As the year comes to an end, it only feels natural to reflect upon the 2022 landscape overall regarding cybersecurity and look ahead at what may come in 2023. The year had its ups and downs, and frankly, due to the increase in bad actors there were more downs than ups. The healthcare industry was consistently named a prime target for cyberattacks, which is no surprise due to the nature of the business. Yet, senior leaders at hospitals and health systems kept their chins up and encouraged others to heed their advice when it comes to foundational cybersecurity practices, remaining resilient, practicing proactive strategies vs. reactive, and more.
Things started off in 2022 as heated as ever. On Feb. 23, the American Hospital Association (AHA) published a cybersecurity advisory warning that Russia may use cyberattacks as a form of retaliation due to the economic and military sanctions placed on the country by the U.S. government and NATO allies.
The advisory states that “The AHA is closely monitoring the potential for increased cyber risks to the U.S. health system stemming from the ongoing military operations in the Russia/Ukraine region. The Russian military has previously used cyberattacks against Ukraine to disrupt the electrical grid, communications capabilities and financial institutions. For example, it was reported last week that cyber denial-of-service attacks, attributed to the Russian military, were launched against Ukraine’s Ministry of Defense, as well as its financial institutions.”
That said, “In light of previous attacks and potential threats, the Cybersecurity and Infrastructure Security Agency last week issued a related-and-rare cyber ‘Shields Up’ warning to the U.S. private sector, including healthcare, based upon the increased cyberthreat posed by the Russian government.”
In March, during the HIMSS22 conference in Orlando, Fla., as part of the Healthcare Cybersecurity Forum, a Leadership Panel titled “CISO State of Mind” focused on what to expect in the industry during these turbulent times and set the tone for the year to come. The panel featured speakers Erik Decker, CISO at Intermountain Healthcare; Anahi Santiago, CISO at ChristianaCare; and Vugar Zeynalov, CISO at the Cleveland Clinic. The panel was moderated by Daimon Geopfert, principle of cyber, risks & regulation implementation & operations, PwC.
Geopfert kicked off the panel by asking the speakers, “What’s keeping you up at night?” Zeynalov said that he sleeps like a baby, “waking up every two hours to cry.” He then seriously commented that building resiliency and agility keep him up along with three other areas. “How do we do business to keep up with constantly changing and, often, competing priorities?” he adds. “The second thing is enabling the organization to grow both physically and digitally. And the third area is attracting top talent.”
Decker added that “Selling and evangelizing cybersecurity is a way of the past.” He went on to say that the demands and competing priorities are akin to a car needing to drive faster and, therefore, needing better brakes. When it comes to cybersecurity, when an organization wants to push through better innovation, it needs better cybersecurity.
In April we reported that the Department of Health and Human Services (HHS) issued a warning regarding insider threats when it comes to healthcare and the public health (HPH) sector. “An insider threat in the HPH Sector is potentially a person within a healthcare organization, or a contractor, who has access to assets or inside information concerning the organization's security practices, data, and computer systems,” the warning says. “The person could use this information in a way that negatively impacts the organization.”
The warning adds that, “While most companies invest more money on insider threats with malicious intent, negligent insider threats are more common." According to Ponemon’s ‘2020 Insider Threats Report,’ 61 percent of data breaches involving an insider are primarily unintentional, caused by negligent insiders.
In June, we reported on a global survey of healthcare IT executives that found that 44 percent of healthcare organizations that suffered an attack in the last year took up to a week to recover from the most significant attack, and 25 percent of them took up to one month.
“The State of Ransomware in Healthcare 2022” survey from cybersecurity solutions provider Sophos polled 5,600 IT professionals from 31 countries, including 381 in healthcare. In the survey, 66 percent in healthcare said their organization was hit by ransomware in 2021 compared to 34 percent who responded to the survey the previous year.
Among the report’s other troubling findings are that healthcare organizations are more likely to pay the ransom than those in other fields, with 61 percent of organizations paying the ransom to get encrypted data back. Healthcare organizations that paid the ransom got back only 65 percent of their data in 2021, down from 69 percent in 2020; furthermore, only 2 percent of those that paid the ransom in 2021 got all their data back, down from 8 percent in 2020, the report said.
On July 6, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) issued a joint cybersecurity advisory providing information on Maui ransomware. Maui ransomware has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.
