United States hospitals were targeted by two major cybersecurity attacks this fall: the first taking down Universal Health Services, a chain of hundreds of hospitals, and the second by a group called UNC1878 threatening hundreds of individual health care facilities all around the country. Targeting health care institutions directly marks a new approach for cybercriminals.
“We haven’t seen an incident of magnitude that actually has the potential to harm people, literally all the way up to the point of death,” says Caleb Barlow, CEO of cybersecurity consulting firm CynergisTek. “It crosses a line that I think the entire cybersecurity community just didn’t think was going to get crossed anytime soon.”
Many large-scale cyberattacks on hospitals over the past few years have been incidental. A piece of ransomware is sent out generally and happens to get into a hospital. That’s what happened to the United Kingdom’s National Health Service (NHS) in the spring of 2017 when the WannaCry cyberattack hit organizations worldwide. But the latest two attacks were intentionally made on hospitals. They’re an appealing target during the COVID-19 pandemic because they’re so essential. Institutions can’t afford to be offline while they try to extricate themselves from ransomware, says Alan Woodward, a computer security expert and professor at the University of Surrey in the United Kingdom.
They’re also targeted because some have paid a ransom to get their systems unlocked, he says. “There’s been quite a few high profile cases where people have paid,” Woodward says. “Whereas, if you ask any law enforcement agency, they will say, please don’t pay. You’ll paint a target on your back.”
Some cybercrime groups pledged not to target hospitals during the COVID-19 pandemic, but attacks on health care facilities doubled in the second half of the year. Most health care institutions are unprepared for cyberattacks, and the pandemic could make things worse, Barlow says. “They are financially strapped because of that pandemic,” he says. “You have a perfect storm: ransomware has been hitting America’s hospitals heavily over the last few years, and almost always, they pay. You have a victim here that is weak, and if you attack them, you’ve got a high probability that you’re going to get paid.”
Thankfully, the two major attacks this fall weren’t as devastating as they could have been. The electronic health records at United Health Services weren’t directly affected, and the system was able to get back up and running in a few weeks. The second threat, from UNC1878, was flagged by federal agencies early enough for many hospitals to prepare. Advance warning may have bought many health care centers enough time to harden their defenses by blocking phishing emails associated with the attack and searching their systems for dormant, malicious files. Hundreds of hospitals were at risk, and these actions may have helped most avoid falling victim to the ransomware. They’re not nearly out of the woods, and the attack took down the computer systems of at least 20 facilities already, but the scale of the disruption could have been much larger.
“I hope that what will happen is that people will be prepared, and the warnings will be enough,” Woodward says.
That’s one difference from the WannaCry cyberattack to the NHS. That attack shut down 80 hospitals across the system, forcing them to divert patients and reschedule regular care. The system had some warning, but it didn’t respond quickly enough.
Barlow says that since the warning was posted, he’s spent “all day, every day” in conversations with leadership at various hospitals around the US, helping them make sure they’re ready to ward off attacks. He thinks, so far, facilities taking those steps have been in good shape. Those investments will also help prepare them for the future: even if the current threat fades, he says, others will pop up.
During the pandemic, hospitals will stay a target, Woodward says. “The threat will continue to exist, and the danger will be that people will drop their guard, and they’ll be back,” he says.
For cybersecurity experts, another next step is figuring out why cybercriminals are more aggressively targeting hospitals, with actions that could be deadly. There are dozens of theories floating around, Barlow says but no direct evidence for any of them. “We’re all trying to figure out the same questions you’re asking: Why has the atmosphere changed? And what is their endgame?”