Sometimes, ransomware can feel like the flu. As soon as hospitals find a defense, a new and more sophisticated version appears—making it difficult for hospital leaders to keep up.
Cryptic names like WannaCry, Petya and SamSam—all variants of ransomware—have become common points of discussion in healthcare. But while those ransomware campaigns targeted businesses across industries, it's becoming more prevalent to see hackers tailor their approaches within the healthcare industry, finding new technical vulnerabilities to exploit at specific hospitals and more closely customizing the phishing emails that deploy malware.
In 2018, healthcare organizations were the fourth most-common target for ransomware attacks, comprising 7% of attacks overall, after the technology (28%), consumer goods (15%) and manufacturing (11%) industries, according to a report released last year by Cylance, a cybersecurity company that BlackBerry acquired in 2019. But the company's researchers last year noticed an uptick in the sophistication of attacks targeting specific industries, particularly in healthcare and local governments, said Josh Lemos, vice president of research and intelligence at BlackBerry Cylance.
Because of the potential disruption to patient care, "hospitals and patient-serving environments" are more likely to pay, he added.
John Riggi, the American Hospital Association's senior adviser for cybersecurity and risk, said he's also noticed an increase in the "sophistication and severity" of ransomware attacks against healthcare organizations.
"They now appear to be highly targeted and highly specific attacks against specific hospitals," he said.
In healthcare, ransomware accounted for more than 70% of all malware—"malicious software"—attacks, according to a data breach report Verizon released last year. Ransomware attacks can come with a hefty price tag for their victims, with hackers demanding thousands to millions of dollars in exchange for decrypting an organization's computer files.
When a ransomware attack brings down a hospital's IT systems, it doesn't just disrupt internal business processes. It often hits critical medical systems like electronic health records or internet-connected medical devices, forcing hospitals to divert patients to nearby facilities. That pushes hospitals to want to pay the ransom, even if cybersecurity experts, including the Federal Bureau of Investigation, discourage organizations from doing so.
Just last month, Hackensack Meridian Health, a 17-hospital system based in New Jersey, confirmed it paid hackers an undisclosed sum to regain access to its IT systems. The attack brought down the system's computer network for two days, during which facilities were forced to reschedule some non-emergency procedures and revert to using paper—rather than electronic—medical records.
"Don't immediately dismiss the option of paying ransom," Hackensack Meridian Health CEO Robert Garrett wrote in an op-ed for Modern Healthcare in December. "You may not have the luxury of time to consider rebuilding your network. We believe it's our duty to ensure patient safety and protect our communities' access to healthcare."
And ransomware isn't static. New and emerging variants of the software arise—constantly.
"We're chasing new stuff all the time," said Sri Bharadwaj, chief information security officer at UC Irvine Health in Orange, Calif., and co-director of the leadership in healthcare privacy and security risk management certificate program at the University of Texas at Austin's McCombs School of Business.
Keeping track of those evolving threats can be overwhelming, with healthcare leaders ranking the emergence of too many new threats as the most challenging barrier to mitigating security incidents, according to a survey the Healthcare Information and Management Systems Society released last year.
"We're no longer in the era where a single person can humanly read everything that's happening," said Lee Kim, director of privacy and security at HIMSS. She noted hospitals will often use security information management systems, which collect data, to help manage and identify trends from that influx of information.
One of the latest ransomware variants to target healthcare is Zeppelin, first spotted in November by researchers at Cylance. Rather than being designed to reach a wide breadth of possible victims, Zeppelin has seemingly "carefully chosen tech and healthcare companies in Europe and the U.S.," the researchers wrote.
Zeppelin is largely distributed through spear-phishing, according to Lemos. Spear-phishing is a tactic in which cybercriminals send malware via email while posing as a trusted entity, such as the recipient's employer.
Lemos declined to share examples of the types of healthcare organizations being targeted by Zeppelin, as Cylance only discloses information on industry verticals.
While Zeppelin is just one recent example of ransomware in the industry, it's indicative of hackers' appetite for the healthcare sector, noted Clyde Hewitt, executive advisor at cybersecurity consulting firm CynergisTek.
To stay up-to-date on emerging threats, many hospital CISOs will rely on alerts from federal agencies, cybersecurity companies and information-sharing groups, which help to distribute timely information about relevant cyberthreats.
"CISOs need to be plugged into not just one source, but many sources," Hewitt said. He suggested the Health Information Sharing and Analysis Center, the Department of Homeland Security's U.S. Computer Emergency Readiness Team and InfraGard—a partnership between the FBI and the private sector—as examples.
UC Irvine Health is a member of multiple information-sharing groups and works with outside companies that help to manage network security, Bharadwaj said. While that's proved helpful, he acknowledged that might not be feasible for smaller organizations.
"Not everybody has the dollars to subscribe to all of the possibilities," he said. The plurality of healthcare organizations—25%—dedicated just 3-6% of their IT budgets toward cybersecurity last year, according to the HIMSS survey.
One low-cost way to stay updated on cybersecurity threats is to develop a "good network of CISOs that you can connect with" to share information, Bharadwaj said. "It's good to get that information on a daily or weekly basis, so you know what to do."
Sharing information peer-to-peer is "still a very powerful" way of learning about cyberthreats, even if it sounds old-fashioned, Kim said, adding that's how she first learned about a new phishing technique in which hackers break into real business email addresses and insert themselves into existing email conversations.
But hospital leaders shouldn't get bogged down by trying to implement fixes to emerging cyberthreats piece-by-piece. While new variants of ransomware are a concern, getting basic security practices in place is a necessary first step.
"Every time that healthcare comes up with a point defense against something, these ransomwares get modified and appear as a different variant," Hewitt said. Rather than focusing in on a specific strain of ransomware, it can be more helpful for CISOs to think about how to "protect overall against malware," he said.
Standard practices for preventing malware infections include educating staff about how to avoid being tricked by a hacker; segmenting sensitive systems—like those storing patient data—from the broader internet-connected network to limit malware's ability to spread; and conducting risk assessments annually, if not more frequently.
"If you don't have the basics in place, you're a very soft target," Kim said.