In the Wake of Russian Attacks, How can Healthcare Prepare for a “WannaCry 2”?

April 4, 2022
Cybersecurity expert Richard Staynings analyzes the potential for Russian cybercriminality to ultimately impact U.S. healthcare, and what U.S. health IT leaders must do to prepare

There are growing concerns that an escalation of cyberattacks in the Russia-Ukraine war could spill over to the rest of the world. There is, of course, precedent for this from an earlier Russian attack on Ukraine: in 2017 NotPetya, a Russian-developed wiper, spread to businesses worldwide, wreaking havoc along the way. The concern is that a repeat could hit healthcare and other critical infrastructure industries, resulting in the cancellation or postponement of procedures and the mass inconveniencing of patients as hospitals are forced to “go on divert” and send ambulances elsewhere.

This was the case when WannaCry, ransomware attributed to North Korea, hit many healthcare providers and effectively took down over a third of hospital trusts in the United Kingdom (UK) in 2017. The concern is that we may not have done enough over the past five years to shore up our defenses against another such attack, or one even more devastating.

An elevated cyber threat landscape

The ongoing war in Ukraine continues to make global headline news. However, Russia’s offensive is not limited to threats of nuclear exchanges or the kinetic deployment of its military on foreign soil, nor did it start when Russian tanks rolled across the Ukrainian border. A Russian offensive has been underway since at least 2014, when the Ukrainian people forced out their then president, Viktor Yanukovych, a highly unpopular pro-Kremlin politician close to Vladimir Putin, in the Euromaidan uprising known as the Revolution of Dignity. But the roots of this conflict are about much more than personalities or offending Putin. They are about democracy, the will of the people, spheres of influence, buffer states between Russia and Europe, and perhaps grand ambitions to rebuild Czarist Russia or the Soviet Union: a view in which former Soviet republics are perceived by Putin to be vassal states of modern-day Mother Russia.

In 2014, Russian “Little Green Men” annexed the Ukrainian Crimean Peninsula. Not long after, Russian-speaking separatists in eastern Ukraine declared independence from Ukraine, and an eight-year kinetic war began, with the separatists armed and supplied by Russia. It was during this war that a Russian Buk surface-to-air missile shot down Malaysia Airlines flight MH17, a Boeing 777 en route from Amsterdam to Kuala Lumpur, killing all 298 people on board. According to the Joint Investigation Team, the Buk launcher originated from the 53rd Anti-Aircraft Missile Brigade of the Russian Federation, had been transported from Russia on the day of the crash, was fired from a field in rebel-controlled territory, and was returned to its base in Russia afterwards. Less known to the world was the parallel cyberwar Russia launched against Ukraine, trying to bully the Ukrainian people away from closer ties with Europe and the EU.

Russian cyberattacks over the past decade have targeted all aspects of Ukrainian critical infrastructure industries, resulting in power outages in the depths of winter, hospitals periodically going dark, interruptions to oil and natural gas, frequent ransomware attacks against Ukrainian businesses, and most notoriously the NotPetya attack of 2017.

NotPetya was aimed at Ukrainian businesses: a highly destructive wiper was pushed through the software update mechanism of M.E.Doc, a Ukrainian tax accounting application, in a software supply chain attack. The malware has been widely attributed to the Sandworm group within the GRU, Russia’s military intelligence agency, and was designed to ‘kill’ computers by overwriting the master boot record and encrypting the file system’s master file table so that they could no longer boot. Although it posed as ransomware, it offered no working way to recover the data.

Unfortunately for Russia, NotPetya quickly spread beyond Ukraine’s borders, to Russia itself and elsewhere, to become the most costly and destructive cyberattack to date. It took down many of the world’s largest companies, including the shipping company Maersk, FedEx’s TNT Express, the pharmaceutical giant Merck, and the French building materials group Saint-Gobain, each of which spent hundreds of millions of dollars restoring data and systems the malware had destroyed. The attack wrecked tens of thousands of computers and caused global losses estimated in excess of $10bn USD. Ukraine’s security service pointed at Russian state actors within days; in February 2018 the governments of the Five Eyes intelligence alliance formally and publicly attributed the attack to the Russian military, with the United States, unusually, issuing an official statement accusing Russia of creating and launching it.

“In June 2017, the Russian military launched the most destructive and costly cyberattack in history.” NotPetya “quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber-attack that will be met with international consequences.” (official White House statement, February 15, 2018)

Already known internationally as a safe harbor for cyber criminals, many of whom were considered too powerful to arrest or take down because of their Russian Mafia and organized crime backing, Russia has over the past two decades become an international cyber pariah. Despite this open recognition, Russian authorities have continued to tolerate and encourage cybercrime against western countries, and the United States in particular. Russia-based crime gangs hit critical infrastructure such as Colonial Pipeline with ransomware in 2021, cutting off fuel supplies to much of the US East Coast, while Russian state actors infiltrated numerous US government departments through the 2020 software supply chain attack on SolarWinds Orion, an almost ubiquitous network management product used by major businesses and federal agencies.

But the Russian state has been using cyber weapons for decades. Russia’s wars against the Chechen Republic of Ichkeria, the First Chechen War of 1994 to 1996 and the Second Chechen War of 1999 to 2009, saw cyberattacks used alongside the military incursion into the republic.

In 2007 the Kremlin is believed to have launched a massive botnet-driven denial-of-service attack against hundreds of Estonian websites after the Estonian government decided to relocate a Soviet-era war memorial from the center of the capital, Tallinn. It was accompanied by Kremlin-backed protests among the Russian diaspora transplanted to Estonia during Soviet times.

In 2008 the Russian government’s links to politically motivated cyberattacks became more apparent, this time against Georgia, where the cyberattacks accompanied a Russian military invasion of the country: as the military advanced on a city, cyberattacks preceded the advance. The 2008 Georgian war was perhaps the first real hybrid war, in which conventional military and cyber forces were combined. To this day Russian military forces still control South Ossetia and Abkhazia, occupied parts of Georgia.

Russia has used cyberwarfare to shore up Russian hegemony across international boundaries and ethnicities. The Kremlin considers cyber a powerful weapon of grey-zone warfare with which to bully, intimidate, and weaken its opponents. Russia has also been accused of using a cyberattack to over-pressurize the Baku-Tbilisi-Ceyhan oil pipeline in Turkey in 2008, causing an explosion that took it out of service, seemingly to maintain its neighbors’ reliance upon Russian oil. A cyber-kinetic attack on critical infrastructure of this kind is most worrying and is cause for alarm.

A few hours before Russian tanks began rolling into Ukraine, Microsoft raised the alarm about a never-before-seen piece of “wiper” malware, which it named FoxBlade, aimed at the country’s government ministries and financial institutions. ESET Research, a Slovakia-based cybersecurity company, reported the same new wiper, which it called HermeticWiper because its code was signed with a certificate issued to a company named Hermetica Digital; the malware renders computers inoperable by corrupting the master boot record and partition tables so that they can no longer boot. Symantec’s threat intelligence team said the malware had also affected Ukrainian government contractors in Latvia and Lithuania and a financial institution in Ukraine. As part of its offensive against Ukraine, Russia combined military and cyber weapons in a multi-front hybrid war. Cyberattacks against critical infrastructure are now being used as part of the softening-up process, the role played in earlier wars by massive bombing raids or naval bombardment before troops were sent ashore.

However, in response to the cyberattacks, Ukraine unleashed its own cyber warriors, who were quickly joined by others from the international community, most notably Anonymous. Various Russian systems, Kremlin systems in particular, were quickly reported to be down as both sides went head-to-head from their keyboards. Russia has reported attacks originating from all across the world and has threatened to escalate further. It claims to have been attacked from IP addresses assigned to various US government agencies, which is highly doubtful given that those networks are reportedly geo-blocked to traffic to and from Russia, and given that a source address is trivially spoofed in any case. This suggests that the Kremlin is spoiling for a fight with the USA, dangerous in the extreme, and is perhaps a lesson in the brinkmanship Putin is willing to engage in to dissuade the west from closer involvement in this war. He has become the ultimate gambler in a high-stakes game of global peace.

So could we be on the cusp of the world’s first full-scale cyberwar? As tit-for-tat cyberattacks escalate and more critical Russian IT systems go down, the Kremlin could be tempted to launch devastating attacks against those it perceives as its enemies, in this case much of the liberal democratic western world. While the United States and Great Britain may be priority targets, Putin would risk retaliatory strikes equally devastating to Russia. Far more likely are major cyber campaigns against Ukraine’s weaker neighbors, such as Poland, Czechia, Hungary, and Romania, which Russia regards as wayward vassal states to be taught a lesson and brought back under Russian control.

Could another cyberattack similar to WannaCry take down U.S. healthcare providers?

The global WannaCry ransomware attack in 2017 was devastating to the British NHS and many of its hospitals and clinics. It made critical healthcare IT and IoT systems unavailable to caregivers, leaving hospitals unable to treat patients and forcing the diversion of emergency ambulances, the postponement of scheduled procedures, and the inconveniencing of the general public. It was also a major patient safety scare: people in need of medical intervention were in many cases denied immediate treatment.

When the dust finally settled, investigation found that a large proportion of IT and IoT systems across the NHS were end-of-life and needed replacing, while other systems had not been patched with critical security updates in line with the recommendations of Microsoft and other vendors (the update that closed the SMBv1 flaw WannaCry exploited had been available for two months). The British government intervened, making new money available for equipment replacement, while NHS trusts and NHS Digital put in place improved practices around patching of IT systems and security in general. But addressing the security vulnerabilities in highly regulated IoT equipment like medical devices was, and still is, another matter.

Medical and other healthcare IoT (HIoT) devices comprise systems that are used to diagnose, monitor, manage, and treat patients. They are more often than not connected directly to the patient on one side and to hospital networks on the other. They include everything from infusion pumps used to administer drugs to patients, to large imaging systems used for diagnosis, to radiological cancer treatment systems used to shrink tumors. Many of these systems, if compromised by cyberattack, could cause significant harm to patients and those treating them. The risk impact is therefore high.

HIoT devices are heavily regulated and undergo a five- to six-year process of testing and review from initial design to FDA clearance or approval for patient use, so their software is often already out of date when they ship. They are designed to perform discrete tasks only. Most are not designed to be upgradable the way a PC is, and limited CPU, RAM, and storage mean that agents such as anti-virus software or a host firewall cannot be installed. Many cannot support an operating system upgrade, leaving a large number of systems running highly vulnerable, out-of-date operating systems.

As an example, many of these devices today still run an embedded version of Windows XP. Throwing out millions of dollars of perfectly working medical equipment simply because it is a cybersecurity or patient safety risk is not feasible for any health system. However, the likelihood is high that many of these systems could be compromised, exposing patients to clinical risk, and a compromised medical device can also serve as a foothold from which perpetrators attack the rest of the healthcare network. The risk likelihood is therefore also high.

HIoT devices therefore demand special security considerations and compensating security controls such as isolation and network segmentation. But before that can happen, security administrators need to accurately identify, profile, and risk assess each device connecting to the network so that segmentation doesn’t break the devices’ functionality. They do this with HIoT security tools like Cylera working alongside the network access control (NAC) platform the hospital’s switches already enforce, such as Cisco Identity Services Engine (ISE). Especially risky devices can then be micro-segmented by ISE so that they run in their own virtual enclave, with only the traffic their profile requires permitted, and are much safer from cyberattack and compromise. The Cylera device profile also serves as a behavioural baseline, so that SIEM tooling can quickly flag anomalous behaviour and alert the security operations center (SOC).
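The profile-then-segment-then-baseline loop described above, as an added example that is not code from Cylera, Cisco ISE, or any product named on this page. It assumes a simplified flow record (source, destination, destination port, protocol) of the kind a switch’s NetFlow or IPFIX export yields once decoded, and a hand-built device inventory and per-class baseline that stand in for what a profiling tool learns; the addresses, zones, and device classes are hypothetical. From the same baseline it derives the allow-list a NAC enclave would enforce and flags flows that leave the baseline, including the many-peers-on-one-port pattern that SMB worms such as WannaCry and NotPetya produce.

```python
"""Baseline-profile checks for healthcare IoT (HIoT) network flows.

Added example for this article, not code from Cylera or Cisco ISE. Inventory,
zones and profiles below are constructed stand-ins for what a profiling tool
and NAC would learn about a real hospital network.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: endpoint -> device class learned by profiling/NAC.
INVENTORY = {
    "10.20.1.11": "infusion_pump",
    "10.20.1.12": "infusion_pump",
    "10.20.2.21": "ct_scanner",
    "10.20.9.50": "workstation",   # no HIoT profile; covered by endpoint tooling
}

# Constructed zones (hypothetical addressing) shared by profiles and policy.
ZONES = {
    "pump_server": ip_network("10.30.1.0/24"),
    "pacs": ip_network("10.30.2.0/24"),
    "dns": ip_network("10.0.0.0/29"),
    "clinical_devices": ip_network("10.20.0.0/16"),
}
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]

# Constructed baselines: the only (zone, dst_port, proto) a class should initiate.
PROFILES = {
    "infusion_pump": {("pump_server", 443, "tcp"), ("pump_server", 8443, "tcp"),
                      ("dns", 53, "udp")},
    "ct_scanner": {("pacs", 104, "tcp"), ("pacs", 11112, "tcp"), ("dns", 53, "udp")},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Alert:
    src: str
    reason: str
    details: str


def zone_of(ip: str) -> str:
    """Map a destination address to a named zone, 'internal', or 'external'."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internal" if any(addr in n for n in INTERNAL) else "external"


def segmentation_policy(device_type: str):
    """Allow-list derived from the baseline: what the NAC enclave should permit."""
    return sorted((str(ZONES[z]), port, proto) for z, port, proto in PROFILES[device_type])


def detect_anomalies(flows, inventory=INVENTORY, profiles=PROFILES, scan_threshold=5):
    """Flag flows that leave a device's baseline; one alert per distinct deviation."""
    alerts, seen = [], set()
    peers = defaultdict(set)          # (src, port, proto) -> distinct destinations

    def alert(src, reason, details):
        key = (src, reason, details)
        if key not in seen:           # de-duplicate repeated identical deviations
            seen.add(key)
            alerts.append(Alert(src, reason, details))

    for f in flows:
        dtype = inventory.get(f.src)
        if dtype is None:
            alert(f.src, "unprofiled_device", "not in inventory; quarantine pending profiling")
            continue
        if dtype not in profiles:
            continue                  # not an HIoT class covered by this check
        zone = zone_of(f.dst)
        if zone == "external":
            alert(f.src, "external_destination", f"{dtype} -> {f.dst}:{f.dst_port}/{f.proto}")
        elif (zone, f.dst_port, f.proto) not in profiles[dtype]:
            alert(f.src, "off_profile_flow", f"{dtype} -> {zone}:{f.dst_port}/{f.proto}")
        peers[(f.src, f.dst_port, f.proto)].add(f.dst)

    # Many distinct peers on one port from a single device is what an SMB/445
    # sweep by a WannaCry or NotPetya style worm looks like on the wire.
    for (src, port, proto), dsts in peers.items():
        if len(dsts) >= scan_threshold:
            alert(src, "lateral_scan", f"{port}/{proto} to {len(dsts)} hosts")
    return alerts


# Constructed sample flows: two well-behaved devices, one pump sweeping SMB
# and beaconing out, and an endpoint nobody has profiled yet.
SAMPLE_FLOWS = [
    Flow("10.20.1.11", "10.30.1.5", 443, "tcp"),
    Flow("10.20.1.11", "10.0.0.2", 53, "udp"),
    Flow("10.20.2.21", "10.30.2.10", 104, "tcp"),
    *[Flow("10.20.1.12", f"10.20.1.{n}", 445, "tcp") for n in range(13, 20)],
    Flow("10.20.1.12", "203.0.113.7", 443, "tcp"),
    Flow("10.20.5.77", "10.30.1.5", 443, "tcp"),
    Flow("10.20.9.50", "10.30.2.10", 445, "tcp"),
]

if __name__ == "__main__":
    for a in detect_anomalies(SAMPLE_FLOWS):
        print(f"{a.src:12} {a.reason:20} {a.details}")
```

Run as-is it reports four alerts, all for the misbehaving pump and the unprofiled endpoint, and none for the two devices that stay inside their baseline. The point of deriving the allow-list and the detection rule from the same profile is that a segmentation change which would break a device shows up as a baseline violation before it is enforced, which is exactly the “profile first, then segment” ordering the paragraph above calls for.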

Given very long lifespans and depreciation schedules, it will be many years before healthcare IoT and other devices are designed for security. In the meantime, we need to do what we can to secure this growing, and already dominant, component of the healthcare network. To do so, administrators need good visibility into what and who is connected to hospital networks and what each of those systems and users is doing.

While HIoT and other medical devices present the greatest risks to healthcare security, there are also many legacy, insecure HIT systems and a large, sprawling healthcare workforce, many of whom have inadvertently clicked on malicious links and caused their hospital’s network and IT systems to be taken out by ransomware and other cyberattacks. Inadequate security education, training, and awareness, together with inadequate investment in security tools, secure processes, and security teams, leave the industry wide open to attack.

Governments worldwide saw a 1,885% increase in ransomware attacks in 2021, and the healthcare industry a 755% increase, according to the SonicWall 2022 Cyber Threat Report. The United States was the most-targeted country, and many of the groups behind these attacks operate from Russia.

Even if Putin holds back GRU and FSB cyberattacks against U.S. healthcare, Russian criminal gangs are still inflicting massive damage, damage that impacts patient care and patient safety.

Richard Staynings, an internationally renowned expert in the field of healthcare cybersecurity, is an Adjunct Professor of cybersecurity and health informatics at the University of Denver, and serves as Chief Security Strategist for Cylera, a pioneer in the space of medical device security. Richard has served on various government committees of Inquiry into some of the largest healthcare breaches and is a regular presenter at healthcare and security conferences across the world. 
