Knowledge Articles

Double as much infected hospitals

Even in the coronavirus period, healthcare facilities are exposed to computer attacks. Cybercriminals don’t care that people can die from ransomware.

We didn’t really think much about it before. But now, we have found ourselves proud of them. We support them. We are grateful to have them. And for what they do for us. We are talking about physicians, nurses and all medical staff. A lot of people are trying to do something good for them now. Something to express gratitude, admiration and, most importantly, support for these people. Because in addition to coronavirus, there is another danger that can stop their work.

We have figured out how vulnerable we are. Unfortunately, our healthcare system, which is supposed to protect us, is very vulnerable. In recent weeks, we have been able to see several times that it is not enough for hospitals and healthcare facilities to stop working. Testing is limited, patients are transported to other facilities, surgeries, planned procedures and examinations are cancelled. And what is the fault? Cyber-attacks that disable IT systems of hospitals and healthcare facilities. No hospital can do without computer systems.

Cyber-attack anatomy

How does this happen? An e-mail arrives at the hospital which appears to be a critical report on coronavirus. An apparent sender of such a message can then be a local or global authority for the pandemic. It can be, for example, the Ministry of Health, the Institute of Public Health, Hygiene Authority or the WHO. The report seems to be very urgent and calls for an annex to be opened. This is where absolutely fundamental and ground-breaking information about the covid-19 disease is to be found. After opening the attachment, you will be asked to enable macros, without which the document cannot be read. Once the permission is granted, the document is legible.

But hey, there are no revolutionary figures in it. In contrast, the document contains commonly known and publicly available information, such as disease statistics and general recommendations. So then you close the document and quickly forget about this email. But in the background, a malicious and very sophisticated piece of software called ransomware has just been launched.

What’s next? Ransomware silently scans the hospital network and spreads as avalanche to other computers. To maximize damage, ransomware will first damage the most critical systems. Only in the end will it damage the last, least important system. Ransomware gradually encrypts all hospital data with an unknown algorithm. This is then unreadable, the systems do not run due to this, in short, nothing works. Why does this happen? Simply for money. Once encrypted, a ransom demand follows. For example, right on the log screen or in any other way, it is explained that the hospital became a victim of ransomware blackmail. That all data is encrypted. And if, for example, the hospital does not pay five or ten bitcoins to the given account within 48 hours, the data will be irretrievably lost. If payment is made, the hospital will receive a decryption key to unlock the encrypted data and everything will be as before.

Attacks with no mercy

Why are hospitals the target? Because absolutely all of them have to work now. Human lives depend more on hospitals at this time than ever before. And the authors of ransomware try to take advantage of this fact. For example, the recovery of the operation of the Benešov hospital took several long weeks. This is absolutely unthinkable at the moment. The need to resolve such situation at this critical moment immediately raises the chance to pay the ransom many times over. Cybercriminals don’t care that people can die because of it. What punishment would the creators of ransomware, which is currently attacking hospitals, deserve? Let everyone make their own opinion, but one thing is certain. Crime has always been here and always will be. It just moved into cyberspace. The exhausted, tired nurses, physicians and medical staff mentioned in the introduction are certainly not to blame for these hospital problems. Yes, someone read a malicious e-mail, opened its attachment, enabled the macros, and infected the hospital network. But phishing e-mails are becoming more and more clever, so anyone can get caught by them.

The culprits are those who have committed long-term underfunding of IT in healthcare. The result of this debt accumulated for years is outdated systems that lack the necessary security. How else would it be possible for such an email to reach the user’s inbox unnoticed? Do hospitals use antispam systems? And if so, are they current? Is there anyone to manage and maintain them at the salary of IT specialists in healthcare? How is it possible that no active ransomware protection has been activated? How does backup operate in such hospitals? Yes, hospitals and healthcare facilities have come to the forefront of interest in recent weeks. We can only hope that this will also be reflected in investments in their technologies and, above all, in IT security. But even if we decide to repay the mentioned technological debt immediately, it will take many more months before the investments in security will be implemented. Until then, hospitals will remain vulnerable. Unfortunately, the pandemic will not wait for anything.

Medicine for ransomware

What can we do to defend hospitals now? With covid-19, a huge and unexpected wave of solidarity emerged. People sew mouth-screens and hand them out free to those in need. The Vietnamese community offers free lunches and snacks for paramedics, rescue medical staff and police officers. We could also read about a project of free recreation for healthcare medical staff. Masses of volunteers help in hospitals and social facilities. And in a similar way, technology companies are trying to help. Many companies have provided cyber security software solutions for free during a pandemic. So why not use these tools?

There should be several layers of defence against ransomware and other cyber-attacks. There should be a backup at the end. In case the encryption cannot be stopped in time. In the middle there should be an active ransomware protection solution. This should detect and stop the encryption and spread of ransomware itself. Active protection should also be able to protect backups from encryption. An ideal solution is a combination of both backup and active protection. And in the beginning, email antispam should be effective. Not all ransomware attacks are carried out through phishing emails, but the vast majority of them do. Is there not enough people? Who would do that? Where there is a will, there is always a way. At the time that has forced us all to pull together, there will be plenty of companies that would be willing to help hospitals with the implementation of these security solutions. They would do this work at incomparably better price conditions than usual. And in some cases completely free for the entire term of pandemic. We don’t have a vaccine against covid-19 yet, but we do have a vaccine against ransomware.

Author

Karel Vostrý

European Ageing Network, Czech Republic