What happens behind the scenes during a hospital ransomware attack

The healthcare industry is under attack. One of the nation's largest health systems, Chicago-based CommonSpirit Health, has been dealing with a ransomware incident that has led to EHR outages and canceled appointments at its hospitals around the nation. Some facilities are just now starting to get their systems back online.

While the hospital chain has released few specifics about the attack that began in early October, cybersecurity experts told Becker's what goes on behind the scenes at one of these events.

Hackers may have access to a company's systems weeks or months before it knows it's been breached, these experts say. The organizations either discover the attack themselves via suspicious activity, or are notified in not-so-subtle ways.

"You receive that deadly scary warning slide that comes up and says you're under a ransomware attack and your data is now held hostage and access to that data is not possible," said Vikki Kolbe, a cybersecurity advisor based in the Boston area. "Or you don't even get a message but one day come in as a privileged user and try to go about your business and can't pull up your data."

But that doesn't mean your entire system will be affected. At CommonSpirit, which operates more than 140 hospitals, some facilities went unscathed from the incident. That's likely because of "the nature of their network architecture and how they share the use of systems across their organization," said Jon Moore, chief risk officer and senior vice president of consulting services for cybersecurity firm Clearwater.

Hackers often get in through relatively simple ways, like phishing emails. The intrusion is still a malware infection, but it is called ransomware because the attackers demand payment, usually in cryptocurrency, which is far harder to trace than a bank transfer. Healthcare organizations are now stocking up on the digital currency just in case, said Patrick Angel, a cybersecurity consultant based in Dallas.

The hackers might also "ping" a public-facing or visible server to find out whether it's using an outdated operating system or has unpatched vulnerabilities, Mr. Angel said.

"The older the physical server, the older their operating system and therefore the more likely it has very few if any security features available," he said. "Healthcare is one of the industries notorious for having some of the oldest technology around."

The hackers may sit quietly on the network for months, seeing how many systems or how much data they can access, a technique referred to as "mining," Mr. Angel said.

The cyberattackers typically encrypt the data so the organization can't access it, and regularly go after the companies' backups as well so they can't be used to recover. The hackers also increasingly steal the data first and then threaten to release it publicly unless the ransom is paid, a tactic known as double extortion.
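The "suspicious activity" that lets an organization discover an attack itself, mentioned earlier, often looks like the encryption stage described above: one account renaming thousands of files to a new extension in minutes and dropping the same ransom note into every folder. The following is an added example, not code from Becker's or from any of the experts quoted; it assumes a flattened file-server audit log of tab-separated `timestamp<TAB>user<TAB>action<TAB>path` lines (RENAME lines carry `old -> new`), and every log line it reads is constructed here.

```python
"""Flag ransomware-style activity in constructed file-server audit log lines.

Two indicators are checked per account:
  * an encryption burst: many files renamed to a new extension inside a
    short time window;
  * a ransom-note drop: the same file name written into many directories.
Log format (assumed): "<ISO timestamp>\t<user>\t<action>\t<path>", where a
RENAME path is "<old> -> <new>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    ts, user, action, rest = line.rstrip("\n").split("\t", 3)
    event = {"ts": datetime.fromisoformat(ts), "user": user, "action": action}
    if action == "RENAME":
        event["src"], event["dst"] = rest.split(" -> ", 1)
    else:
        event["path"] = rest
    return event


def extension(path):
    """Lower-cased extension of a Windows or POSIX path ('' if none)."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def find_encryption_bursts(lines, threshold=10, window_seconds=60):
    """Return {user: (max_renames_in_window, new_extension)} for accounts that
    changed the extension of at least `threshold` files within `window_seconds`."""
    windows = defaultdict(deque)  # user -> (timestamp, new extension) in window
    hits = {}
    for ev in map(parse_line, lines):
        if ev["action"] != "RENAME":
            continue
        old, new = extension(ev["src"]), extension(ev["dst"])
        if old == new:
            continue  # ordinary rename, extension unchanged
        q = windows[ev["user"]]
        q.append((ev["ts"], new))
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:
            q.popleft()  # slide the window forward
        if len(q) >= threshold:
            prev = hits.get(ev["user"], (0, new))[0]
            hits[ev["user"]] = (max(prev, len(q)), new)
    return hits


def find_note_drops(lines, min_dirs=5):
    """Return {(user, filename): directory_count} where one account wrote the
    same file name into at least `min_dirs` distinct directories."""
    seen = defaultdict(set)
    for ev in map(parse_line, lines):
        if ev["action"] != "WRITE":
            continue
        directory, _, name = ev["path"].replace("\\", "/").rpartition("/")
        seen[(ev["user"], name.lower())].add(directory)
    return {key: len(dirs) for key, dirs in seen.items() if len(dirs) >= min_dirs}


def build_sample():
    """Constructed log: one normal user, one hijacked service account."""
    t0 = datetime(2022, 10, 3, 2, 14, 0)
    lines = [
        f"{t0.isoformat()}\tjdoe\tWRITE\t\\\\fs01\\notes\\smith.docx",
        f"{(t0 + timedelta(minutes=3)).isoformat()}\tjdoe\tRENAME\t"
        "\\\\fs01\\notes\\draft.docx -> \\\\fs01\\notes\\final.docx",
    ]
    t = datetime(2022, 10, 3, 3, 1, 0)
    for i in range(12):  # 12 files re-extensioned in 24 seconds
        t += timedelta(seconds=2)
        lines.append(f"{t.isoformat()}\tsvc_backup\tRENAME\t"
                     f"\\\\fs01\\radiology\\img{i:03}.dcm -> "
                     f"\\\\fs01\\radiology\\img{i:03}.dcm.locked")
        lines.append(f"{t.isoformat()}\tsvc_backup\tWRITE\t"
                     f"\\\\fs01\\radiology\\dir{i}\\README_RESTORE.txt")
    return lines


if __name__ == "__main__":
    sample = build_sample()
    print("encryption bursts:", find_encryption_bursts(sample))
    print("ransom-note drops:", find_note_drops(sample))
```

Thresholds are deliberately low for the constructed sample; on a real file server they would be tuned against a baseline, and a legitimate bulk-rename tool run by an administrator is the main false-positive source to whitelist.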

While the FBI has advised organizations not to pay the cyber ransoms — and paying can violate U.S. sanctions law if the recipient is a sanctioned individual or country — anywhere from 30 percent to 80 percent of companies end up forking over the money, estimates show. The businesses might conclude it's the quickest — and cheapest — way to get the data back and keep the stolen data from being released.

The average payment is $228,125, according to cybersecurity researcher Coveware's analysis of 2022 second quarter data. Last year, insurer CNA Financial Corp. reportedly paid $40 million to stop an attack, according to Bloomberg.

Organizations typically have cybersecurity insurance, but the quality depends on whether they can withstand "white hat" hackers hired by the insurers, Ms. Kolbe said. There are also now companies and experts that act as go-betweens between ransomware groups and the hacked businesses.

The average downtime caused by the attacks is 24 days, according to Coveware. CommonSpirit's IT issues, which are still ongoing, started being reported Oct. 3.

Some of these events never become public. One health system chief information security officer declined to comment to Becker's because doing so would amount to acknowledging a ransomware attack.

However, more than 90 percent of ransomware events are avoidable, a 2019 Gartner report found. "Following the simple basics of IT hygiene is very valuable," Mr. Angel said. That includes "hardening," patching, deleting inactive or unused accounts, regularly backing up data, inventorying devices and data, and having data classification standards. 
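One of the hygiene items above, deleting inactive or unused accounts, is easy to automate. The following is an added example, not code from the article or from Mr. Angel; it assumes an identity export in CSV form with the columns `sam_account_name,enabled,last_logon,created,privileged` (ISO dates, empty `last_logon` for accounts that have never signed in), and the rows it audits are constructed. It flags enabled accounts idle past a threshold and enabled accounts that have never logged on since creation, listing privileged ones first because a dormant admin or service account is exactly what an intruder sitting quietly on the network wants to find.

```python
"""Audit a constructed account export for stale and never-used accounts.

Assumed CSV columns: sam_account_name,enabled,last_logon,created,privileged
(dates are ISO; last_logon is empty if the account never signed in).
"""
import csv
import io
from datetime import date

# Constructed sample export: names and dates are made up.
SAMPLE_EXPORT = """\
sam_account_name,enabled,last_logon,created,privileged
jdoe,true,2022-10-01,2019-03-12,false
old_vendor,true,2021-11-20,2018-06-01,false
svc_legacy_pacs,true,2022-02-14,2015-09-30,true
never_used,true,,2022-06-01,false
retired_admin,false,2020-01-10,2012-01-01,true
new_hire,true,,2022-09-28,false
"""


def audit_accounts(export_text, today, stale_days=90, unused_days=30):
    """Return [(name, reason, days, privileged)] for enabled accounts that are
    either idle longer than stale_days or older than unused_days with no logon.
    Privileged findings sort first, then the most idle."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled: not part of the attack surface
        name = row["sam_account_name"]
        privileged = row["privileged"].strip().lower() == "true"
        if row["last_logon"]:
            idle = (today - date.fromisoformat(row["last_logon"])).days
            if idle > stale_days:
                findings.append((name, "stale", idle, privileged))
        else:
            age = (today - date.fromisoformat(row["created"])).days
            if age > unused_days:
                findings.append((name, "never_used", age, privileged))
    findings.sort(key=lambda f: (not f[3], -f[2]))
    return findings


if __name__ == "__main__":
    for name, reason, days, privileged in audit_accounts(SAMPLE_EXPORT, date.today()):
        flag = "PRIVILEGED " if privileged else ""
        print(f"{flag}{name}: {reason} ({days} days)")
```

Run it with a fixed `today` when comparing reports over time; a sensible first action on a finding is to disable the account rather than delete it, so logon history is preserved for investigation before it is removed.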

The acronym for incident response is PICERL — or preparation, identification, containment, eradication, recovery, lessons learned — Mr. Moore of Clearwater said.

"Preparation comes before the incident," he said. "Once the organization identifies that they have an incident, they will move to try to contain the attack. This might include taking services offline to prevent further spread. Next, they will try to eradicate any malicious software or alterations that the attacker may have made. Finally, they will try to recover their systems and collect lessons learned."

Copyright © 2022 Becker's Healthcare. All Rights Reserved.