I have gotten more notices on this particular alert than usual, so I suspect that means that there is more fire than anyone is admitting.
The FBI, Homeland Security and Health and Human Services issued a joint alert that hospitals and other public health organizations are being targeted by malware, especially ransomware. They are calling it an imminent threat. Security experts say that they are seeing chatter from Russian cybercrime groups saying that they plan to deploy ransomware to 400 hospitals this week.
Just this week the Saint Lawrence Health System in upstate New York, Sky Lakes Medical Center in Oregon, The University of Vermont Health Network and several others have admitted that they have been attacked.
Mandiant says that they identified three attacks on Tuesday and one attack on Wednesday.
The result is that hospitals have to revert to paper-based systems.
That also means that they do not have access to patients’ charts, their medical history, online pharmacies, automated case file transcription and other typical hospital services.
Just what doctors and nurses need during a pandemic.
One result, many times, is that hospitals are forced to refuse ambulances. When that happens, ambulances need to find another hospital, typically farther away. Recently, in Germany, the first ADMITTED case occurred in which a patient died as a result of being turned away at a hospital that had been hacked. The cops caught the hacker later and are threatening to charge him with MURDER.
In the FBI/DHS/CISA/HHS alert, they gave hospital IT and security teams details of what strings to add to their alerting systems. That is great if a hospital, in a time of massive craziness, has the resources to do something with that information, and assuming that the malware doesn’t morph (it does). Large organizations with massive IT departments probably can, but medium-sized and smaller hospitals can’t.
When patients die, hospitals get sued. Also not great. During a pandemic or at any other time.
Let’s assume that you don’t run a hospital or other public health service – do you care? Or should you care?
The answer to this is yes because, especially in times like these, these attacks stop these organizations from executing their mission and, possibly, from saving your life. If they have to worry about how to manage patient records by hand rather than taking care of those patients, care suffers.
Every hospital will say – with a straight face – that in the case of a cyber attack, patient care doesn’t suffer, but think about this. If they could provide equally good care without all of those computers and software as with them, then why are they spending billions on those computers? It doesn’t make any sense.
Of course they have to say that – saying that patient care has suffered would open them up to even more lawsuits than the actual breach will, but still, if you or a loved one were to be hospitalized, you want that hospital to be operating with every tool that they have, not reverting to the way they did business in 1960.
And it doesn’t seem like the hacks are letting up, which will force them to divert money away from patient care and research to hiring folks like Mandiant – and they are not cheap. Brian Krebs has also written about this issue.