Do No Harm - Matthew Webster
Ransomware
Ransomware is essentially software that prevents systems from running. Criminals require that the owners pay to regain access to their own systems. Imagine you had pictures of your family on your home computer and you could no longer access them unless you paid a fee. Now imagine critical medical systems rendered inoperable instead of family pictures. To make matters worse, once attackers are inside systems, they often leave behind a way to gain access to them over and over again, meaning those systems are more susceptible to future attacks. This trend has only increased in the time of COVID. Obviously, the attackers do not care enough about the lives of others to refrain from the attacks.
Ransomware has been evolving tremendously over the last few years, and the number of ransom demands has gone up significantly from a few years ago. In 2019 alone, 764 healthcare providers in the United States were hit with ransomware.2 One might be tempted to think that the attackers would not go after hospitals in a time of global pandemic, but while this is the case for some attackers, the reality is that ransomware attacks are on the rise since COVID-19 hit.3 What is worse is that while ransom demands used to be a few hundred dollars, now they are growing and are often more than a million dollars. With so much to gain, it is no wonder that ransomware demands are on the rise. Clearly, hospitals have a great deal of risk related to ransomware.
The effect that ransomware has had on hospitals is crippling. The attackers are well aware that COVID-19 has severely stretched the resources at hospitals. They know that this is a life-and-death situation, which makes hospitals even more likely to pay the ransom,4 especially the smaller hospitals that may not have as mature an IT and/or security program in place to protect their environments from the ravages of ransomware.5 Essentially, they are easier targets. Sadly, even larger, more mature organizations are susceptible to ransomware attacks, but can sometimes respond to them more effectively.
September 10, 2020, unfortunately marks a grim milestone for ransomware: the first indirect death. A patient was rerouted from Duesseldorf University Hospital in Germany as 30 of its internal servers were hit with ransomware. As a result of the subsequent delay in getting the much-needed medical treatment, the patient died.6 This particular attack was aimed at Heinrich Heine University and mistakenly hit the hospital because it is part of the same network. In this case, the perpetrators provided the keys to decrypt the systems and withdrew their extortion demands, but despite that, the hospital's systems were disrupted for a week.7
That was not the only death associated with ransomware in September 2020, unfortunately. Universal Health Services (UHS) was hit with a massive ransomware attack. UHS is a Fortune 500 company with more than 400 healthcare facilities in the U.S. and the UK. It provides services to more than 3 million patients yearly. In many cases, whole hospitals were shut down and services were rerouted to other hospitals. Because of this rerouting of services, four people died.8 With the frequency of ransomware growing, these kinds of problems will not only continue, but will likely become worse before they get better.
It is important to note that medical devices are not the only avenue for ransomware attacks, but they are, arguably, the most egregious vector due to the gaps in their fundamental security, the inability to patch cybersecurity flaws in some circumstances, and the volume of problems they have, especially in the long run. One report shows that malware against internet-connected devices (not just medical devices) is up 50% from 2019.9 That being said, medical devices are a unique avenue due to the kinds of flaws they have. For example, the range of flaws in today's internet-connected medical devices is staggering. Take medical imaging devices: 70% of the devices are based on retired operating systems or systems that are under limited support.10 The potential for vulnerabilities is extremely high. In many cases internet-connected medical devices run on Windows XP, which is no longer supported. New vulnerabilities continue to be found, many of which allow complete compromise of the whole system. A compromised system brings a whole host of risks, including everything from the system not functioning to data being exfiltrated. Either way, these are risks to both patients and hospitals.
Now let us think about connectivity. Today's world is also much more connected than ever before. Many systems connect back to something referred to as “the cloud.” While I will go into greater depth in later chapters about the cloud, it should be noted here that the cloud aggregates and correlates data in one location. It also comes with a whole new set of risks that adds an extra layer of complexity for IT and cybersecurity teams.
Let's take a ransom in another direction, from a personal perspective. If you had a pacemaker, what would you be willing to pay to save your own life if someone threatened you with turning off the pacemaker? If attackers do not care about the lives of multiple people, they will not care about the life of one person. Attackers typically go for the easiest targets that offer the most reward. If they started targeting the rich who had internet-connected medical implants, that could be a lucrative route going forward. Of course, this is not as lucrative as having a hospital pay a ransom.