Holding Hospitals Hostage: An Overview of Ransomware Attacks on Hospitals and Healthcare Systems

By Sean Wang

December 9, 2020

As hospitals continue to increase their array of interconnected machines and software to care for and manage patients, they become increasingly reliant on digital ecosystems. Yet, this process of attempting to streamline and unify once separated systems is not without its dangers. The umbrella of healthcare data breaches encompass a number of events and threats including ransomware, privilege abuse and sale of information, and phishing. A paper from The American Journal of Managed Care reviewed 215 data breaches (that affected 500 or more individuals) at 185 different US hospitals between 2009 and 2016. Most noticeable, while network server attacks were reported in only 10 hospitals, over 4.6 million individuals had their information compromised. Data theft occurred in 112 hospitals and compromised 1.1 million individuals, while hacking/IT incidents at 27 hospitals affected 4.6 million individuals. While frequency should be a concern, even  a handful of data breaches can affect millions of lives. In this article, we will be exploring what happens when a healthcare system is attacked by ransomware, the consequences, and what can be done to stop these attacks. 

Ransomware attacks: What, when, where?

Much like how hostages are held for ransom in movies, the person (or in this case, software and data) of interest is held until a ransom is paid. In the context of a ransomware attack on a hospital, medical devices or patient medical records could be locked behind ransomware until a ransom is paid. Because of these system lockouts, events such as medical record loss, surgical procedure cancellation, and redirection of emergency patients could occur.  A striking statistic dating from 2016 by security company Solutionary reported that 88% of all ransomware attacks were on hospitals and health systems.  94% of these attacks were conducted with the ransomware Cryptowall. Security blog Emsisoft writes that in the year 2019, 996 government agencies were attacked by ransomware including state and municipal governments and agencies, healthcare providers (the majority of cases), and universities and school districts (which could be affecting over 1000 individual schools). Because of such widespread damage to government agencies, Emisoft estimates that up to $7.5 billion of damages could have been incurred. If we also consider private entities that could have been affected by ransomware attacks, the costs are even greater.   The National Health Service in the United Kingdom experienced a major breach in 2017 which effectively jeopardized the entire United Kingdom. While former British prime minister Theresa May stated that it was an international attack (as corporations in Spain and Portugal had also been affected), it was clear that an attack was still directed at up to 40 NHS organizations using software called WanaCrypt0r 2.0 or Wannacry which exploited Windows vulnerabilities. Infected computers would demand $300 USD ransom per machine via Bitcoin to decrypt files; after three days without payment, the price would double and after seven days the files would become unrecoverable. Other NHS workers reported that machines demanded $300 USD in bitcoin or files would be wiped. As a result of massive system lockout, hospitals had to revert to a slower offline process; NHS workers had no access to nationalized systems,medical records, prescriptions, or patient results, which resulted in a slowdown of  entire hospital operations. While ransom costs for hospitals are often not publicly disclosed, the Hollywood Presbyterian Medical Center paid $17,000 in 2016 afterts databases were locked for one week. Groups such as the US Department of Health and Human Services and the FBI have recommended against paying ransomware attacks, as such action would only encourage further attacks. In December 2019, New Jersey Hackensack Meridian Health paid an undisclosed sum of money (via an insurance plan related to cyber attacks) to ransomware hackers. In February 2020, two patients filed a proposed class-action lawsuit in a district court in Newark for the “reckless manner” that Hackensack Meridian Health exercised to protect patient information which included claims that HMH did not properly monitor and improve their cybersecurity risks which allowed their medical data to be seen by unknown individuals. These examples are among many of how hospitals have acted quickly to protect their patients; however, the cost of taking swift action is often the need to surrender to ransomware demands. Other groups such as LifeLabs, Health Quest, Tidelands Health, and Solara Medical have had lawsuits filed against them for similar data breaches.  This past month, a woman in Germany died after Dusseldorf University Clinic was unable to accept emergency patients after IT systems crashed in a potentially botched ransomware attack. The woman, in critical condition, was forced to be taken to another facility 32km (20 miles) away from the hospital. The New York Times stated that it is unclear whether the University Hospital Dusseldorf was the actual target or collateral of the ransomware attack. It’s possible that Heinrich Heine University, to which the ransom note was actually directed towards, was the real target, as the hackers stopped the attack on the hospital and gave them the encryption/unlock key before dropping correspondence.  Although German prosecutors are investigating possible manslaughter charges for the death of the patient, arrests and extradition are unlikely for the cybercriminals of this incident. However, given that most hackers are located in Russia, they are protected from extradition. What this inability to apprehend hackers means is that when hospitals or governments face ransomware attacks, the primary actions they can take are minimizing damages and preparing for the next intrusion; stopping future attacks, thus far, does not include preventing current hackers from hacking again. Major hospital chain Universal Health Services was attacked affecting more than 0 hospitals in the US, UK, and Puerto Rico. News site Bleeping Computer reported that UHS employees found that the ransomware had similarities to a high-profile ransomware Ryuk ,which has been linked to Russian hackers. Ryuk has been known to be used for what Wired calls, “big-game hunting”. The ransomware has a history of being directed at large companies who can pay hefty ransoms, such as Garmin. 

