Could a Digital Red Cross Protect Hospitals From Ransomware?
International Committee Calls for Criminals to View Red Cross Symbol as Off-Limits
The internationally recognized Red Cross symbol has marked people and facilities off-limits to attack across a century of wars, but security experts are skeptical about a recent proposal to create a digital Red Cross marker to protect healthcare and humanitarian groups from cyberattacks. The reason? You can't trust cybercriminals.
In a report released Thursday, the International Committee of the Red Cross proposed applying a digital Red Cross marker to websites, systems and endpoints used for medical and humanitarian purposes.
"The red cross and red crescent emblems - a simple red cross or red crescent painted on the roof of a hospital or vehicle - have long served as a sign of protection," says Robert Mardini, ICRC director general. "I experienced the protective power of the emblem firsthand in many sensitive situations: For example, when we facilitated the evacuation of civilians from besieged rural Damascus, Syria, in 2018, when we went into the besieged city of Taiz, Yemen, in 2017, or over the course of my many visits to the Gaza Strip."
The Red Cross recommendation comes on the heels of rising ransomware attacks against medical facilities, as well as the heightened role of cyberwarfare following the Russian invasion of Ukraine. The proposal calls for making the symbol easy for healthcare and humanitarian agencies to deploy, and easy for cyberattackers to find without being detected by cybersecurity teams.
The problem is that the project would require the cooperation of the vast array of threat actors who are attacking healthcare. While nation-states reciprocally recognize the Red Cross symbol on the battlefield, that relationship does not exist between victims and criminals, says Michael Hamilton, CISO at Critical Insight.
"Their intent is to create the analogy to the symbol used on battlefields, but in my opinion, this will do little as a deterrent," Hamilton says. "Hospitals are specifically targeted because of their criticality and therefore willingness to pay extortion demands."
The Red Cross says a digital emblem should mark a variety of digital components such as servers, computers, smartphones, IoT devices and network devices, as well as digital services such as FTP servers and VPNs, cloud infrastructure, and communication equipment.
In addition, the system must be set up so that attackers can probe for the digital emblem without being identified as threat actors. "In other words, if cyber operators are concerned that probing for a digital emblem will identify them, they will not probe for it," the report says.
Unfortunately, says Errol Weiss, chief security officer of Healthcare-ISAC, most attackers use a shotgun approach with emails that can reach millions of people, and once anyone falls victim to a phishing attack, the attackers' priority is gaining a greater foothold and searching for ways to monetize the breach.
"Maybe once they realize what they've gotten access to, maybe they will unwind the attack, but I don't think so," Weiss says, adding that cybercriminals publicly declared a truce against healthcare during the height of the COVID-19 pandemic. "Of course, we saw that last all of about zero minutes. They were attacking hospitals, and we saw hospitals being ransomed, so I don't see them living up to this at all."
The Red Cross report explores three ways to deploy the markers: a DNS-based emblem associated with the domain name, an IP address-based emblem that would require embedding semantics in IP addresses to identify both protected digital assets and protected messages, or an authenticated digital emblem based on a distributed approach that leverages certificate chains and self-signed emblems that link to public keys.
The emblem should not be a substitute for investments in cybersecurity systems and practices. "Because ICT security requires investment and expertise, there is a risk that some entities might opt to rely entirely on a digital emblem instead of taking other basic security measures," the report says. "Thus the digital emblem could create a false sense of protection or security."
Hamilton of Critical Insight says security needs to be the top priority. "The industry knows what it needs to do to protect itself but can't do it alone when revenue and margins have been hurt so badly," he says. "The federal government should continue the efforts to sanction crypto exchanges used for ransomware payments, defend going forward using Department of Defense resources, apprehend and prosecute with the Department of Justice, and use rhetorical constructs like calling the use of ransomware against critical infrastructure terrorism rather than crime, and treat it as such."
Cybercriminals have shown a willingness to avoid healthcare attacks that could endanger lives, as in the 2021 ransomware attack against the Irish Health Service, in which criminals gave the hospital group a decryptor to restore infected systems. But Padraic O'Reilly, co-founder of CyberSaint Security, points out that criminals also planned to attack Boston's Children's Hospital.
"I do not put much faith in the scruples of the ransomware gangs," O'Reilly says. "The more valuable the data to the affected org and the patients it serves, the more likely the payday. In 2021, over half of healthcare orgs that were hit paid the ransom, but many did not retrieve their full data. There is really no magic bullet here outside of truly hardening systems and making sure that the gangs do not get access to systems in the first place."