Wave of Cyberattacks on Hospitals Offers IT Security Lessons for MSPs

At least 14 U.S. hospitals have become victims of cyberattacks during the past six weeks, with some paying thousands of dollars in ransoms to regain access to locked data files and crippled networks.

The MedStar Health chain has been particularly hard hit in the latest wave of ransomware breaches, and operations have still not returned to normal after an attack last week targeted networks linked to several of the company’s Maryland- and Washington, D.C.-area hospitals.

The growing number and sophistication of cyberattacks poses serous implications for managed services providers (MSPs), for whom a serious security breach and lengthy system downtime could lead to a costly loss of customers and reputational damage to a meticulously cultivated brand.

Cyber-criminals’ recent focus on hospitals offers important clues about the thinking of professional hackers, and hints at other types of organizations and networks that could be similarly vulnerable, said Patrick Upatham, director of threat research at Digital Guardian, a provider of IT security solutions, including managed security services.

“What it comes down to is that there’s definitely no safe business,” he said. “Even with cutting edge tools, some of the variants are not detectible.”

Deployment of ransomware or other types of malware are an increasing fact of life in a world of rapidly increasing interconnectivity.

Infiltrating a network can be very cheap, and a successful breach can be lucrative.

An attacker need only send out a batch of emails containing a malicious file to employees of an organization, and wait for just one of them to click the item and unleash the malware into the network.

Despite digitizing patient health records as mandated by the Affordable Care Act, some hospitals still use older operating systems and legacy IT technology, Upatham explained.

Smaller hospitals can have understaffed IT departments, and cost-pressures to minimize network downtime can foster a culture that often forgoes recommended upgrades or patching.

“The machines must stay up,” Upatham said. “They’re kind of pushed into the (mindset of) make it run and just leave it alone. Once it’s up and running, if it’s not broken, don’t try to fix it.”

Once inside, the malware is directed by the attacker through a command-and-control server, and spread throughout the network until the victim organization realizes the intrusion and shuts down their systems to halt the infection.

Often, by the time the attack is discovered, it’s already too late.

Under one common scenario, Upatham said, someone in the hospital’s administration goes to their computer and finds an obnoxiously bright-colored pop-up or background message on their monitor.

The message contains an advisory that the files have been encrypted, a countdown timer indicating how much time before the files are permanently irrecoverable, a ransom demand in untraceable electronic currency – often Bitcoin, and contact information for a support desk-type system to help the victim comply.

“Most of these (victims) have no idea what a Bitcoin is,” Upatham said.

“(The hackers) will give you an address and a support phone number,” he said. “They will actually walk you through and help you figure out how to pay.”

Modern cybersecurity solutions can certainly improve a network’s defenses to attack, Upatham said.

But nothing is foolproof.

Organizations should provide regular training about the social engineering tactics employed by hackers to fool employees into clicking on dangerous emailed files, Upatham said.

Businesses and other groups should also segregate as much of their systems as possible, to minimize the risk to other parts of the network if malware is launched on one machine, he said.

Upatham offered an analogy from health care.

“It’s the same principles as with biological viruses,” he said. “You have certain hygiene practices so you don’t introduce certain viruses or bacteria.”

Please send tips and news to [email protected].