What happened?

A few weeks ago, the university hospital Uniklinikum in the German city of Düsseldorf suffered a ransomware attack. The hospital decided not to admit new patients until it resolved the situation and restored normal operations. Because of the admissions stop, a woman in need of immediate help had to be driven to the hospital of Wuppertal which is about 20 miles further. Unfortunately, she died upon arrival. The extra 30 minutes it took to get her to the next hospital turned out to be fatal. As it turned out, the target of the ransomware gang was not even the hospital, but the university the hospital belongs to. When the attackers learned that the hospital had fallen victim as well, they handed over the decryption key for free. Despite that key, it took the hospital more than two weeks to reach a level of operability that allowed them to take on new patients. This is not only tragic because the woman might have been saved if the university hospital had been operational, but also because it demonstrates once more how one of the most important parts of our infrastructure is lacking adequate defenses against prevalent threats likes ransomware.

What are the main problems facing healthcare security?

In the past we have identified several elements that make the healthcare industry, and hospitals in particular, more vulnerable to cyberthreats than many other verticals. Here are some of those problem elements:

  • The Internet of Things (IoT): Due to their nature and method of use, you will find a lot of IoT devices in hospitals that all run on different operating systems and require specific security settings in order to shield them from the outside world.
  • Legacy systems: Quite often, older equipment will not run properly under newer operating systems which results in several systems that are running on an outdated OS and even on software that has reached the end-of-life point. This means that the software will no longer receive patches or updates even when there are known issues.
  • Lack of adequate backups: Even when the underlying problem has been resolved, it can take far too long for an attacked target to get back to an operational state. Institutes need to at least have a backup plan and maybe even backup equipment and servers for the most vital functions so they can keep them running when disaster strikes.
  • Extra stressors: Additional issues like COVID-19, fires, and other natural disasters can cut time and push aside the need to perform updates, make backups, or think about anything cybersecurity related. These stressors and other reasons are often referred to as “we have more important things to do.”

IoT security risks

Many medical devices that investigate and monitor the patient are connected to the internet. We consider them to be part of the Internet of Things (IoT). This group of devices comes with its own set of security risks, especially when it comes to personally identifiable information (PII).In every case it is advisable to investigate whether the devices’ settings allow to approach it over the intranet instead of the internet. If possible, that makes it easier to shield the device from unauthorized access and keep the sensitive data inside the security perimeter.

Legacy systems

Medical systems come from various suppliers and in any hospital you will find many different types. Each with their own goal, user guide, and updating regime. For many legacy systems, the acting rule of thumb will be not to tinker with it if it works. The fear of a system failure outweighs the urgency to install the latest patches. And we can relate to that state of mind except when applied to security updates on a connected system.

Disaster stress

Okay, here comes our umpteenth mention of COVID-19—I know, but it is a factor that we can’t ignore. The recent global pandemic contributes to the lack of time that IT staff at many healthcare organizations feel they have. The same is true for many other disasters that require emergency solutions to be set up. In some cases, entire specialized clinics were built to deal with COVID-19 victims, and to replace lost capacity in other disasters like wildfires and earth slides.

More important matters at hand?

It’s difficult to overstate the importance of “triage” in the healthcare system. Healthcare professionals like nurses and doctors likely practice it every day, prioritizing the most critical patient needs on a second-by-second basis. It should serve as no surprise that triaging has a place in IT administration, too. Healthcare facilities should determine which systems require immediate attention and which systems can wait. Interestingly, the CISO of the hospital which suffered from the ransomware attack was accused of negligence in some German media. Law enforcement in Germany is moving forward with both trying to identify the individuals behind the ransomware attack, as well as potentially charging them with negligent manslaughter because of the woman’s death. While we can hardly blame the CISO for the woman’s death, there may come a time when inadequate security and its results may carry punishment for those responsible.

Ransomware in particular

The ransomware at play in the German case was identified as DoppelPaymer and it was determined to be planted inside the organization using the CVE-2019-19781 vulnerability in Citrix VPNs.In more recent news, we learned that UHS hospitals in the US were hit by Ryuk ransomware. It’s also important to remember that the costs of a ransomware attack are often underestimated. People tend to look only at the actual ransom amount demanded, but the additional costs are often much higher than that. It takes many people-hours to restore all the affected systems in an organization and return to a fully operational state. The time to recover will be lower in an organization that comes prepared. Having a restoration plan and adequate backups that are easy to deploy can streamline the process of getting back in business. Another important task is to figure out how it happened and how to plug the hole, so it won’t happen again. Also, a thorough investigation may be necessary to check whether the attacker did not leave any backdoors behind.

There’s a problem for every solution

Security will probably never reach a watertight quality, so besides making our infrastructure, especially the vital parts of it, as secure as possible, we also need to think ahead and make plans to deal with a breach. Whether it’s a data breach or an attack that cripples important parts of our systems, we want to be prepared. Knowing what to do—and in what order—can save a lot of time in disaster recovery. Having the tools and backups at hand is the second step in limiting the damages and help with a speedy recovery. To sum it up, you are going to need:

  • Recovery plans for different scenarios: data breaches, ransomware attacks, you name it
  • File backups that are recent and easy to deploy or another type of rollback method
  • Backup systems that can take over when critical systems are crippled
  • Training for those involved, or at least an opportunity to familiarize them with the steps of the recovery plans

And last but not least, don’t forget to focus on prevention. The best thing about a recovery plan is when you never need it. Stay safe, everyone!