Hospitals around the world have a lot on their plate, dealing with life-threatening emergencies and illnesses on a minute-to-minute basis. Increasingly, hospitals also have to fend off another kind of virus: malware, and trojans in particular. Because of the incredibly sensitive patient information stored on hospital networks, they have become juicy targets for hackers, some of whom try their utmost to gain access to those networks. Malwarebytes recently released a report titled “Cybercrime tactics and techniques: the 2019 state of healthcare”, which paints a pretty worrisome picture of the battle raging on hospital networks.
Some of the report's key takeaways have been highlighted in a blog post for those not wanting to read the entire report. Researchers have determined that the increase in attacks on hospitals is being driven by numerous factors. One is that hospitals are often guilty of not securing sensitive data correctly, making it easier for hackers to steal. Other factors include the exploitation of vulnerabilities in legacy software that remains unpatched and the effective use of social engineering to get hospital staff to unknowingly download malware. Researchers also found that healthcare institutions are targeted no matter their size, from small private hospitals to far larger healthcare enterprises.
The figures presented in the report confirm this. Malwarebytes stated that threat detections went from about 14,000 healthcare-facing endpoint detections in the second quarter of 2019 to more than 20,000 in the third quarter, a growth rate of 45 percent. Further, hospitals were overwhelmingly targeted by trojans, with an 82 percent increase in detections from the second to the third quarter. Overall, for the year up to September, a 60 percent increase in trojan detections was seen over the entirety of 2018.
Hackers seem content with attempting to infect hospital networks with TrickBot and Emotet, with these two trojan families being used for the majority of attacks. Interestingly, at the start of the year it was Emotet that was the favored malware, only to be replaced by TrickBot halfway through.
It was also noted by Malwarebytes that,
“The healthcare industry is a target for cybercriminals for several reasons, including their large databases of EHRs, lack of sophisticated security model, and a high number of endpoints and other devices connected to the network…Consequences of a breach for the medical industry far outweigh any other organization, as stolen or modified patient data can put a stop to critical procedures, and devices locked out due to ransomware attack can result in halted operations—and sometimes even patient death.”
The Scourge of Ransomware
Both TrickBot and Emotet have also been seen distributing other types of malware in the past. Most worryingly for hospitals, both trojans have been seen distributing ransomware. This presents another security issue for hospitals, as file-encrypting malware can cause complete shutdowns of the network, which in many cases can impact patient care. In instances such as this, the hospital’s administrative staff often feel that they have to pay the ransom so that they can return to the business of helping the sick. This added leverage is attractive to hackers, as it may secure more ransom payments than targeting businesses would. This is not an unproven threat: hospitals in Victoria, Australia have already been hit. In another incident, Hancock Health paid a ransom of 55,000 USD, or 4 Bitcoins at the time of the incident.
Hospitals obviously feel that they are between a rock and a hard place when it comes to ransomware running rampant on hospital networks. Paying the ransom also places law enforcement in a tricky situation. The advice given by law enforcement is not to pay the ransom. However, as hospitals are parties to Service Level Agreements (SLAs), they may be further forced to pay, because fines for failing to meet those agreements can cost far more than the ransom itself. This means that the advice given by law enforcement is undermined by legal frameworks, and no one but the hacker wins.
The report deals not only with current concerns facing hospitals but also with future ones. Hospitals are often at the forefront of medical technology, and large databases are often created to facilitate improvements. This is particularly true for genetic research, which requires a large DNA database. Currently, DNA records do not fetch top dollar on the dark web, but increasingly DNA markers may be used to verify identity. DNA has proved a pivotal resource for convicting criminals. If such databases fall into the wrong hands, it is feared that a new level of impossible-to-correct identity theft may occur. Even scarier is the thought that DNA databases could be used to place innocent people at the scene of a crime. For security researchers, developments in medical science present security concerns that hospitals and their administration departments do not seem ready to protect against. Given the current track record, such fears and concerns appear warranted and demand a solution.
In summarising the current and potential threats faced by hospitals, Malwarebytes concluded,
“Cyberattacks against healthcare organizations are increasing as we head into 2020, especially those leveraging dangerous threats such as TrickBot and ransomware. Meanwhile, healthcare as an industry suffers from a weak cybersecurity profile, despite being covered by regulations such as HIPAA. Budgets are diverted to research, patient care, and technology innovation, while ignoring necessary staff training and solutions for endpoint and network security. Add to this the proliferation of electronic health records and IoT, and you have a prescription for cyber chaos. This is especially concerning when you consider the consequences of a breach on healthcare institutions: disruption of care could ultimately cost patient lives.”