2020 Ryuk Ransomware Alert: Implications, Needs, and Data Breaches
Ransomware Cybersecurity Advisory Alert
On October 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued a Joint Cybersecurity Advisory, Alert AA20-302A, indicating they had credible information related to an increased and imminent cybercrime threat against U.S. hospitals and healthcare providers. The advisory described tactics, techniques, and procedures used by cybercriminals against healthcare targets to infect systems with Ryuk ransomware for financial gain. It warned healthcare providers to take timely and reasonable precautions to protect their networks from these threats. (Detailed PDF version of the Advisory Alert).
Ransomware is a type of malware designed to deny access to a computing system or data (usually via encryption) until a ransom is paid. Ransomware and malware are the main approaches used to expose protected health information.
Ryuk, a very efficient Russian ransomware, is thought to be responsible for one-third of all ransomware attacks in 2020. It is a combination of phishing emails and infected Google documents intended to trick users into believing they are opening a harmless Google document, because the recipient or employer's name is in the subject line or body of the email. However, once the email is opened, it enables the malware to download to the victim’s computer and locks up the system within a matter of hours. Ransomware typically encrypts the data and denies access to it until a ransom is paid. Even if paid, the data is sometimes not released. Hackers may also use other malware, such as Trickbot, BazarLoader, Conti, or BazarBackdoor to distribute phishing campaigns that can lead to a ransomware deployment.
Healthcare organizations know if their general systems shut down, they will have to divert patients to other hospitals, and they do not want to do that. (Last month in Germany, a patient died because of being diverted.) Because of that, they choose to pay the ransom 80-90% of the time. The cybercriminals know this too, so that is why they are being so aggressive.
On October 29, 2020, media outlets reported that on October 26 and 27, six hospitals across the country were hit with the Ryuk ransomware with considerable ferocity. Ryuk targeted entire health systems, including one consisting of hundreds of hospitals, clinics, and facilities. A large system confirmed that its systems had been taken down and said this was the “largest cyberattack ever in (their State)”. The month of October saw a 71% increase in ransomware attacks against U.S. healthcare organizations.
Ryuk caused the shutdown of over a dozen hospital systems. When this occurs, hospitals typically revert to downtime procedures with paper records, but that significantly affects their ability to provide standard patient care. Some hospitals also divert ambulances and postpone elective procedures and services during downtime.
Hackers also attempted to gain access to at least two dozen other hospital systems. Since many hospitals do not report successful attacks, we do not know how many more may have been affected. Things have been quiet since then, but this could be the eye of a storm. The hackers could be changing their infrastructure to allow them to access more organizations.
Federal agencies say they have credible information of additional threats to more U.S. hospitals and healthcare providers. The New York Times reported that Russian hackers have been circulating a list of more than 400 targeted hospitals, 30 of which they claim have already been infected. They have demanded up to $1 million from some hospitals and, in one instance, $5 million in Bitcoins from a large private clinic. Some hospitals have paid the ransom.
Some hospitals and health systems across the U.S. are proactively shutting down their email to prevent an attack, while still keeping their other care systems online.
Hospital and Provider Implications and Needs
The timing of the attacks is troubling. They occurred at the end of October, when everyone was distracted with the presidential election, yet there is no evidence it is related to the election. The hospital attacks occurred at the height of the coronavirus pandemic, when hospitals were overloaded with COVID-19 cases. The attacks targeted the healthcare sector because banks, airlines, and hotels are not fully operational and not as likely to pay a ransom. So hospitals and providers are a perfect target.
One-half of hospital and provider employees are now working remotely. Hackers invest a great deal of time and energy targeting these workers. They see them as low-hanging fruit and weak links in the company defenses, because they often utilize devices, programs, and networks with subpar cybersecurity, e.g., residential routers, unpatched programs, less secure antivirus software and firewalls, and weak or inadequate login profiles. All of these make it easier to deploy the ransomware. However, a well-informed and trained remote worker can be a strong front-line defense for an organization, the same as a hospital-based employee, and a valued and active member of the team.
