US hospitals are being warned to prepare for a potential cyberattack from either the Russian government, criminal gangs resident in Russia, or both, as a result of the invasion of Ukraine and the US and Western countermeasures against the aggressor nation.
The day after President Biden announced that the war had begun, the American Hospital Association (AHA) issued an alert to hospitals. The cybersecurity division of the Department of Health and Human Services (HHS), known as HC3, joined AHA with another public warning to the healthcare system on March 1. The federal government’s Cybersecurity & Infrastructure Security Agency (CISA) issued a “Shields Up” alert to private industry, supporting Biden’s March 21 statement about the need to improve domestic cybersecurity.
CISA warned that the Russian invasion of Ukraine could lead to “malicious cyber activity against the US homeland, including as a response to the unprecedented economic costs imposed on Russia by the US and our allies and partners.” The agency noted that the Russian government is currently exploring options for cyberattacks.
John Riggi, the AHA’s national advisor for cybersecurity and risk, and a former senior executive in the FBI’s cyber division, told Medscape Medical News, “We are not aware of any cyberattacks related to the current conflict [in Ukraine]. We don’t know of any specific credible threats targeted against US healthcare from the Russian government.”
He added that there have been reports of Russian hackers searching US health IT security systems for weaknesses.
Criminal Gangs Remain a Threat
Besides the Russian government, Riggi said, Russian criminal gangs are another threat to US hospitals and other healthcare providers. Of particular concern, he noted, is the Conti gang, which “has a history of conducting ransomware attacks against US healthcare and the Irish health system.”
On February 25, said Riggi, the Conti group announced plans “to retaliate against the West for what they viewed as potential cyber aggression by the West against the Russian federation.”
Sophisticated hacker groups like the Conti gang that operate under the protection of the Russian government have “caused the greatest amount of disruption and have cost the most in terms of recovery and lost business,” Mac McMillan, CEO of CynergisTek, a cybersecurity consulting firm, told Medscape Medical News.
However, he said, the current threat is greater for two reasons: first, it will likely come directly from the Russian military intelligence service; and second, there are indications that the malware will be more destructive than ransomware. Two new types of malware identified by HC3 — HermeticWiper and WhisperGate — are designed to wipe out the data in their targets’ systems, rather than just encrypting it and disrupting access to data until a ransom is paid.
The Russian military intelligence service, known as the GRU, is extremely capable and dangerous, McMillan said. He doubts that many healthcare systems, even if they are fairly well prepared, could withstand an attack from this source. And he fully believes that the attack, when it comes, will aim to wipe out data in victims’ systems in order to create as much chaos and disruption as possible in the US.
Hospitals Better Prepared, but Still Have Gaps
Like Riggi, McMillan said that the healthcare industry is better prepared for cyberattacks now than it was in 2017, when the NotPetya assault on Ukraine’s online infrastructure created considerable collateral damage in the US. However, he said, hospitals still have a long way to go before they can counter and/or recover from a dedicated Russian government cyberattack.
The NotPetya malware, Riggi said, was of the destructive variety. “That digital virus spread uncontrollably across the globe like a biological virus. All the organizations and institutions that had contact with Ukraine became infected.”
According to an indictment of six GRU officers that the Department of Justice announced in December 2020, NotPetya disrupted operations at a major pharmaceutical company, subsequently revealed to be Merck, and hospitals and other medical facilities in the Heritage Valley Health System in Pennsylvania. In addition, it temporarily shut down the transcription services of Nuance Communications, which lost $98 million as a result. Merck received $1.4 billion from an insurer to cover its NotPetya loss, Bloomberg reported.
That incident prompted the AHA to urge hospitals to use “geo-fencing” to block online communications with Ukraine and neighboring countries. However, Riggi said, that solution is not too effective because hackers commonly use proxy servers in other countries to forward their malware to the intended target.
The AHA alert included a list of actions that hospitals and health systems could take to reduce their vulnerability to Russian hacking. Besides geo-fencing, the AHA suggested that hospitals:
Heighten staff awareness of the increased risk of receiving malware-laden phishing emails
Identify all international and third-party mission-critical, clinical, and operational services and technology and put in place business continuity plans and downtime procedures
Check the redundancy, resiliency, and security of the organization’s network and data backups
Document, update, and practice the organization’s incident response plan
Hospitals Increasingly Targeted
In recent years, Riggi noted, hospitals have invested much more in cybersecurity than before, and hospital executives have told him that this is now one of their top priorities, along with COVID-19 and workforce issues. This is not only because of NotPetya, but also because healthcare facilities are increasingly being attacked by foreign ransomware gangs, he said.
The hospitals’ biggest vulnerabilities, he said, are phishing emails, remote desktop access, and unpatched vulnerabilities, in that order. The last of these is not easy to remedy, he observed, because hospital networks can include up to 100,000 connected medical devices and other computers that can access the network, both within and outside the hospital.
“With the new work-at-home environment, you may have thousands of employees who are using the network outside the traditional perimeter of the organization,” he pointed out. “There’s no longer that standard firewall that protects everything.” In addition, he said, hospitals also have to depend on vendors to develop patches and implement them.
In McMillan’s view, the healthcare industry is a decade behind the financial industry and other sectors in cybersecurity. Among other things, he said, “half of our hospitals still don’t have active monitoring on their networks. They don’t have privileged access on their networks. A bunch don’t have segmentation or endpoint protection. There are so many things that hospitals don’t have that they need to fend off these attacks — they’re better off than they were in 2017, but they still aren’t where they need to be.”
Physician Practices Also at Risk
Employed physicians, naturally, are in danger of losing access to their electronic health records if their hospital’s network goes down as the result of a cyberattack, he noted. Many community doctors also use the EHR of a local hospital, and they would be similarly affected, Riggi noted.
Physician practices might be saved if the attack were directed at the hospital and they could still connect to the EHR through a cloud provider, McMillan said. But Riggi stressed that practices still need a plan for their doctors to keep working if they lose access to a hospital EHR.
“The other possibility is that the practice could be targeted,” he added. “As hospitals become more hardened, often these hackers are looking for the weak link. The practices could become victims of increased targeting. And the practice becomes the conduit for malware to go from its system to the hospital and infect the hospital system.”
Hackers Can Hit Service Suppliers
Hospitals’ mission-critical service suppliers may also be targeted by Russian hackers and others, or they may be the accidental victims of a cyberattack elsewhere, Riggi noted. In the case of Nuance, he said, the disruption in transcription services affected thousands of US healthcare providers who were unable to access their transcribed notes. This not only harmed patient care, but also meant that hospitals couldn’t fully bill for their services.
Another type of service supplier, he said, was struck with a ransomware attack last year. This was a cloud-based service that operated linear accelerators used in radiation oncology. “So radiation oncology and cancer treatment for patients across the US was disrupted, and radiation oncology was delayed for some patients up to 3 weeks.”
More recently, another cloud-based service called Kronos was struck by ransomware. Because of this incident, payroll and timekeeping services were disrupted across several industries, including healthcare.
Ken Terry is a healthcare journalist and author. His latest book is “Physician-Led Healthcare Reform: A New Approach to Medicare for All.”