Skip to main content
Sister Publication Links
  • ESG: THE IMPLEMENTATION IMPERATIVE
Subscribe
  • Sign Up Free
  • Login
  • Subscribe
  • News
    • Current News
    • Providers
    • Insurance
    • Digital Health
    • Government
    • Finance
    • Technology
    • Safety & Quality
    • Transformation
    • People
    • Regional News
    • Digital Edition (Web Version)
    • Patients
    • Operations
    • Care Delivery
    • Payment
    • Midwest
    • Northeast
    • South
    • West
  • Unwell in America
  • Opinion
    • Bold Moves
    • Breaking Bias
    • Commentaries
    • Letters
    • Vital Signs Blog
    • From the Editor
  • Events & Awards
    • Awards
    • Conferences
    • Galas
    • Virtual Briefings
    • Webinars
    • Nominate/Eligibility
    • 100 Most Influential People
    • 50 Most Influential Clinical Executives
    • Best Places to Work in Healthcare
    • Excellence in Governance
    • Health Care Hall of Fame
    • Healthcare Marketing Impact Awards
    • Top 25 Emerging Leaders
    • Top 25 Innovators
    • Diversity in Healthcare
      • - Luminaries
      • - Top 25 Diversity Leaders
      • - Leaders to Watch
    • Women in Healthcare
      • - Luminaries
      • - Top 25 Women Leaders
      • - Women to Watch
    • Digital Health Transformation Summit
    • ESG: The Implementation Imperative Summit
    • Leadership Symposium
    • Social Determinants of Health Symposium
    • Women Leaders in Healthcare Conference
    • Best Places to Work Awards Gala
    • Health Care Hall of Fame Gala
    • Top 25 Diversity Leaders Gala
    • Top 25 Women Leaders Gala
    • - Hospital of the Future
    • - Value Based Care
    • - Hospital at Home
    • - Workplace of the Future
    • - Digital Health
    • - Future of Staffing
    • - Hospital of the Future (Fall)
  • Multimedia
    • Podcast - Beyond the Byline
    • Sponsored Podcast - Healthcare Insider
    • Video Series - The Check Up
    • Sponsored Video Series - One on One
  • Data Center
    • Data Center Home
    • Hospital Financials
    • Staffing & Compensation
    • Quality & Safety
    • Mergers & Acquisitions
    • Data Archive
    • Resource Guide: By the Numbers
    • Surveys
    • Data Points
  • MORE+
    • Contact Us
    • Advertise
    • Media Kit
    • Newsletters
    • Jobs
    • People on the Move
    • Reprints & Licensing
MENU
Breadcrumb
  1. Home
  2. Cybersecurity
January 24, 2020 11:38 AM

Ransomware targeting health systems in more 'sophisticated' ways

Jessica Kim Cohen
  • Tweet
  • Share
  • Share
  • Email
  • More
    Reprints Print
    Modern Healthcare Illustration / Getty Images

    Sometimes, ransomware can feel like the flu. As soon as hospitals find a defense, a new and more sophisticated version appears—making it difficult for hospital leaders to keep up.

    Cryptic names like WannaCry, Petya and SamSam—all variants of ransomware—have become common points of discussion in healthcare. But while those ransomware campaigns targeted businesses across industries, it's becoming more prevalent to see hackers tailor their approaches within the healthcare industry, finding new technical vulnerabilities to exploit at specific hospitals and more closely customizing the phishing emails that deploy malware.

    In 2018, healthcare organizations were the fourth most-common target for ransomware attacks, comprising 7% of attacks overall, after the technology (28%), consumer goods (15%) and manufacturing (11%) industries, according to a report released last year by Cylance, a cybersecurity company that BlackBerry acquired in 2019. But the company's researchers last year noticed an uptick in the sophistication of attacks targeting specific industries, particularly in healthcare and local governments, said Josh Lemos, vice president of research and intelligence at BlackBerry Cylance.

    Because of the potential disruption to patient care, "hospitals and patient-serving environments" are more likely to pay, he added.

    John Riggi, the American Hospital Association's senior adviser for cybersecurity and risk, said he's also noticed an increase in the "sophistication and severity" of ransomware attacks against healthcare organizations.

    "They now appear to be highly targeted and highly specific attacks against specific hospitals," he said.

    In healthcare, ransomware accounted for more than 70% of all malware—"malicious software"—attacks, according to a data breach report Verizon released last year. Ransomware attacks can come with a hefty price tag for their victims, with hackers demanding thousands to millions of dollars in exchange for decrypting an organization's computer files.

