Health System Cyber Attacks Put Individuals at Risk

Cyber criminals went on a spree during the pandemic and launched ransomware attacks across many industry sectors, and hospitals and health systems were not spared.

Cyber criminals went on a spree during the pandemic and launched ransomware attacks across many industry sectors, and hospitals and health systems were not spared. Not all attacks, however, have an equal impact on individuals. The Colonial Pipeline attack, for example, caused the company business interruption losses and disrupted gas distribution when it shut down its 5,500-mile pipeline servicing the East Coast, but it had little impact on individuals other than a brief gas shortage caused by a run on the pumps. The healthcare attacks, however, have had a disproportionate impact on individuals.

The newer forms of ransomware being used in these attacks not only encrypt data; they delete data and exfiltrate it. The cyber criminals then demand a ransom payment to get the key to decrypt the data, and they demand an extortion payment in return for a promise that they will delete the data that was exfiltrated and not post or sell it. If the extortion payment is not made, the criminals will often post the data on the internet, sell it on the dark web, and send it to customers.

The healthcare ransomware attacks involved personal medical records, interrupted treatment programs and appointments, and in some instances shut down entire health systems. In a May 20 press release, the Federal Bureau of Investigation issued an alert regarding Conti ransomware attacks targeting U.S. healthcare, emergency medical services, 911 dispatch centers, and law enforcement agencies. More than 400 healthcare entities had been targeted by the gang, with more than 290 of them in the United States.

The FBI alert noted that attacks targeting emergency services “can delay access to real-time digital information,” increasing safety risks to the public relying upon these services. The alert warns that, if the ransom is not paid to get a key to decrypt files, “the stolen data is sold or published to a public site controlled by the Conti actors.” It warns that ransom amounts have been as high as $25 million. In fact, they have been higher. As the media was reporting on Colonial Pipeline’s $4.4 million ransom payment, it also noted that CNA paid a $40 million dollar ransom to get its systems back up and running.

Hospital Association Calls for Action

The day after the FBI alert, the American Hospital Association (AHA) issued a press release noting that both the Conti and Darkside (the ransomware that hit Colonial Pipeline) attacks were “emanating from criminal networks operating from a non-cooperative foreign jurisdiction.” Translated, that means a nation-state is not cooperating with cyber-criminal investigators. Essentially, the country is protecting the criminals. Does that mean these attacks are nation-state sponsored? Perhaps. Or perhaps they have a state patron or are in a state like Russia, which is famous for looking the other way as long as the cyber criminals leave Russian organizations alone.

The AHA press release was really an expression of frustration and a call to action. The AHA stated that it “believes that a ransomware attack on a hospital or health system crosses the line from an economic crime to a threat-to-life crime.” Although the AHA commended the U.S. government’s information sharing efforts, it issued an SOS call when it said, “Relying on victimized organizations to individually defend themselves against these attacks is not the solution to this national strategic threat.” And it summed up the problem neatly in its statement:

The vast majority of these attacks originate from outside the United States, often beyond the reach of U.S. law enforcement, where ransomware gangs are provided safe harbor and allowed to operate with impunity, sometimes with the active assistance of adversarial nations.

The AHA has called upon the U.S. government to “embark upon a coordinated campaign…to disrupt these criminal organizations and seize their illegal proceeds, as was done so effectively during the global fight against terrorism.”

The AHA’s analysis is spot on and comes within days of an attack on Ireland’s Health Service that caused the entire health system to shut down. A similar attack hit Ireland’s Health Service Executive the following day, causing cancelations to outpatient services. The Financial Times reported that a sample of medical and personal data about the Irish patients was released online by the “Conti-Locker Team.” The hackers claim they stole nearly a terabyte of patient data, staff employment and payroll data, and financial statements and reportedly were asking for a $20 million ransom.

Hospitals in New Zealand’s Waikato District Health Board suffered a similar attack in mid-May. The New Zealand Health Board received an email from the hackers containing personal data on patients and staff, but the Health Board decided not to report this to the media and turned the email over to authorities. Holding their ground, the Health Board has reportedly refused to pay the cyber criminals and has moved to manual procedures and asked patients to find alternative treatment for non-life-threatening conditions.

The global attention from law enforcement and media regarding the Colonial Pipeline and health services attacks apparently scared the cyber criminals, at least temporarily. The Darkside ransomware attackers announced they were closing shop, and the BBC reported on May 21 that the Conti criminals handed over the decryption key to the Irish Health Service for free, even though it was accompanied by a threat to post the exfiltrated data if the $20 million payment was not made. The Financial Times reported that the criminals made good on the threat and posted samples of medical and personal data online.

This is a global problem. All computer systems supporting government operations, private enterprise, and civilian life are at the mercy of cyber criminals. And all too often it is the individuals who are left to singlehandedly try to recover their identity and protect their privacy, with little or no assistance from the government. The attacks on health organizations illustrate the domino effect of these attacks on individual lives and the serious consequences they can have.

The hard truth is ransomware will end only when:

• Companies have comprehensive cyber-security programs tailored to counter the current threat environment
• Cyber crime laws are harmonized globally to enable law enforcement to effectively and efficiently investigate cyber crimes
• Governments provide adequate support and assistance to private sector companies under attack.

Cyber-security professionals have called for these actions for two decades. Time has run out. The bad guys are winning, and we can no longer tarry and bumble around on this. Companies have to get their cyber-security act together. Agents and brokers have an important role to play here. They need to work with their clients to ensure they perform cyber risk assessments, understand their vulnerabilities, have an action plan to improve their cyber-security maturity, and present an accurate picture to carriers during the underwriting process. These actions will help ensure that their clients can better protect against such attacks and that, in the event they do suffer a cyber attack, claims get paid.

Buying an insurance policy is not a substitute for cyber-security preparedness, and insurance companies cannot be expected to pay for incidents caused by poor cyber-security practices. Insurance is a transfer of risk, not a transfer of the responsibility to do what is necessary to protect systems, data and overall operations. Agents and brokers can play a valuable role in helping their clients bring together risk managers and IT/cyber-security personnel to share the responsibility of cyber risk management.