Ransomware attacks are causing panic and chaos at overwhelmed hospitals struggling with COVID-19, and it may be about to get worse
- Organizations from the World Health Organization to little clinics across America are being hit with malware that locks up their computer systems.
- As COVID-19 peaks, this could fuel public panic because hospitals may not be able to process patients' paperwork or provide test results.
- New Hampshire Senator Maggie Hassan tells Business Insider that this is an urgent concern, and DHS admits it must do more to help local agencies.
- Hospitals often have no good option in responding to attacks, as ransomware gangs threaten to publicly post documents or extort patients.
As COVID-19 overwhelms healthcare, ransomware - the cybercrime that locks up organizations' computer systems while demanding payment - is increasingly hitting agencies from the World Health Organization to little clinics across America. Experts say that could lead to panic at a key time.
More than 750 healthcare providers were hit with ransomware last year, according to Emsisoft, a New Zealand cybersecurity company offering free help to hospitals hit with ransomware. "We may be looking at a near-perfect storm in which healthcare providers are disrupted at the very time they are needed the most," the company says in a blog post.
The attacks hit the largest and smallest of healthcare facilities. The World Health Organization has been attacked with multiple ransomware attempts, but has been able to deflect them with protective cybersecurity software, the giant medical organization's security chief told The Wall Street Journal this week. At the other end of the spectrum, Wood Ranch Medical, a clinic in Simi Valley, California, closed in December after ransomware damage was significant enough that the little clinic found "we cannot rebuild our medical records."
Ransomware is often unleashed when an employee clicks on a "phishing" link in an email, or downloads an attachment. Malware can then be released into an organization's computer systems that encrypts data, making it inaccessible.
Ransomware gangs offer to provide a software "key" that decrypts the data for a fee paid in cryptocurrency - but the keys sometimes don't work. If organizations turn to law enforcement, the gangs can increase the pressure by publicly posting sensitive data online, or approaching patients mentioned in the data. There is no good option, experts say. And the costs of computer downtime to large organizations can be staggering. Emsisoft says the cost of ransomware last year may have reached $7.5 billion.
Paralysis of hospitals could fuel panic
During a pandemic, the paralysis of a hospital's basic operations could fuel panic, says Allan Liska, a ransomware expert at the cybersecurity research firm Recorded Future. "What gets disrupted is the ability to schedule new cases, handle calls, test results can't get processed." Liska predicts that will have an emotional impact. "The overreaction from the populace will be bad."
Liska notes that LabCorp, one of the large medical companies providing COVID-19 testing, was hit by ransomware two years ago. The North Carolina company reported no loss of data, but struggled for a week to resume full functionality, according to Information Security Media Group. LabCorp did not immediately respond to a request for comment.
The threat of hacks into healthcare is already causing stress. The American Medical Association says half of doctors are "very or extremely concerned about future cyberattacks."
FBI says it can help, but criminals turn up the heat
The FBI says that level of concern is similar to stress crime victims report in previous national emergencies, such as hurricanes or other natural disasters. The bureau has been working to prepare for ransomware attacks on healthcare, says its security chief, Herb Stapleton. "It's really important to report that as soon as possible, so we can do everything in our power to assist that victim, to get help to mitigate that attack. There are ways to assist victims in those situations."
But ransomware gangs threaten organizations, telling them not to go to law enforcement or they will release private information, or even extort patients directly, a tactic seen recently by Protenus, a healthcare analytics company. In a Florida incident last year, Protenus says the hackers also sent ransom demands to a number of the affected patients, which threatened "release of their photos and personal information unless unspecified ransom demands are negotiated and met."
"It is horrible," says Bill Siegel, chief executive of Coveware, a Connecticut cybersecurity company that helps organizations respond to ransomware. "For a hospital ER it can mean life-saving surgery can't be performed because radiology images are not available. For an oncology ward it can mean radiation or chemotherapy treatment can't be administered because proper dosage is not available. Extended downtime means people die."
US senator says more must be done to help hospitals
The threat has the attention of lawmakers and federal agencies. "As the COVID-19 pandemic continues to spread, hospitals across the country are facing enormous challenges as-is, which is why it is more important than ever that they have the support that they need to protect themselves from crippling ransomware attacks," Sen. Maggie Hassan, a New Hampshire Democrat, told Business Insider.
At a hearing earlier this month Hassan told acting secretary of Homeland Security Chad Wolf that "we must do more to protect our state and local partners - and specifically health care facilities - against ransomware."
Wolf agreed that DHS needs to continue outreach to state and local officials to help guard against ransomware attacks, and Hassan said she is persevering. "My office continues to be in close touch with the agency to ensure that it is doing everything that it can to help prevent criminal hackers from upsetting the operational capacity of our hospitals during this critical time," she told Business Insider.
But with no good options when their computer systems are locked up and COVID-19 overwhelming them, healthcare providers may be forced to do the very thing that empowers ransomware gangs: Pay up.
"The answer should always be: 'don't pay,'" says Liska, the ransomware expert for Recorded Future. "But realistically, if you are in the middle of a crisis and it's interrupting patient care, they may pay the ransom every time."