The advisory explains that the FBI has observed and responded to various Maui ransomware incidents at HPH Sector organizations and that North Korean state-sponsored cyber actors used this ransomware in these incidents to encrypt services that are responsible for healthcare services, including electronic health records, diagnostic services, imaging services, and intranet services. The advisory adds that in some cases the incidents disrupted services provided by the HPH Sector organizations for extended periods and the initial access vector(s) for these incidents is not known at this time.
In August we reported that the FBI issued a press release warning those employed in the healthcare industry of scammers that are impersonating law enforcement or government officials in attempts to extort money or steal personally identifiable information (PII).
The release states that “Scammers, as part of a large criminal network, research background information of their intended targets through a medical practice’s website and/or social media and supplement this information with information found on common social media websites such as Facebook, Instagram, LinkedIn, etc., to make themselves appear legitimate.”
Further, “Scammers will often spoof authentic phone numbers and names and use fake credentials of well-known government and law enforcement agencies to notify the intended target they were subpoenaed to provide expert witness testimony in a criminal or civil court case. The healthcare professional is notified since they did not appear in court, they are in violation of the subpoena, have been held in contempt, and an arrest warrant has been issued for them.”
On Sept. 22, we reported that the Health Sector Cybersecurity Coordination Center (HC3) published a threat brief on the Chinese state-sponsored threat actor APT41. Members of APT have been actively tracked since 2012, and APT has been tracked as two separate groups, depending on operation. APT41 has a malicious history of targeting healthcare, as well as several other industries including high-tech and telecommunications, and uses methods like spear phishing, water holes, supply chain attacks, and backdoors.
According to the brief, APT 41 has been active in one or more of 14 countries that includes the U.S. Specifically regarding healthcare, the years the industry was targeted beginning in 2014. In 2014 and 2016 APT 41 was interested in IT and medical device software through supply chain attacks and targeting medical device information. In 2016, a biotech company was targeted for HR data, tax information, acquisition information, and clinical trial data. In 2018, the goals of the campaign were unknown. In 2019, APT 41 targeted a U.S. cancer research facility with malware dubbed “EVILNUGGET” and CVE-2019-3396 was exploited.
In October, we reported that Chicago-based CommonSpirit Health, which has 140 hospitals across 21 states and more than 1,000 facilities, has been experiencing an “IT security issue," as mainstream media outlets have been reporting. Journalists began reporting the incident on Monday, Oct. 3, and updated information categorizes the incident as a ransomware attack. CommonSpirit is the second-largest nonprofit health system in the U.S.
According to an Oct. 6 article by Jessica Lyons Hardcastle in The Register, CommonSpirit had a short statement on its website saying it took some systems offline, including “electronic health record (EHR) and other systems.” As of Oct. 13, the statement was updated saying that “We have been managing a response to a cyberattack that has impacted some of our facilities. Patients continue to receive the highest quality of care, and we are providing relevant updates on the ongoing situation to our patients, employees, and caregivers. Patient care remains our utmost priority and we apologize for any inconvenience this matter has created.”
Healthcare Innovation spoke with cybersecurity expert and former Stanford Children's Health CISO Chad Wilson, to get his perspective on the incident. Wilson says his initial thought is that “It’s a disaster. And an unfortunate one. As a CISO, this is something you don’t want to see happen”
Wilson adds that “A larger organization [like CommonSpirit] has more patients and families to take care of vs. a smaller organization.” He says that an incident like this at a larger organization also impacts more staff (than a smaller organization) that now have to do their jobs without the tools are resources they are accustomed to.
Healthcare Innovation had the pleasure of speaking with Richard Staynings, who teaches postgraduate cybersecurity and health informatics degrees at the University of Denver University College, and is a retained advisor to a number of governments and private companies, as well as the chief security strategist at the New York City-based Cylera, about the year overall and his thoughts for what’s to come in 2023.
Staynings says that “Cybercrime and attacks against healthcare have continued to rise at almost an exponential rate this year. There was a massive increase between 2019 and 2020, and an even bigger increase between 2020 and 2021, and I fully expect that when the 2022 figures come in, they be on that same trajectory, if not worse!”
