Doctors an Easy Mark for Hospital Cyberattackers

— Fake emails from bosses, messages about COVID, PPE, vaccines: "Doctors have fallen for it multiple times"

MedicalToday
A doctor looks at his computer monitor which reads: YOUR PERSONAL FILES ARE ENCRYPTED

As healthcare systems cope with a surge in COVID-19 patients, they're also dealing with an onslaught of ransomware attacks.

In late October, the FBI and the U.S. Department of Health and Human Services issued an alert that hackers using the "Ryuk" ransomware, , were targeting hospitals during the second COVID-19 surge.

While healthcare systems have worked to strengthen their defenses against such attacks, cybercriminals are still finding a way in, often via healthcare workers who fall for sophisticated spear phishing attacks. These aren't Nigerian prince scams; fraudulent emails are targeted, going so far as to spoof a boss' email address or pretend to share information about COVID-19.

"Both our strongest link and our weakest link are our people," said Rich Temple, chief information officer of the Deborah Heart and Lung Center in New Jersey, who added that phishing attacks their organization have "kicked up with a vengeance" since April.

Attacks Ramping Up in Healthcare

These kinds of strikes on healthcare systems aren't new for a simple reason: the potential payout for hackers if they get inside. Patient files often includes information such as Social Security numbers that can be sold for big money on the dark web.

Hospitals have also typically trailed other sectors, like finance, in fortifying security measures. Healthcare systems spend , compared to 15% in other sectors, according to research from the law firm Bass, Berry and Sims.

"It's the ease of getting to this information as well as the value of the data," said Chris Sherman, security and risk analyst at the consulting firm Forrester.

Ransomware is profitable, too. In a ransomware attack, hackers infect and shut down a hospital's IT system by doing things like making data impossible to read, stymieing communication between employees and shutting down email systems. They then demand a ransom to return things back to normal. Ransomware attacks have cost the U.S. healthcare system , according to a February study by research firm Comparitech.

These kinds of attacks have been on the rise since that report. According to NBC News, , a figure that includes multiple facilities within the same hospital chain.

Stakes Are Rising

Bad actors can cause more problems than just monetary losses. While concerns about attacking patients directly by doing things like or are still only theoretical, shutting down hospitals is real and does real harm.

When University Health Services -- which has 400 facilities in the U.S. and U.K. -- was hit with a suspected Ryuk attack in September, they . Officials told the Wall Street Journal that no patients were harmed, but employees told the Associated Press that their ability to communicate about patients .

During the 2017 " on Britain's National Health Service, "emergency departments were shut down. Patients had to have surgeries stopped mid-procedure and ambulances had to rush these patients to other hospitals," said Ryan Witt, cybersecurity strategy director of healthcare at Proofpoint, a cybersecurity company.

An found no mortality associated with that attack, but a German woman died during a September ransomware event at the Dusseldorf University Clinic. Emergency room patients had to be taken to other hospitals, , delaying her care by an hour.

Caregivers Seen as a Way In

The switch to at least partial virtual care has created potential points of access for criminals, said Sherman. "Just using a personal device that may or may not have out-of-date security, or weak passwords" opens up possible attack vectors. Home Wi-Fi networks and routers may also be less secure than those within a physical healthcare setting, which means it's more likely that criminals can sneak into a healthcare organization's IT infrastructures through work devices attached to those environments.

However, phishing is still a preferred attack. According to the , phishing was involved in 69% of security incidences at hospitals last year. It works, said Witt, because it relies on humans making mistakes, something that's exacerbated by pandemic-related exhaustion.

Today's phishing attacks also work because they're sophisticated. Hackers scrape information from hospital websites and social media platforms to make them personal. They'll often impersonate members of a hospital executive team, and direct their victims to do things they normally wouldn't do if a stranger asked, like clicking on a link that lets ransomware in, or giving up passwords and usernames, or even sending money to a criminal's bank account masquerading as a legitimate vendor or fund.

In a 2019 survey of , Proofpoint found that targeted healthcare companies received 43 imposter emails in the first quarter of 2019, up 300% over the same quarter in 2018. Within affected healthcare companies, 65 people were targeted by spoof email, and 95% of those companies saw emails spoofing their own domains.

Proofpoint found that subject lines of attack emails included "payment," "request," "urgent," and related terms in 55% of all imposter email attacks. In addition, 77% of attacks on healthcare companies used malicious URLs.

Those most likely to be attacked were people with access to critical data or systems, with a publicly available email. Popularity may hurt too, said Witt. "There's a correlation between your overall prowess and your area of specialty and if you're going to be a target," he said.

Hackers shifted during COVID, too. "As the news story evolved, the lures evolved," Witt said. At the outset of the pandemic, criminals pretended to be from groups like the World Health Organization, and asked doctors to click on links about COVID FAQs and protocols.

Attacks then moved to PPE, with hackers pretending to be vendors selling things like face masks and shields, and asking victims to approve purchase orders. Later, emails turned to being about stimulus funding. Fake vaccine trial emails have been constant throughout.

"We're seeing that attackers are getting more sophisticated and more devious," said Temple, regarding what his organization has seen in the last year. "That means impersonating leaders and sending orders to do this and do that."

He said their best line of defense is educating employees, which includes raising awareness about what bad emails look like but also running fake phishing campaigns, where they phish their own employees.

"You see if people click on things they shouldn't, and take it one step further to see if they reveal their username and password," he said. "We know who those people are and need a little extra attention."

This is a common practice. That same HIMSS Cybersecurity Survey found that 82% of healthcare organizations run fake phishing campaigns. They also found that 40% of organizations said they have click rates lower than 10%, which they call "a significant, positive achievement."

While Temple wouldn't share how many employees were tricked by fake phishes, he did say that "it's people in all different ranks in the organization who fall for it, not just entry-level people. Doctors have fallen for it multiple times."

They will let employees know they fell for the fake email, and contact their managers, too. He knows that sounds harsh, but "it's so dangerous. Out staff are our last line of defense from what can be a catastrophe."