As healthcare institutions grappled with the overwhelming impact of COVID-19 at the height of the outbreak, many were fighting a second battle against hackers. In early April, Interpol warned of a surge in ransomware attacks targeting hospitals. Malicious hackers know that healthcare organizations continue to be hyper-focused on addressing the pandemic, making them prime targets for ransomware.
In the midst of the pandemic, the website of Champaign-Urbana Public Health District in Illinois was hit with NetWalker ransomware that held the entire computer network hostage. The site, which was essential for communicating health information to the community, was down for three days. The district reportedly agreed to the $300,000 ransom payment.
Armis has also seen increasing use of botnets targeting IoT devices like surveillance cameras that are commonly found in healthcare organizations. These botnets can spread malware and compromise connected devices, including crucial medical devices like patient monitors, ventilators, infusion pumps and MRI machines.
Hackers look to exploit the path of least resistance, and right now they know hospitals are vulnerable. As the healthcare system begins to recover from a surge in COVID-19 patients, more must be done to safeguard them from future attacks.
A Gap in Protection for Connected Devices
The current healthcare crisis may be giving rise to more healthcare attacks than usual, but these organizations have always been under threat. Healthcare has consistently ranked among the most targeted sectors for cybercrime. The sector also sees some of the highest costs from a data breach — an average of $6.5 million per organization according to one study, which is over 60% higher than other industries.
Ransomware strains like NetWalker (previously called Mailto) have been used in recent attacks, while ongoing threats like WannaCry and NotPetya remain in use years after their discovery. In fact, Armis found that 40% of healthcare organizations suffered a WannaCry attack in a six-month span.
The increased use of internet-connected medical devices — which now number in the hundreds of thousands — has led to new vulnerabilities for healthcare organizations. Many of these devices, including ventilators, infusion pumps, MRI machines and heart rate monitors, were not developed with security in mind — which is understandable, considering patient care is the priority. Cybercriminals know that organizations are not effectively managing their IT resources and that many connected devices are “unagentable,” meaning they cannot run the endpoint agents that traditional security measures depend on. This makes it possible for hackers to break in through traditional IT, and from there attacks often spread to connected devices.
Medical Device Risk Means Patient Risk
The reality of this problem was brought to light by a hospital’s discovery that an infusion pump was affected by vulnerabilities known as URGENT/11. These vulnerabilities impact at least six real-time operating systems and put millions of medical devices at risk. By enabling hackers to take over medical devices, the networks they operate on and other devices connected to that network, URGENT/11 could disrupt critical medical devices that doctors and patients rely on, with potentially life-threatening consequences.
Connected devices are not often the intended target of cyberattacks, but they can easily become collateral damage as malware or botnets spread throughout a network. Hackers are usually financially motivated, yet the damage their attacks bring to patient safety can be severe. Patient care devices like heart monitors, ventilators, MRI machines and infusion pumps can become disrupted when infected.
Protecting Patients is Everyone’s Responsibility
Part of what makes this issue so complex is the broad range of organizations involved in mitigating the risk. Device manufacturers, healthcare organizations, security companies, clinical engineers and regulatory bodies all have a part to play in addressing this issue.
The aftermath of the URGENT/11 discovery provides an example of what this coordination could look like. The full extent of these vulnerabilities was exposed when a healthcare organization using Armis’ agentless device security platform discovered that an infusion pump contained the vulnerability. The Department of Homeland Security and the Food and Drug Administration became involved to issue warnings disclosing the vulnerability and listing the affected real-time operating systems. Armis released a free tool designed to detect devices vulnerable to URGENT/11, while impacted device and software manufacturers issued their own advisories with more information. While these vulnerabilities may still exist in many devices that are in use today, these organizations worked together to spread awareness.
There is no single easy answer to this problem. The best defense is for healthcare organizations to gain visibility into all of the devices on their network and monitor their behavior to look for known vulnerabilities and active threats. From there, various sectors can work together to orchestrate mitigation efforts, as we saw with URGENT/11. Detection and response is a strong first step. Beyond that, organizations must work in unison to come up with long-term solutions that protect medical devices, hospital networks and the patients that rely on them.
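The visibility-and-monitoring approach described above can be illustrated with a small agentless check that works only from network flow records, which is what makes it applicable to devices that cannot run an agent. The following is an added example written for this page; it is not Armis code and does not reflect how the Armis platform works. It assumes flow records with the fields (source, destination, destination port, protocol), a hand-maintained asset list that records whether each device can run an agent, and a site-specific definition of internal address space; the inventory, flow records and the SMB fan-out threshold are all constructed for the example. It flags three things a defender would want to see from the earlier sections: hosts on the wire that are missing from the asset list (a visibility gap), unagentable clinical devices talking to addresses outside the hospital network (possible botnet or exfiltration behavior), and a single host opening SMB connections to many peers (the lateral-spread pattern of WannaCry-style worms).

```python
"""
Agentless device-visibility and behavior check built from network flow records.
Added example for this page, not Armis code. All data below is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed asset inventory: IP -> (device type, can an endpoint agent run on it?).
# Clinical devices are marked unagentable, which is why they are watched by network behavior.
INVENTORY = {
    "10.20.0.11": ("infusion-pump", False),
    "10.20.0.12": ("patient-monitor", False),
    "10.20.0.13": ("mri-console", False),
    "10.20.0.100": ("ehr-server", True),
    "10.10.0.50": ("workstation", True),
}

# Assumed definition of the hospital's own address space (RFC 1918 here; a real
# site would list its actual prefixes).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed flow records: (src, dst, dst_port, protocol).
FLOWS = [
    ("10.20.0.11", "10.20.0.100", 443, "tcp"),  # pump -> EHR server, expected
    ("10.20.0.12", "10.20.0.100", 443, "tcp"),  # monitor -> EHR server, expected
    ("10.20.0.12", "203.0.113.7", 443, "tcp"),  # monitor -> address outside the hospital
    ("10.10.0.50", "10.20.0.11", 445, "tcp"),   # workstation opening SMB to clinical devices
    ("10.10.0.50", "10.20.0.12", 445, "tcp"),
    ("10.10.0.50", "10.20.0.13", 445, "tcp"),
    ("10.10.0.50", "10.20.0.14", 445, "tcp"),
    ("10.20.0.99", "10.20.0.100", 80, "tcp"),   # internal host nobody has inventoried
]

# Assumed threshold: SMB to this many distinct peers from one source is worth a look.
SMB_FANOUT_THRESHOLD = 3


def is_internal(ip):
    """True when the address falls inside the site's own address space."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def observed_hosts(flows):
    """Every address seen as a source or destination in the flow records."""
    hosts = set()
    for src, dst, _, _ in flows:
        hosts.add(src)
        hosts.add(dst)
    return hosts


def unknown_hosts(flows, inventory):
    """Visibility gap: internal hosts seen on the wire but absent from the asset list."""
    return sorted(h for h in observed_hosts(flows) if is_internal(h) and h not in inventory)


def external_talkers(flows, inventory):
    """Unagentable devices reaching addresses outside the hospital network."""
    findings = []
    for src, dst, port, _ in flows:
        if src in inventory and not inventory[src][1] and not is_internal(dst):
            findings.append((src, inventory[src][0], dst, port))
    return findings


def smb_fanout(flows, threshold=SMB_FANOUT_THRESHOLD):
    """Lateral-spread indicator: one source opening SMB (tcp/445) to many distinct peers."""
    peers = defaultdict(set)
    for src, dst, port, proto in flows:
        if proto == "tcp" and port == 445:
            peers[src].add(dst)
    return {src: sorted(d) for src, d in peers.items() if len(d) >= threshold}


def review(flows, inventory):
    """Run all three checks and return the findings as one report."""
    return {
        "unknown_hosts": unknown_hosts(flows, inventory),
        "external_talkers": external_talkers(flows, inventory),
        "smb_fanout": smb_fanout(flows),
    }


if __name__ == "__main__":
    for name, findings in review(FLOWS, INVENTORY).items():
        print(f"{name}: {findings}")
```

On the constructed data the report lists two uninventoried internal hosts, the patient monitor reaching an outside address, and the workstation fanning SMB out to four clinical devices. None of these checks needs software on the medical device itself; they need only the flow records a hospital's switches or a passive sensor already produce, which is the practical reason agentless visibility is the first step the article calls for.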