Casey Study:
INTERNOVA TRAVEL GROUP
Discover how Avertium helps unburden Internova Travel Group's security team to have the space to start focusing on more strategic cybersecurity priorities.
Executive Summary
Ransomware attacks can disrupt healthcare operations by encrypting or rendering medical records and systems inaccessible, leading to delays in accessing vital patient information or critical medical services. This disruption can potentially impact patient care and treatment. In some cases, hospitals may need to divert patients to other facilities, causing delays in receiving necessary medical attention.
In 2020, a woman who needed immediate medical attention, died because the hospital where she was seeking treatment, was under a ransomware attack. In 2022, a three-year-old at a hospital in Des Moines, Iowa, was prescribed five times his prescribed medication due to a ransomware attack on the hospital’s computer systems.
While the healthcare sector is ideally one that should be spared from ransomware attacks, threat actors do not hesitate to target it when seeking financial gain. Unfortunately, recent trends indicate a surge in attacks on the healthcare industry, raising significant concerns. Let’s explore how ransomware has caused patient deaths and how disrupted care impacts neighboring Emergency Departments.
patient deaths and tragedies
Ransomware has emerged as a significant and challenging issue in cybersecurity, posing a threat to industries globally. However, its impact becomes particularly devastating when it infiltrates hospitals, resulting in widespread repercussions that adversely affect patient care throughout the entire country.
SPRINGHILL MEDICAL CENTER
In 2019, an unfortunate incident occurred at Springhill Medical Center when it fell victim to a ransomware attack, which tragically led to the death of a newborn baby. The baby's life was endangered during delivery as their umbilical cord was wrapped around their neck, causing oxygen deprivation. Normally, a vital signs monitor would alert hospital staff to such life-threatening situations, but the monitor failed to notify staff due to the system being compromised by a ransomware attack. The delivering doctor expressed that had she been able to see the monitor's readings, she would have opted for a cesarean section, emphasizing that the situation could have been prevented.
As a result, the baby suffered severe brain damage and died nine months later. The hospital had to defend itself in a trial related to the attack, which took place in September 2021. Although the ransomware gang Ryuk was suspected as the responsible party, given their history of targeting medical facilities between 2019 and 2020, the exact culprit behind the ransomware attack has not been confirmed.
DUSSELDORF UNIVERSITY CLINIC
In 2020, a ransomware attack, which appears to have been misdirected, caused the IT systems of a major hospital (Duesseldorf University Clinic) in Düsseldorf, Germany to fail. As a result of the attack, a woman in need of urgent medical attention had to be transferred to another city for treatment but died before she could receive treatment.
This incident is extremely disturbing, as it appears to be the first case where a death is indirectly linked to a ransomware attack. After the attack, disruption to Düsseldorf University Clinic's systems persisted for a week. According to the hospital, investigators determined that the root cause of the issue was due to an attacker targeting a vulnerability in "widely used commercial add-on software," which the hospital did not specify. Consequently, the hospital's systems experienced a gradual crash, rendering data inaccessible. Emergency patients had to be redirected to other medical facilities, and scheduled operations had to be postponed.
ST. MARGARET'S HEALTH
In 2021, St. Margaret’s Health in Spring Valley, Illinois, was the victim of a ransomware attack. After the attack, the hospital was unable to submit claims to Medicare/Medicaid, or insurers for months. This incident, in addition to St. Margaret’s being a rural hospital, resulted in a financial crisis. Sadly, the hospital had to close its doors in June 2023 because they could not financially recover for the ransomware attack.
ransomware groups and attacks on healthcare
Since the beginning of the year, the most disruptive ransomware attacks have been at the hands of five groups – LockBit, BlackCat (ALPHV), Royal, Vice Society, and Medusa Blog (also known as Medusa Locker). LockBit kicked off 2023 as January’s most prolific ransomware-as-a-service (RaaS) group. BlackCat, Royal, Vice Society, and Medusa were close behind with ransomware attacks and also showed no signs of letting up. Vice Society experienced a remarkable surge of 267% in their activity, primarily targeting victims within the Education sector. Three of those groups have caused the most heartache for the healthcare sector: Royal, BlackCat, and Medusa.
ROYAL AND BLACKCAT
In December 2022, the Department of Health and Human Services Cybersecurity Coordination Center (HC3) warned healthcare organizations about Royal ransomware. Royal is a fairly new ransomware group and was initially observed in early 2022. Their top targets are within the U.S. The ransomware operation uses unusual techniques to breach networks before encrypting them with malware and demanding ransom payments.
