Cyber Experts Weigh-In: Universal Health Services Hospital System Ransomware Attack
Updated: Oct 2, 2020
On Monday, the cyber community saw what some have deemed the largest ransomware attack in history. NBC first reported: "Computer systems for Universal Health Services, which has more than 400 locations, primarily in the U.S., began to fail over the weekend, and some hospitals have had to resort to filing patient information with pen and paper, according to multiple people familiar with the situation."
Ransomware has been rapidly on the rise for some time now. According to Trustwave's 2020 GSR, ransomware overtook payment card data in breach incidents for the first time this past year when comparing types of information most targeted by cybercriminals. And according to Microsoft, ransomware is the most common reason behind its incident response engagements from October 2019 through July 2020. Microsoft says, "The Department of Homeland Security, FBI and others have warned us all about ransomware, especially its potential use to disrupt the 2020 elections."
With this week's attack, and the recent death at a German hospital linked to ransomware, we wanted to hear what cyber experts had to say about the growing, and now deadly, threat of ransomware and lessons we can learn from UHS' recent attack.
Matthew Gardiner, cybersecurity strategist, Mimecast
“Despite data showing that the healthcare industry has a strong, dedicated cybersecurity approach in place – from awareness training to internal email protection – it continues to be a main point of attack for cybercriminals. In fact, 90% of healthcare organizations were hit by email-borne attacks in the past year, with nearly three quarters (72%) experiencing downtime as a result of an attack. The industry should not be naïve to think that cybercriminals would overlook it simply because of the current pandemic. On the contrary, cybercriminals know that the industry is spread thin, widening its vulnerability surface. As such, targeting healthcare organizations like Universal Health Services with ransomware has a high potential return for malicious actors, putting operations, including patient care, and sensitive patient data at risk.
With this in mind, healthcare organizations cannot be reliant on IT security controls of the past. Security and resilience systems cannot just be “good,” they need to be top-notch. Healthcare organizations should be protecting themselves within, at, inside and beyond the perimeter with email security and threat protection. They should have a comprehensive backup and recovery plan and business continuity options in place to ensure that their data is protected and recoverable should a system go down. They should provide consistent training to their employees to be aware of and prepared to thwart a potential attack. Healthcare organizations are not immune to ransomware and must have plans in place in the inevitable situation that they are targeted.”
Tim Bandos, Vice President of Cybersecurity, Digital Guardian
“Even during a pandemic, ransomware distributors continue to take advantage of the healthcare industry while medical professionals are continuously working hard to slow down the contagion and save lives. Cybercriminal gangs only care about one thing: to profit even at the greatest expense of all.
Some ransomware developers have signaled to the industry that they would not target healthcare facilities to show some sign of empathy; however, these statements are clearly non-binding and will continue. These actions should only further enforce the requirement for all businesses running computing technology that supports health services to implement controls and technology that actually work to prevent the spread of ransomware or any other form of cyber-attack that disrupts operations.
The Ryuk ransomware, which is believed to be associated with the UHS attack, is commonly delivered via email from phishing links or attachments. There are a myriad of controls that could stop this from email filtering, end-user security awareness, patching devices, endpoint protection platforms, to anti-virus. Hospitals need to fund cybersecurity programs more appropriately with a focus on gaining the right level of visibility across the environment and providing regular training to staff given the amount of responsibility they have on keeping patients safe. Not to mention protecting sensitive data and PII which inevitably becomes a primary target in soliciting payment.”
Ray Canzanese, Threat Research Director at Netskope
"The Ryuk ransomware used in this attack has recently been spread using Emotet. Emotet uses cleverly crafted bait emails and cloud apps to deliver highly obfuscated Office documents that evade traditional AV. When the victim opens the Office document, it typically uses VBA scripts, WMI, and PowerShell to download the payloads, which have included the Ryuk ransomware. Enterprise security software can go a long way toward preventing ransomware infections like this. Multi-layered defenses that scan both traffic on the network and files on the endpoint can help ensure that Emotet or some other Trojan never gets opened by one of your users. The scanners themselves should also include multi-layered defenses, including signature-based and ML-based AV, static file analysis, and dynamic sandbox execution to ensure that even zero-day, highly obfuscated samples are detected. Such defenses can also help prevent exploitation of known vulnerabilities. However, the best defense against known vulnerabilities is patching. For example, the recent Zerologin vulnerability CVE-2020-1472 is already being exploited in the wild."
Recovering from ransomware attacks generally requires isolating and re-imaging infected machines. The isolation phase can be very disrupting as entire segments of the network containing infected machines might be taken offline as a precaution. Once the attack is isolated, the recovery begins. This typically requires a labor-intensive process of re-imaging infected machines and restoring data from backups. Depending on the availability of spare hardware, capacity to re-image infected machines, and the availability of backups, this can be a lengthy process.
Organizations need to constantly question if their security practices are optimal. I always gauge preparedness with the following questions: 'Is your organization prepared to defend itself against ransomware attacks, and is it prepared to respond to a ransomware attack if it happens?' For defense, take a look at your patching strategy. 'Is it working? Does it have any gaps?' Also, take a look at your security controls. 'Are they robust enough to detect zero-day samples? Are there any blind spots on your network?' For response, take a look at your network and security operations teams. 'Do you have the appropriate visibility and alerting in place? Can you effectively isolate affected systems from the rest of your network? Do you have backups and processes in place for a speedy recovery?'"
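The delivery chain described above (an Office document that uses VBA, WMI and PowerShell) leaves a recognizable process lineage that defenders can alert on. The following Python is an added example, not part of the original article or of any quoted expert's tooling; it flags that lineage in process-creation records. The record field names, hosts and timestamps are constructed for illustration, and the two-minute correlation window is an assumption.

```python
from datetime import datetime, timedelta
from ntpath import basename  # parses Windows paths on any OS

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
WMI_HOST = "wmiprvse.exe"
# Assumption: how long after an Office launch a WMI-brokered spawn on the
# same host is still treated as related.
WINDOW = timedelta(minutes=2)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WMI = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
WORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample records (hypothetical hosts and field names).
EVENTS = [
    {"time": "2020-01-06T09:14:02", "host": "WS-014", "image": WORD, "parent": EXPLORER},
    # A process created through WMI is parented by WmiPrvSE.exe, not Word.
    {"time": "2020-01-06T09:14:09", "host": "WS-014", "image": PS, "parent": WMI},
    {"time": "2020-01-06T10:01:00", "host": "WS-022", "image": EXCEL, "parent": EXPLORER},
    {"time": "2020-01-06T10:01:05", "host": "WS-022",
     "image": r"C:\Windows\System32\cmd.exe", "parent": EXCEL},
    # Remote management on a server: WMI spawn with no Office activity.
    {"time": "2020-01-06T11:30:00", "host": "SRV-003", "image": PS, "parent": WMI},
    # Office launch followed by a WMI spawn well outside the window.
    {"time": "2020-01-06T12:00:00", "host": "WS-031", "image": WORD, "parent": EXPLORER},
    {"time": "2020-01-06T12:20:00", "host": "WS-031", "image": PS, "parent": WMI},
    # Interactive PowerShell started by the user.
    {"time": "2020-01-06T13:00:00", "host": "WS-040", "image": PS, "parent": EXPLORER},
]


def exe(path):
    """Lower-cased executable name from a Windows path."""
    return basename(path).lower()


def detect(events):
    """Return (host, rule, time) alerts for Office-driven script-host launches."""
    alerts = []
    last_office = {}  # host -> time of the most recent Office process start
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        child, parent = exe(ev["image"]), exe(ev["parent"])
        if child in OFFICE:
            last_office[ev["host"]] = ts
        if child not in SCRIPT_HOSTS:
            continue
        if parent in OFFICE:
            # Direct lineage: the macro launched the interpreter itself.
            alerts.append((ev["host"], "office-spawned-script-host", ev["time"]))
        elif parent == WMI_HOST:
            # Indirect lineage: correlate with a recent Office start on the host.
            seen = last_office.get(ev["host"])
            if seen is not None and ts - seen <= WINDOW:
                alerts.append((ev["host"], "wmi-spawn-after-office", ev["time"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The WMI rule is the one parent-only checks miss: the interpreter's parent is WmiPrvSE.exe, so the link to the Office document exists only through time and host correlation.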
Taylor Lehmann, Partner, SideChannel Security and former CISO at athenahealth
"In the US, health care organizations are required (by HIPAA) to have contingency plans in place in the event operations of the hospitals are disrupted so that they may continue providing care. When ransomware attacks (or any other disruption occurs for that matter) occur at hospitals who have strong contingency plans that they practice regularly, these organizations have a better chance to continue providing care and restoring operations.
I am unclear on what Germany's health system mandates are on this matter, but it seems very odd that a ransomware attack on a computer system of the type discussed could deny care to a human being. Physicians are trained to treat people in emergency scenarios and often provide care without needing a computer at all. Emergency ambulances call ahead to check capacity of a given health facility before attempting to deliver a patient there. Certainly, other controls failed - in addition to those that should have stopped the ransomware or restored computer operations - which led to this. It's very sad.
It's peculiar why the German health system shut its emergency room down - it's clear they weren't ready for a ransomware attack, but it's also clear they weren't ready for any real type of contingency of any type. One doesn't simply shut down an ER - ramifications of this decision include this result.
It's very unfortunate that someone had to lose their life, but I do not buy into the hype that ransomware caused this death. While I don't know or understand the economic or operational realities of the health system that was attacked and I am certainly NOT a physician or someone with medical training, the details shared about this specific attack do not lead me to believe that ransomware was the direct cause of death as the media reports."
Torsten George, cybersecurity evangelist, Centrify
“The UHS incident is the latest in a string of healthcare-focused ransomware attacks. Hackers could be motivated by two things: 1) hospital systems are mission critical, and with many lives at stake, healthcare organizations become more likely to pay a ransom to swiftly get back up and running; 2) ransomware is used as a distraction while hackers move laterally across the network, stealing patient data for additional pay off on the dark web, where it can be sold for $1,000 per record.
To minimize exposure to these attacks, there are fundamental measures to take such as implementing cybersecurity training, regularly updating anti-virus and anti-malware with the latest signatures, performing regular scans, as well as backing up all data to a non-connected environment and verifying the integrity of those backups regularly.
While these practices are table stakes, ransomware is just one form of exploit that can easily be replaced by another. According to Forrester, an estimated 80% of data breaches are tied to privileged access abuse, making it the No. 1 cause of data breaches. By applying proper access controls, organizations are applying a ‘dual therapy’ to the ransomware epidemic, which is addressing privileged access abuse, while also minimizing the overall impact of a ransomware attack by preventing malware from running or limiting its capability to spread through a network. In this context, organizations should establish a secure admin environment, enforce access zones that restrict access to specific systems by privileged users and require multi-factor authentication (MFA) in order to reach assets outside of their zone. In addition, vault away shared local accounts, and apply the concept of least privilege to granularly control what access admin users have and what privileged commands they can run.”
Heather Paunet, Vice President of Product Management, Untangle
“Healthcare facilities and personnel will continue to be high-level ransomware targets during this time, especially as continued testing increases the amount of data or information known about patients or future patients. IT departments need to be more aware than before about how to protect their network, their employees and their patients.”
Daniel Norman, Senior Solutions Analyst, Information Security Forum
“The healthcare industry has been under immense pressure during the pandemic. Staff shortages, lack of medicine, hospital beds and personal protective equipment have pushed the healthcare services to breaking point. In addition to these clear operational concerns, threats from the cyber domain remain apparent, invasive, and in some cases, deadly. Over the coming years, these security threats will continue to accelerate around the world over as far more invasive and automated technology makes its way into the operating room and in some cases, the human body. Attackers will once again turn their attention to disrupting the health service by targeting poorly secured devices and systems, which will now start to have severe ramifications for human life.
The healthcare services have an outdated approach to security awareness, education and training. With this industry adopting new and emerging technologies, the requirement to educate and train the entire workforce on a range of cyber risks and threats is urgent. In addition, the safety and wellbeing of patients has historically been the top priority, so this mindset needs to translate into the security of systems and devices that will underpin the lives of many. Basic cyber hygiene standards need to be met, covering patching and updates, network segmentation, network monitoring and hardening, especially for technologies such as AI, robotics and IoT devices. Privacy should also be a high priority for anyone handling sensitive information, considering the shift towards storing patient records online.
This is an exciting time for the healthcare industry but it is also dangerous. As technology-based solutions begin to flourish, so will the risks and threats accompanying them.”
Mohit Tiwari, Co-Founder and CEO, Symmetry Systems
“Hospitals have a challenging setting. They have to prioritize fighting healthcare-related fires each and every day and have to work with software and hardware that takes years to certify for safety. This means the compute infrastructure lags behind for both business and technical reasons.
The shift in mentality that hospital executives must get to is that compute infrastructure in hospitals is key to healthcare, and computing failures are healthcare failures. Further, computing flaws are highly correlated and can spread quickly -- ransomware or a breach of large data stores or compromise of medical equipment on a network. With the right investments, there is new technology that can shift certified workloads into safer virtual machines and put defenses around it, and better identity and authorization methods that prevent small errors from scaling out organization wide.”
Caroline Thompson, Head of Underwriting, Cowbell Cyber
“Organizations need to assess cyber insurance for every coverage and assistance that the policy might provide prior, during and after a cyber incident. It is often ignored that in the case of ransomware, the damage to an organization goes beyond the necessity to pay the ransom if an available backup is not a possibility. Loss of revenue, business disruption and damage to the organization's reputation are all financial burdens that cyber insurance can offer relief for. Partnering with a trusted insurance carrier, with dedicated cybersecurity expertise, is essential.”
Drex DeFord, Executive Healthcare Strategist, CI Security
"There’s a lot we don’t know about the attack yet, so specific recommendations are difficult. Ransomware attacks are difficult to prevent, but if organizations take these steps, they have the best chance of stopping or slowing down ransomware, and limiting the amount of damage/impact to the business:
Have a robust security operations center monitoring your network; Managed Detection and Response helps organizations find bad-actors in their network quickly, and kick them out, minimizing impact to business operations
Patch servers, end-user-devices and other equipment as vendors and software producers issue them
Use two-factor identification to make it more difficult for cyber criminals to use any user credentials they might steal
Train end users on phishing and ransomware; in the current environment, front-line-personnel are full-time cyber-defenders
Have a robust cybersecurity program, with a leader that regularly updates the board on risks and requirements
Make sure all systems are backed-up, and that you test those backup processes on a regular basis to make sure the data can be recovered and systems can be restored from those backups
As much as possible, limit the company network to company business – personal computing, general website surfing, home email, and Facebook, should be done on personal devices
Have a well-planned and tested Incident Response program. Nobody wants an outage like this to occur, but if an organization has planned and practiced all the steps they would take in the event of a cyber-outage, they can panic less and recover more quickly. That program should include lists of who’s responsible for leading and participating in the event, a list of outside organizations and specific contacts they will need support from (including the FBI and local law enforcement), and the regular “exercise” process to test and improve the Incident Response program.
Have a well-planned and tested Business Continuity and Disaster Recovery program. Regularly exercise EHR outages so clinicians understand and have practiced how to provide care during downtimes. Work closely with clinical and business leaders to preposition tools they’ll need during downtimes (everything from pencils, paper, and forms, to regular backup of labs and medication lists to computers/printers that can operate without the network). The organization also needs to understand and have practiced how long they can operate without the EHR or other clinical systems before it’s necessary to begin diverting/transferring patients, or taking other steps to reduce workload to maintain safety.
From what we’re hearing, it appears the organization may be without computers for days, and full-recovery might take even longer. Over the past few years, healthcare organizations have become incredibly dependent on electronic health records (EHRs), networked medical equipment, and other clinical systems to provide safe, well-managed care. Without those systems, the provision of great care becomes much more challenging, and the risk to patients may increase. Expect to see delays in appointments and surgeries, emergency patients being diverted to other hospitals, and the transfer of some in-patients to other healthcare organizations if the system outage is of extended duration."
Rob Bathurst, Chief Product Officer, at Digitalware, Inc.
"The speculation is that Ryuk, or a similar variant was used to target UHS. Ryuk was designed to go after enterprises and is most likely being operated by a sophisticated group that are looking to do “big game hunting” e.g. get a large payout. The entry mechanism on these types of ransomware is usually accompanied by a delivery mechanism like the TrickBot or Emotet trojans. The complexity in stopping “enterprise ransomware” is that the attackers are skilled or at least financially motivated to utilize all the techniques that are available to them to bypass modern endpoint and network-based defenses. Determining an exact prevention strategy without all the facts is complicated, but it usually comes down to well-designed layers. Email scanning to prevent phishing/spam from reaching the user inbox, a proxy to ensure known bad domains are being actively blocked, a modern AV that isn’t reliant on signatures to attempt to prevent the malware from executing, and a design that limits potential impact from any one point within the environment.
When it comes to ransomware and hospital networks the consequences depend a lot on how the organization is designed. If you were to look at the NHS example with WannaCry, their architecture made it possible for the ransomware to spread unabated until it brought the nationwide system nearly to a halt. Large organizations that have multiple locations like UHS are particularly at risk because they have complex infrastructure and connectivity models that can vary across the enterprise and facility to facility.
Hospitals are generally divided (if at all) into two networks, the business network, and the clinical network (medical devices). What the hope is, in these ransomware scenarios, is that the clinical network is not penetrated by the incident and the Electronic Medical Records (EMR) system remains unaffected. The reality is that most hospital systems have their EMR tied into almost every part of the organization from billing to the ER and when something infects one part it almost always has a direct line to the EMR and by proxy the clinical network. In a lot of cases where there is ransomware, the hospital can continue to function using back-up procedures/paper charts for life saving and sustaining care as doctors don’t suddenly forget how to be doctors, but their care operations and efficiency are severely reduced when their workflows are taken away in a modern hospital. Almost everything in a modern large provider facility is automated and computerized including the medical records, pharmacy, scheduling, charting, admitting, billing, etc. Ransomware can impact medical devices, but odds are the pain the organization will feel is in all their support/operations systems before there is an impact to their medical devices directly.
It does not matter how much AI a security vendor says it has, a lot of preventing ransomware impacts comes down to architecture, technology, settings, and unfortunately luck. As no security solution is a silver bullet, the only way to have a chance to prevent something like this from occurring is by using the defense in depth strategy and understanding the organization's risk posture. The organization needs a modern AV that has multiple capabilities within it. The AV will fail to catch malware, but the hope is that not every part of the AV solution fails. These solutions are usually a combination of behavioral analytics/pattern matching, binary analysis, and some form of pre-execution prevention resulting in multiple places the solution could stop the malware from fully executing. Next, an organization needs network-based technologies to detect and prevent beacons, which are used for command and control, updating ransom notes, encryption keys, etc. The challenge is that these beacons can be commonly sent in otherwise normal channels like DNS and over HTTPS through proxy, which a lot of systems are not set up to detect. It requires an understanding of how attackers use the environment to their advantage to properly defend yourself. Ultimately, though, it comes down to understanding your risks and pain points. Determine how an attack could happen, what ransomware could do, what the attacker could impact, and how the damage can be limited and build a plan from there."
Chris Hauk, consumer privacy champion with Pixel Privacy
“The ransomware used in this attack is reportedly Ryuk ransomware, which used phishing emails to infect UHS systems. This attack underscores the need for companies to spend the relatively small amount of money needed to provide education for employees and executives to teach them how to avoid infecting their systems by opening attachments or clicking links in emails and text messages.
Unfortunately, the shutdown of UHS systems isn't the only hazard for UHS patients, as ransomware attacks like this can result in the theft of personal and medical information from systems, and can even result in the deaths of patients, as affected medical facilities are forced to divert patients to other hospitals, possibly endangering the health of patients.”
Mickey Bresman, CEO, Semperis
"The ransomware pandemic is continuing to spread with no end in sight. It's obvious that criminals will not stop at anything, including endangering lives. As much we all would like to see it end, organizations must always be prepared for the worst. Having a disaster recovery plan with a cyber-first approach is the only way to deal with this wicked reality. As attackers will always find a way in, we need to change the recovery times to hours instead of days or weeks, making the devastating impact minimal."
Brian Higgins, security specialist with Comparitech
“This looks like a well-planned and targeted attack against Universal Health Services. The timing and sophistication of the breach are hallmarks of organized cyber criminals, and UHS are clearly doing everything they can to defend their networks and clients as the attack plays out. Thankfully they appear to have learned from other recent attacks on healthcare service providers and have enacted a comprehensive Incident Response Plan to protect their company and its digital assets.
Unfortunately that clearly involves the shutdown of vital systems and the use of ‘offline documentation methods’ which will clearly cause some service impact. They also outsource their patients’ electronic health records which should provide air-gapped protection of that data and therefore some consolation for their clients at this worrying time.
The main threat to those clients, as with all successful data breaches, is that they will all be rightfully concerned about the safety and security of their medical information. The moment the breach became public those responsible and a multitude of other criminal organizations will have mobilized further phishing campaigns specifically designed to harvest more personal data by playing on the fears of those clients.
It is vital that any patients not respond to unsolicited requests to provide security or logon details, reset passwords or share any other data until UHS have the situation under control.
This is the golden hour for cyber criminals and it is incredibly difficult not to respond to their seemingly credible communications, whether they are via email, social media, telephone or even the regular postal service. Part of the UHS response plan will be to deal with patient communication and it will be very clear when those plans take effect. Until then any and all unsolicited requests should be passed to the authorities and ignored, however difficult that may be. Any engagement or response at this time will simply compound the problem and make what is clearly a very worrying time for all concerned even worse.”