Federal Authorities, Patient Safety Experts Warn of RisksCyberattacks Persist as a Danger to Health Sector, Patients
Cyberattacks remain a critical security concern - and a top patient safety hazard - for the healthcare and public health sector in 2022, federal authorities and other experts warned this week.
The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in a bulletin Friday warned the healthcare and public health sector that ransomware operators "continue to evolve their techniques and weapons for increasing extortion pressure and maximizing their payday."
Also, nonprofit patient safety organization ECRI in a report released on Tuesday identified cyberattacks as the number one health technology hazard in 2022.
The 15th annual list was compiled based on analysis by ECRI experts, including clinicians, clinical engineers, technology managers, purchasing staff, health and systems administrators, says Juuso Leinonen, principal project engineer at ECRI.
Cyberattacks such as ransomware incidents have resulted in "demonstrable impact to patient safety," says Chad Waters, senior cybersecurity engineer at ECRI. "We've seen hospitals go on divert, and that delay of patient care has impacted outcome."
"We're seeing more and more clinical workflows rely on various connected technologies … and the disruption to the availability of some of these systems … can delay care, and in worst-case scenarios, can lead to harm," Leinonen tells Information Security Media Group.
In its bulletin, HHS HC3 says that during the fourth quarter of 2021, the agency observed a continuation of ongoing trends related to cyberthreats to the healthcare and public health community - and that the activity will likely continue.
"Ransomware attacks and data breaches often both together continued to be prevalent attacks against the health sector … Vulnerabilities in software and hardware platforms, some ubiquitous and some specific to healthcare, continued to keep the attack surface of healthcare organizations wide open."
During the fourth quarter, vulnerabilities in Apache’s Log4J logging library/framework affected many industry verticals, including the health sector, HC3 says. "Efforts to patch the recently discovered vulnerabilities associated with it continue into 2022," says HC3, which issued a separate advisory on Thursday warning the healthcare sector of the rise in Log4j attacks.
HHS HC3 says in its Friday bulletin that despite various recent law enforcement takedowns targeting some cybercriminal gangs, the healthcare sector continues to face concerning threats from related attackers.
For instance, "Emotet is back," HC3 says, referring to a malware variant that has been in operation since 2014, whose criminal botnet's infrastructure was interrupted by international law enforcement authorities in early 2021 (see: Law Enforcement Operation Disrupts Notorious Emotet Botnet).
Despite that takedown, the criminal group behind Emotet - which had prolifically targeted healthcare and other industries - "appears to be attempting to reconstitute the infrastructure behind it," HC3 warns.
Security researchers have been releasing "small indications of [Emotet] activity on social media and are reporting that it has updated capabilities," it says.
HC3 says that includes "changes to the loader - new commands are available for it as well as for the dropper. There is a new command and control infrastructure operational - there are reportedly already 246 systems that are part of it."
Last week, authorities in Russia charged at least eight individuals with crimes tied to the REvil ransomware operation (see: Russia Charges 8 REvil Ransomware Suspects After Raids).
That group has victims in many sectors, including healthcare. Organizations hit by REvil cybercriminals included the University Medical Center of Southern Nevada, as well as IT managed service software vendor Kaseya and meat processing giant JBS - which paid it an $11 million ransom - among many others.
Meanwhile, a report issued this week by security firm Emsisoft says that the number of healthcare providers it tracked as being affected by ransomware in 2021 was lower than the number in 2020.
But the potential effect of the attacks in 2021 appeared more widespread at some of the organizations hit.
"In 2021, at least 68 healthcare providers were impacted by ransomware, including multiple hospitals and multi-hospital health systems. The impacted organizations operated a total of 1,203 sites between them," Emsisoft says. “In 2020, 80 providers operating 560 sites were impacted."
Emsisoft says one of the healthcare providers hit by ransomware in 2021 was Sanford Health, which operates more than 600 locations, including 46 hospitals, and Scripps Health, which operates 24 locations, including five hospitals.
“The cost of the incidents will be significant. Scripps Health, for example, put the cost of its attack at $112.7 million," Emsisoft says.
Benjamin Denkers, chief innovation officer at privacy and security consultancy CynergisTek says: "Ransomware is a massive business and compromising a larger healthcare organization provides attackers with more leverage, especially when there is precedence they pay. It also wouldn’t surprise me if many incidents went unreported."
What Comes Next?
So far, the actions taken by law enforcement agencies to disrupt ransomware operations in recent months do not seem to have resulted in a reduction in the number of incidents, says Brett Callow, an Emsisoft threat analyst.
"But that’s not surprising, as it’s still early days," he tells ISMG. "The ransomware problem cannot be solved overnight. We are, however, finally heading in the right direction and the measures that the government is now taking, both offensive and defensive, will hopefully have an impact in the longer term.
"But for now, attacks against the healthcare sector are, unfortunately, likely to continue at much the same rate as ever."
Denkers is hopeful that any disruption of ransomware infrastructure "will help buy time" for potential targets in the healthcare sector. "The question then becomes what is next," he says.