April 22, 2022

Hospitals, ORs fear ransomware fallout from Ukraine invasion

Hospitals and health systems know they are attractive targets for cybercriminals. When lives are at stake, and the victims are often insured, ransomware gangs can expect a quick and easy payout. But since the Russian invasion of Ukraine on February 24, hospitals have had to face a new reality: The chance of finding themselves on the front lines of a cyber war.

“We’re in a very critical time,” said Dave Ring, section chief of the FBI Cyber Division outreach section. In a podcast interview with John Riggi, a former FBI official who recently became the first cybersecurity advisor for the American Hospital Association, Ring emphasized the danger posed by Russian operatives in the so-called gray zone, blurring the line between military action, online espionage, and cyber criminality.

“Nation states are using both intelligence and military officers as well as criminal proxies to carry out malicious cyber activities,” Ring said. “We’re very much concerned about potential targeting of the healthcare sector, given the imminent threat it could have on public safety.” Attacks, he warned, could come from ransomware gangs, “either in support of the [Russian] government or taking advantage of an even more permissive operating environment in Russia.”

Gray zone attacks involve unleashing forces, like ransomware gangs, that are not directly controllable by the Kremlin. The recent ContiLeaks dump of internal message traffic from a ransomware gang revealed that some in the organization continued to target healthcare, even after managers in the organization tried to impose a ban.

Martin Fisher

“Frankly this is a scary time, especially in healthcare,” said Martin Fisher, chief information security officer of the Northside Hospital System in the Atlanta, Georgia, metropolitan region. “No one wants to be collateral damage in some cyber war.”

The Biden administration in March called on vital national industries like healthcare to harden their defenses against cyberattacks through the Cybersecurity and Infrastructure Security Agency (CISA) Shields Up! Initiative, citing “emerging Intelligence” that Russian actors might be planning cyber attacks on US critical infrastructure.

And beyond the threat of an actual attack, there is always the danger of collateral damage. In 2017, a Russian cyberweapon called NotPetya, initially targeted at Ukrainian users of a tax preparation program called M.E. Doc, ended up wrecking havoc around the globe. NotPetya cost businesses worldwide as much $10 billion, according to the Trump administration.

According to a US Department of Health and Human Services analysis, there are three possible cyber impacts of the Ukraine conflict that healthcare organizations need to worry about:

• direct cyber attacks

• collateral damage from unintended fallout (eg, the NotPetya incident)

• the impact of successful healthcare cyber attacks on other critical infrastructure, like telecommunication systems or the power grid.

Those responsible for IT security in the surgical suite have to double down on cybersecurity best practices, experts say, and recognize their critical dependence on the IT systems managed by the larger enterprise.

 

The OR is not an island

Joshua Corman

“Because surgeons can operate without IT, there is in some quarters what I regard as the faulty assumption that the OR is not affected by IT issues,” said Joshua Corman, who was, until February, the chief strategist for the CISA COVID Task Force.

“In reality, the OR is not an island. The whole enterprise—all processes in which the OR is embedded—has become increasingly reliant on IT, because modernizing those processes [eg, using electronic health/medical records, or EHR/EMR] is: safer because it reduces the potential for human error; more effective because it reduces friction in the system; and more efficient because it reduces duplicate record keeping,” said Corman.

Corman is the founder of “I am the Cavalry,” a cybersecurity non-profit that was among the early voices raising concerns regarding the insecurity of hospital networks and medical devices.

As an example of the power of technology, Corman points out that a nurse at a modern nursing station is able to effectively monitor a dozen or more patients. What happens when that capability goes away in a ransomware attack?

“Yes, if it has to, the OR can operate, the surgeons can operate, without those modernized IT processes,” said Corman. “But without them, procedures will be less safe, less effective, less efficient. The IT makes us better; its absence makes us worse,” he concluded.

And beyond ransomware, there are scenarios in which IT attacks can directly impact the OR’s work processes, said Corman.

