On October 28, 2020, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) issued a joint warning that they have “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” The warning comes on the heels of what may be the earliest reports of a causal relationship between a ransomware attack and the death of a patient at a healthcare facility. In September, prosecutors in Germany launched a negligent homicide investigation after a patient at Dusseldorf University Hospital died following a ransomware attack that hampered emergency services. More recently, authorities linked the same incident to a ransomware attack in the U.S., impacting all 250 locations of a hospital chain headquartered in Pennsylvania, with additional hospitals and healthcare facilities facing current threats, several of which are being adversely affected by similar ransomware events.
U.S. agencies believe that hackers are targeting the healthcare industry with the Trickbot malware and the Ryuk ransomware, with the intent to engage in “data theft and disruption of healthcare services.” Once a target is infected with malware such as Trickbot, that foothold is used to deploy the Ryuk ransomware. When directed at the healthcare industry, this malware and ransomware combination can disrupt critical healthcare services that are already taxed by COVID-19 and face increased cyber vulnerabilities because of the pandemic. While hospitals may have considered taking specific systems offline, or spent time bolstering their systems and defenses, many are scrambling just to keep those systems up and running in light of the operational challenges presented by the pandemic, including the rapid scaling of the remote workforce and the resulting security vulnerabilities, such as a vastly expanded attack surface. The warning provides technical details about the malware, which should be reviewed by system administrators and other IT professionals responsible for protecting the organization’s IT systems, particularly those in the healthcare space.
While this warning was specifically directed at new threats targeting the healthcare industry, hackers have targeted other industries using similar, if not the same, methods with the intention of stealing data, extracting money, and disrupting the economy. Targeted industries include manufacturing, automotive, logistics, hospitality, and financial services, among others. The warning directs organizations to study CISA’s Ransomware Guide, which organizations of all types should consult to help develop best practices to prevent, protect against, and respond to a ransomware attack.
The potential for disruption to safety-critical applications, such as medical and life-support systems, makes healthcare organizations, including retirement communities, a high-value target for ransomware attacks. Faced with the inability to provide life-saving medical services, especially during the COVID-19 pandemic, healthcare organizations may be tempted to pay the demanded ransom. However, organizations should be aware that payment of the ransom does not ensure that they will be able to decrypt the data, or that the system will not be left compromised with malware, allowing for a later ransomware attack or compromise of data. Furthermore, in some cases, the payment of a ransom may be considered aiding terrorist activities or may otherwise violate federal law, leading to governmental or regulatory sanctions and increased potential liability. Therefore, organizations should take the steps outlined in the Ransomware Guide to help them defend against ransomware before it strikes and to recover lost data if it does, rather than pay the ransom. Organizations should also contact federal law enforcement agencies and determine whether a decryption key is available for the particular strain of ransomware affecting the organization. Such efforts may allow for decryption of their illegally encrypted files as well as avoidance of being forced to make a ransom payment to the attackers. Organizations that cannot recover from a ransomware attack in a timely manner without paying the ransom should consult experienced legal counsel before making any payment, to understand the potential liabilities and risks associated with making such a payment.