Frequent ransomware attacks in healthcare and public health sectors elevate security threats to OT/IoT environments

Organizations in the healthcare and public health sectors are facing an increasing number of ransomware attacks, often leaving hospital networks vulnerable. With these adversaries lurking around in the OT/IoT environments, they have become considerably more capable of executing significant attacks at scale while also taking advantage of the growing success of the ransomware-as-a-service (RaaS) model.

The healthcare and public health sectors remain a top attack vector for cybercriminals and ransomware threat groups. However, hackers are shifting their focus to smaller entities that truly have a deficit in cyber defenses, showing a huge change in victims and approach. Additionally, changes in government regulations, a massive revolution in connectivity of medical devices and mobile technology, and transformation in how care is delivered and consumed have come together to form a perfect storm of complexity and vulnerability, which cyber adversaries target. 

Ninety-four percent of healthcare organizations hit by ransomware in the last year said the most significant attack impacted their operating ability. Furthermore, 90 percent of private sector healthcare organizations said it caused them to lose business or revenue. About 44 percent of healthcare organizations that suffered an attack in the last year took up to a week to recover from the most significant attack, whereas 25 percent took up to one month.

In early August, ransomware hackers targeted Advanced, a software provider for the UK’s National Health System (NHS) and other healthcare customers. The attack caused disruption to NHS services, including ambulance dispatch, appointment bookings, patient referrals, and emergency prescriptions. In July, U.S. security agencies issued a joint cybersecurity advisory warning of North Korean state-sponsored cyber hackers using Maui ransomware to target the healthcare and public health sectors since at least May 2021.

Last May, Ireland’s Health Service Executive (HSE) was targeted with Conti ransomware. The initial infection of the ‘patient zero’ workstation happened on Mar. 18, 2021, when an employee on a Windows computer opened a booby-trapped Microsoft Excel document in a phishing email sent two days earlier.

Industrial Cyber reached out to experts in the healthcare sector to assess the manner in which ransomware attacks affect the OT/IoT environments across the healthcare and public health sectors.

“For the most part, when it comes to ransomware in the OT/IoT space, the health sector has mainly been affected by attacks against third party suppliers,” Denise Anderson, president and CEO of the Health Information Sharing and Analysis Center (H-ISAC), told Industrial Cyber. “For example, during the COVID-19 pandemic, organizations that pharmaceutical manufacturers relied on for packaging vaccines and therapeutics experienced ransomware attacks, which halted operations and impacted packaging supply and ultimately the distribution of vaccines and therapeutics,” she added.

“Ransomware gangs still mostly target data in healthcare environments with two goals: stealing sensitive information, then demanding a ransom not to publish it; and encrypting data, then demanding a ransom to decrypt it,” Daniel dos Santos, head of security research at Forescout‘s Vedere Labs, told Industrial Cyber. “But healthcare organizations host a wide variety of OT and IoT devices, including building automation functions such as HVAC and surveillance cameras, as well as medical equipment, that have been impacted by attacks.”

Many ransomware attacks have spilled over to medical devices, rendering them unavailable, such as WannaCry in 2017, the attack on a hospital in Alabama affecting fetal monitors in 2019, and several attacks involving radiation devices in US and Ireland since 2020, according to dos Santos. “Building automation equipment has reportedly been targeted for initial access in hospitals and to take access control systems offline in other organizations – so there is potential for ransomware attacks targeting building automation in healthcare facilities too,” he added.

Ransomware poses a serious threat to clinical environments, Jonathan Langer, chief operating officer (COO) at Claroty, told Industrial Cyber. “The implications to healthcare go much further than typical IT equipment, where medical device behavior, reporting, and sometimes the devices themselves may be altered, rendered inoperable, or worse, work in an erratic fashion. In some cases, ransomware may affect the system managers, monitoring stations, or gateways that translate traffic.” 

“In other cases, the ransomware may affect the devices themselves by damaging or infecting them,” Langer mentioned. “It is critical that healthcare and public health sector organizations build robust and properly defended clinical environments that are as cyber safe as they are physically clean and isolated,” he added.

Data from MIT Sloan disclosed that consultancy and venture fund Rock Health said 2021 was the biggest year ever for digital health investment. The US$29 billion raised nearly doubled the previous high of $15 billion in 2020.

