When we think about hospitals under attack, we immediately focus on the pandemic and health care workers. But they have another battle on their hands at the moment. There’s a growing wave of ransomware attacks that, like the virus, seems to be intensifying. With no sign of a flattening curve.
The medical troops, of course, have community, professional, and government support behind them. And knowledgeable experts like Dr. Anthony Fauci, director of the National Institute of Allergy and Infectious Diseases, to advise them.
What about the brigade fighting the cyber war? Not so much.
They do have support, of course. Like all of the industries victimized by the explosion of attacks in which criminals lock up a company’s data and demand payment in exchange for the key, hospitals can turn to lawyers, law enforcement, and cyber security vendors for help. The hospitals also have John Riggi.
Riggi is their Anthony Fauci. He’s not a doctor. He’s the senior adviser for cyber security and risk at the American Hospital Association (AHA). For nearly three years he’s been guiding member hospitals through the unpredictable weather of this turbulent world. His 25 years in the FBI, including a lengthy stint focused on cyber crimes, have given him a solid grounding. His communication skills are equally clear in presentations at conferences and in the articles he writes.
But unlike Dr. Fauci, he has no clear formula to offer. In cyber security, there’s nothing comparable to: “Follow the science.” Updating and patching software won’t protect a hospital when an employee opens an email and clicks on a link. Managing these risks is more of an art than a science.
He’s had plenty of practice plying that art. When hospitals are under attack, they call. And he counsels. Not just AHA members, he emphasized. “We provide that to any hospital,” Riggi said. “Simply as a public service, to help guide them through the event.”
He can help them get in touch with government agencies. He’s often a “sounding board.” He offers an outside perspective, based on lots of experience. But he doesn’t tell them what to do.
Like the FBI, the hospital association “highly discourages the payment of a ransom,” Riggi noted. He ticked off some of the reasons. It rewards and encourages the attacks. It funds the criminal organizations that perpetrate them. And there’s no guarantee that the encrypted data will be decrypted after the payment is made.
It’s not a coincidence that the AHA’s policy aligns with the FBI’s. “I actually helped write the FBI policy,” Riggi said. But the decision is not up to the AHA. “We would never want to come out and say that the hospital should pay or not pay. That has to be left to an individual decision for the hospital, based on the circumstances.”
A Problem that Only Grows
Ransomware has been the bane of the industry for some time. Verizon’s Data Breach Investigations Report found that more than 70 percent of malware attacks on health care organizations in 2018 and 2019 were ransomware.
Early in the pandemic, it seemed as though the hospitals had caught a break. Cyber criminals recognized the desperate need for medical care. In March, some said they would seek other targets.
Did they keep their word? “They did not,” Riggi said. “The proclamation was noble, but their actions have not been. The attacks soon continued.”
In September, the hospital chain Universal Health Services (UHS) was hit. More than 250 hospitals and clinics in the United States were crippled by the attack. With digital data unavailable, employees were forced to rely on paper backups.
There aren’t great statistics in this area, Riggi said. Some hospitals would just as soon keep these things quiet. But from September 1 to November 10, U.S. hospitals reported 104 breaches, he said. Not all of them were ransomware attacks, he added, but many of them were.
The onslaught seemed to come to a head in October. There was the threat of another wave of attacks. “Hundreds of hospitals” were being targeted by criminals believed to be based in Moscow and St. Petersburg, according to The New York Times. They were said to be the same group that had earlier attacked the UHS chain.
But the news wasn’t all bad. The Russians had suffered a big setback themselves in September. They were associated with Trickbot, a giant botnet used to launch ransomware attacks that drew intense attention as the U.S. election approached. The authorities feared ransomware might be used to disrupt or even sabotage the vote.
But public and private defenders emerged to thwart the effort. Apparently working independently, the United States Cyber Command hacked into the botnet’s infrastructure in an effort to disable it, and Microsoft Corporation managed to secure federal court orders to take down a vast number of Trickbot servers. Together they succeeded in putting it out of commission—at least temporarily.
Riggi was heartened by these efforts. He’d already seen real improvement in the sharing of threat information among government agencies. The increased frequency and greater specificity of the intelligence, and the coordination among the FBI, Homeland Security, Health and Human Services, and the National Security Agency underscored their determination to assist hospitals before, during, and after attacks, he said. But the actions of Cyber Command took it to another level.
He applauded the government’s willingness to “defend forward,” using the phrase that Paul Nakasone, NSA director and commander of the U.S. Cyber Command, used to describe the strategy in a recent article (in which he acknowledged that it originated with the Department of Defense). The election was the apparent justification for the aggressive actions in September. Could protecting hospitals justify future action by Cyber Command?
“In my opinion, yes it would,” Riggi said. “Because there is a threat with real physical impact, physical harm resulting. And I think it was even acknowledged that the collateral benefit of going after the Trickbot botnet was that it would also help slow down the spread of ransomware, which we know is heavily targeting hospitals at the moment.”
Looking Beyond Health Care
The hospitals’ experience offers lessons for other industries, Riggi continued. He recommends that hospitals establish a relationship and develop a rapport with the FBI and other government agencies, like the Cybersecurity and Infrastructure Security Agency, prior to an attack. All companies would be wise to do likewise, he said. You don’t want to start the process as you fumble for advice in a crisis.
And now more than ever, Riggi said, all industries are vulnerable. The Covid pandemic that forced a mass exodus from the office has made us all more dependent on technology, he noted. “Technology is great, digitization is great, our use of artificial intelligence is great. But within those advancements,” he said, “there is embedded risk, which may expand the attack surface for the adversaries.”
And the risks aren’t limited to business failures, he warned. There can be safety risks as well. Not only to your employees. They can also endanger your clients, he added.