This September, a ransomware disrupted the emergency services at the Düsseldorf University Hospital in Germany. A female patient intended to receive care when the incident took place was forced to transfer to another hospital 30 kilometers away. Her treatment was eventually delayed for an hour. The local police had since launched a “negligent-homicide” (i.e., killing a person through neglect) investigation. The attack attracted the world’s attention as it could possibly be the first medical cyberattack that is directly linked to a patient’s death.
However, the Cologne public prosecutor’s office concluded recently there is insufficient evidence to hold the hacker responsible as the patient would have died anyway due to her poor health. Although the claim has been dropped, the case is still under investigation. It is believed an existing vulnerability in Citrix virtual private network (VPN), a relatively common software application had led to the ransomware. Nine days after the attack, the hospital was still salvaging the damage done.
More patients could have died or deteriorated during this period of time. As legal causations cannot be established between the ransomware, all the disturbances that were created, and the patients’ medical conditions, the culprits will not be charged more than hacking and blackmailing. Nevertheless, Some experts believe it is only a matter of time before tragedy happens. Ransomware, or encrypting data and demand its owner to pay a sum of money to unlock it, threaten healthcare systems in many ways.
Importance of education and continuous vigilance
Care providers rely on data and digital infrastructure to concert staff, beds, treatment, and equipment. Putting a halt means they will have to turn ambulances away and cancel critical procedures and operations. On 28 October, The Federal Bureau of Investigation (FBI), the US Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) issued a warning after six health systems in Oregon, California and New York suffered from ransomware on the same day.
The warning specified a kind of common ransomware called “Ryuk”. According to cybersecurity firm Check Point, there had been a 71% surge in cyberattacks against the US healthcare sector for the month of October alone and Ryuk is answerable for 75% of them. Criminals are targeting healthcare systems more often as COVID-19 sees a sudden surge in patients, they know hospitals are willing to pay more to save lives and reduce harm. The bare minimal that healthcare systems can do is education.
Usually, some of these attacks may begin with targeted email. Avoid opening emails from unknown senders; clicking on suspicious links, or giving unauthorized access can in fact be one of the most common-sensical yet effective defense. IT professionals within the organizations should constantly look out for traces of trojans like Trickbot, Emotet, Dridex and CobaltStrik and ensure they are removed to close the door for Ryuk. Be extra cautious on weekends and holidays when there is less manpower on site.
Reuters reported the Wizard Spider or UNC 1878, a group operating out of Eastern Europe, could be behind the series of ransomware in the US healthcare systems. The FBI and Homeland Security officials advised hospitals to have their backup systems in order, avoid the use of personal email accounts at work, and disconnect any system from the internet whenever possible.
Prevention is better than cure
Managers or administrators’ desktops are not likely to be the initial or primary crime scene of a ransomware in the age of IoT and artificial intelligence (AI). Many of the smart medical equipment and algorithms are likely to be hooked up to the internet and across databases or devices. Many of them can be just as vulnerable to breaches especially when there is a rush to adoption. In an unprecedented situation like the ongoing pandemic, when AI tools were rapidly developed or re-purposed, cybersecurity may be overlooked or left unfixed.
Ironically, October also happens to the National Cybersecurity Awareness Month in the US and the Food and Drug Administration (FDA) urged healthcare providers to come up with a framework to communicate with both manufacturers and patients on cybersecurity management. Particularly, what is considered “normal” and “abnormal” for each party; assess the vulnerabilities of each party, have a protocol on who to report to when potential breaches occur and so on. Even the best security team struggled in keeping the system updated and protected.
Cyberattacks tend to take place unknowingly and in a speedy manner, so the number of hires in the security team does not correspond to overcoming the challenge. It’s also true that AI can be deployed to counter cyberattacks but detection does not stop the attack. Likewise, hackers can also use machine learning to stage more stealthy attacks, like producing more generic or personalized phishing emails, stealing specific files from a computer, or invent entirely novel strategies.
The likelihood of an algorithm fighting against another algorithm may seem dystopic now, but scientists are not denying the possibility. Whether that is a near or distant future, what can be done right now is perhaps prevention. Like medicine, it will be better than cure, even if a cure does not exist. The real cyber-resilient should require effort from anyone and everyone who interacts or leverages the health systems.