With the healthcare system leaning towards more effective digital healthcare implementations, the issue arises of how the network design is affected by ransomware attacks within the OT/IoT environments and how such attacks have altered the cybersecurity posture of healthcare and public health organizations.

Anderson said that the main targets were hospital operations when ransomware attacks against the health sector first took place with Hollywood Presbyterian in 2016. She added that one of the first big ransomware attacks in OT was against Norsk Hydro in December 2019. 

“Attacks against the OT sector really started ramping up during the pandemic when the need for remote work changed operating environments and exposed them more to the internet and attacks,” Anderson identified. “Threat actors realized that OT environments were an easy and lucrative target because manufacturing environments have traditionally not been very secure and need to be operating 24×7 in many cases to produce products.”

In the IoT space, with medical devices, in particular, medical device manufacturers initially did not produce products that were secure against cyber attacks, according to Anderson. “That has changed rapidly over the last five years or so, where security is built into products as they are manufactured.” 

“The challenge has been keeping up with vulnerabilities in the off-the-shelf software used in these devices,” Anderson said. “Again, there have been great strides in this area with the advent of the Software Bill of Materials or SBOM and vulnerability disclosures through entities like the Health-ISAC and the Cybersecurity and Infrastructure Security Agency (CISA),” she added. 

Anderson further added that the medical device manufacturers (MDMs) and healthcare delivery organizations (HDOs) had made great strides over the last five years to work together through the Health ISAC and other organizations to understand pain points and address concerns.

“After years of ransomware attacks, there is now a broader recognition in the healthcare industry for the need to secure extended networks comprising not only IT systems but also medical devices,” dos Santos mentioned. “Whenever new medical devices are connected to the network, it is now more common for organizations to do a risk assessment and try to mitigate issues before they can lead to cyberattacks.” 

He also pointed to guidance from NIST and others on securing networks with specific device types, such as infusion pumps, patient monitors, and PACS.

“However, there is still a large number of other types of OT/IoT devices in healthcare organizations that do not receive the same attention, such as building automation equipment, printers, VoIP phones, and networking devices,” according to dos Santos. “Although these devices are not patient-connected and don’t often process patient data, they can be used as initial access points into vulnerable networks or lateral movement enablers,” he added.

Langer said that telehealth, a form of digital healthcare, has skyrocketed in use over the past two years, improving the convenience and reach of HDOs. “The problem this presents for overall security posture is that many of the devices used to administer telehealth services are not managed by the HDO,” he added. 

“Many have been rolled out to meet immediate needs without considering the security impacts,” Langer said. “Often, IT and security teams are not even consulted, creating a huge blind spot around the presence of telehealth and telemedicine within the organization. Most hospitals have no idea what devices are being used to deliver these services and certainly have not implemented policies to protect them,” he added.

Given the negative consequences to patient safety and care delivery consequences, increased mortality rates, and other poor outcomes, it is necessary for the healthcare and public health sectors to adopt necessary steps that will build safeguards and bolster their environments from future ransomware attacks that affect the OT/IoT environments.

Anderson said that defending OT environments really comes down to segmenting the OT environment from the business operations environment and conducting good basic cybersecurity principles applicable to any cyber operation. “To name a few: patching/vulnerability management, segmenting, identity management, least privilege, end-point protection, employee awareness, and asset management,” she added. 

“It is also important to deploy enterprise risk management (of which OT/IoT security is one component) and have situational awareness to understand the threat environment and potential impacts,” Anderson noted. “Having an incident response plan and then exercising that plan is critical. Of course, enough cannot be said of participating in a community of peers like we have at Health-ISAC to understand the threats, employ the indicators of compromise and other tools offered to protect against those threats, and to share best practices and lessons learned with each other,” she added.

“Individual organizations should focus on protecting their networks against these threats, but there is a larger role to be played by regulatory agencies, policymaking bodies, industry associations, ISACs, and other industry-wide organizations,” dos Santos mentioned. “These institutions need to issue guidance and regulations for organizations that encompass the growing role of OT/IoT devices both as a final target of attacks but also as initial access points into vulnerable networks or lateral movement enablers,” he added.

Langer said that the best method for protecting against attacks is prevention. “By making sure ample operations measures are put in place, HDOs are much better equipped to stop a potential threat before it ever becomes an issue.”

