Posted: 21 Feb. 2023

Ransomware attacks are surging…are hospitals ready?

By Jimmy Joseph, Advisory managing director, Deloitte & Touche LLP

The digital transformation that has been taking place over the past decade made it possible for hospitals to move away from paper files and improve care and efficiencies. It may have also created a larger attack surface for cyberattacks. The threat from ransomware can sometimes be overlooked, and that can put health systems at risk.

Here are a few headlines I have seen in just the past two months: “Hackers accessed data on 270,000 patients from Louisiana hospital system” [1]; “Cyberattack Hits Brooklyn Hospitals That Serve Poor New Yorkers” [2]; and “Russian cyber gang Killnet brings down websites of 14 top US hospitals and universities” [3]. Although some attacks make the news, many don’t.

On January 12, the US Department of Health and Human Services’ Office of Information Security (HHS/OIS) issued an advisory [4] about BlackCat and Royal—two relatively new, highly sophisticated cyberthreats that seem to be targeting the health sector. Another potential threat, dubbed Clop, creates files that look like medical documents and then sends them to health care facilities in hopes that an employee will open the infected documents. Once that happens, the ransomware may seek out data and encrypt it. The data is then typically held hostage until a ransom is paid for the decryption key. Growth in virtual health, which was accelerated by the COVID-19 pandemic, helped to create an environment in which such attacks may have a greater chance of succeeding, according to a January 4 alert from HHS/OIS. [5]

While cyberthreats may be on the rise, there have been some solid wins against ransomware attacks. Some large/mature organizations seem to be investing in capabilities to detect such attacks early and often. This strategy can help to make their business and operations more resilient and help make it easier to recover/restore operations even if they get attacked. In addition, regulators and law enforcement appear to be ramping up efforts to thwart ransomware attacks. On January 26, the US Justice Department announced that it had disrupted a cybercriminal group responsible for worldwide ransomware attacks. [6]

Ransomware attacks have become almost routine

About 90% of my time is spent working with hospital and health system clients to help them prevent and respond to ransomware and other cybersecurity threats. Ransomware attacks feel like they have become almost routine and are usually detected early enough that countermeasures can be implemented. But any computer or unsecured internet-connected device could be like an unlocked door for someone with criminal intent. Sometimes an employee will click on a link and a combination of safeguards will fail. Along with possibly having to pay a ransom to get systems back online, the health system might also face public relations challenges, which could become a larger trust issue (see Five actions C-suite leaders can take to protect digital trust in their organization).

A health system might have thousands of servers and desktop computers that could be rendered inoperable after an attack. Ransomware might take control of servers that control electronic medical records and employee information. Systems that store patient charts or that generate claims could also be rendered useless. When a system goes down, nurses might not be able to access patient charts or check patients in. Doctors might not be able to prescribe medications, and patients might have to wait longer to be discharged. It can quickly cripple an entire health system.

Why might some health care organizations be vulnerable to attack? As my colleague Tina Wheeler noted in her recent 2023 Outlook, some hospitals and health systems may be under tremendous financial pressure. This could be particularly true for not-for-profit organizations—which often have razor-thin margins and historically might not have invested enough in updating technology and controls. For example, some critical cyber controls (e.g., strong passwords/multifactor authentication, up-to-date anti-phishing tools, reliable backups, rigorous patch and vulnerability-management processes, and playbooks to detect and respond to attacks) are still only a goal for some health care systems.