The cyberattacks will likely continue, because they are successful and the hackers know that 66% of America’s hospitals do not meet cybersecurity standards, making them more vulnerable. Organizations have been trying to find ways to fund the needed changes, but it is always a struggle.
By proactively closing potential security vulnerabilities, organizations establish a more robust defense. And by limiting network access rather than using open-ended login profiles, a hacker cannot seize control of the entire wealth of digital assets, even if they do breach the system.
Hospitals need more security defenses, but they do not have the time, resources, or money to spend on this right now, given the current critical challenges they are facing with the coronavirus pandemic. However, if hospitals get locked down with ransomware, they will not be able to care for the large volume of critically ill COVID-19 patients. The cybercriminals know that too and feel now is the time hospitals will be more willing to pay a ransom. That thinking is repulsive and lacks any compassion for the patients, but cybercriminals only care about one thing – money!
Prevention and Preparedness
Ransomware is largely preventable, but it takes time, resources, and money to invest in making sure the systems have appropriate policies and procedures in place to address threats posed by malicious cyber-attacks, e.g., automated nightly back-up routines, preventive tools, procedures for applying patches and updates, security policies, user agreements and business continuity plans. Security principles and techniques should be reviewed, as well as cybersecurity risks and vulnerabilities. The information technology team is responsible for seeing that these are reviewed and completed.
The clinical management team needs to ensure that the staff is aware of and educated about what could happen and how to prevent it. Staff education should focus on how phishing and ransomware attacks are delivered and how they can be averted. Logins and passwords should be changed, and two-factor authentication should be implemented. Employees should know who to contact if they see suspicious activity or believe they have been a victim of a cyberattack. These actions will ensure that established mitigation strategies can be employed quickly and efficiently.
“Test” emails should also be sent to employees to see if they know which ones can be opened safely and which ones should not be opened. No one wants to be “the person” who opens up the Google Document that locks down the entire hospital system!
[NOTE: Read this previous newsletter article entitled Avoid the Phish! How to Recognize a Phishing Attack and Avert It! It contains detailed information and tips on how to recognize and avoid phishing attacks. It could be used for a staff in-service.]
Downtime policies, procedures, and processes should also be reviewed and updated. Documentation logs, checklists, and forms should be reviewed closely to make sure they are all updated and that enough hard copies are available in case they are needed quickly. A review of the downtime procedures should be provided as an in-service for the staff to ensure that they know how to continue to care for patients without the electronic and automated systems they are used to. Most of the staff is not old enough to know what it is like to work without these systems. They have never had to work that way, so practicing how to document and perform procedures without automated or electronic systems is essential. These things have to be discussed and practiced before, not after a system gets locked down.
Digital Data Production and Data Breach Statistics
Political organizations, national security agencies, businesses, financial and educational institutions, social networks, governmental agencies, and healthcare organizations have always been at risk for hacking and data breaches, but the risks continue to increase as the amount of digital data increases.
In 2012, the Computer Science Corporation predicted that by 2020 data production would be 44 times what it was in 2009 (a 4,300% increase) – about 40 trillion gigabytes of data (40 zettabytes). However, 90% of the data was generated between 2013 and 2015 alone, meaning that only 10% of all data had been generated in all of history before then. We met, and exceeded, the 2020 prediction in 2019 – reaching 41 zettabytes. By the time we finish 2020 our data production is expected to be 51 zettabytes, and 175 zettabytes by 2025. Think about that for a moment! That’s 51 and 175 trillion gigabytes! How is that even possible? And as we continue to be even more dependent on electronics, the internet, artificial intelligence, the Internet of Things, streaming, data programs, etc., the amount of digital data will continue to grow exponentially.
While this technology and data has changed our lives immensely, it has also created concerns about how to keep the data secure and private, especially the data related to sensitive personal, financial and healthcare information. By the early 2000s, because data management and privacy had become such a big issue, HIPAA regulations were enacted to create guidelines for the handling, storage, and protection of sensitive protected health information (PHI) and financial regulations were created by the payment card industry (PCI) for safeguarding payment and financial data.
