Healthcare cybersecurity


After a fatal incident in the Düsseldorf hospital due to a ransomware attack, Malwarebytes security researchers recommend more prevention and more cybersecurity in the healthcare sector.

The ransomware attack that was carried out in late September 2020 and is believed to have contributed significantly to the death of a woman in hospital dramatically brought the importance of cybersecurity in the healthcare sector into focus. In the following, the security researchers at Malwarebytes analyze the cybersecurity situation at healthcare facilities and give specific advice for more security in this special area.

What happened in the Düsseldorf hospital

At the end of September 2020, the University Hospital of Düsseldorf University was the victim of a ransomware attack. The hospital was forced to stop admitting new patients until the situation was resolved and normal operations could be resumed. Because of the admission freeze, a woman who urgently needed help had to be driven to a hospital in Wuppertal that was much further away. She passed away on arrival there. The extra 30 minutes proved fatal. The ransom demand came from malware of the DoppelPaymer family. According to the security researchers' analysis, it was planted in the organization by exploiting the CVE-2019-19781 vulnerability in Citrix VPNs.

The target was the university, not the hospital

As it turned out, the target of the cyber criminals wasn't even the hospital itself, but the University of Düsseldorf, to which the hospital belongs. When the attackers learned that the hospital had also been hit, they handed over the decryption key free of charge. Despite this key, it took the hospital more than two weeks to achieve a level of functionality sufficient to allow it to re-admit new patients.

This is tragic not only because the woman's life could possibly have been saved if the university hospital had been in operation, but also because it once again shows that one of the most important parts of our public infrastructure lacks adequate defenses against common threats such as ransomware attacks.

Where are the security risks in healthcare?

Malwarebytes security researchers have identified several security risks that make healthcare, and especially hospitals, more vulnerable to cyber threats than many other industries.

  • Internet of Things (IoT): Many medical devices that examine and monitor the patient are connected to the Internet. This group of IoT devices poses a number of security risks, especially when it comes to personally identifiable information (PII). For example, a large number of the devices run on different operating systems and require specific security settings in order to successfully shield them from the outside world.
  • Legacy systems: Medical systems come from different vendors, and each hospital has many different types. Each has its own goal, user guide, and update system. For many legacy systems, the devastating rule of thumb applies that nothing is changed as long as it works. This means that software no longer receives patches or updates, even if there are known problems. The fear of a system failure outweighs the urgency to install the latest patches. And that is exactly the mistake.
  • Lack of adequate backups: Even if a problem is resolved, it takes far too long for an attacked target to be operational again. Healthcare facilities often have no backup plan and may even lack backup devices and servers that keep the most important functions running in the event of a disaster.
  • Additional stress factors: Challenges such as the COVID-19 pandemic, fires or other natural disasters leave healthcare facilities with little time for security measures and push the need for updates, backups or general considerations about cybersecurity into the background. Factors like these often become more important and urgent than cybersecurity measures.

Why is it important to rethink healthcare?

The planned attack on Düsseldorf University fatally hit the attached hospital.

It is certainly difficult to discuss priorities in the health system. Nursing staff and doctors prioritize every day, of course in favor of the most urgent and important patient needs. But IT administration also has to be prioritized. Healthcare facilities should determine which systems require immediate attention and which are less important in emergencies.

Ransomware attacks come with significant costs

Ransomware attacks on healthcare facilities are a global problem. In the United States, UHS hospitals were recently hit by Ryuk ransom demands. It is important not to forget the enormous costs a ransomware attack can cause. There is a tendency to only look at the amount of ransom demanded, but the additional costs involved are often much higher. It takes many man hours to restore all affected systems in an organization and return them to a fully functional state. Recovery time will be less in an organization prepared accordingly. An important task after an attack is to find out how it happened and how the corresponding security gap can be fixed. A thorough investigation is also required to see if the attacker left any backdoors for further cyberattacks.

An emergency plan is essential

There will be no complete cybersecurity in the health sector either. It's about thinking ahead and preparing appropriate plans for dealing with a security problem. Regardless of whether it is a security breach or a cyber attack that paralyzes important parts of the security system, a plan is required. Knowing what to do and the order in which all stakeholders are involved can save a lot of time in disaster recovery.

The Malwarebytes security researchers recommend the following (preventive) measures

  • Prepare recovery plans for various scenarios such as data breaches, ransomware attacks, etc.
  • File backups that are up-to-date and easy to implement should be on hand at all times.
  • Set up backup systems that can quickly take over when critical systems are paralyzed.
  • Introduce preventive measures at different levels, e.g. training for employees to familiarize them with the concrete steps of the emergency plans.

 

More on this in the blog at Malwarebytes.com

 

