The American Hospital Association on Friday called on the U.S. government to play a bigger role in responding to ransomware attacks against the healthcare industry.
The AHA's advisory comes on the heels of an alert from the Federal Bureau of Investigation last week warning about "Conti," a new ransomware variant. At least 16 U.S. healthcare and first responder networks have been hit by Conti, including hospitals, law enforcement agencies, emergency medical services and 911 dispatch centers in the last year, according to the FBI.
"Targeting healthcare networks can delay access to vital information, potentially affecting care and treatment of patients including cancellation of procedures, rerouting to unaffected facilities, and compromise of protected health information," the FBI's alert reads.
More than 400 organizations worldwide have been hit by Conti ransomware, an estimated 290 of which were located in the U.S., according to the FBI's alert.
The FBI didn't list specific healthcare organizations that had been targeted with Conti ransomware.
Earlier this month, Scripps Health experienced a malware attack that forced the San Diego health system to take a portion of its network offline for three weeks. Scripps has not shared details on what type of malware caused the attack, although the California Department of Public Health has described the incident as a ransomware attack.
Abroad, a cyberattack at Ireland's health system last week has been linked to Conti ransomware.
The AHA in its advisory said it is urging the government to create a "coordinated campaign" against ransomware gangs, many of which operate outside of the U.S.
That should involve bringing in diplomatic, financial, law enforcement, intelligence and military cyber capabilities to work against ransomware gangs and seize money they've made by extorting hospitals and health systems, in a similar fashion to what was "done so effectively during the global fight against terrorism," according to the AHA.
"Defense against cyberattacks is only half the equation," John Riggi, senior adviser for cybersecurity and risk at the AHA, told Modern Healthcare. "We call on the government to really use all elements of national power as they successfully did in the fight against terrorism to go after the bad guys."
Healthcare is the most targeted industry in the U.S. for ransomware attacks, according to data from cybersecurity company Check Point Software Technologies. One in every 39 U.S. healthcare organizations was hit by at least one ransomware attempt during the past nine months.
Riggi said some ransomware gangs, particularly those operating outside of the U.S. with backing from adversarial nations, view attacking hospitals and health systems as highly profitable.
"It's low effort, high profitability and low probability of apprehension or any negative consequence," Riggi said. "We need to change that calculus."
Riggi also urged the federal government to collaborate with the private sector to investigate ransomware attacks.
The U.S. government's system for addressing ransomware attacks today involves sharing cyber-threat information with industries.
However, while threat intelligence is helpful, "relying on victimized organizations to individually defend themselves against these attacks is not the solution to this national strategic threat," according to the AHA.
The AHA also argued that, since ransomware disrupts patient care, such attacks on hospitals or health systems should be considered threat-to-life crimes, not economic crimes.
"These ransomware attacks have delayed or disrupted the delivery of patient care and pose significant potential risks to patient safety and the communities that rely on hospitals' availability," the AHA wrote, reiterating an argument the trade group has made repeatedly, including at a Senate hearing in December.
In a Conti ransomware attack, a hacker will deploy malware that encrypts a victim's computer files and only releases files in exchange for payment. Hackers will typically break into a network and "observe" the organization for four days to three weeks on average before deploying the Conti ransomware, according to the FBI's alert.
If the ransom isn't paid, hackers may sell or publish the stolen data on a public website. Ransom amounts have varied, but have been as high as $25 million, according to the FBI.
"Conti is reflective of the changing methodology that many ransomware gangs are using," Riggi said. "The objective is not only encryption of the data and demand for ransom payment, but they're also exfiltrating and stealing data before they encrypt the networks. They are then, in effect, conducting double-layered extortion."
The FBI in its alert discouraged organizations from paying ransoms to hackers, noting paying ransomware gangs doesn't guarantee files will be recovered.
"It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities," the alert reads. "However, the FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers."
The FBI in its alert asked organizations who had been hit by Conti ransomware to share information with the agency that could help identify and track ransomware gangs, such as logs that show communication to foreign IP addresses, Bitcoin wallet information—if a ransom demand was paid with Bitcoin—and decryptor files.