By Justin Fier / Special to Healthcare Facilities Today

With the rise in cyber-attacks that has accompanied the COVID-19 pandemic, hospitals, already susceptible to ransomware attacks, have been acutely affected.

Cyber security experts and government institutions have released warnings about advanced criminals taking advantage of new and known vulnerabilities during this time of reshuffling, remote work, and increased demand. INTERPOL warned of rising ransomware attacks against hospitals and the medical research industry globally, the U.S. issued a statement about threats facing the Czech Republic, and the U.K. and U.S. issued a rare joint advisory from the U.K.'s National Cyber Security Centre and the U.S. Department of Homeland Security.

These warnings have unfortunately turned into a reality, with more attacks against hospitals and healthcare becoming public knowledge as the pandemic continues. One example is the recent attempt against a Romanian hospital by four members of a cyber-criminal group known as PentaGuard. Romania's Directorate for Investigating Organized Crime and Terrorism, shortened to DIICOT, learned that this group was planning to infect Romanian hospitals with ransomware. According to ZDNet, hackers intended to send COVID-19 related emails to trick healthcare workers into clicking on malicious links, thus infecting computers, encrypting files, and causing disruption.

This is just one example of how cyber-criminals have broken their promise to steer clear of attacking hospitals during the coronavirus outbreak. Cyber-criminals thrive during chaos and are inherently opportunistic, so could we have realistically expected them to stand down when opportunity comes knocking? As they look to monetize the crisis, hospitals and patients alike are caught in the crosshairs.

What happens during a successful attack?

But what does it look like when a cyber-criminal does successfully infect a hospital with ransomware? 

The reason ransomware attacks are particularly effective, especially at this time, is because of how quickly ransomware can spread throughout an entire organization and because new, never-before-seen strains are constantly emerging. The time between when an employee initially clicks on a link in an email – instantly downloading a malicious payload – to when a businesses’ critical systems have been fully encrypted and taken offline can be as quick as a matter of seconds.

Hospitals depend on digital systems that contain all of their patient information for day-to-day operations to run smoothly. These electronic medical record systems, known as EMRs, can be equated to the “brains of a hospital.” Without them, medical care professionals don't have the vital information they need to do the most basic parts of their jobs. If these systems are compromised during an attack, healthcare providers must revert back to pen and paper, diminishing their already limited time spent treating patients. 

A recent ransomware attack against Parkview Medical Center in Colorado presented the nightmare situation – an EMR system gone dark. It was the first public example in the U.S. of a successful COVID-19 related cyber-attack that was able to shut down hospital operations, and one week after suffering the attack the medical facility’s network was still down. Thankfully, the staff was properly trained in using paper records and Parkview notes that they were “able to continue patient care without any detrimental impacts”, even as they experienced IT system outages and worked around the clock to fight the pandemic.

Key learnings to protect our systems and our patients

Healthcare organizations around the world can learn from the example set in Parkview. It is commendable that their staff was trained to continue operations and maintain patient care when faced with network outages. However, it also served as a reminder that cyber-criminals are both sophisticated and opportunistic, stopping at nothing when presented with an opportunity to profit. In order to prevent advanced attacks, organizations must implement advanced defenses. 

With 90% of attacks starting in the inbox and email as the origin of both the Parkview ransomware attack and the planned attack against Romanian hospitals, organizations should focus on securing their email ecosystem. Hospitals aren’t just protecting revenue streams and intellectual property, but human life, and may need to look beyond traditional security tools. Tools that rely on whitelists and blacklists will fall short, especially as attackers continue to register new COVID-related domains and launch novel threats. The best way to get ahead of advanced spear-phishing attacks is by using cyber security tools that rely on normal patterns of communication to detect threats.

When attacks are able to spread throughout an organization in a few seconds, even the most sophisticated security teams will struggle to keep up. And with teams stretched thin – and busy getting telehealth up and managing remote work – rapid response becomes that much more of a challenge. Organizations should look towards technology that can save time by taking autonomous actions, stepping in at the earliest signs of an attack to stop ransomware from spreading through critical systems. 

Looking to the future 

Hospitals are inherently prepared for crises. Parkview Medical Center proved that even when struck by ransomware, during a global pandemic, patient care will continue. However, hospitals and healthcare organizations shouldn’t have to juggle concerns over cyber-attacks in addition to worrying about PPE shortages, inpatient care, and decreased revenue.

Yet, in a world where cyber-criminals will stop at nothing for profit, hospitals need to be two steps ahead of attackers, not hope that they will not be targeted. The future is always unpredictable – the next cyber-attack won’t look like the attack against Parkview, and the next global crisis won’t be a pandemic. We must plan for the future, implementing security strategies that can help us get there safely and securely, regardless of what unexpected events or attacks it may hold. 

Justin Fier is the Director of Cyber Intelligence & Analytics at Darktrace.