Ransomware attacks on hospitals: Sideview from the battleline

Kevin Poulsen and Melanie Evans writing for WSJ:

The Wall Street Journal tracked the most disruptive attacks to one group: a notorious gang of Eastern European cybercriminals once called the “Business Club,” with ties to Russian government security services, according to threat analysts and former law-enforcement officials who closely follow Eastern European cybercrime operations.

The Ryuk gang has hit at least 235 general hospitals and inpatient psychiatric facilities, plus dozens of other healthcare facilities in the U.S. since 2018, when security researchers first spotted them, according to a Journal review of the attacks through interviews with hospital officials and security analysts, public statements and court documents.

The human cost of these ransomware attacks is terrible. Therefore, this is NOT an “IT problem”, but must be enforced strictly by the administration and leadership, while as end-users, we need to be aware of how these attacks happen through “phishing emails” and other attack vectors. I have witnessed passwords being reused and secure systems being accessed remotely, because healthcare institutions don’t want to provision the “additional services” which are required to secure the infrastructure. The way out is through graded access for the several teams; isolate the critical parts of healthcare through separate provisions and have different forms of digital scribes to ease up the process of transcribing instead of the COWs that dot the corridors.

The cost of the ransomware according to the authors:

A Ryuk attack last September on Universal Health Services Inc., one of the largest U.S. hospital chains, forced the company to simultaneously shut down computers that store patients’ medical records, laboratory results and medication orders across roughly 250 hospitals, free-standing emergency rooms and other outpatient centers. Recovery took weeks. The company said it didn’t pay a ransom in the attack, which cost it $67 million last year before taxes from lost revenue and higher labor expenses to restore its networks, according to Securities and Exchange Commission filings.

These are substantial losses (and possibly more) and I have specifically highlighted this because it is usually not in the public domain.