Ransomware Attacks in Healthcare: Are We Seeing a Surge?New Risks Could Emerge as More Practices Reopen
Four recent cybersecurity incidents that may have involved ransomware demonstrate the ongoing threats facing the sector during the COVID-19 pandemic. They also serve as a warning that extra watchfulness is needed as physicians reopen their clinics.
The recent incidents targeted health systems in Rhode Island and Pennsylvania, an orthopedic practice in Florida and a pain clinic in Massachusetts.
Here's What Happened
Providence, Rhode Island-based Care New England Health Care System, which includes several hospitals and a medical group, described an incident last week that apparently may have been a ransomware attack. But the organization did not immediately respond to Information Security Media Group's request for information about the nature of the incident.
Several local news media outlets, including the Providence Journal, report that the healthcare system suffered a cyber incident on June 16, disrupting some patient procedures and necessitating the use paper records for several days.
On June 22, Care New England said its computer systems were restored, the Providence Journal reported.
Crozer-Keystone Health System, a healthcare system in Springfield, Pennsylvania, also apparently was a recent ransomware victim.
NetWalker ransomware operators added Crozer-Keystone to their list of victims who have not paid their ransom demands, and that the threat actors posted "as proof of claims" a few screen shots of files allegedly stolen in the incident, according to the blog Databreaches.net
Crozer-Keystone confirmed that it had recently identified a malware attack and that it "took immediate action and began remediating impacted systems," according to DataBreaches.net
"Having isolated the intrusion, we took necessary systems offline to prevent further risk," the system said in a statement. "We completed this work in collaboration with cybersecurity professionals across our healthcare system and are currently conducting a full investigation of the issue."
Crozer-Keystone did not immediately respond to an ISMG request for more information.
Meanwhile, Florida Orthopaedic Institute recently issued a breach notification stating the Tampa-based practice it was a victim of a ransomware attack in April that encrypted data stored on its servers.
"We immediately began an internal investigation to secure our environment and restore impacted data. ... On May 6, 2020, our investigation revealed that the personal information of certain FOI patients may have been accessed or taken during the incident. While we are not aware of the misuse of any information impacted by this incident."
As of Tuesday, the Florida Orthopaedic Institute incident was not yet on the Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches impacting 500 or more individuals.
In yet another recent data breach, North Shore Pain Management in Beverly, Massachusetts. on June 18 reported to HHS a hacking/IT incident impacting nearly 12,500 individuals that involved a network server.
In a statement, the organization says the incident "resulted in unauthorized access to some of our patients' information." It says it become aware on April 21 that an unauthorized person gained access to the NSPM system and acquired some of its files on April 16.
"We worked with third-party experts, including the FBI, Secret Service,and privacy professionals, to investigate this incident and secure our network. The investigation determined that the acquired files contained information belonging to patients who directly paid NSPM or North Shore Anesthesia or whose insurance paid NSPM or North Shore Anesthesia between August 1, 2014, and April 16, 2020."
Potentially exposed information includes names, dates of birth, Social Security numbers, health insurance information, payment information, and clinical information including diagnoses, treatments, and in some cases ultrasound or MRI images, the pain management clinic reports.
Brett Callow, a threat analyst at security firm Emisoft, notes that 4 GBs of NSPM's data appears to be available for download on a darknet site. That makes it appear that the organization could have been the victim of a ransomware attack that involved exfiltration of data.
NSPM did not immediately respond to an ISMG request for comment and additional information about the incident.
The COVID-19 pandemic put all organizations, including healthcare entities, at high risk for cyber incidents, notes Cindy vanBree, senior security consultant at consulting firm Pondurance.
"Work from home, wherever possible, became the norm as IT staff moved quickly to roll out more telecommuting capacity. Phishing emails increased dramatically, the bait being information about the virus," she notes. "While we cannot assume to know the root causes or attack vectors for these [latest] incidents, we can draw some lessons from the experience,"
Uninformed users can be a big vulnerability, the consultant notes. "Remote access to an entity's network is a particularly risky activity, especially when the user has elevated privileges. Organizations should ensure that remote access by users is accomplished with multifactor authentication over an encrypted connection," she says.
Risks of data breaches could increase as more healthcare organizations, especially clinics, reopen and resume services, some experts note.
"While the number of successful attacks on healthcare providers declined during the early stages of the pandemic, we appear to be seeing the beginnings of an uptick, which may be linked to remote workers returning to the office," Callow says.
"Providers should ensure that endpoints which have been used remotely are not compromised prior to connecting them to the corporate network or, should that not be immediately possible, placing them on a subnet created specifically for this purpose," he advises.
Providers should ensure that they are adhering to best practices, including "using multifactor authentication everywhere it can be used, including on internal admin accounts, and disabling PowerShell when not needed and disabling or locking down RDP." Callow says. "A provider that does this will significantly reduce the likelihood of experiencing a serious ransomware incident."
Jon Moore, chief risk officer at privacy and security consulting firm Clearwater, says his firm is recommending that organizations prepare an "after action report" on their COVID-19 response.
"It is essential to understand what worked and what didn't work to improve our ability to respond to events like COVID-19," he says. "We also need to understand what changes we made to our IT infrastructure and account for those changes in our security plan. Often, necessity results in workarounds and short cuts that were justified at the time but now need to be re-evaluated."
Also, some organizations may have implemented new ways of delivering care, such as telehealth programs, he notes. "For any organization that made significant changes, it is appropriate to conduct a risk analysis as part of their review."
While healthcare entities continue to deal with the COVID-19 crisis, several key lessons are emerging, Moore notes.
"A circumstance such as COVID-19 does not change the best practices organizations should implement to protect against email-based attacks. Instead, it reinforces the importance of embedding these best practices into your organization's operations," he says.
The crisis also pointed to the importance of a defense-in-depth approach, he adds.
"For example, a vital defense to phishing attacks is the awareness of our staff," Moore says. "Unfortunately, during events like COVID-19, attackers exploit human nature, creating emails targeted towards our desire for information and purporting to be from sources from whom we expect to get that information. ... Recognizing this, it is crucial that we are not merely relying on our staff but instead have additional controls in place such as anti-malware, DMARC, spam and virus checks. "