H-ISAC Hacking Healthcare blog 10-8-19

Written by website@neigerdesign.com on October 8, 2019. Posted in Hacking Healthcare, Health-ISAC.

TLP White: In this edition of Hacking Healthcare, we begin by reviewing the troubling news that 10 hospitals were impacted by ransomware last week. Next, we briefly explore why ransomware, despite constant presence in news headlines, is not as well understood as might be hoped. Finally, we examine a survey that strongly ties an organization’s cybersecurity maturity to favorable valuations in mergers and acquisitions.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal.)

Welcome back to Hacking Healthcare.

1. Ransomware Hits Hospitals Again.

Ransomware hit the healthcare sector again last week, affecting hospitals in both the United States and Australia. Multiple hospitals in Alabama were forced to turn patients away a day after numerous Australian hospitals were impacted by ransomware that wreaked havoc on a regional computer network. In total, seven hospitals in Australia and three in Alabama had services severely limited. There has been no reported link between the attacks at this time.

The three hospitals hit in Alabama were forced to turn away new patients with non-critical conditions after their computer systems were effectively paralyzed by the attack.[i] While operations were shifted to manual and paper based methods, efficiency was impacted, and the disruption forced the re-routing of non-critical patients to other nearby hospitals.[ii] It is important to note that patients in this instance were lucky to be in an area with access to other healthcare providers. Individuals in more rural areas may not have had access to alternative healthcare options. Consequently, those populations may be at greater risk when it comes to cyberattacks on healthcare systems.[iii]

Recent reports on the incidents in Alabama have stated that Ryuk Ransomware, which has seen prolific usage in attacks this past year, is the malware behind the disruptions.[iv] Furthermore, it was reported on October 5^th that the Alabama hospitals paid the currently undisclosed ransomware demands to unlock their systems, but they expected to continue re-routing new patients throughout the weekend as they attempted to recover. There appears to be little sign of abatement in the ransomware epidemic hitting the United States. News of the Alabama hospital incidents came on the same day that anti-malware and anti-virus software provider EMSISOFT released their State of Ransomware in the U.S. report, which indicated that in the first nine months of this year at least 621 U.S. entities have been impacted by ransomware.[v]

The news was equally grim in Australia. Seven hospitals in Gippsland and southwest Victoria were impacted by ransomware that “blocked access to several systems by the infiltration of ransomware, including financial management” and forced them to “[isolate] and [disconnect] a number of systems… to quarantine the infection.”[vi] The incident led to delays for non-critical operations, but authorities from the country’s Department of Premier and Cabinet were quick to allay fears that patient data had been compromised.[vii] No new updates were available at the time of writing.

While there have not yet been any reports of loss of life resulting from the attack, the seriousness of cyberattacks impacting hospital operations cannot be overstated. While many hospitals are able to continue essential operations through such disruptions, efficiency and capacity are significantly reduced. The unfortunate side effect of being part of a critical industry sector like healthcare is the incentive for malicious actors to target you, expecting a quick pay day. Ten hospitals hit in quick succession, even if proven unrelated, is a disturbing confluence of incidents that at best represents a single actor knowingly targeting the vulnerable, and at worst, represents a trend of malicious actors openly normalizing such actions.

2. Who wants to Report Ransomware?

One key to solving any problem is to have as close to a complete understanding of that problem as possible. Unfortunately, such a level of understanding is proving to be incredibly difficult when it comes to collecting data on how ransomware impacts the healthcare industry. Without a reliable data set to track ransomware trends, both generally and in healthcare specifically, formulating effective policies and ensuring proper resource allocation often becomes guesswork.

Allan Liska from the cybersecurity company Recorded Future is making one of the first attempts to fill this void.[viii] Liska dissected the Unites States’ Health and Human Services (HHS) public database on breach notifications to find healthcare ransomware incidents between January 2015 and September 2019. In total, he found 117 incidents, averaging around 30 per year.[ix] This finding is significantly less than was expected. Additionally, “69 of the incident reports (61%) confirmed the victim did not pay a ransom, 17 of the tracked incidents (15%) confirmed payment, and the rest were unknown.”[x] This is noteworthy because it illustrates that, even when an incident is reported, basic information such as whether a payment was made is often lacking. This insight is noted in Liska’s conclusion that healthcare ransomware incidents are likely underreported and official records are often incomplete.[xi]

Liska’s efforts, which are available in a downloadable appendix on Recorded Future’s website, are a useful first step in quantifying the issue, but the underlying causes of underreporting remain. The healthcare industry is well aware of the scrutiny regulators place on them and the financial and reputational costs associated with cybersecurity incidents. These realities provide hefty incentives to only disclose what is required by law, which often discounts ransomware incidents where patient data is not compromised. This paradoxical situation makes it difficult to measure if ransomware attacks on healthcare are on the rise, if payments are increasing, or if investment in tackling this issue is effective.

3. Organizational Cybersecurity Maturity Impacts Monetary Value.

A new survey conducted by (ISC)2, the International Information System Security Certification Consortium, concludes that cybersecurity readiness is a key factor that is assessed during merger and acquisition (M&A) negotiations.[xii] According to the ISC(2) survey, increased attention is being paid to all aspects of an organization’s cybersecurity posture and history, and organizations need to be wary of overlooking warning signs that could lead to a devaluation after being purchased or merged.[xiii] A few key takeaways are listed below.

Cybersecurity audits appear to be standard practice at this point, with 100% of survey respondents claiming that they expect to see them during an M&A process.[xiv] Additionally, failing to be forthright with a potential buyer when it comes to cybersecurity can lead to negotiations breaking down completely, with 49% of participants indicating they had seen such a lack of openness derail negotiations.[xv] A further 77% of respondents claimed that they had “made recommendations on whether to proceed with an M&A deal based on the strength of the target company’s cybersecurity program.” And finally, a resounding 95% of survey participants consider cybersecurity programs to be tangible assets, with 82% asserting that robust cybersecurity infrastructure and policies raised the value of an organization.[xvi]

This survey represents yet another example of why cybersecurity programs must receive adequate resources and attention. By calling out the importance of cybersecurity in the M&A process, and by outlining how a strong cybersecurity posture can increase the valuation of an organization, the ISC(2) survey shows that cybersecurity must be thought of as an important component of the whole business. Organizations should already be in the habit of conducting internal cybersecurity audits, but if you need another reason to budget for one, the potential to raise your organization’s value may be a compelling one.