Ransomware Gangs Break the Moral Compass
Sadly, ransomware gangs are on the prowl in the healthcare sector as COVID-19 infections increase.
Ransomware groups appear to have no shame or moral compass concerning the life-saving care hospitals are offering COVID patients. These groups have attacked dozens of hospitals during the pandemic putting the lives of patients at risk while stealing sensitive information, including social security numbers, patient records, and other personal data.
ZDNet reports that in August 2021, the renowned Barlow Respiratory Hospital in Los Angeles, California discovered patients’ personal information posted to a leak site on the dark web. This attack illustrates the “double-dip” (double extortion) trend: first, the group encrypts files for ransom, and second, it threatens to disclose stolen data as part of its extortion demand.
In this case, the Vice Society ransomware gang exfiltrated data from the hospital’s backups.
Thanks to the timely implementation of their incident response plan, Barlow prevented interruption of patient care and operations of the hospital.
Another cyberattack scenario played out in August 2021. The HIPAA Journal reported that Marietta, OH-based Memorial Health System, which operates three hospitals in Ohio and West Virginia, was forced to divert emergency care patients to other hospitals due to a ransomware attack.
Bleeping Computer reported that urgent surgical cases were canceled after the Hive ransomware gang encrypted computer files. The personal information of more than 200,000 patients, including sensitive details such as social security numbers, names, and dates of birth, was also affected.
No reports indicate that Barlow or Memorial paid a ransom and both attacks are under investigation.
Prevention
How can hospitals counter the onslaught of attacks? By training their staff on cybersafety and running through an incident response plan before a cyberattack.
In addition to HIPAA for providers, Health IT Privacy and Security offers useful resources and guidance.
During COVID, live hands-on training may not be possible. However, virtual training on cyber hygiene is available for your staff as part of your cyber risk management.
Response
Hospitals that do not prevent cyberattacks or data theft need to consider how they will respond and recover. Planning on the day of an attack is simply too late.
Incident Response Plans
It is important to be aware of the following step-by-step guidelines for handling a cyberattack. This guidance is provided by the Department of Health and Human Services (HHS) and applies to any medical institution.
Four-Step Plan
- Respond — Incident Response Plan
- Contact Law Enforcement — FBI, state and local law enforcement
- Report to Federal Agencies — DHS and the HHS Assistant Secretary for Preparedness and Response
- Assess the nature of the breach — If you know or even suspect that more than five hundred records are at risk, notify the affected individuals, the media, and the HHS Office for Civil Rights (OCR) within 60 days.
Recovery
If you have backups that are still viable, recovery could be less costly and time-consuming.
If you do not have backups, data restoration will be part of your recovery process and its costs.
In hospitals, time is of the essence. Have your team of experts and advisors ready to roll at the first sign of a possible cyber incident.
Gratitude
A note of gratitude is warranted to the front-line healthcare workers who are helping patients with COVID-19, and other care, while potential cyber threats from immoral hackers are looming.
Thank you for all that you do to keep us safe and well.
Featured image (top) by Ghinzo from Pixabay