Colorado Hospital Hit by Ransomware as COVID-19 ContinuesDespite Pandemic, Healthcare Sector Faces Surge in Cybercrime Campaigns
Despite the ongoing COVID-19 pandemic, the healthcare sector faces an ongoing surge of hack attacks that too often disrupt systems and patient care. Among the latest victims is a hospital in Pueblo, Colorado, which is still recovering from an apparent crypto-locking malware attack.
See Also: The Evolution of Email Security
Parkview Medical Center was hit with a ransomware attack on April 21, according to Fox 21 News. As of Monday, the hospital's website still displayed a message saying it was "currently experiencing a network outage."
A Parkview employee told Fox 21 News that the attack involved ransomware rendering the hospitals' patient records systems inoperable.
In a statement provided to Information Security Media Group on Monday, Parkview says that a hack attack, which it declined to explain further, resulted in an outage of a number of its IT systems.
"Our investigation is ongoing at this time, and we will provide updates as more information is verified by the forensics team," the statement says. "While our medical staff continue to work around the clock in response to the ongoing global pandemic, we are doing everything in our power to bring our systems back online as quickly and securely as possible."
Here's a rundown of other recent online attacks against the healthcare sector:
- The FBI says it has seen an increase in nation-state hackers targeting U.S. medical research facilities and healthcare organizations conducting research into COVID-19 (see FBI: Hackers Targeting U.S. COVID-10 Research Facilities);
- The World Health Organization has reported that the number of hack attacks targeting the organization since the pandemic began is five times the amount the organization saw during the same time period in 2019 (see: WHO Reports Dramatic Increase in Cyberattacks);
- The Department of Health and Human Services, which oversees the Centers for Disease Control and Prevention, has also been hit by a surge in hack attack attempts, some apparently from Russia and China, according to CNN.
The Health Information Sharing and Analysis Center says its members are also seeing a spike in hack attacks, says Errol Weiss, its chief security officer.
"While some of the Health-ISAC members are reporting an increase in the number of attacks attempts they are seeing, there is not a corresponding increase of attacks succeeding," he tells ISMG.
"Members reported a 30 percent increase last month in the number of COVID-19-themed phishing sites and lures detected. While we're also reading those media articles and warnings from the FBI, we just don't see a major increase in victim breaches or successful exploitation."
Earlier this month, the U.K. National Cyber Security Center and the U.S. Cybersecurity Infrastructure and Security Agency issued a joint warning that hacking groups associated with nation-state governments are exploiting the COVID-19 pandemic (see: UK and US Security Agencies Sound COVID-19 Threat Alert).
And the Czech Republic earlier this month warned of an increasing number of cyber incidents that have targeted medical facilities, according to Reuters.
"Healthcare organizations are under constant attack on the network perimeter with bad actors probing for vulnerabilities," says Rich Curtiss, director of healthcare risk assurance services at security consulting firm Coalfire.
"Ransomware has been a constant threat through phishing campaigns and malicious websites. It appears that rather than a surge in cyberattacks, there has been a shift in the attack vector," he notes.
With most of the non-clinical workforce working from home, plus a surge in telehealth, securing remote access has become more challenging, he says.
"Many, if not most, organizations are ill-prepared for a significant portion of their workforce to be quarantined and working from home," he says.
"Business continuity and disaster recovery plans are insufficient for this crisis. The work-from-home attack vector is being exploited, and organizations without multi-factor authentication, properly configured virtual private networks, patched secure access gateways, robust network configurations and proper training on work-from-home processes are the most vulnerable."
Warnings and Reminders
Weiss of H-ISAC says his organization continues to warn its members about ongoing cyberthreats.
"We're also working closely with several volunteer information security research and cyberthreat intelligence groups and sharing intelligence we derive from those sources," he says. Those organizations include the COVID-19 CTI League and the COVID-19 Cyber Threat Coalition.
"Health-ISAC also reminds our members that Citrix, Pulse VPN and remote desktop endpoints continue to be exploited by malicious actors," Weiss adds. "Multiple proof-of-concept exploit code examples have been released targeting vulnerable VPN servers. Citrix has released patches for CVE-2019-19781 and Health-ISAC members are encouraged to update their Citrix appliances to the latest security revision available."
An April 1 FBI notice said the Sodinokibi ransomware group continues to conduct mass port scans to identify Pulse Secure VPN servers that still remain unpatched for CVE-2019-11510 and are actively being exploited to install the malware, he adds.
Ransomware: Still Profitable
Ransomware attacks continue to be the most common types of attacks launched against healthcare organizations, says Curtiss of Coalfire, because they are "cheap, easy and profitable."
He also points out, however, that "many malicious websites are being spun up to take advantage of the COVID-19 supply chain deficiencies. Phishing campaigns, using the same malicious supply chain tactics, are being mounted with success."
Nation-states, especially China, have targeted research hospitals and pharmaceutical companies to, for example, attempt to steal medical research and other intellectual property, he says.
"This is similar to what nation-states have been doing with the Department of Defense for decades. Why spend money on research and development of drugs and vaccines when you can pilfer it with relative ease?"
To fight against all these threats, Curtiss suggests healthcare organizations use SIEM tools to provide alerts about "anomalous network and system access and/or behavior."
Organizations should consider enhanced and more frequent monitoring of network access, including an emphasis on remote connections. Plus they should closely manage remote desktop services.
Also, organizations should implement multi-factor authentication, ensure timely patching of security vulnerabilities, inhibit access to shadow information technology resources, and use secure video conferencing platforms, he adds.
"Don't forget what you have learned during this crisis and use it to implement or improve a pandemic action plan and add it to your business continuity and disaster recovery planning activities," he stresses.