There are various organizations that track data breaches. Their statistics vary due to the type of data they receive and their goals for reporting. Reporting is typically done by sectors or categories of like-organizations or businesses. For example, the Privacy Rights Clearing House (PRC), a non-profit organization committed to protecting privacy by educating and empowering individuals and advocating for positive change, has seven sectors: Educational Organizations; Businesses-Financial; Businesses-Other; Business-Retail; Healthcare Service Providers; Government and Defense Institutes; and Non-Governmental Organizations.
The PRC began tracking data breaches reported in the U.S. by government agencies or verifiable sources in 2005. This searchable database is available for everyone to use for research purposes. It is sortable by organization, type of breach, and year and can also be downloaded as a CSV file. PRC’s database shows 4,343 reported healthcare breaches in the U.S. from 2005 through October 2019, exposing 249,095,808 records. Reporting to PRC is voluntary, so the database does not capture all breaches and is not a comprehensive compilation; the actual number of breaches and total records affected is obviously higher.
The following statistics from the Healthcare Data Breaches Study: Insights and Implications provide a good overview of data breaches in the U.S. from 2005 – 2019:
- Total number of breached records exposed: more than 10 billion in the past 15 years
- Total healthcare records affected in 2019: 41.2 million from 505 data breaches
- The average healthcare breach involved 25,575 records
- Total number of individuals affected by all data breaches: 249.09 million, with 157.40 million (63.19%) of those affected in just the last five years
- Healthcare breaches are the highest among the seven sectors
  - Accounted for 61.55% of all breaches; Education was the next highest at only 10.55%
  - Five sectors have decreased breaches over the last five years, while healthcare has increased by 15.04% to 76.59%; Financial only increased from 6.45% to 9.36%
- The average cost of a U.S. data breach was much higher compared to other countries ($15 million in the U.S. versus $8.19 million worldwide)
- Healthcare data breaches were far more costly than other data breaches:
  - Healthcare breaches accounted for $4 Billion in losses
  - The average breach in 2019 was $6.45 million versus $3.92 million for other sectors
  - The average cost per record in a healthcare breach increased 45.91% from 2005-2019 ($294 to $429), while the average cost for all breaches was $150
- Healthcare data is highly susceptible and targeted most frequently by hacking attacks
- Healthcare and financial sectors had the most breaches; Healthcare was usually the highest and accounted for 25-30% of all breaches
- Phishing, malware, and/or ransomware were the key types of attacks using Email and network servers
- Almost one in four Americans has had their medical information compromised
- Hacking attacks were responsible for exposing the records of 161.05 million individuals from 2005 - 2019, which accounted for 64.65% of all breaches
- Hacking in the past 5 years increased from 64.65% to 92.59%, an increase of 27.94%
- Hacking incidents exposed more than 92% of records in the last five years
- Hacking increased by 73.4% from 2018-2019, mostly related to Email and network server attacks
It is obvious that even though a lot of time and effort has been spent on trying to maintain confidentiality and data privacy, the number and size of healthcare breaches continue to rise. This is a serious concern, especially in healthcare, because tampering with the data can lead to poor patient outcomes or fatalities.
Hackers have identified that this data is valuable, because it combines personal, financial and medical information. It is worth roughly 50 times more than credit card or Social Security data, since it can be used for Medicare fraud – the most profitable type of identity theft. So hackers are finding various ways to gain access to systems to review and steal the data. The number of data breaches has increased drastically over the past few years as the volume of data has increased.
