BOSTON (AP) – Federal agencies are warning that cybercriminals could unleash a wave of data-scrambling extortion attempts against the U.S. health care system, an effort that, if successful, could paralyze hospital information systems just as nationwide cases of COVID-19 are spiking.
In a joint alert Wednesday, the FBI and two federal agencies said they had credible information of “an increased and imminent cybercrime threat” against U.S. hospitals and health care providers. The alert said malicious groups are targeting the sector with attacks aimed at “data theft and disruption of healthcare.”
However, the impact of the expected attack wave is difficult to assess.
It involves a particular strain of ransomware that scrambles a target’s data into gibberish until the victim pays up. In the past, such attacks on health facilities have disrupted care and, in one case in Germany, were linked to the death of a patient. But such consequences are still rare.
The federal warning itself could help avert the worst consequences, either by prompting hospitals to take additional precautions or by widening efforts to disrupt the infrastructure cybercriminals use to launch such attacks.
The offensive coincides with the U.S. presidential election, although there is no immediate indication that the criminals involved are motivated by anything other than profit. The federal alert was co-authored by the Department of Homeland Security and the Department of Health and Human Services.
Independent security experts say the ransomware, called Ryuk, has already hit at least five U.S. hospitals this week and could potentially affect hundreds more. Four health care facilities have been publicly reported hit so far this week: three belonging to the St. Lawrence Health System in upstate New York and Sky Lakes Medical Center in Klamath Falls, Oregon.
Sky Lakes said in an online statement that it had no evidence patient information was compromised and that emergency and urgent care “remains available.” The St. Lawrence system said Thursday that there did not appear to have been any access to or compromise of patient or staff data. Matthew Denner, emergency services director for St. Lawrence County, told the Adirondack Daily Enterprise that the hospitals’ owner instructed the county to divert ambulances away from two of the affected hospitals for a few hours Tuesday, when the attack took place. Neither Denner nor the company responded to requests for comment for this report.
Alex Holden, CEO of Hold Security, who has been following Ryuk closely for more than a year, said the wave of attacks could be unprecedented in size for the United States. In a statement, Charles Carmakal, chief technology officer of security firm Mandiant, called the cyber threat the “most significant” the country has ever seen.
The United States has seen a plague of ransomware over the past 18 months, with major cities from Baltimore to Atlanta hit, and local governments and schools walloped particularly hard.
In September, a ransomware attack hobbled all 250 U.S. facilities of the hospital chain Universal Health Services, forcing doctors and nurses to rely on paper and pencil for record keeping and slowing laboratory work. Employees described chaotic conditions impeding patient care, including delays in emergency rooms and the failure of wireless equipment that monitors patients’ vital signs.
Also in September, the first known death linked to ransomware occurred in Düsseldorf, Germany, when an IT system failure forced a critically ill patient to be diverted to a hospital in another city.
Holden said the Russian-speaking group behind the recent attacks was demanding ransoms well above $10 million per target, and that the criminals involved had discussed on the dark web plans to try to infect more than 400 hospitals, clinics and other medical facilities.
While suspected links between the Russian government and the gangs using the Trickbot platform, which distributes Ryuk and other malware, have not been proven, Holden said he “has no doubt that the Russian government is aware of this operation.” Microsoft has been engaged since early October in an effort to knock Trickbot offline.
Dmitri Alperovitch, co-founder and former chief technology officer of cybersecurity firm CrowdStrike, said there are “certainly many links between Russian cybercriminals and the state,” with hackers employed by the Kremlin sometimes moonlighting as cybercriminals.
Increasingly, ransomware criminals steal data from their targets before encrypting networks, then use the stolen data as additional leverage for extortion. They often plant malware weeks before activating it, waiting for the moment when they believe they can extract the highest payment, said Brett Callow, an analyst at cybersecurity firm Emsisoft.
A total of 59 U.S. health care providers or systems have been hit by ransomware so far in 2020, disrupting patient care at up to 510 facilities, Callow said.
Hospitals and clinics have rapidly expanded their data collection and added internet-connected medical devices, many of which are poorly secured. Hospital administrators, meanwhile, have been slow to update software, encrypt data, train staff in cyber hygiene and hire security specialists, leaving their institutions vulnerable to attack.
And as hospitals respond to the coronavirus crisis, privacy and security protocols are falling by the wayside, leaving patients open to identity theft, said Larry Ponemon, a data security expert. “The bad guys smell the problem.”
Associated Press writers Michael Hill in Albany, N.Y., and Marion Renault in New York City contributed to this report.