Death by Ransomware: Poor Healthcare Cybersecurity

Death by Ransomware: Poor Healthcare Cybersecurity
Babur Khan, Technical Marketing Engineer at A10 Networks

If hackers attack your organization and you’re in an industry such as financial services, engineering, or manufacturing your risks are mostly monetary. But when it comes to healthcare cybersecurity, not only is there significant financial jeopardy, people’s health and wellbeing are also at risk so the stakes are much, much higher.

According to the Department of Health and Human Services, there has been an almost 50 percent increase in healthcare cybersecurity data breaches between February and May 2020 compared to 2019. This is thought to be a result of the COVID-19 pandemic distracting the industry due to the sweeping changes required, putting extra pressure on already inadequate healthcare cybersecurity measures. 

Why Are Hackers Attacking Healthcare?

If there’s one thing hackers like, it’s a target that’s “soft” and large, complex organizations in industries that have been slow to adopt and then secure digital technologies are precisely that, soft targets. These organizations usually have broad and mostly poorly defended “attack surfaces,” which provide hackers with many routes to enter and through which they can not only exfiltrate data but also compromise services and hardware.

Healthcare, in general, is one of the most visible and softest targets. Successful hospital cyber-attacks usually cause significant disruption of patient data and routine workflows such as scheduling patient medication, resources management, and other essential services. These hospital cyber-attacks can easily result in what is euphemistically called in healthcare “bad outcomes” … these “bad outcomes” include injury and death.

How Does Healthcare Think About Cyber Risks?

A study by the security consulting firm Independent Security Evaluators concluded:

One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective … In summary, we find that different adversaries will target or pursue the compromise of patient health records, while others will target or pursue the compromise of patient health itself.

The report argues that protecting patient records has been most of the focus of healthcare cybersecurity planning, and organizations often view threat actors as being “unsophisticated adversaries” such as individual hackers and small hacker collaborations. ISE argues that this framework ignores the potential of far more sophisticated hospital cyber-attacks from political hacktivist groups, organized crime, terrorists, and nation-states who are all highly motivated and well-funded and “As a result, a multitude of attack surfaces are left unprotected, and attack strategies that could result in harm to a patient are not considered.”

The Universal Health Service Hospital Cyber-attacks

In September 2020, Universal Health Services a hospital and health care network with more than 400 facilities across the United States, Puerto Rico, and the United Kingdom, found itself under attack by the Russian “Ryuk” ransomware. This wasn’t the first hospital cyber-attack on UHS. Security firm, Advance Intel’s Andariel intelligence platform, reported that trojan malware-infected Universal Health Services throughout 2020.

UHS has not officially confirmed the details of the attack but reports by UHS employees indicate the attack was the result of a successful phishing expedition. The attack disabled computers and phone systems and forced the hospitals to revert to using paper-based systems to continue operations. Affected network hospitals also had to redirect ambulances and move surgical patients to other unaffected facilities.

As is usually the case with large, complex organizations, cleaning up and restoring the system was neither simple nor quick and a UHS press release on October 12, 2020, announced: “… we have had no indication that any patient or employee data was accessed, copied or misused.” It also stated that operations were mostly back to normal after a total of 16 days. Given that downtime for enterprise security breaches cost upwards of $1,000,000 per day or more this attack will have dealt a serious blow to UHS’ bottom line. Whether UHS paid the ransom is not known.

Cyber Attacks and Murder

When a cyberattack happens to any organization, there are always consequences but when healthcare ransomware is involved there’s a real risk of loss of life. In the case of UHS, there were unconfirmed rumors of four patients dying because doctors had to wait for lab results delivered by couriers instead of by electronic delivery. While those, so far, appear to be just rumors, there is one known case of a patient dying directly due to a hospital ransomware attack.

The University Hospital Düsseldorf (UKD) in Germany suffered a ransomware attack on September 10, 2020. The attackers exploited a vulnerability in the Citrix ADC that had been known since January but the hospital, unfortunately, had not got around to implementing the fix.

As a result of the attack, the hospital immediately announced that “The UKD has deregistered from emergency care. Planned and outpatient treatments will also not take place and will be postponed. Patients are therefore asked not to visit the UKD – even if an appointment has been made” and patients were routed to alternative medical facilities.

The demand note delivered by the hospital ransomware showed that the intended target was not in fact the University Hospital Düsseldorf but rather Heinrich Heine University. The German police contacted the hackers via the instructions in the ransom note dropped by the malware and explained the mistake after which the hackers withdrew their demand and provided the decryption key.

Unfortunately, one patient with a life-threatening illness was diverted to a distant hospital after UKD was deregistered as an emergency care facility. The additional hour’s travel may have been the cause of the patient’s death. On September 18, 2020, German prosecutors launched an official negligent homicide investigation which, if confirmed, would make the patient’s death the first known case of death by hacking.

Protect Critical Systems from Malware

The key to defending your systems from malware and phishing is monitoring and examining all network communications. Now that encryption is becoming the norm for all internet communications, looking “inside” of message streams requires new approaches and technologies so that embedded threats are caught and handled before they can escalate into disasters.


About Babur Nawaz Khan
Babur Nawaz Khan is a Technical Marketing Engineer at A10 Networks, a leading provider of secure application services and solutions. He primarily focuses on A10’s Enterprise Security and DDoS Protection solutions and holds a master’s degree in Computer Science from the University of Maryland, Baltimore County.