View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Focus
April 26, 2023

Did North Korea just hack your hospital?

Hospitals are attractive targets for hackers. Here’s how healthcare organisations can avoid being compromised by ransomware.

By Stephanie Stacey

North Korea loves hospitals — hacking them, that is. According to a cybersecurity advisory released by the US government in February, the Democratic People’s Republic of Korea (DPRK) has directed its army of elite hackers to create new revenue streams for the regime by infecting healthcare providers with ransomware. Perceived by the regime as soft targets ready to be squeezed for every won, pound, and dollar, hospitals and clinics have never been more vulnerable to one of the world’s foremost cybercriminal operations — and other groups like it. 

In many ways, hospitals make perfect targets for ransomware gangs. Not only do they host a deep well of private and important personal data, but they’re run by doctors, nurses and healthcare administrators with more pressing matters on their minds than ensuring today’s backup went to the correct server. As such, many cybercriminals assume that healthcare providers will pay ransoms quickly and quietly to guarantee the smooth operation of their facilities, which might be the main reason why the number of ransomware attacks on such organisations spiked by 94% year-on-year in 2022. 

The impact of these attacks ranges from benign to tragic. In one lawsuit filed in 2020 and first reported in 2021, Teiranni Kidd, a former patient of Alabama’s Springhill Medical Center, sought damages after her child suffered severe brain trauma during birth. The plaintiff contended that, in the chaos of the hospital’s response to an ongoing cyberattack, staff missed troubling signs of her baby’s condition — a mistake she believes led to the child’s untimely death. 

Medical staff rush a patient through the hospital
Hospital workers already have to rush to solve medical crises even without the added pressure of digital attacks. Ransomware adds a new, unwanted source of pressure for healthcare providers. (Photo by Yuri A/Shutterstock)

Healthcare ransomware crises

Hackers aren’t dissuaded by cases like Kidd’s, whose suit is still being considered by the Alabama court system. In fact, explains cybersecurity expert Erich Kron, cybercriminal gangs use this fact to their advantage. By “leveraging the mission-critical nature of healthcare and the threat of public disclosure of potentially embarrassing medical records they like to steal, [they] push for prompt and exorbitant ransom payments,” says the security awareness advocate at KnowBe4. 

Stolen medical data can also fetch a high price on the black market, where it is particularly valuable for criminals seeking to steal identities. “This,” says Kron, “all adds up to a really lucrative target that some bad actors simply cannot ignore.”

Hospitals are also often easy prey, in part due to their reliance on third-party cloud and security vendors. “All these factors have expanded the attack surface of healthcare organisations and added to the complexity of securing data across platforms and devices,” says Amit Trivedi, senior director of informatics and health IT standards at the Healthcare Information and Management Systems Society (HIMSS.) Hospitals generally operate a large array of connected devices — from smart TVs to monitoring tools and medical devices — which provide “more opportunities for an attack,” says Trivedi. 

It’s also fairly common knowledge that most healthcare organisations have limited resources, overstretched staff, and tight budgets, especially in the wake of the Covid-19 pandemic. “It is a constant challenge for hospitals to keep current with the latest cyber threats, challenges and mitigation practices,” says Trivedi. 

Content from our partners
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
Green for go: Transforming trade in the UK

Who’s afraid of North Korea?

Culprits come from around the world, but state-sponsored North Korean hackers are some of the most ruthless and relentless, especially when it comes to attacks on critical infrastructure. In its February advisory, US officials advised that North Korean hackers had used about a dozen types of malware and ransomware to attack hospitals and healthcare systems. “Several hospitals, including hospitals in the US, have had to weather major disruptions due to this North Korean campaign at a time when they have been under enormous strain,” wrote John Hultquist, an intelligence analyst at security firm Mandiant. 

North Korean hackers aren’t just prominent because of their scale. “The North Korean groups are also quite sloppy,” says Chris Doman, chief technology officer at Cado Security. “It’s not uncommon to see North Korean IP addresses in attacks, particularly when they’re using a VPN and it drops out. This is a mistake, because it’s easy to trace back to North Korea.” It’s also fairly easy to connect attacks because North Korean groups generally rely upon “a shared code base dating back over a decade,” adds Doman. These groups have even been known to commit the most infamous cybersecurity no-no: repeating passwords.

Nevertheless, North Korea undoubtedly has “some incredibly talented developers too,” says Doman. They’re also highly motivated. Some ransomware groups made healthcare providers off-limits during the Covid-19 pandemic, but the DPRK’s finest had no such qualms. “North Korean attackers will do anything to gain money to fund the regime,” says Doman.

North Korean students learn programming. North Korea has been behind several high-profile cyberattacks on hospitals.
Students learning programming in a computer study room at the Grand People’s Study House, an educational centre in Pyongyang. Spreading ransomware throughout healthcare networks has become a preoccupation for the DPRK’s elite hacking operation of late. (Photo by Mirko Kuzmanovic/Shutterstock)

Digital hygiene

Experts recommend various strategies to help hospitals shore up their defences and fend off attackers — many of which follow standard cybersecurity wisdom. “Hospitals should have a policy in place to ensure that all software and systems are up to date with the latest security patches,” says Trivedi. They should also mandate multi-factor authentication to protect sensitive information and implement firm password policies for staff, he continues, including the standard recipe of ensuring all passwords consist of a combination of letters and numbers as well as being regularly updated. 

There are also various ways to minimise the potential devastation when attackers break through these defences. “Regular backups of data can help hospitals recover quickly in the event of a ransomware attack,” says Trivedi. This should be “stored off-site and tested regularly to ensure that data can be quickly restored.” Systems should also be divided by digital firewalls so that essential clinical devices aren’t on the same network as administrative devices. This means that critical systems are cut off from the most frequent source of ransomware — phishing emails — and can remain operational during an attack, thus preventing some of the most lethal potential damage.

Planning is also critical, argues Trivedi. “A robust incident response plan is essential to quickly identify and respond to a cyberattack,” he says. “The plan should include procedures for reporting and investigating incidents, as well as communication strategies for notifying stakeholders and mitigating the impact of an attack.”

But the most important remedy might be more social than technical. More than 90% of successful cyberattacks begin with a phishing email, according to the Cybersecurity and Infrastructure Security Agency. That’s why educating workers on red flags to watch out for can have a big impact.

“Continuous training and simulated phishing attacks can really help the staff to be better prepared,” says Kron. Drills help staff “identify gaps in the incident response plan and improve overall preparedness,” adds Trivedi. 

This, of course, is much easier said than done, given resource constraints across every hospital from Seoul to Southampton. Even so, healthcare providers will have to increasingly prioritise digital hygiene in their ongoing efforts to protect patients — the better to prevent your average North Korean hacker from locking out their systems.

Read More: North Korea is the most sophisticated bank robber around

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU