How Healthcare Organizations Can Protect Themselves Against IoT Ransomware

Healthcare delivery organizations are increasingly deploying medical devices, IoT, and other medical platforms to improve connectivity and support patient care. Weak cybersecurity evaluations, inadequate network segmentation, and legacy devices expand the healthcare threat landscape. A sound cybersecurity strategy has to account for the nature of the healthcare profession, where human life is the top priority.

The coronavirus pandemic introduced many stressful conditions for healthcare providers – treating an ever-increasing number of COVID-19 cases while providing high-quality and accurate services to remote patients. The provision of high-quality healthcare services has always been impaired when patient and doctor were distant. Even in today’s hyper-connected world, isolated communities lack access to competent healthcare. The proliferation of connected healthcare devices promises to put an end to this inequality.

Collecting real-time patient data is transforming the way doctors monitor and provide their medical services. Mobile Health (mHealth) and the proliferation of smartphones, apps, and IoT technology have had disruptive impacts on healthcare provision.

Connected healthcare brings enormous benefits for both the doctors and the patients. Connecting doctors to their patients remotely and accelerating the diagnosis of a patient in distress can be life-saving.

Despite its enormous benefits, mobile healthcare introduces novel challenges. The sector has always been a lucrative target for malicious actors, but the pandemic emergency has been a great vehicle for adversaries to launch an increasing number of ransomware attacks against hospitals. By September 2020, bad actors had compromised over 9.5 million patient records in a series of 88 breaches in Q3 alone. In the last few months, we’ve seen a rise in hospital ransomware attacks.

In September, a chain of hospitals operating under Universal Health Services (UHS) was hit with Ryuk ransomware. According to their official statement, they successfully continued to provide patient care despite not being able to access their IT applications, thanks to well-established incident recovery procedures. However, this is not always the outcome.

In Germany, Uniklinikum hospital was a victim of ransomware and stopped admitting new patients because its systems were behaving abnormally, resulting in a woman in need of urgent medical attention being transferred to another hospital 20 miles away. The delay in her receiving treatment led to her death. This is the first recorded case of a death attributed to a cyber-attack. Cyber-attacks can have real life-and-death implications.

Due to the increased and imminent cybercrime threat to U.S. hospitals and healthcare providers, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the US Department of Health and Human Services (HHS) released a joint alert on ransomware activity. The malware families named are TrickBot, BazarLoader, Ryuk, and Conti, which often lead to ransomware attacks, data theft, and the disruption of healthcare services.

Several factors leave the healthcare industry open to increased cyber threats.

The explosion of the Internet of Medical Things (IoMT)

There are 10 million to 15 million medical devices in U.S. hospitals today with an average of 10 to 15 connected medical devices per patient bed. The integration of connected medical devices across healthcare poses significant cybersecurity risks. Due to their heterogeneous nature, these devices run on different operating systems and require specific security settings to protect them from cyber threats.

Legacy systems

Hospitals have specialized medical equipment that has constrained resources and cannot run properly on up-to-date operating systems. These systems operate on an outdated OS, or even on software that has reached its end of life, and cannot be patched against known vulnerabilities.

Lack of adequate incident recovery plans

It usually takes many people-hours to restore all the affected systems and return to a fully operational state. The time to recover will be shorter if the affected hospital has a well-tested incident recovery plan. Having a recovery plan and adequate backups that are easy to deploy can streamline business continuity processes. Another important task is to figure out how the incident evolved, locate any gaps in policies and practices, and make sure it cannot recur. During this investigation, it is also recommended to look for any backdoors that the attacker might have left behind.

Health emergencies are a higher priority

Medical emergencies, COVID-19, and other natural disasters take precedence and prevent security teams from implementing policies and practices that may disrupt surgeries or the operation of ICUs. Saving human lives is always the top priority. However, as the incident in Germany demonstrated, cybersecurity has real life-and-death implications and must be treated accordingly.

CISA, FBI, and HHS have developed a thorough list of security practices to address current threats posed by malicious cyber actors.

Hospitals and other healthcare organizations should review and align their security plans with these recommendations. They can start by evaluating their cybersecurity posture to identify gaps that need to be addressed sooner rather than later.

To eliminate the impact of cybersecurity breaches and incidents and minimize service interruptions, healthcare industry organizations must develop and maintain business continuity plans. Without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations.

Assessing the risks that impede continuity and capability will help identify critical gaps. Identifying and addressing these gaps can help healthcare organizations establish a viable continuity program that keeps them functioning during cyberattacks or other emergencies.

Sucindran Ramachandran is VP at Ampcus Cyber. He has over 18 years of extensive industry experience, including leadership positions with a Big 4 consulting firm. As client partner and practice lead, he built and managed the delivery of over 500 engagements in Cyber Security, Cloud, Governance Risk & Compliance, Access Management, PCI, Data Privacy, Third-Party Vendor Management, and IT Advisory services.