He gave as an example an incident that occurred during a thoracoscopic cardiac surgery, in which fine wires are inserted into the heart to guide tiny implements. “The control system for the guidewire rebooted to perform a software update in the middle of the surgery. The whole surgical team was waiting for several minutes—and I’m sure it felt a lot longer than that—until the system came back online and they were able to resume the surgery.”

In an OR simulation Corman cited, run by emergency medicine physician and renowned hacker Christian Dameff, MD, “hackers changed the record of the patient’s blood type, so when they were given transfusions, their blood started to coagulate. The doctors in the simulation didn’t notice, and almost ‘lost’ their simulated patient.”

Although it was hypothetical, the simulation is important, said Corman, because it shows that, like software, the OR has dependencies—things can go wrong elsewhere that would have significant impacts.

“Again, the OR suite is not an island. It’s dependent on imaging, it’s dependent on EHR/EMR. Without all that, you can still provide care, but it’s like going back 30 years; the standard of care will go down, mortality rates will go up.”

Statistical tools exist to measure excess mortality as a result of exogenous factors like ransomware, noted Corman.

In congressional testimony last year, Dameff, who is medical director of cybersecurity for the University of California San Diego Health System, recommended they be used to develop “standardized metrics of cyberattack severity on hospitals,” so the impact of ransomware attacks could be measured and compared. He also joined calls on Congress to impose “Mandatory reporting of patient safety and care quality outcomes…for severe attacks.”

It seems lawmakers were listening. In March, as part of the FY2022 Omnibus Appropriations funding package signed by the president, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which mandates critical infrastructure owners and operators to report major cyber incidents within 72 hours.

Exactly which companies in the healthcare and other sectors will be subject to the new reporting requirement will not be clear until the rules implementing it are drafted over the next two years. But the burden is likely to be especially significant on smaller owners and operators.

“There are 5,600 hospitals in the US; 85% of them don’t have a single cybersecurity employee,” said Corman.

“In the vast majority of US hospitals, which are medium and small institutions in rural and small-town areas, there is no cybersecurity infrastructure at all,” meaning they cannot even leverage free resources, like a cyber threat intelligence feed, he added. “There’s no one to read it.”

More money not the full answer

For these institutions, throwing more money at the problem may not be the answer, said Corman. “Frankly if they had more money, they’d likely spend it on more nurses or better medical equipment.” That is understandable but not sustainable, he argued. “If you can’t afford to protect it, you can’t afford to connect it,” Corman concluded.

But there is more to it than that, said Northside’s Fisher, whose 40 strong cybersecurity team protects a network used by 27,000 employees across five hospitals every day. “It’s not as simple as ‘If you can’t protect it, don’t connect it,’” said Fisher, “These devices have to be connected to work.”

“An infusion pump might have a 10–15 year lifespan; an X-Ray machine might work for 30 years. They were bought before anyone was even having conversations [about cybersecurity]. I have devices right now that are seven years old, the software might be EOL and they have a decade more in their lifecycle before they can be replaced.”

EOL means “end of life.” Modern software requires constant updating to stay ahead of hackers. Software generally cycles through updates to obsolescence much faster than the hardware it supports, Fisher said, meaning clinical debt might accumulate more quickly than technical debt.

“The fleets of these medical devices are tens of thousands strong. The expense of replacing them [out of cycle] is unimaginable” for a nonprofit healthcare institution. When devices cannot be patched, because their software is EOL for example, they need to be protected in other ways, he said.

Daniel dos Santos

But first, points out Daniel dos Santos of cybersecurity company Forescout, they need to be identified.

“Most large organizations have very little idea what’s actually on their network,” he said, “and that’s a very pronounced issue in healthcare.”

Forescout’s technology analyzes network traffic to identify every device on the network. Hospitals and other healthcare organizations “always stand out as having the most different types of devices, supplied by the largest number of different vendors, all connected to the same network,” dos Santos said.