Five strategies to help protect against ransomware attacks

Ransomware and cyberattacks on hospitals and health systems may be surging. They can affect any organization but could be particularly devastating for health systems and their patients. Here are five strategies hospitals and health systems may consider to help protect against ransomware attacks:

  1. Map out the most critical systems and assets: Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) could identify the assets (software, hardware, OT, process, people) that may be the most critical to the organization’s mission-critical operations. At a minimum, they could implement basic cyber hygiene (password complexity, rotation, backups, patch and vulnerability management, robust threat-monitoring) for this manageable universe of assets. These minimal steps could help minimize the damage if an attack happens.
  2. Prevent compromised information technology (IT) from spreading to operational technology (OT): CISOs and CIOs could create a physical and logical separation of networks and data for different organizational units between IT and OT. The idea is to help protect mission-critical patient care systems from being rendered useless even if corporate IT systems become infected. While an infected IT system is not an ideal situation, it may be preferable to shutting down entirely.
  3. Prioritize adoption of ‘Zero Trust’: Zero Trust is a new security paradigm where an organization commits to “never trust, always verify” as it relates to access. Staff may consider instituting systemwide safeguards by resisting trust for every transaction or action—even if they are recurrent or internal activities.
  4. Pursue strategic initiatives for future resilience: CISOs and CIOs could review Business Continuity (BC) and Disaster Recovery (DR) processes for single points of failure (technical and human) in order to help support rapid response to an attack. Hire skilled cybersecurity leaders and staff that can provide a good balance of business acumen and the technical experience to help respond to an attack or threat. 
  5. Proactively plan for a crisis: CISOs and CIOs should regularly perform cyber-simulation exercises to test incident response readiness and to help prepare for future disruptions. This may include crisis-management scenarios—with an emphasis on patient safety, internal and external communications, and quickly restoring the mission-critical operations.

Conclusion

Ransomware groups seem to be increasingly targeting hospitals and health systems. [7] In addition, cyberattacks against pharmaceutical, medical technology/device, and other life sciences companies have disrupted supply chains, hobbled manufacturing processes, erased years of research, and resulted in hundreds of millions in damages, as my colleague John Lu noted in a blog last summer. Over the past couple of years, cyber seems to have gained board-level attention at many hospitals and health systems. It may typically be seen as a business issue and is typically no longer confined to the IT department. CISOs and CIOs should provide board members with information that can help them understand potential threats and how they are being addressed.

Managed Extended Detection and Response Services (MXDR) by Deloitte is a military-grade tool to help detect and thwart ransomware attacks. It combines industry-leading technology with experienced teams to provide a modular set of threat hunting, detection, response and remediation capabilities to clients in delivery models designed to meet both their cybersecurity and business requirements. For organizations looking to expand coverage while optimizing spend, MXDR reduces the strain of recruiting and retaining large, specialized teams in a labor-constrained market.

Endnotes:

1 Hackers accessed data on 270,000 patients from Louisiana hospital system in attempted ransomware attack, CNN, December 28, 2022 

2 Brooklyn Hospital Network Battles a Cyberattack, December 12, 2022

3 Multiple US hospital and medical websites down during ongoing cyberattack, The Daily Mail, January 30, 2023

4 Royal & BlackCat ransomware: The threat to the health sector, HHS Office of Information Security, January 12, 2023

5 Clop Ransomware Analyst Note, HHS Office of Information Security, January 4, 2023

6 Justice Department disrupts group behind thousands of ransomware attacks, Politico, January 26, 2023

7 Increased Cyber Budget Calls for Healthcare to Invest in Digital Identity, Fierce Healthcare, January 30, 2023

This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. 

Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.

Jimmy Joseph

Cyber & Strategic Risk, Managing Director | Deloitte Risk & Financial Advisory

Jimmy Joseph is a managing director within Deloitte & Touche LLP’s Cyber & Strategic Risk practice and leads Deloitte's health care cybersecurity operating portfolio. He has more than 20 years of experience in Cybersecurity and has focused exclusively in health care for the past 10+ years. His experience includes transforming enterprise cybersecurity programs including strategy, architecture, implementation and operate across people, process, governance and technology domains. He is a well-rounded cybersecurity professional with experience in information risk management, data protection, cloud security, security operations, regulatory compliance (NIST-CSF, HIPAA, HITECH, HITRUST, ISO 27002:2005, PCI DSS), and executive/board engagement. Jimmy is a trusted advisor to several senior executives (CIO, CTO, CRO, and CISO) in the health care space.