Some Royal ransomware campaigns distribute the malware via malicious attachments, and some distribute the malware via malicious advertisements. Ransom demands from the threat actor range from $250,000 to more than $2 million. HC3 stated that Royal should be considered a threat to the health and public health sectors due to the ransomware group victimizing the healthcare community.
The group utilizes phishing attacks, including callback phishing, where they send deceptive emails resembling subscription renewals from food delivery or software providers. These emails provide phone numbers for victims to contact in order to cancel the alleged subscription. When victims call these numbers, they are directed to threat actors who use social engineering techniques to convince them to install remote access software. This software is then used to gain initial access to corporate networks.
Unlike ransomware-as-a-service (RaaS) operations, Royal does not work with affiliates and instead collaborates with carefully selected team members. The group maintains a relatively low profile and does not actively promote their attacks like some other groups. Since Royal emerged, the ransomware operators have evolved their delivery methods to include:
- Using Google Ads in a campaign to blend in with normal ad traffic.
- Making malicious downloads appear authentic by hosting fake installer files on legitimate looking software download sites.
- Using contact forms located on an organization’s website to distribute phishing links.
BlackCat (ALPHV) is another ransomware group that the U.S. Department of Health and Human Services warned healthcare organizations about. BlackCat ransomware is a versatile ransomware that targets various corporate environments. It is capable of attacking both Linux and Windows systems. Notably, BlackCat is coded in the Rust programming language, making it the first known instance of a ransomware group utilizing Rust to develop a ransomware strain, according to security researchers.
In January 2023, the group allegedly attacked NextGen Healthcare, a company that clinicians use for electronic health record and practice management software. Although the healthcare organization could not find proof that data was stolen at the time, BlackCat did list the organization as a victim on their data leak site before swiftly deleting the listing. It is not unusual for a threat actor to breach an organization, and the organization finds out later how much damage was done. NextGen Healthcare has over 2,800 employees and had revenue of $600 million in 2022.
MEDUSALOCKER/BLOG
Having emerged in 2019, MedusaLocker (also known as MedusaBlog) has successfully infected and encrypted systems in various sectors, with a particular focus on the healthcare industry. MedusaLocker operates as a RaaS, sharing payment proceeds with its affiliates. Typically, the affiliates receive 55% to 60% of the earnings.
MedusaLocker employs phishing and spam email campaigns to infiltrate victim networks, attaching the ransomware directly to the emails. To bypass security tools, MedusaLocker restarts the targeted machine in safe mode before executing the ransomware. By avoiding the encryption of executable files, the ransomware prevents rendering the system unusable, ensuring the victim can still access the system to pay the demanded ransom.
Since May 2022, the threat actors have focused on exploiting vulnerabilities in Remote Desktop Protocol (RDP) to infiltrate their targets' networks. Once the data is encrypted, MedusaLocker leaves a ransom note with explicit instructions in the folders where encrypted files are located.
disrupted care & the impact on neighboring emergency departments
Despite the absence of precise statistics linking fatalities to cyberattacks, it is evident that hospital breaches have reached alarming levels, significantly disrupting patient care. In 2022, an incident targeting CommonSpirit Health, the second-largest non-profit health system in the U.S., resulted in the compromise of sensitive information belonging to more than 600,000 patients. This included electronic medical records, allegedly leading to a devastating incident where a three-year-old was mistakenly administered a medication dosage five times higher than necessary.
Similarly, a November 2022 attack on three hospitals in New York forced healthcare professionals to resort to paper charts, causing care delays and potential complications. These examples highlight the pressing need for healthcare organizations to prioritize cybersecurity measures to protect patients and prevent disruptions that can have grave consequences.
Based on data provided by the CyberPeace Institute, it has been found that, on average, a cyberattack on a healthcare system results in 19 days of patients being unable to access certain types of care. In a specific instance, a cyberattack caused disruptions in medical services for approximately four months.
NEIGHBORING EMERGENCY HEALTHCARE FACILITIES
In a recent study conducted by Christian Dameff, MD, Jeffrey Tully, MD, and Theodore C. Chan, MD, it was discovered that ransomware attacks at one emergency healthcare facility can impact neighboring emergency healthcare facilities, even if they are not directly suffering from a ransomware attack. The findings of the study indicate that cyberattacks targeting healthcare, including ransomware incidents, result in significant disruptions to regional hospitals.
In the study, researchers examined data from emergency department (ED) visits during different phases: before, during, and after a cyberattack. The study included a total of [1]19,857 ED visits.
They found that during the attack phase, there were significant increases in various factors compared to the preattack phase. These factors included the daily number of patients in the ED, the number of patients arriving by emergency medical services (EMS), the number of admissions, the number of patients leaving without being seen, and the number of patients leaving against medical advice.
