Fresenius, Europe’s largest private hospital operator and a major provider of dialysis products and services that are in such high demand thanks to the COVID-19 pandemic, has been hit in a ransomware cyber-attack on its technology systems. The company said the incident had limited some of its operations, but that patient care continues.
Our recent research shows a surge in cyberattacks against many sectors, including healthcare. With medical staff working at full capacity to treat patients affected by Covid-19, cybercriminals are banking on them being less wary of cyber threats, which makes them an excellent target. This attack against a hospital at the forefront of recovery efforts further demonstrates that such criminals will not discriminate in their pursuit to acquire money – and potentially also trade secrets.
In what is an incredibly testing time for our healthcare system, poor cyber hygiene that can result in major disruption is not something the industry can afford. To avoid this, organisations must take heed of the latest NCSC advice to healthcare organisations: update their passwords with three random letters and implement multi-factor authentication to provide that extra layer of security. I would also recommend that hospitals actively look into contingency plans and that they incorporate non-network backups and fallback email and archiving. This will help significantly reduce the potential losses of a ransomware attack, should the worst still happen.
There has been an enormous spike in cyber-attacks since the beginning of the coronavirus epidemic. And the healthcare industry, already stretched and now even more overwhelmed and distracted, is a prime target. The World Health Organisation has reported a five-fold increase in attacks over the last two months. It is critical that healthcare organisations prioritise security right now as a breach could have huge impacts. That means keeping all software up to date and making sure firewalls and security features are enabled at all times.
It’s unfortunate that even during times of the pandemic, criminals are attacking and crippling systems belonging to hospitals and other medical facilities.
The attack serves as a reminder that criminals are not slowing down their attacks despite being in the midst of a global pandemic. In many cases, some are ramping up their activities. Therefore it’s important for organisations to not slow down in their cybersecurity efforts. This includes a layered approach to make it difficult for attackers to target systems, providing security awareness and training to employees to identify phishing emails, and having robust threat detection and response capabilities.
As expected, the purported ceasefire on healthcare providers by ransomware operators has proven short-lived. Rather than being rooted in any sort of altruism, the attackers were simply waiting for the optimum time to strike: when Fresenius was under immense strain as it attempted to meet the demands brought on by the COVID-19 pandemic. This should act as a lesson to other healthcare providers and industries.
In this climate of increased threat volume, it’s imperative healthcare organizations have a cyber resiliency strategy in place, so they can continue to operate effectively and support and provide diagnoses for their patients. Hallmarks of resilient environments include redundant componentry, rapid (or automated) response to changes in threat conditions, and an organization-wide awareness of this unpredictable and unprecedented threat landscape.
This outrageous incident is a colorful validation of the FBI’s warning not to pay ransom. Reportedly, Fresenius has already paid a 7-digit ransom in the past to recover from a similar attack. Obviously, such a generous payment did not leave unscrupulous cybercriminals indifferent. Instead they quickly exploited the windfall and perfidiously re-raided this susceptible victim amid the crisis. Being mindful of Covid-19 social challenges, some cyber gangs decisively called to abstain from any attacks against medical and healthcare organizations, but unsurprisingly not everyone follows this Robin Hood code of ethics.
Unless the details of the attack investigation are disclosed, it would be premature to make any definitive conclusions. There are, however, more questions than answers given this is a second successful and large-scale attack, as some sources report. It is unclear whether foundational security processes were and are in place, such as holistic patch management and network segregation, but it seems that even if the answer is affirmative the latter are largely insufficient.
For the moment, there is likewise no visibility into whether any medical records and PHI were stolen during the attack. The worst-case scenario is if the data was extracted and may now be published in case of eventual refusal to pay ransom. Cybercriminals have now taken their ransomware campaigns to the next level by threatening not just to delete the data but to disclose it, thereby unleashing a parade of horrors from severe regulatory sanction to lawsuits by the victims.