    When a ransomware attack brings down a hospital's IT systems, it doesn't just disrupt internal business processes. It often hits critical medical systems like electronic health records or internet-connected medical devices, forcing hospitals to divert patients to nearby facilities. That pushes hospitals to want to pay the ransom, even if cybersecurity experts, including the Federal Bureau of Investigation, discourage organizations from doing so.

    Just last month, Hackensack Meridian Health, a 17-hospital system based in New Jersey, confirmed it paid hackers an undisclosed sum to regain access to its IT systems. The attack brought down the system's computer network for two days, during which facilities were forced to reschedule some non-emergency procedures and revert to using paper—rather than electronic—medical records.

    "Don't immediately dismiss the option of paying ransom," Hackensack Meridian Health CEO Robert Garrett wrote in an op-ed for Modern Healthcare in December. "You may not have the luxury of time to consider rebuilding your network. We believe it's our duty to ensure patient safety and protect our communities' access to healthcare."

    And ransomware isn't static. New and emerging variants of the software arise—constantly.

    "We're chasing new stuff all the time," said Sri Bharadwaj, chief information security officer at UC Irvine Health in Orange, Calif., and co-director of the leadership in healthcare privacy and security risk management certificate program at the University of Texas at Austin's McCombs School of Business.

    Keeping track of those evolving threats can be overwhelming, with healthcare leaders ranking the emergence of too many new threats as the most challenging barrier to mitigating security incidents, according to a survey the Healthcare Information and Management Systems Society released last year.

    "We're no longer in the era where a single person can humanly read everything that's happening," said Lee Kim, director of privacy and security at HIMSS. She noted hospitals will often use security information management systems, which collect data, to help manage and identify trends from that influx of information.

    One of the latest ransomware variants to target healthcare is Zeppelin, first spotted in November by researchers at Cylance. Rather than being designed to reach a wide breadth of possible victims, Zeppelin has seemingly "carefully chosen tech and healthcare companies in Europe and the U.S.," the researchers wrote.

    Zeppelin is largely distributed through spear-phishing, according to Lemos. Spear-phishing is a tactic in which cybercriminals send malware via email while posing as a trusted entity, such as the recipient's employer.

    Lemos declined to share examples of the types of healthcare organizations being targeted by Zeppelin, as Cylance only discloses information on industry verticals.

    While Zeppelin is just one recent example of ransomware in the industry, it's indicative of hackers' appetite for the healthcare sector, noted Clyde Hewitt, executive advisor at cybersecurity consulting firm CynergisTek.

    To stay up-to-date on emerging threats, many hospital CISOs will rely on alerts from federal agencies, cybersecurity companies and information-sharing groups, which help to distribute timely information about relevant cyberthreats.

    "CISOs need to be plugged into not just one source, but many sources," Hewitt said. He suggested the Health Information Sharing and Analysis Center, the Department of Homeland Security's U.S. Computer Emergency Readiness Team and InfraGard—a partnership between the FBI and the private sector—as examples.

    UC Irvine Health is a member of multiple information-sharing groups and works with outside companies that help to manage network security, Bharadwaj said. While that's proved helpful, he acknowledged that might not be feasible for smaller organizations.

    "Not everybody has the dollars to subscribe to all of the possibilities," he said. The plurality of healthcare organizations—25%—dedicated just 3-6% of their IT budgets toward cybersecurity last year, according to the HIMSS survey.

    One low-cost way to stay updated on cybersecurity threats is to develop a "good network of CISOs that you can connect with" to share information, Bharadwaj said. "It's good to get that information on a daily or weekly basis, so you know what to do."

    Sharing information peer-to-peer is "still a very powerful" way of learning about cyberthreats, even if it sounds old-fashioned, Kim said, adding that's how she first learned about a new phishing technique in which hackers break into real business email addresses and insert themselves into existing email conversations.

    But hospital leaders shouldn't get bogged down by trying to implement fixes to emerging cyberthreats piece-by-piece. While new variants of ransomware are a concern, getting basic security practices in place is a necessary first step.

    "Every time that healthcare comes up with a point defense against something, these ransomwares get modified and appear as a different variant," Hewitt said. Rather than focusing in on a specific strain of ransomware, it can be more helpful for CISOs to think about how to "protect overall against malware," he said.

    Standard practices for preventing malware infections include educating staff about how to avoid being tricked by a hacker; segmenting sensitive systems—like those storing patient data—from the broader internet-connected network to limit malware's ability to spread; and conducting risk assessments annually, if not more frequently.

