Healthcare organizations in California alone have already paid $35 million in ransom since 2016. Ransomware will continue to prosper as long as hospitals pay, experts told CyberNews.
Many medical devices are running on unsupported systems and unpatched software, which means that they are susceptible to attacks and threaten patients’ lives. Guidehouse researchers estimated that California alone paid $35 million in ransom since 2016.
Hospitals are willing to pay ransom because there’s more at stake for them. They also fear being drowned in lawsuits. As long as they pay, ransomware will continue to prosper, experts argue.
Patient monitors, MRI scans, and other lifesaving equipment have improved the quality and speed of patient care delivery. On the other hand, they have also increased the variety and severity of threats, reckon Jack O'Meara and Ricardo Davidson Sr. of Guidehouse.
Vulnerable IoT medical devices can function as backdoors for malicious hackers to access sensitive information.
Over the past three years, IoT-related breaches in the healthcare industry have compromised more than 135 million people in the US.
It is estimated that more than 80% of medical imaging devices could be susceptible to these attacks because they run on unsupported operating systems and unpatched software.
“Many medical devices are legacy devices, they are older, so it is sometimes difficult to upgrade them. Ransomware will continue to be on the rise, as long as healthcare organizations and hospitals are willing to pay,” O’Meara told CyberNews.
Ransomware is costly compared to other malware attacks, especially in the healthcare sector, Davidson added. CEOs and legal teams have to decide whether to pay the ransom, and the fear of being hit with lawsuits is an important factor here.
In 2020, a woman died in Dusseldorf due to a ransomware attack. But cybercriminals are not attacking hospitals and other healthcare organizations to try and kill somebody.
“It is for financial gain. That is the motivation. Criminals know that they are attacking systems that have the potential of impacting the health or life of patients,” O’Meara said.
As there’s a lot at stake, hospitals are more willing to pay the ransom than other organizations, and criminals exploit that.
“They are out there just to try and get the victim to pay the ransom. Maybe it could be minimal to a hospital, or it could be quite extreme but, I think, they are not worried about patients. They are worried about getting money. Hospitals are more publicized, but other sectors have been affected by ransomware,” Davidson said.
Along with targeting industries that have more to lose to ransomware, criminals are also attacking sectors that traditionally have been known for not having sound cybersecurity.
“It is like a burglar going through the neighborhood - they are not going to attack a house that probably has bars on the windows as much as the one that looks like a much easier target to penetrate,” O’Meara said.
He recommends that any organization suffering a ransomware attack with a potentially big impact on the organization engage the FBI for guidance.
“Then they can work with administrators or a board of directors and offer a general counsel. Ultimately, organizations have to decide whether they pay a ransom or not,” O’Meara said.
Many medical devices could be susceptible to cyberattacks because they run on unsupported operating systems and unpatched software. Why?
According to Davidson, the upgrades are costly, and there is a need for cybersecurity training to maintain the technology.
“A lot of technology is supported by third-party vendors. Healthcare organizations have to establish some kind of serviceable agreement with them to ensure that they are incorporating some type of security patches on the devices that are there,” he said.
O’Meara sees some positive trends - larger healthcare organizations and hospitals are starting to build cybersecurity requirements into their procurement processes and practices to force the manufacturers of medical devices “to provide adequate support to make sure security is built-in their products, to test it adequately.”
The IoT Cybersecurity Improvement Act of 2020 requires the National Institute of Standards and Technology to develop guidelines for IoT devices.
“They started generating some drafts last year for organizations on how to manage their IoT devices, recommendations for manufacturers how to build security into their devices and adequately test them. And also establishing guidelines of how to build cybersecurity requirements into your procurement process,” he said.
Another law, enacted in 2018 and in force since January 1, 2020, requires any internet-connected device manufacturer that wants to sell its products in California to build adequate security controls into those products.
“We are seeing a lot more regulations and guidance coming out from both federal and trade associations to not only benefit vendors but also benefit organizations that have to implement those kinds of technology,” O’Meara explained.
Despite these positive steps, ransomware, O’Meara argued, “will continue to prosper as long as healthcare organizations and hospitals pay.”
FDA’s first medical device cybersecurity chief
The Food and Drug Administration (FDA) just named its first medical device cybersecurity chief - Kevin Fu, a University of Michigan associate professor, who will serve a one-year term as acting director of medical device cybersecurity at the agency's Center for Devices and Radiological Health.
“They require medical device manufacturers to build security into their products and to adequately test them,” O’Meara said.
Moreover, the FDA works with the Department of Homeland Security’s cybersecurity team to monitor medical devices with vulnerabilities. They publish special reports so that hospitals and health organizations are aware of them and can take appropriate precautions to protect those devices.
“A good trend is that the oversight of medical devices is coming under the chief information security officer, and a lot of standard IT and cybersecurity practices are applied to medical device technology,” O’Meara said.
According to him, the first step to protecting yourself from a ransomware attack is making sure you have an inventory of all your medical devices and know where they sit on the network, how old they are, and what their vulnerabilities are.
“Then you can take appropriate steps to prioritize your protection of those devices,” he said.
As in any other organization, cybersecurity training in hospitals is crucial too, because they are typically targeted with phishing attacks designed to compromise a single computer. Once the attacker has done that, they can move throughout the network.
“If there are medical devices connected to the same network that computer is connected to, then they are susceptible if it's a vulnerable device,” O’Meara said.
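The inventory-first approach O’Meara describes, and the phishing-to-device path he warns about, as an added example that is not part of the original article: a short Python script over a constructed device inventory that flags unsupported operating systems, unpatchable devices, known vulnerabilities, and devices sharing a VLAN with staff workstations (the phishing landing point), then ranks which devices to isolate or patch first. All device names, VLANs, EOL dates and scoring weights are assumptions chosen for illustration.

```python
"""Rank a medical-device inventory for ransomware exposure (added example)."""
import csv
import io
from datetime import date

# Constructed sample inventory; device names, VLANs and EOL dates are made up.
INVENTORY_CSV = """\
device,os,os_eol,vlan,patchable,known_vulns
mri-scanner-1,Windows 7,2020-01-14,vlan10,no,4
infusion-pump-12,Embedded Linux 3.x,2017-03-01,vlan10,no,2
patient-monitor-3,Windows 10,2025-10-14,vlan20,yes,1
pacs-server,Windows Server 2019,2029-01-09,vlan30,yes,0
"""

# Constructed: VLANs where staff workstations (the usual phishing victims) sit.
WORKSTATION_VLANS = {"vlan10"}


def load_inventory(text):
    """Parse the CSV inventory into a list of dicts (one per device)."""
    return list(csv.DictReader(io.StringIO(text)))


def score_device(dev, today, workstation_vlans):
    """Return (score, reasons); a higher score means isolate or patch first."""
    score, reasons = 0, []
    if date.fromisoformat(dev["os_eol"]) < today:      # OS no longer supported
        score += 3
        reasons.append("unsupported OS")
    if dev["patchable"].lower() != "yes":               # legacy device, no fixes
        score += 2
        reasons.append("cannot be patched")
    if dev["vlan"] in workstation_vlans:                # reachable from phished PCs
        score += 3
        reasons.append("shares VLAN with workstations")
    vulns = int(dev["known_vulns"])
    if vulns:                                           # capped so it cannot dominate
        score += min(vulns, 3)
        reasons.append(f"{vulns} known vulns")
    return score, reasons


def prioritize(text, today=date(2021, 3, 1), workstation_vlans=WORKSTATION_VLANS):
    """Return [(score, device, reasons)] sorted from most to least exposed."""
    ranked = []
    for dev in load_inventory(text):
        score, reasons = score_device(dev, today, workstation_vlans)
        ranked.append((score, dev["device"], reasons))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


if __name__ == "__main__":
    for score, name, reasons in prioritize(INVENTORY_CSV):
        print(f"{score:2d}  {name:20s} {', '.join(reasons)}")
```

A device that is both unpatchable and on the workstation VLAN lands at the top of the list, which is the case where network segmentation, not patching, is the available mitigation.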
Forced to increase cybersecurity budgets
Taking better care of medical devices does not necessarily mean costly investments, at least at first. According to Davidson, hospitals should take a proactive approach to cybersecurity, understanding what the technology in their environment is, what it does, and what it is supposed to do.
“If there is a network security issue, you need to understand what services are running in that network, so you get a good understanding of what is in your environment, what is running, what needs to be patched, and what needs to be updated,” he said.
Usually, malware, including ransomware, gets into a hospital environment through phishing attacks. Therefore, cybersecurity training is essential: hospital staff need to understand how malware gets into the systems. That understanding is a huge step towards preventing cyberattacks and protecting the organization.
Regulations, experts argued, are helping to improve the cybersecurity situation in hospitals.
The number of cyberattacks is going up, and so we see a lot of efforts to build cybersecurity requirements into the procurement processes, O'Meara argued. It means that medical devices fall under the supervision of chief information security officers. That allows or even forces increases in budgets.
Hospitals and other organizations are starting to take cybersecurity a lot more seriously due to the cost impact and possible violations of regulations, Davidson added.
“When you have governance, regulations to comply with, and the actual events of cyberattacks, that's going to force hospitals and other organizations to start straightening on their cybersecurity posture and the defense of their networks. Having this guidance out there will at least give them some starting points to where they need to start looking to assess whether currently as far as maintaining their environments and maintaining their security posture,” he said.