Conclusion
While the information technology team may be responsible for managing the overall cybersecurity of an organization, each of us has an individual responsibility to be aware of cybersecurity, how it impacts healthcare and the privacy of our patients, and what procedures we need to follow to ensure safe security practices. While nurses may not have an in-depth understanding of the intricacies of cybersecurity, it is important for us to understand the evolving role of cybersecurity in healthcare today and how that affects our role. Threats like these are becoming more sophisticated, while organizations struggle to prioritize and implement more effective security requirements. Unfortunately, the threats usually evolve more quickly than the security measures, so organizations are striving to ensure that their measures are dynamic, up-to-date, and include commonly accepted practices.
Over the last 20 years, as computer systems and the internet have become an ever-increasing integrated part of healthcare, the need for protecting patient information has become much more complex. It used to be rather easy, since records and reports were in hard copies and contained in the patient’s chart, which was in a protected area in the physician’s office, hospital, or healthcare facility, and only accessible by a limited number of people. Things are very different now. The number of people who have access to patient information is much larger. The information can be sent to multiple people by email, fax, or text, and it can be accessed by multiple people from computers, laptops, mobile devices, and smartphones. It can also be stored in numerous places, such as laptops, mobile devices, network drives, CDs, DVDs, thumb drives, and smartphones. While we have security procedures to limit access to only those who have a need to know, ensuring the privacy of patient information is a huge challenge.
Given widespread cyberattacks such as these, the cost of breaches, the business disruption, and the effect on patients, what can we do to stop them? General Michael Hayden, former Director of the National Security Agency (NSA), said “Cybercrime isn’t going away any time soon. It’s not a war with a defined end — it’s an ongoing, rigorous grind that requires diligence, care, and expertise.”
While there may be no way to eliminate cyberattacks, the risk of cyberattacks can be significantly reduced if organizations: are diligent about continually reassessing their HIPAA-compliant infrastructure; implement HIPAA-compliant guidelines and best practices; and continually educate and monitor the employees’ role in cybersecurity.
Hackers are becoming more aggressive and are able to continually adjust their infrastructure to capitalize on small cracks in security. Healthcare organizations have a challenging uphill battle to modernize systems and reduce risks to prevent attacks, but it can be done. We have had almost 15 years of data breach research, which has increased our knowledge of the causes, how to identify potential problems, and what needs to be done to reduce or avert risks. Organizations need to ensure that IT teams are provided with dedicated staff that has the resources, time, and money to develop, maintain, monitor, and enforce stringent cybersecurity policies and practices. Employee education is also a critical aspect of reducing risk. Continuous education of all system users needs to be done, so they are aware of their responsibilities in maintaining cybersecurity.
Remember, anyone can be targeted almost anywhere online, so you need to keep an eye out for “phishy” schemes. I’m sure you don’t want to be “the person” responsible for allowing malware, a virus, spyware, or ransomware to gain access to your organization’s computer system, or worse yet, “the person” responsible for a data breach that results in fines for the organization because of a phishing attack.
Additional Ransomware Resources
2020 Incident Response & Data Breach Report – A report by The Crypsis Group conducted in 2019 that provides an assessment of today’s cybersecurity threats and the countermeasures companies can employ to better protect themselves. It covers ransomware, business email and payment card breaches, nation-state attacks, inadvertent data disclosure incidents, and insider threat investigations. The intent is to offer rich, deep insights into real-world cybersecurity risks and, importantly, provide practical advice on how organizations can protect themselves.
Ransomware Hostage Rescue Manual – This manual is packed with actionable info that you need to prevent infections, and what to do when you are hit with ransomware. You will also receive a ransomware attack response checklist and ransomware prevention checklist.
The Healthcare Factbook: For Cyber Security Professionals – A comprehensive and authoritative review of current healthcare IT practices, cyber preparedness, and statistics. This factbook should give hospital administrators a good sense of where they stand and how they stack up in the industry on matters of technology investment and cyber preparedness. More important still, we trust this will provide administrators with specific steps to take to shore up their security posture.
The State of Ransomware 2020 – A free 7-Day ransomware assessment and a review of ransomware attacks that have occurred in 2020.
Pat Stricker, RN, MEd
Former Senior Vice President
TCS Healthcare Technologies