The FBI has warned the security community to be on alert against the Conti ransomware, which was reportedly used to attack the Irish healthcare system earlier this month. Conti and other types of malware are repeatedly being used to target health systems, with cybercriminals viewing healthcare providers as lucrative and potentially vulnerable targets.
The attack on the Irish healthcare system took a wide range of systems offline on 15 May. The Irish Government says it did not pay a ransom and subsequently received a decryption key anyway. The group behind the attack has since released a statement saying it will attempt to sell the information it harvested if the ransom isn’t paid.
Ireland’s health system is one of more than 400 institutions around the world that have been targeted using Conti, the FBI warning says. Of these, 290 were US-based and 16 were law enforcement agencies, emergency healthcare networks and 911 dispatch centres. Like most ransomware, Conti steals and encrypts files, after which its operators offer to decrypt them for a price. Recent ransom demands from the Conti group have been as high as $25m.
Healthcare ransomware attacks: why is the sector targeted?
Cyberattacks targeting emergency service networks can have big implications. Last year a woman in Germany died after cybercriminals struck at a hospital. The systems at Dusseldorf University Clinic were taken offline, meaning the woman, an emergency admission, had to be taken to a clinic 20 miles away, resulting in an hour-long delay to what could have been life-saving treatment.
Given the sensitivity of the data it handles, it is no surprise the healthcare sector has strong security measures in place. A report by security company Sophos shows 65% of IT respondents in healthcare said their data was already encrypted, and 28% had managed to thwart a ransomware attack before the data was encrypted by threat actors. But the attacks keep coming, and 34% of respondents said their organisation has been hit by a cyberattack since the beginning of the Covid-19 pandemic.
“There are multiple reasons why medical institutions are so attractive to cyberattackers,” explains Jonathan Cordwell, principal analyst in UK health and social care technology at business intelligence company GlobalData. “For starters, the curated NHS data set as a whole is valued at around £10bn.” Even on an individual level, the range of identifiable information that a health record carries, in comparison to something like a credit card, makes it incredibly valuable on the black market, while the sensitivity of the information makes it potent for blackmail.
Attackers bank on the fact that crucial infrastructure providers, like those operating in healthcare, are more likely to pay the ransom quickly just to avoid any dangerous pauses in their service, explains Jason Hill, head of research at security company CyberInt. “Some may consider government-backed organisations as being more inclined to pay, be that due to the perception of deeper pockets or simply that any nation would want to restore access to its critical infrastructure and emergency services quickly,” he says.
This perhaps explains why the initial ransom demanded of healthcare companies is much greater than in any other sector, according to a report from Baker Hostetler.
Covid-19 has increased the risk of cyberattacks on healthcare
Cordwell says Covid-19 has heightened the vulnerability of healthcare systems to attack. "This threat is gaining traction during a global pandemic, where healthcare institutions are distracted and members of staff are exhausted," he says. Rushed staff with no time for cyber training represent a skills gap that may widen the attack surface, explains Bharat Mistry, technical director at security company Trend Micro. "Do [hospitals] have the right amount of skills and the number of people needed? Do they have the funding to provide a good cyber programme?"
The amount of legacy technology used in clinics is also a weakness, Mistry says. "A large number of health care systems still run legacy operating systems and legacy applications," he explains. "Some of them can't be patched and there's no update for some of them." Common equipment such as x-rays, insulin pumps and defibrillators, which play a critical role in modern healthcare, can open up more entry points for attacks, and can be seen as easy targets, says security company Swivel Secure.
Training staff should be the priority for healthcare providers wanting to shore up their defences, says Mistry. "People, education and awareness training is the number one thing I would say," he adds. "You can do so much with people without doing heavy technology investment. If you can just train your people, give them the awareness, have a program that regularly enforces the message." Cordwell agrees that preparation is key to shrinking the attack surface: "All institutions need to be proactive in preparing for a potential attack and ensure that business continuity measures are in place," he says. NHS Digital is aware of the Conti ransomware threat and has posted official guidance on preventing and detecting an infection, as well as on securing end-user device platforms according to NCSC guidance.