Cyberattacks targeting health systems, federal agencies warn

Cynthia Bent Findlay
Columbus CEO

Add ransomware attacks on hospitals to the list of reasons to love 2020. The FBI, the Cybersecurity and Infrastructure Security Agency and Department of Health and Human Services joined together this week to warn of exponentially increasing cyberattacks on health care systems over the past month.

No such attacks have been reported in the Columbus region, but local IT professionals are on alert.

On Oct. 28, the three federal agencies warned of an “increased and imminent cybercrime threat to U.S. hospitals and health care providers,” mostly taking the form of ransomware attacks, in which cybercriminals bottle up victims’ access to critical data and demand ransom for the data’s decryption. 

Locally, no health care systems have reported ransomware attacks this year. Otterbein University suffered a malware attack in March which shut down its computer network, phones and other systems for more than a week, delaying its shift to online classes this spring.

Both the number of attacks and the ransoms sought are on the rise. Cybersecurity firm Emsisoft reports the average ransomware demand went from $5,000 in 2018 to $200,000 this year.

Large-scale attacks can shut down a health care system’s ability to operate. Emsisoft reported on the first-known death linked to a ransomware attack: In September, a patient turned away from a Düsseldorf, Germany, hospital frozen by a cyberattack died due to treatment delay.  

Security experts say criminal gangs in Russia have been producing a growing suite of tools allowing deeper and broader access to systems made vulnerable by careless clicking on phishing links.

The attacks have been increasing in frequency as the increased remote communication required by the Covid-19 crisis has created vulnerabilities, says Ben Blanquera, vice president of client success for Columbus-based Covail.

Blanquera says the targets are mainly larger corporations and health care systems, rather than local providers, though any office in a network needs to be vigilant. “This is about money,” Blanquera says.

Covail, formerly Columbus Collaboratory, is a consultancy in artificial intelligence, automation, cybersecurity and risk management that uses a collaborative partnering approach.

Covail has been reaching out to share intel, and Blanquera says most Columbus region health care systems are on alert. 

Larger, more urban health care systems have sophisticated IT and security operations, making them better equipped than smaller, rural systems to deal with issues.

But while rural systems may be more vulnerable, they are also less likely to have cyberattack insurance coverage or enough money to pay a ransom, making them less likely to be targeted, says Jeff Schmidt, Covail’s vice president of cybersecurity and trustworthiness.

But in general, “Covid stress has both distracted resources and caused hasty implementation of often insecure workarounds, and that’s true of every business since March,” Schmidt says. 

Defense has got to be robust and all-encompassing, say the experts. 

“Phishing is definitely one of the primary mechanisms that attackers use to gain an initial foothold, but it’s not the only one,” Schmidt says. “In particular, in places like hospitals, physical access is still common. You’ve got the public walking in—often in hospitals, you’ll see attackers walk in the front door, duck into an office, plug something in and leave.”

The federal agencies developed a bulletin on best practices for defense against the attacks. It’s available at . 

Cynthia Bent Findlay is a freelance writer.