In response to reports that the Center Hospitalier Sud Francilien, a 1000-bed hospital located outside of Paris, suffered a cyberattack on Sunday, which has resulted in the medical center sending patients to other establishments and postponing appointments for surgeries, cybersecurity experts offer the following comments.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
As in this case, hospitals are a prime target for ransomware because the efficacy of operating systems often means the difference between life and death, meaning that victims will be highly motivated to pay the ransom and get their systems back online. Hospital staff are typically unprepared to deal with a cyberattack and are not likely to have a dedicated cyber response team.
Isolating and identifying the issue is crucial, but in this case it seems to already be too late. Aside from liaising with the proper authorities, there is little the hospital can do. The CHSF hospital has done well to report the issue as promptly as it has, but it’s out of their hands for the moment.
Given the fact that the number of cyber-attacks on hospitals is increasing, efforts should also be directed towards cyber security training for staff.
Of course, paying the ransom could mean the hospital gets its systems back online, but this isn’t guaranteed. Cyber criminals aren’t exactly renowned for honouring their word and may refuse to decrypt operating systems. What’s more, this would be funding a cybercriminal group, which not only raises serious ethical concerns, but will likely bankroll future ransomware attacks, making it counterproductive. It’s encouraging that this particular hospital is refusing to pay the ransom.
Risk reduction is either achieved via reduction of probability or impact, acceptance of the risk or transfer of the risk. The later is achieved via insurance.
If the reduction in risk is to small, and the premium to high, the benefits of risk transfer is decreased – investing more into preventive security, or a good relationship with incident management specialists, or even better a combination thereof, would then have the greater risk reduction per spending. Ransomware is a business risk, and its managed as such. Getting insurance rather than prevention has been a trend observable in some cases, and that drives premiums up to unmanageable levels. It should be noted that the risk premium is often based on the preventive measures in place, and hence organizations can themselves often affect the premium they are subjected to by preventive work.
Many mistake ransomware attacks against healthcare providers as efforts to steal Protected Health Information (PHI) and other critical data. The truth is: healthcare organizations are easy targets and cybercriminals are opportunists. After all, it’s much more efficient and profitable to extort these businesses into paying a multi-million dollar ransom to regain access to their operations than it is to exfiltrate and sell hundreds of thousands of individual health records on the black market.
Healthcare systems are still recovering from the surge of the pandemic. With strained budgets, these provider’s cybersecurity postures are being weakened in the tradeoff that’s forcing business and IT leaders to make the tough decision to reallocate funds to areas believed to have the most direct impact on patient care. The unfortunate reality is, however, that ransomware does impact patient care as well. This disconnect is what’s widening security gaps, only worsening the issue across the board.
Take connected devices, for example. Hospitals rely on these devices to monitor patients and provide critical care. As such, these assets have become essential to the patient journey, but are the weakest security link in healthcare and serve as an attack vector for ransomware. In fact, according to a Forrester Consulting study, 63 percent of healthcare delivery organizations have experienced a security incident related to unmanaged and IoT devices. And, 64 percent of healthcare delivery organizations estimate that at least half of all devices on their network are unmanaged or IoT devices, including medical devices. Yet, many hospitals lack the deep contextual visibility needed to secure these assets. In most cases, they are not even sure how many assets are on the network.
To mitigate these risks, business and IT leaders need to change their perspective, acknowledge, and invest in cybersecurity as a key element of ensuring patient safety. With the help of cybersecurity specialists offering converged solutions specifically designed to mitigate their unique areas of risk, healthcare business and IT leaders can ensure they’re checking all of the boxes when considering the key elements impacting patient care.
Healthcare repeatedly tops the charts as the industry with the largest number of publicly disclosed breaches. And the cost of those breaches continues to rise according to IBM, which reported in its annual Cost of a Data Breach report that the average breach cost hit a record high of $10.1 million in 2022. While these statistics make it clear that security deserves utmost priority in the healthcare industry, there is a dramatic push for “anywhere, anytime” healthcare models that require healthcare organizations to extend their services beyond clinic walls using a combination of video, mobile, cloud, and Internet of Things (IoT) technologies. This has pushed the healthcare technology stack out to the edge, presenting new security concerns and broader risk that makes the industry particularly vulnerable to attacks.
It’s a common misconception that healthcare organizations need the latest and the greatest technology stack to withstand the latest and most advanced attacks. While that may be true theoretically, most companies struggle to fully use the basic features of their security controls, let alone take full advantage of the advanced capabilities these controls purport to have. So, it’s important for organizations to ask themselves a few questions before investing in new security controls. Am I using my current controls to their full potential? Is there something that is a real gap it can’t address? Also, will there be an operational cost to switch to new technology? Can I prove I really have that gap?Organizations can get clear answers to these questions by using breach and attack simulation (BAS) technology. BAS platforms safely execute breach scenarios across the entire cyber kill chain to provide visibility into how their ecosystem responds at each stage of the defense process. SafeBreach also recommends healthcare organizations invest in a solid backup strategy that includes frequent (i.e., at least monthly) recovery testing to ensure the backups are viable. Healthcare organizations should also take all precautions to segment their networks and isolate environments to prevent the lateral spread of ransomware. While we do see healthcare organizations improving their cybersecurity mesh, many fail to take these basic cyber-hygiene steps that can help them prepare for a ransomware attack. This, unfortunately, means that if ransomware makes it past their security controls, they will not have a proper backup, and the malicious software will be able to spread laterally through the organization’s networks.
I agree with most recommendations to avoid paying the ransom. There is a real risk that malicious actors will not provide the decryption key once the ransom has been paid. And, if they exfiltrated any of the data, there is no guarantee that they won’t share it with the dark web. Rather than investing in a pool of Bitcoins in advance of a ransomware attack, healthcare organizations should consider investing in breach and attack simulation technology that can help them proactively validate security controls, identify gaps, and take remedial actions before attacks occur. They should also invest in a solid backup and network segmentation strategy that will help prevent lateral spread if ransomware makes it past security controls.
Hospitals are potentially more vulnerable due to the nature of medical operations. Rather than being just a matter of financial risk, disruptions of medical services can cost lives. This is not just apparent when it comes to ransomware incidents, but also through the technology and security life-cycle of medical organizations. IT and Security practitioners must balance security to create a strong posture while preventing disruptions to doctors and staff that can interfere with patient care. Most doctors are resistant to security measures they see as unnecessarily complex, for example increasing the amount of time it takes to login to a device by adopting MFA is something most doctors would push back on. Additionally, many healthcare organizations rely on specialized systems that may be difficult to update or modernize, creating additional security gaps.Healthcare is a critical component and should be treated as such. More broadly, organizations are moving to protect systems and access with holistic platforms that improve experience for users while eliminating security gaps.
As with all critical infrastructure, healthcare organizations should spend time strategizing holistic security investments, to prevent incidents while prioritizing the experience of their doctors and staff and reduce point product investments that create additional technical debt while interfering with day to day operations. A more cohesive strategy can disrupt attacks while streamlining the performance and connectivity required by users and locations.
Paying the ransom is never recommended and often funds other illicit or terrorist activities around the globe. While it’s appealing to pay in order to resume operations, keep in mind that organizations may have to pay several times: once to decrypt their data and again to keep their data from being published on the dark web. Additionally, organizations that pay may be re-targeted by attackers if they do not take other steps to deter and disrupt attackers. Organizations should make investments to close security gaps and backup sensitive data rather than paying a ransom when possible.