To do this, healthcare CISOs and security leaders need to decide whether to build or buy, have proper tooling to ensure accurate data is coming in, and build a strong process, Langer outlined. “If going with an external MSSP, make sure there is a clear process for where/when the CISO is notified on documents – this should be seamless. Also, visibility is crucial in determining and defining the escalation process (who gets notified, and when),” he added.

Forescout said in a recent post that ‘in the future, Vedere Labs believes the impact will likely occur because of insecure IoT devices since IoT as an entry point is gaining relevance with ransomware gangs.’ As this becomes a reality, it is necessary to look into various initiatives that the OT/IoT environments within the healthcare and public health sectors could take to bolster their cybersecurity posture in the wake of rising ransomware and cybersecurity threats and attacks.

Anderson said that she previously identified measures that are good steps to stop IoT from becoming an attack vector. “The medical device and OT space are very challenging because, in many cases, the equipment is very expensive and runs on older operating systems that may not be supported any longer. It is also difficult to take these devices off-line to patch them as they are in continuous use.” 

“Probably the biggest thing when it comes to IoT is asset and vulnerability management and making sure that where possible, patching is done as quickly and efficiently as possible,” she added.

According to dos Santos, HDOs must implement a proactive and holistic approach to cybersecurity that prioritizes discovering and inventorying every device on their networks, including IT systems, OT equipment, medical devices, and IoT. “Then they should continuously assess the compliance and risk posture of these devices and automatically enforce segmentation controls and proper network hygiene to mitigate the risk from vulnerable devices,” he added.

“Most organizations have operational and business gaps that can hinder their ability to mature their security strategies and programs for maximum value. These silos and disconnects create massive inefficiencies and risks throughout an HDO’s operations,” Langer noted. “For example, different roles and conflicting responsibilities can stifle communication and coordination, creating disconnects that reduce productivity, increase spending, and introduce cybersecurity threats that can ultimately impact the availability and safety of the HDO’s operations and care. HDOs need to identify these gaps, both digitally and operationally, to create a strong security posture,” he added.

Last month, the NIST SP 800-66r2 draft document updated its cybersecurity guidance to safeguard patients’ personal health information for healthcare organizations. The update includes a brief overview of the HIPAA Security Rule, guides regulated entities on assessing and managing risks to ePHI (electronic protected health information), and identifies typical activities that a regulated entity might consider implementing as part of an information security program. It also lists additional resources that regulated entities may find useful in implementing the Security Rule.

Anderson said that privacy is more applicable in the IoT environment when looking into the potential role that the document plays in safeguarding the OT/IoT environments within the healthcare and public health sectors from rising ransomware and cybersecurity attacks. 

“Where medical devices contain sensitive information, most devices have been designed to meet HIPAA requirements,” Anderson mentioned. “While it won’t hurt to implement the updated guidance where applicable when it comes to cybersecurity, it is critical that healthcare operations and devices adhere to the basic measures that ensure availability, integrity, and confidentiality so that patients can be treated and treated safely,” she added.

“The NIST SP 800-66r2 draft explicitly includes medical IoT in the scope of risk assessment and gives specific examples of ransomware policies with data backup and disaster recovery plans as well as citing ‘Medical Device and Medical Internet of Things (IoT) Security’ in the appendix listing further information,” dos Santos said. Those are certainly important steps in the right direction, he added.

However, the document does not explicitly cite other types of OT/IoT in healthcare organizations, probably because these devices do not usually store or transmit PHI, dos Santos pointed out. “Nevertheless, those devices can be part of larger attacks targeting PHI, such as leveraging exposed IoT for initial access and then moving to workstations holding sensitive data.” 

Therefore, it is important that organizations follow the recommendations of the NIST SP 800-66r2 but also include in their risk assessment complex emerging scenarios where attackers leverage several parts of a target’s network to reach their goals, according to dos Santos.

The document helps organizations prepare and execute assessments related to HIPAA, Langer noted. “HIPAA has been with us for a while and originally focused on data privacy concerns related to IT components (EMR, PACS, etc.). As the ecosystem evolved and medical device connectivity became more prevalent, the need to include these devices in HIPAA assessments became clear, and indeed, it’s very encouraging to see these types of devices called out in the document,” he added.

Langer concluded by saying that given the fact that there are potentially thousands of connected medical devices in an HDO, it’s imperative to identify the devices that store, process, or transmit ePHI through automated tools that analyze traffic patterns, as well as MDM attestations.