December 05, 2019//Tony HowlettLast Updated: January 28, 2020
Normally, the only types of epidemics that healthcare organizations fight are the microbial kind. But lately, they have been hit with a rash of ransomware attacks, crippling their IT systems and demanding payments to unlock the encrypted system. Many of these attacks have leveraged third-party vendors and Managed Service Providers (MSPs) to magnify and amplify the damage, both inside each victim organization and across multiple entities. Just like the organically based breakouts they seek to contain, these virulent versions of malware use the connections and privileges of vendors who have access to many customer networks as a force multiplier to spread their devastation to as many victims as possible. These attacks are growing both in scale and number as the hackers realize they have a fertile field in healthcare to sow their profitable seeds of chaos and destruction. And recently, 110 nursing homes were impacted by a ransomware infection that spread through a records management provider and locked up all their patients’ medical records, making it difficult to treat their residents.
The dangers are real, and not just to the health providers’ pocketbooks, but to our health.
A recent study actually tied these artificial digital outbreaks to declines in actual patient care. This was demonstrated acutely when a ransomware attack took down the EHR system of Great Plain Health in Nebraska and caused appointments to be rescheduled and other delays in patient care.
Given that more and more mission-critical medical devices are being attached to networks, including infusion pumps and defibrillators, it is only a matter of time before the first ransomware related, real-world death occurs. What is the cause of his sharp uptick in attacks on healthcare institutions? It is simply a matter of the criminal hacker gangs going where the money is. They are concentrating their efforts to get the greatest impact, and therefore drive desperate hospitals and clinics to pay the ransoms demanded. Because, unlike many other businesses, healthcare organizations have patient care as their primary directive and that trumps all when it comes to systems being down.
Along with this, hackers have realized that many healthcare networks are less protected than other corporate targets. This is due to their reliance on technology providers, many of whom are hesitant to patch their technology and devices for fear of causing outages and downtime. These devices are often running obscure or proprietary operating systems that don’t support typical countermeasures, such as antivirus software. The FDA also imposes strict rules on medical device certification status and doing frequent patches and updates can cause a device to go out of compliance with regulators. This creates an ideal situation for hackers so they can exploit poorly protected or unpatched devices to establish a foothold in a network and spread.
Because of all these drivers, many healthcare providers have not traditionally given security as high a priority in their IT management strategies as they should. However, this latest spate of attacks may be the wake up call for them to start to vet vendors more closely, applying technical controls to those vendors to prevent and limit the effect of attacks and monitoring and auditing vendor remote access with the use of technologies such as Privileged Access Management (PAM) and Vendor Privileged Access Management (VPAM). Otherwise, “death by ransomware” may soon become a checkbox on the coroner’s report.
To learn more about how you can protect your healthcare facility from a ransomware attack, check out our brochure specifically for healthcare and managing the privileged access given to vendors.