall books of business and their profitability around ransomware,” said Matt Chmel, senior vice president and team leader at Aon.
“The cyber insurance market is significantly changing and hardening due to ransomware losses. Some carriers are looking to limit their ransomware limits, as well as to restrict coverage. So, working with an insurance broker to make sure that language restrictions are as narrow as possible is important.” &