Cyber Experts Weigh-In: Universal Health Services Hospital System Ransomware Attack
This is an exciting time for the healthcare industry but it is also dangerous. As technology-based solutions begin to flourish, so will the risks and threats accompanying them.
By Daniel Norman, Senior Solutions Analyst at the ISF
On Monday, the cyber community saw what some have deemed the largest ransomware attack in history. NBC first reported: “Computer systems for Universal Health Services, which has more than 400 locations, primarily in the U.S., began to fail over the weekend, and some hospitals have had to resort to filing patient information with pen and paper, according to multiple people familiar with the situation.”
Ransomware has been rapidly on the rise for some time now. According to Trustwave’s 2020 GSR, ransomware overtook payment card data in breach incidents for the first time this past year when comparing types of information most targeted by cybercriminals. And according to Microsoft, ransomware is the most common reason behind its incident response engagements from October 2019 through July 2020. Microsoft says, “The Department of Homeland Security, FBI and others have warned us all about ransomware, especially its potential use to disrupt the 2020 elections.”
With this week’s attack, and the recent death at a German hospital linked to ransomware, we wanted to hear what cyber experts had to say about the growing, and now deadly, threat of ransomware and lessons we can learn from UHS’ recent attack.
“The healthcare industry has been under immense pressure during the pandemic. Staff shortages, lack of medicine, hospital beds and personal protective equipment have pushed the healthcare services to breaking point. In addition to these clear operational concerns, threats from the cyber domain remain apparent, invasive, and in some cases, deadly. Over the coming years, these security threats will continue to accelerate the world over as far more invasive and automated technology makes its way into the operating room and in some cases, the human body. Attackers will once again turn their attention to disrupting the health service by targeting poorly secured devices and systems, which will now start to have severe ramifications for human life.
The healthcare services have an outdated approach to security awareness, education and training. With this industry adopting new and emerging technologies, the requirement to educate and train the entire workforce on a range of cyber risks and threats is urgent. In addition, the safety and wellbeing of patients has historically been the top priority, so this mindset needs to translate into the security of systems and devices that will underpin the lives of many. Basic cyber hygiene standards need to be met, covering patching and updates, network segmentation, network monitoring and hardening, especially for technologies such as AI, robotics and IoT devices. Privacy should also be a high priority for anyone handling sensitive information, considering the shift towards storing patient records online.
This is an exciting time for the healthcare industry but it is also dangerous. As technology-based solutions begin to flourish, so will the risks and threats accompanying them.” Daniel Norman, Senior Solutions Analyst at ISF.