How hospitals can prevent malicious downloads

As healthcare orgs face ransomware attacks, IT pros share how to stop the malicious downloads that start them.

Francis Scialabba


A far-reaching cyberattack on 140 hospitals within a nonprofit health system likely began with one tiny misclick.

In May, ransomware threat actors hit national hospital operator Ascension, leaving healthcare professionals to deal with consequences like system downtime, delayed lab results, and handwritten orders for medications, according to a May 23 report from NPR.

In a company statement on June 12, Ascension said that the unauthorized access began with an “honest mistake” after an employee downloaded “a malicious file that they thought was legitimate.”

But take comfort, unnamed Healthcare Brew reader, in the fact that this type of mistake is common in all sorts of industries.

Cybersecurity company Sophos’s The State of Ransomware 2024 study, conducted in January and February, found that 23% of respondents who reported cyberattacks cited a “malicious email” (aka a message with a link or attachment that downloads malware) as the starting point. The survey polled respondents from across industries, including healthcare, financial services, and higher education.

Fast and spurious. Ryan Patrick, VP of adoption at security framework provider Hitrust and a former healthcare cybersecurity consultant, has experienced the fast pace of hospitals—and their employees—firsthand. And since these healthcare pros see “hundreds of patients per day,” he said, it leaves little time for reflection when a malicious email arrives.

According to a May 4 report from the American Hospital Association, economy-wide inflation grew by 12.4% between 2021 and 2023, while Medicare reimbursement for inpatient care grew by 5.2% over the same period. As a result, the trade group said hospitals have struggled “to maintain access to care and invest in cybersecurity and cutting-edge treatment.”

Chief information security officers therefore require executive support, Patrick said, to provide the right defenses for the slipups that lead to cyberattacks.

“Executives are doing a better job, but they still don’t understand security, and they are not focused on it. They’re focused on hospital operations. So there needs to be much more education that happens at that level in order for them to understand how security is an enabler for profits and revenue, even though it’s a cost center,” Patrick said.

Sophos’s study found that 34% of its 5,000 global IT/cybersecurity leader respondents identified email as the main attack approach; the other leading cause, cited by 32% of orgs hit by ransomware, was vulnerability exploits in devices.

From whoops to ’ware. So, how does an accidental malicious download lead to ransomware?

  • While downloaded code can lock access to the machine’s data, an attacker can sometimes also gain remote access and establish communication with a command-and-control (C&C) server, which then sends commands (like exfiltrating data) to the malware-compromised machine.
  • Eventually, an attacker may try to use the compromised machine’s existing access to escalate to admin-level privileges, which permit actions like reading confidential data, modifying system configurations, or deleting logs (the security records that alert IT teams to signs of compromise).

A Check Point Research study of the first three quarters of 2023 found that global cyberattacks overall have increased by 3% year over year, with the healthcare sector witnessing an 11% surge in attacks that averages out to 1,613 attacks per week.

Patrick stressed the importance of preparing for the potential of a hospital cyberattack.

Encrypt data when possible, he said, by using the built-in tools available on a device, and have a data backup that can be accessed if a system’s locally stored data disappears. For facilities with “unlimited resources,” he suggested using a cloud, which automates the backup storage in a separate, isolated location.

Roger Grimes, a data-driven defense evangelist at the security training platform KnowBe4 with previous experience as a healthcare IT admin, advised training healthcare employees not to automatically download files, even if they appear to come from trusted sources.

“A big part of it is education, telling people, ‘Never download anything.’ Let them know: ‘We don’t send you emails telling you to download updates. You should never install updates; we take care of all updating,’” Grimes said.

Tim Rawlins, director and senior advisor at cybersecurity consulting firm NCC Group, sees increasing craftiness among today’s phishers, which challenges awareness training.

Rawlins recommended a variety of security controls:

  • Network scanners. These products look for a network’s connected assets and ensure each has appropriate patches and anti-malware protections.
  • Email gateways. Ideally, a trusty server can filter out malicious messages and prevent phishing lures from reaching staff in the first place.
  • Firewalls. Keeping them properly configured helps block outbound connections to, say, a C&C server.
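The "From whoops to ’ware" section describes malware calling home to a C&C server, and Rawlins’s list ends with firewalls guarding outbound connections. As an added example (not from the article or from any of the vendors quoted), the Python below runs two defender-side checks over egress firewall log lines: an egress allowlist, and a beaconing check that flags a workstation connecting to the same destination at a near-constant interval, which is how infected machines typically check in with a C&C server. The log format, IP addresses, allowlist and thresholds are all constructed assumptions for illustration.

```python
"""Flag suspicious outbound connections in egress firewall logs.

Two checks a hospital security team might run over firewall logs:
  1. Egress allowlist: clinical workstations should reach only known
     destinations; anything else is flagged for review.
  2. Beaconing: malware checking in with its C&C server tends to connect
     to the same destination at a regular interval, so a series of
     connections with near-identical gaps between them is flagged.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (not real traffic). Assumed format:
# timestamp src_ip dst_ip dst_port action
SAMPLE_LOG = """\
2024-06-01T08:00:00 10.20.1.15 10.20.0.5 443 ALLOW
2024-06-01T08:00:12 10.20.1.15 203.0.113.77 443 ALLOW
2024-06-01T08:01:12 10.20.1.15 203.0.113.77 443 ALLOW
2024-06-01T08:02:11 10.20.1.15 203.0.113.77 443 ALLOW
2024-06-01T08:03:13 10.20.1.15 203.0.113.77 443 ALLOW
2024-06-01T08:04:12 10.20.1.15 203.0.113.77 443 ALLOW
2024-06-01T08:00:30 10.20.1.16 10.20.0.5 443 ALLOW
2024-06-01T08:17:02 10.20.1.16 10.20.0.9 445 ALLOW
2024-06-01T09:03:45 10.20.1.16 198.51.100.4 443 ALLOW
"""

# Destinations a clinical workstation is expected to reach (constructed).
EGRESS_ALLOWLIST = {
    ("10.20.0.5", 443),     # internal EHR web front end
    ("10.20.0.9", 445),     # internal file server
    ("198.51.100.4", 443),  # vendor update mirror
}


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "port": int(port),
            "action": action,
        })
    return events


def find_unallowlisted(events, allowlist):
    """Return sorted (src, dst, port) tuples not covered by the egress allowlist."""
    return sorted({
        (e["src"], e["dst"], e["port"])
        for e in events
        if (e["dst"], e["port"]) not in allowlist
    })


def find_beacons(events, min_connections=4, max_jitter_ratio=0.1):
    """Return (src, dst, port, mean_gap_seconds) for connection series
    whose inter-connection gaps are nearly constant.

    Jitter is measured as population standard deviation divided by the
    mean gap; real users rarely produce a ratio this low, while a
    scheduled check-in does.
    """
    series = defaultdict(list)
    for e in events:
        series[(e["src"], e["dst"], e["port"])].append(e["ts"])
    beacons = []
    for key, times in sorted(series.items()):
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            beacons.append((*key, round(avg, 1)))
    return beacons


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for hit in find_unallowlisted(evts, EGRESS_ALLOWLIST):
        print("not on egress allowlist:", hit)
    for src, dst, port, gap in find_beacons(evts):
        print(f"possible beacon: {src} -> {dst}:{port} every ~{gap}s")
```

In the constructed sample, workstation 10.20.1.15 reaches 203.0.113.77 roughly once a minute, so both checks flag the same flow; the allowlist check catches it immediately, and the beaconing check would still catch it if the destination had slipped onto an allowlist. In practice the thresholds need tuning against the site’s own traffic, and a hit is a lead for an analyst rather than a verdict.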

“If they really want to get into your system, they will, so make sure that you have layers of technical controls that don’t rely on that human not clicking,” Rawlins said.