    "If you don't have the basics in place, you're a very soft target," Kim said.

    Letter
    to the
    Editor

    Send us a letter

    Have an opinion about this story? Click here to submit a Letter to the Editor, and we may publish it in print.

    Recommended for You
    cybersecurity
    Health insurance data breach exposes Congressional members' personal info
    cybersecurity-data-hacking_2_i.png
    Following alleged cyberattack, Tallahassee Memorial resumes some services
    Most Popular
    1
    More healthcare organizations at risk of credit default, Moody's says
    2
    Centene fills out senior executive team with new president, COO
    3
    SCAN, CareOregon plan to merge into the HealthRight Group
    4
    Blue Cross Blue Shield of Michigan unveils big push that lets physicians take on risk, reap rewards
    5
    Bright Health weighs reverse stock split as delisting looms
    Sponsored Content
    Health IT Strategist (HITS) Newsletter: Sign up for the latest IT and medical technology news delivered 3 days a week (M, W, F).
     
    Get Newsletters

    Sign up for enewsletters and alerts to receive breaking news and in-depth coverage of healthcare events and trends, as they happen, right to your inbox.

    Subscribe Today
    MH Magazine Cover

    MH magazine offers content that sheds light on healthcare leaders’ complex choices and touch points—from strategy, governance, leadership development and finance to operations, clinical care, and marketing.

    Subscribe
    Connect with Us
    • LinkedIn
    • Twitter
    • Facebook
    • RSS

    Our Mission

    Modern Healthcare empowers industry leaders to succeed by providing unbiased reporting of the news, insights, analysis and data.

    Contact Us

    (877) 812-1581

    Email us

     

    Resources
    • Contact Us
    • Advertise with Us
    • Ad Choices Ad Choices
    • Sitemap
    Editorial Dept
    • Submission Guidelines
    • Code of Ethics
    • Awards
    • About Us
    Legal
    • Terms and Conditions
    • Privacy Policy
    • Privacy Request
    Modern Healthcare
    Copyright © 1996-2023. Crain Communications, Inc. All Rights Reserved.
    • News
      • Current News
      • Providers
      • Insurance
      • Digital Health
      • Government
      • Finance
      • Technology
      • Safety & Quality
      • Transformation
        • Patients
        • Operations
        • Care Delivery
        • Payment
      • People
      • Regional News
        • Midwest
        • Northeast
        • South
        • West
      • Digital Edition (Web Version)
    • Unwell in America
    • Opinion
      • Bold Moves
      • Breaking Bias
      • Commentaries
      • Letters
      • Vital Signs Blog
      • From the Editor
    • Events & Awards
      • Awards
        • Nominate/Eligibility
        • 100 Most Influential People
        • 50 Most Influential Clinical Executives
        • Best Places to Work in Healthcare
        • Excellence in Governance
        • Health Care Hall of Fame
        • Healthcare Marketing Impact Awards
        • Top 25 Emerging Leaders
        • Top 25 Innovators
        • Diversity in Healthcare
          • - Luminaries
          • - Top 25 Diversity Leaders
          • - Leaders to Watch
        • Women in Healthcare
          • - Luminaries
          • - Top 25 Women Leaders
          • - Women to Watch
      • Conferences
        • Digital Health Transformation Summit
        • ESG: The Implementation Imperative Summit
        • Leadership Symposium
        • Social Determinants of Health Symposium
        • Women Leaders in Healthcare Conference
      • Galas
        • Best Places to Work Awards Gala
        • Health Care Hall of Fame Gala
        • Top 25 Diversity Leaders Gala
        • Top 25 Women Leaders Gala
      • Virtual Briefings
        • - Hospital of the Future
        • - Value Based Care
        • - Hospital at Home
        • - Workplace of the Future
        • - Digital Health
        • - Future of Staffing
        • - Hospital of the Future (Fall)
      • Webinars
    • Multimedia
      • Podcast - Beyond the Byline
      • Sponsored Podcast - Healthcare Insider
      • Video Series - The Check Up
      • Sponsored Video Series - One on One
    • Data Center
      • Data Center Home
      • Hospital Financials
      • Staffing & Compensation
      • Quality & Safety
      • Mergers & Acquisitions
      • Data Archive
      • Resource Guide: By the Numbers
      • Surveys
      • Data Points
    • MORE+
      • Contact Us
      • Advertise
      • Media Kit
      • Newsletters
      • Jobs
      • People on the Move
      • Reprints & Licensing