How and why do ransomware attacks happen?

In general, ransomware is growing into a corporate enterprise with increasing efficiency and professionalism. Even though major ransomware Darkside Inc. has sworn off attacking groups like hospitals, schools, or non-profits, ransomware Ryuk has had its sight set on hospitals and health systems with a lengthening track record to prove it. 

From a technical standpoint, ransomware attacks can happen because of a variety of security vulnerabilities. In the 2017 NHS case, an estimated 90% of NHS data trusts were on Windows XP systems that were fifteen years old and unable to receive up-to-date Microsoft security updates. 

Ransomware like Wannacry or SamSam has been argued as potential openings for state-managed cyber offensives. Wannacry, with great organization, attacked not only NHS health systems but 150 countries in a single day. 

Solutions to future ransomware attacks:

As a deterrent to prevent health systems from continuing to leave their security defenses unprepared, the Department of Health and Human Services’ Office of Civil Rights (OCR) has been serving HIPAA violation fines for patient data releases. Between 2016 and 2019, fines have ranged from 12 million to over 28 million dollars with an average HIPAA penalty between 1.2 million to 2.6 million dollars. To clarify, however, these fines can be enacted for multiple reasons like data breaches and not necessarily just ransomware attacks.  Various recommendations have been made including both technical and systematic changes to how healthcare IT departments handle their cybersecurity. The Emsisoft blog has recommended actions such as: improving security standards and oversight, more guidance, debt and funding changing, closing the intelligence gap and better public-private sector cooperation, introducing legislative restrictions on ransom payments, and requiring cybersecurity vendors and services “to do more” to protect their customers proactively.  A prominent argument is “closing the intelligence gap” which proposes setting a legal requirement for public entities to disclose when and how ransomware attacks occur. In doing so, this information can be collectivized to unify understandings of how ransomware attacks persist. By linking this practice with better public-private partnerships, defending hospitals and public health can be protected as a unified defense for cyber systems in general. On the EMR front, some private vendors are using Proactive Patient Privacy Analytics (P3A) Ambient Cognitive Cyber Surveillance to track log activity and automate analysis of violation detection; however, making this auditing process forensically sound still or do not offer the tracking activities that are most useful.  One paper featured in the Journal of Medical Systems recommended a new architecture to track healthcare data breaches using “Forensic logging as a service” (FaaS) and payload interception. Conceptually, this proposed architecture has benefits as it is lightweight on an EMR system by “injecting” payload analyzers rather than overhauling or editing EMR data as well as convenient to deploy and potentially useful in a large network of data collection about movement of healthcare data.   In regards to budget, the American Journal of Managed Care stated that hospital IT departments use about 95% of their budgets on federal government compliance and the remaining 5% on actual cybersecurity. While this statistic may be extreme, it shows that budgets likely have some available flexibility to further improve cybersecurity measures. A stipulation is that while cyberattack insurance (to pay ransom demands) may be a worthy investment for redirected funding, it should not be seen as an alternative to better prepared and designed security systems.  Although Emsisoft recommends legislative effort, the American Hospital Association contends that more can be done without changing the law. The AHA argues that we do have sufficient legal strictures in place such that beyond just criminal investigation, the US can utilize financial sanctions or go on the “offensive” to disable or disrupt potential cyber threats as means to deter future cyber attacks. Additionally, something worth considering is that while hackers could be jailed for up to twenty years in the US, extraditing hackers located outside the US may prove to be a difficult task. As such, looking for alternative means to eliminate the potential for future attacks without the hassle of introducing new legislation can bear some utility. 

The future of medical information and cybersecurity:

What makes ransomware attacks so viscerally scary is that they show how lives can be easily collateralized. They pose a clear and imminent threat to how abuse can occur in cybersecurity systems. In addition, there are major legal and privacy issues that come up when medical data is compromised. Especially in the US where an individual’s medical data is privileged to very few by-laws such as the Health Insurance Portability and Accountability Act, the release of your medical records and potential misuse are gross violations of an individual’s privacy. In the broader landscape, health data breaches occur not only to hospitals but also to health insurance companies  like Anthem Premera Blue Cross and Excellus Health Plan. These breaches can affect millions of people and cost companies millions of dollars as well. As cybersecurity attacks grow in number, scale, and professionalism, it is imperative that we bolster our defenses, and reevaluate data access policies to keep our systems and each other protected.