Ransomware attacks can be devastating to healthcare providers, especially during the COVID era, and the crimes seem unsettlingly easy to perpetrate.
The average ransom enterprises paid in Q2 of 2020 was $178,000, up 60% from Q1, according to a recent Coveware report.
“Ransomware is quickly becoming a national emergency,” Cybersecurity and Infrastructure Security Agency (CISA) Acting Director Brandon Wales testifies in a Senate hearing on cybersecurity threats amid the coronavirus pandemic.
Testifying before a subcommittee of the Senate Homeland Security and Governmental Affairs Committee on Wednesday, CISA Acting Director Wales and other expert witnesses warned that ransomware attacks coming from foreign adversaries and other bad actors pose an immediate threat to healthcare facilities and the lives of patients.
Cybercriminals use ransomware to gain access to an organization’s network and hold it for ransom while denying the owners access under the threat of publishing or deleting the stolen data. According to a CISA report, ransomware incidents can severely impact business processes and leave organizations without the data they need to operate and deliver mission-critical services.
Why is Healthcare a Priority Target?
These types of attacks can wreak havoc on healthcare delivery systems, deny access to medical records, and even affect medical devices that patients’ lives depend upon. According to the US Department of Health and Human Services, cyber-attacks against healthcare organizations have risen by over 53% since July 2020. Data security needs to be one of healthcare’s biggest concerns: hospitals store a massive amount of valuable and confidential data which hackers can easily sell.
In the testimony, Wales says, "From the very beginning of the pandemic, foreign nations were targeting vaccine research and development efforts across the country [...] we need to provide cybersecurity deep into the supply chain. Ransomware has rapidly emerged as the most visible cybersecurity risk playing out across our nation’s networks during the pandemic."
Data breaches and ransomware attacks last year alone cost the healthcare industry an estimated $4 billion. Recovery from one successful attack can cost up to $1,400,000 per institution. At a time when the healthcare industry is struggling with its finances, this is a price many healthcare delivery organizations (HDOs) cannot afford.
The increased use of devices connected to the internet has created new risks. It is estimated that by the end of 2020 there will be 20 billion smart devices, and by 2050, 1 trillion. Many of these devices, such as ventilators, MRI machines and heart rate monitors, were not developed with security in mind. Hackers know that and will use it to their advantage. These attacks could disrupt patient care and deny access to critical electronic medical records and devices, resulting in canceled surgeries and diverted ambulances and putting patient lives and the community at risk.
“We are doing what we can to raise awareness, share best practices, and assist victims, but improving defenses will only go so far. We must disrupt the ransomware business model, and we must take the fight to the criminals.” — Brandon Wales.
Where Are These Attacks Coming From?
The most common way that both state and non-state actors gain access to hospitals is by phishing employees, according to John Riggi, Senior Advisor for Cybersecurity and Risk at the American Hospital Association.
“Phishing remains the primary method to introduce malware and ransomware into hospitals, requiring dedicated, diligent hospital staff to monitor and educate workforces that are already strained due to the pandemic.”
“We believe a ransomware attack on a hospital crosses the line from an economic crime to a threat-to-life crime, and therefore should be aggressively pursued as such by the government,” Riggi testified.
If state-sponsored hackers or a criminal organization were to gain access to a medical device used by a high-profile target, the hackers could simply switch it off and murder their target.
As Richard Staynings, chief security strategist at Cylera, once told The Sociable, “We’re talking about cyber assassination. You no longer need to be MI6 and issued a Walther PPK in order to assassinate someone; you just need to gain access to the medical devices that are keeping that individual alive.”
But it’s not just the work of some lone hacker living in a basement somewhere. Foreign militaries and intelligence agencies are increasingly employing hackers to steal health data and research. Riggi explains that foreign intelligence services from China, Russia, and Iran have all launched cyber campaigns targeting healthcare to steal COVID-19-related data and vaccine research.
Since most attacks originate from “foreign adversarial safe havens” beyond the reach of US law enforcement, Riggi told the Senate Committee that the combined use of military and intelligence capabilities, along with economic sanctions to augment law enforcement efforts, can reduce cyber threats to the nation.
“By defending forward, the government can deter and disrupt these foreign-based cyber threats before they attack,” Riggi says.
Understand the Numbers: Why Ransomware Is Lucrative
In order not to feed the ransomware business model, Wales recommends that organizations don’t pay the ransom. And what a lucrative business ransomware is, with a profit margin of up to 99% that requires only 12 hours of labor, according to testimony from Bill Siegel, CEO at cyber incident response firm Coveware. Enterprises paid out an average of $178,254 to ransomware criminals in Q2 of 2020, up 60 percent from the previous quarter, according to the report by Coveware. This is without even accounting for the business loss and post-attack recovery expenses.
“The current profit margins of the cyber extortion industry are the fundamental problem we need to address,” Siegel testified.
Applying some arithmetic to the ~$180,000 average ransomware payment, Siegel submitted that when you deduct the average cost of about $350 that a cybercriminal invests up-front per job, they can rake in anywhere from $44,150 to $177,650, depending on whether they are successful just 25 percent of the time or every time, among other variables (a quarter of the roughly $178,000 average payment, less the $350 outlay, comes to $44,150; a full payment less $350 comes to $177,650).
“The threat actors' profit margin is over 99% (this is before cashout, which may reduce total proceeds through the laundering process),” Siegel calculated in his written testimony.
“They probably invested a grand total of 12 hours in the attack across all phases. They have also taken virtually NO risk as all activity was conducted remotely over the internet and via proxies. The extortion negotiation was done over encrypted email or TOR chat service that is untraceable. The proceeds of the extortion are in cryptocurrency and may be moved anonymously through well-established cash out channels,” he added.
That’s quite the financial incentive for just one day of work.
With these factors in play, it shouldn't be difficult to see why cybersecurity and defense against ransomware must be prioritized more than ever before.