“That tends to complicate the cybersecurity issue a little bit,” because for example different vendors might have different patching cycles.

Another complicating factor, he added, is that “hospitals, clinics, and other healthcare facilities are a mixture of private and semi-public spaces,” with employees, contractors, vendors, patients, guests, and more occupying the same critical environment, which makes it very difficult to secure. At the same time, there are lots of interactions between patients and IT systems via removable media like flash drives, DVDs, or CD ROMs that may contain medical data like imaging or test results.

“You also have customer portals for billing or scheduling, which are another entrance into the network,” dos Santos said. “And there are connections with insurance systems, patient record systems, and other things that might be in a cloud or in another facility that is part of the same enterprise and is sharing a network.”

“So all of that makes healthcare very challenging to secure,” he concluded. Forescout provides technology that not only identifies all the devices on the network, but can help set policies like network segmentation to keep them secure.

 

Culture is the key to success

Fisher agreed that the job was challenging, especially in the nonprofit world, where healthcare institutions are operating on “razor thin” margins of 2% or less. “You have to have those difficult conversations with leadership,” said Fisher, “There’s a balancing act” when it comes to the allocation of resources.

The key to success, he added, is internal relationships. “You have to have the confidence of the key physicians, the key managers. They have to believe that you’re completely aligned with their goals in regard to patient care.”

And he is. “Our number one goal is not protecting information, our number one goal is patient safety,” said Fisher. The reason is simple, “If patient information is compromised, I send a letter to Mrs Smith saying your [PII] data was compromised, here’s 3 years of credit monitoring. If patient safety is compromised, that letter might be a condolence letter.”

Because in a non-profit, the institutional drivers are metrics reflecting care quality and patient outcomes, security leaders have to frame their objectives around those metrics, too.

“It’s not about getting them on my side, it’s about getting them to realize that I’m on their side. Security leaders need to be healthcare leaders, too. As a security team, it’s vital to think about everything we do, to express everything we do, in the language of patient safety and quality of care.”

Prioritizing patient safety means putting medical devices ahead of record keeping in the list of security concerns, he said.

“If patient safety is my number one goal, then my number one worry is the medical devices: The infusion pumps, the X-ray cameras and CT scanners, the telemetry in the ICU,” Fisher said. The problem that presents is that these devices have decade-plus lifespans that far exceed the viability of the software O/Ss that run them.

Corman believes that patient safety framing is the way forward for healthcare cybersecurity. “I think the hygiene model for cybersecurity is a great one to use in healthcare because everyone understands it. You’d never do surgery without scrubbing in, you shouldn’t run unsupported, unpatched, vulnerable connected technology in support of life and death care delivery. We have to make that kind of association.”

 

— Shaun Waterman is a freelance journalist based in DC covering cybersecurity, space and defense technology, and federal IT.

 

References

An Analysis of the Russia/Ukraine Conflict. US Department of Health and Human Services, Health Sector Cybersecurity Coordination Center. March 17, 2022.

 

Cybersecurity Report: FBI & AHA discuss Russia, Ukraine and Cybersecurity in U.S. Health Care Sector. American Hospital Association. Podcast. March 2022.

 

Desai S, Roberson J, Serafino M, et al. Cyber Incident Reporting Requirements for Critical Infrastructure Sectors Signed into Law. Holland & Knight. March 16, 2022.

 

Fact Sheet: Act Now to Protect Against Potential Cyberattacks. The White House Briefing Room. March 21, 2022.

 

Greenberg A. The Untold Story of NotPetya, the Most Devastating Cyberattack in History. Wired. August 22, 2018.

 

Shields Up. Cybersecurity & Infrastructure Security Agency. 2022.

 

Testimony of Dr. Christian Dameff MD; Stopping Digital Thieves: The Growing Threat of Ransomware. U.S. House of Representatives. July 20, 2021.

 

Waterman S. Inside the Conti leaks rattling the cybercrime underground. README. March 12, 2022.

Live chat by BoldChat