Hospitals brace for more cyberattacks as coronavirus cases rise

Hospitals and health care institutions preparing for a fall wave of coronavirus cases are bracing for more cyberattacks after hackers seeking to take advantage of the pandemic launched several successful attacks this year that severely disrupted patient services.

The attacks have been widespread around the world, hitting health care groups during the worst public health crisis in a century. Experts say the attacks have involved both cyber criminal groups and nation states looking to target COVID-19 research and sow chaos.

“I’ve been describing this as a cyber gold rush, the bad guys of all shapes and sizes recognize that there is an opportunity here,” said Marc Rogers, executive director of cybersecurity at software group Okta who also helps lead the COVID-19 CTI League that tracks cyberattacks against health groups.

The organization is made up of around 1,500 professionals in more than 80 countries from sectors including information technology, telecommunications and law enforcement who have volunteered their time to fight cyberattacks and track threats against health care groups and other critical sectors.

“We see everything from emails that have no payload at all, through to complex new malware that has been specifically compiled to go after that target at that time,” Rogers said.

Hackers have targeted governmental organizations such as the World Health Organization and the Department of Health and Human Services (HHS), as well as specific hospital chains. Other state-sponsored attacks backed by Russia, China and Iran have gone after groups involved in COVID-19 research.

A recent attack on Pennsylvania-based hospital chain Universal Health Services (UHS) temporarily disabled systems in hundreds of hospitals in the U.S., potentially delaying treatment and possibly exposing the data of millions of customers.

Some of the cyber incidents during the pandemic have been deadly, with a ransomware attack on a German hospital in September being linked to a woman’s death after the hospital was forced to turn away emergency patients due to its servers crashing.

André Pienaar, founder of the firm C5 Capital, said that many more deaths attributed to cyber incidents that have gone unreported.

“There are hundreds of cases we have now seen where we can draw a direct line between the cyberattack and deaths,” said Pienaar, whose firm helped form the Cyber Alliance to Defend Our Healthcare, a group of nearly 40 major cybersecurity companies that defend health organizations.

Rogers, who helps lead the CTI League, told The Hill that around 51 percent of cyberattacks targeting health groups and other critical sectors during the pandemic have originated in the U.S. or Europe, but many are part of global campaigns that have infrastructure worldwide, making them difficult to track.

“Majority are groups of organized criminals looking to make money, and second to that is individuals looking to make money,” Rogers said. “The third group, nation states, is actually pretty hard to pin down … their goal is more or less silent, if they compromise a lab and steal intellectual property, they aren’t going to splash it all over the dark web, they are going to take it home.”

The U.S. and allied countries including Canada and the United Kingdom have publicly attributed the targeting of health care groups to Russian and Chinese state-backed hackers, particularly the targeting of organizations involved in vaccine research and development.

The rising number of cyberattacks seven months into the pandemic have sparked an unprecedented level of scrutiny from governmental organizations, law enforcement and the private sector, which have worked in tandem to defend these critical institutions in their hour of need.

Peter Maurer, head of the International Committee of the Red Cross, urged the world to come together to defend against cyberattacks on hospitals, testifying to the United Nations in August that a “broad collaboration among states, as well as between states, the private sector, and academia is essential” to address these threats, according to The Associated Press.

“Nation states who over the course of the pandemic have attacked civilians in other countries or health care workers clearly should be pariahs, these cannot be acceptable behaviors,” Pienaar said. 

He said that if the attacks took place in the context of a conventional war, they would be considered war crimes, noting they have targeted patients in distress and health care personnel.

Authorities at all levels in the U.S. and around the world have taken notice of the attacks.

Experts particularly warn about attacks involving ransomware viruses, which have become an increasing headache for governments and private sector groups. Ransomware involves an attacker gaining access to a system, encrypting it and preventing access, then demanding payment to restore the system.

According to Pienaar, some hospitals have opted to pay hackers in order to more quickly restore critical services during the pandemic, which experts say only emboldens criminals to use the tactic.

“Ransomware will continue to be a sectoral nuisance,” Greg Singleton, the director of HHS’s Health Sector Cybersecurity Coordination Center, said during a virtual appearance at CyberScoop’s CyberTalks conference on Friday.

“As long as they are being able to monetize it, as long as facilities are paying the ransom, actors will continue to go after it, so I expect moving forward, it’s really troubling and unfortunate, but we will see the ransomware continue on.”

Still, hospitals and health care groups themselves are far more zeroed in on the threats posed by hackers than before the pandemic, and overall efforts to address threats have increased significantly.

In the U.S., groups including the Department of the Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI and the nonprofit Health Information Sharing and Analysis Center have mobilized to defend the health care sector, helping prevent potentially much graver attacks.

“We are nearly a year into probably the most major global cyber event we have ever seen, and yet you’re only hearing of a few significant compromises,” Rogers said. “The fact that compromises of organizations like UHS stand out shows that there is a meaningful impact being made by all the different groups working to protect health care.”

Connections made during the pandemic to defend health care systems could also lead to a far stronger cybersecurity posture for the sector after the pandemic has abated, helping to combat threats during future public health crises.

Rogers said he and other leaders of the CTI League were already developing plans to transform the group into a more permanent “fixture” to protect vulnerable critical organizations during crises.

Pienaar said that under his organization’s umbrella, chief information security officers (CISOs) of major hospitals and health care groups would meet with CISOs from smaller hospitals this week as the first of a series of closed-door meetings to help promote “collective defense and stepping up cooperation.”

“This is a long war, it’s not a short war,” he said.