There were also increases in waiting room times and the total length of stay for admitted patients. Additionally, there was an increase in stroke code activations and confirmed strokes during the attack phase compared to the preattack phase. Overall, the study suggests that cyberattacks on healthcare systems can cause disruptions in ED operations, leading to longer wait times, delays in care, and increased risk for certain medical conditions like strokes.
The study also found that that when healthcare organizations are attacked by ransomware, nearby hospitals can face challenges. They might have more patients to care for and struggle with limited resources, which can impact timely treatment.
[1] Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US | Emergency Medicine | JAMA Network Open | JAMA Network
defense
Ransomware attacks can disrupt critical healthcare systems, such as electronic health records and medical devices, jeopardizing patient safety and delaying timely access to life-saving treatments. By implementing robust cyber security measures, healthcare organizations can mitigate the risk of ransomware incidents, safeguard patient data, and ensure uninterrupted access to essential medical services.
Proactive measures, including regular system updates, network segmentation, employee training, and incident response planning, are vital in preventing ransomware attacks that could have life-or-death consequences for patients. Prioritizing cyber security best practices is a fundamental step toward preserving patient well-being and maintaining the highest standards of care.
Following best practices helps safeguard sensitive patient information, maintain operational continuity, protect the organization's reputation, and ultimately ensure the delivery of safe and high-quality healthcare services. To increase cyber resilience in ransomware response, consider the following:
- Evaluate the strategic ransomware preparedness of endpoints by identifying essential controls, such as anti-virus/anti-malware, endpoint protection, and endpoint detection and response solutions, as well as device management tools.
- Enable ransomware cyber hygiene measures across endpoints by implementing application resilience policies that ensure that critical security applications and device management tools are installed and functioning as intended.
- Evaluate the security posture of devices by continuously detecting and reporting on the status of anti-malware, detection, and response software installed on endpoint assets.
- Accelerate the recovery process by collecting accurate insights, executing customized workflows, and automating commands for device recovery. This can be achieved by leveraging a library of custom scripts to facilitate tasks such as identifying infected and encrypted machines, quarantining endpoints by disabling networking or unlocking specific device ports or supporting device re-imaging.
- Identify sensitive data by scanning devices for financial information, social security numbers, personally identifiable information (PII), protected health information (PHI), and intellectual property. This process enables organizations to locate at-risk devices and ensure that proper backup measures are in place using existing tools.
- Implement a data protection program that includes policies, classification, encryption/DLP, and proactive monitoring across all sensitive data.
MITRE MAP
BlackCat
Royal
Medusa Blog/Locker
how avertium is protecting our customers
- Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
- Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills. See every threat in your attack surface, every device, every entry point, and every vulnerability. Our Attack Surface Management services include:
- Risk Assessments
- Pen Testing and Social Engineering
- Infrastructure Architecture and Integration
- Vulnerability Management
- Minimizing the impact of a successful ransomware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior
INDICATORS OF COMPROMISE (IOCs)
Related Resource:
SUPPORTING DOCUMENTATION
Ransomware Causes Patient Death | Critical Insight
Patient dies after ransomware attack paralyzes German hospital (gizmodo.com)
The latest cyberattack on health care shows how vulnerable the sector is - The Washington Post
HHS: Ransomware groups continue to target U.S. health sector | AHA News
Lehigh Valley Health Network targeted by BlackCat ransomware (malwarebytes.com)
The mounting death toll of hospital cyberattacks - POLITICO
Ransomware attacks on hospitals take toll on patients (nbcnews.com)
German hospital hacked, patient taken to another city dies | AP News
Studies show ransomware has already caused patient deaths | TechTarget
Dameff C, Tully J, Chan TC, et al. Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US. JAMA Netw Open. 2023;6(5):e2312270. doi:10.1001/jamanetworkopen.2023.12270
Hospitals say cyberattacks increase death rates and delay patient care - The Verge
pfpt-us-tr-cyber-insecurity-healthcare-ponemon-report.pdf (proofpoint.com)
The untold story of a cyberattack, a hospital and a dying woman | WIRED UK
MercyOne hospital's parent company confirms ransomware attack (desmoinesregister.com)
Playing with Lives: Cyberattacks on Healthcare are Attacks on People (cyberpeaceinstitute.org)
Cyber Incident Tracer #HEALTH (cyberpeaceinstitute.org)
St. Margaret Health links closing to ransomware attack (newsnationnow.com)
APPENDIX II: Disclaimer
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses be exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.
Chat With One of Our Experts