“We have seen a massive collapse and re-alignment of organized crime groups since the Russian invasion of Ukraine in February. Prior to the war, these groups consisting of perpetrators located right across the Commonwealth of Independent States (CIS) were united predominantly by their use of the Russian language. During the invasion, Ukrainian and other non-Russian members pulled out of many of these Russian led groups, and some even turned on their former gangs exposing their inner most secrets and the identities of leaders. This break up caused a dip in attacks in March and April and was further hampered by many global ISPs cutting off their Internet pipes into Russia and thus their connectivity.”
“Since the onset of war, many of the leaders of these crime gangs, who operate under the eye of the Russian Mafia, who in turn operate with impunity under the oligarchs and ultimately the Kremlin, have quit the profession, scared that Russia will collapse along with Putin’s protective umbrella. Many are worried that they might be identified, caught, and prosecuted. Most have taken their millions and ran, going deep underground. This has left a power vacuum in Russian cyber gangs where the young, fearless, and ruthless have taken over. This has led to reckless attacks including the targeting of healthcare providers. A ‘live today die tomorrow’, ‘get rich quick’ mentality now persists as many of those involved are scared of being conscripted by the Russian Army and being sent off to die in Ukraine. Some of these cybercriminals have even turned their disdain for the Putin dictatorship in cyberattacks against the Kremlin, a very risky proposition indeed.”
“At the same time, the affiliates of many of these ransomware-as-a-service (RaaS) groups have gone rogue, distancing themselves from Russia and from RaaS providers. With re-alignment complete, the gloves have been taken off and affiliates are hunting freely by themselves and are prepared to take much higher risks than previously allowed. Again, this includes the targeting of healthcare and other national critical infrastructure industries.”
“Unsurprisingly this has piqued the attention of the FBI, Homeland Security, and other law enforcement groups and this is one of the reasons behind the recent FBI warning about one of these groups in particular, Daixin, following recent cyberattacks against the second largest US healthcare provider.”
“If we thought that the threat landscape was bad in 2021, 2022 is turning into the wild west with rogue gun slingers on every corner and dead bodies mounting up on every street! For an easy target like healthcare, prospects don’t look good. With its collection of out-of-date weapons, no money to buy new ones, and very small ill-equipped teams, it stands almost no chance defending against an increasingly out-of-control and rabid gang of adversaries.”
“But the Russian and other CIS gangs aren’t the only things that healthcare needs to be concerned about. Increased offensive activity against providers has been seen coming from both China and Iran. With Iran recently appearing to side with Putinist forces. With threats of further sanctions from Europe and the USA and rising internal revolt against the theocratic dictatorship that runs the country, Iranian forces are on the offensive. So too is China, and now that Xi has unchecked power over the CCP and the country for life, it is likely that China’s massive PLA cyber army will launch new offensives against western critical infrastructure providers, as China increasingly uses cyber weaponry against its perceived enemies.”
“Any healthcare CEOs that still have their heads buried in the sand, thinking that a cyberattack is unlikely to impact their hospitals had better find a deep cave in which to hide, because the noise of collapse next year will be omnipresent.”
“We are seeing 2 to 3 ransomware attacks against US healthcare providers each and every day at the moment,” Staynings added. “That is not about to go down any time soon, so long as hospital boards and CEOs keep paying the ransoms. Instead of paying the criminals holding them to extortion, they need to invest properly in security and IT which is totally underfunded, especially if you analyze the risks or compare the healthcare industry with other industries such as financial services. It’s somewhat analogous to crime victims paying protection money to the mafia, while refusing the properly fund the police or the FBI.”
Staynings concludes by saying that “I wish that I had a more positive prediction for 2023 but that would be putting lipstick on a pig.”
“Are we doing a better job today of defending against attacks than we were a few years ago? I'm not sure that we are. I think some health systems have prioritized cybersecurity, but I think most have a long way to go. And that comes back to governance, leadership, and the prioritization of cybersecurity. It's not where it needs to be right now.”
“Nor unfortunately is the level of cyber protection being provided by Homeland Security, the FBI and others. Governments are never quick to act but plainly, expecting small critical access facilities to protect themselves against highly sophisticated nation-state actors and organized crime syndicates is ridiculous. It’s not even analogous to David and Goliath. It’s more akin to a lone Maasai warrior armed with a spear going up against an entire regiment armed with machine guns. The Maasai warrior stands almost no change at all!”