Cyber-attacks on the healthcare sector

More than 19,000 terminated visits in medical facilities, cancelled scheduled treatments and patients being hastily transported to other hospitals in order to perform life-saving operations. This is not a scenario of a disaster movie, nor the effect of the global pandemic caused by the SARS-CoV-2 virus. This is the result of a completely different virus – a digital work of engineers whose ill-considered or irresponsible activities can destroy the systems and computer networks of life-saving units.

Exactly three years ago, the day before one of the most important national holidays in Ukraine, the most devastating cyber-attack in history began. The operation, connected to the 2014 Hybrid War between Russia and Ukraine, hit enterprises and governments on every continent. NotPetya, taking advantage of a loophole in the SMB protocol, made public by Shadow Brokers, took control of the victim’s computer only to irrevocably destroy all data stored on it. In the first hours of the attack, more than 12,000 computers were infected in Ukraine alone, which was the target of the operation. The exact number of all infected machines is unknown, however, more than 2,000 companies and enterprises worldwide suffered from the attack, according to data of Kaspersky company.

NotPetya, whose authorship is attributed to the Sandworm group that originated from the Russian military intelligence, spread automatically using self-replicating mechanisms. Although the authors of the malicious code anticipated the possibility of “saving” certain targets by placing a specific vaccine on selected machines [1] protecting them from the activation of the irreversible mechanism of data destruction, yet the facilities providing medical services were not given any special treatment. In the United States the infrastructure of hospitals, such as Princeton Community Hospital (Princeton, WV) as well as Heritage Valley (Beaver, PA and Sewickley, PA) were attacked. The lack of access to patients’ medical records and specialist equipment controlled by the infected computers resulted in cancellation of scheduled operations. The situation was brought under control and within a few days the facilities returned to full operational capacity [2], but it is not hard to imagine the magnitude of problems that the attack caused to the patients of the affected hospitals. The financial losses were also enormous – the pharmaceutical company Merck (producing, among others, medicines supporting cancer treatment) estimated its financial losses at USD 1,300,000,000 [3]. 30,000 personal computers and over 7,500 servers connected to the company’s network were destroyed.

On the other hand, the statistics mentioned at the beginning of the article are the result of North Korean WannaCry ransomware. Korean malware, similarly to NotPetya, used exploits stolen from the NSA, which allowed to take control of the computer’s operating system. However, unlike NotPetya, it allowed for the recovery of encrypted data after the victim paid a fee in bitcoins which was set by the authors. Cybercriminals associated with the North Korean regime paid out BTC 52.2 from a digital wallet in which they collected ransoms. At the time of the withdrawal, the ransom was worth USD 143,000 – today around USD 500,000. This is the value of the lives of people who were waiting for the specialist help in infected hospitals. The authors of the malware probably did not reflect on deliberately infecting the hospitals, but they did nothing to protect the medical facilities from the jeopardy that was spreading in the blink of an eye. WannaCry installed itself on 3,000-4,000 new computers every hour. In England alone, 80 out of the 236 National Health Service (NHS) units were infected. 34 of them were severe enough that they were not able to provide services. The losses were estimated at GBP 92,000,000.

While a visit to a family doctor cancelled due to a cyber-attack could be disappointing at most, a postponed planned procedure or operation can cause serious problems. Neurosurgeons from Tyumen Hospital had to complete the brain surgery of a 13-year-old girl without the use of specialist equipment to monitor the patient’s condition, after the LCD screens went out and computers prompted to pay the ransom.

In December 2019, a deliberate attack was aimed at the Warsaw Coma Clinic for Children. Hospital employees received phishing emails with infected documents. After their careless opening, the malware led to the freeze of the whole IT system of the clinic. In this case the life of the patients was not endangered and the clinic’s data was recovered from the back-up copies. Cybercriminals deliberately attacked the medical facility, demanding a ransom of PLN 30,000. Two months earlier, a similar situation occurred in three American hospitals (Alabama) and seven hospitals in Australia [5]. Likewise, the attacks were motivated by the desire to extort the ransom payment.

During the global COVID pandemic, criminals did not slow their pace down. The information about the attacks targeted at hospitals were heard from all parts of the world in recent months. Czechia, France, the United States are just the examples. Most of the attacks, as the previously described ones, had only one aim – to make the criminals rich. These individuals were hoping that the targeted hospitals and laboratories will be an easy prey in the hard times. Other ones were politically motivated – multiple institutions providing various kinds of aid were attacked in order to fuel the negative social moods in the affected countries [6]. An attack on the US Department of Health and Human Services (HHS) in March 2020, which, according to experts, was aimed at disrupting the pandemic-oriented actions of the US administration, is one of the examples. Other attacks, accompanying the pandemic, are related to industrial espionage. The race for medicines and a vaccine, which will generate a fortune in the future, caused the laboratories of institutions conducting research on SARS-COV-2 coronavirus to be repeatedly attacked by hackers in recent weeks. Their objective was to steal as much information regarding the work progress on the virus as possible. Such attacks were made public by laboratories in the USA, England and Israel, among others [7].

This article was originally published on “Polish Express”.

Author: Wiktor Sędkowski – graduated in Teleinformatics at the Wrocław University of Science and Technology, specialized in cybersecurity field. He is an expert on cyber threats. CISSP, OSCP and MCTS certificates holder. Worked as an engineer and solution architect for leading IT companies.

[1]https://www.cybereason.com/blog/cybereason-discovers-notpetya-kill-switch

[2]https://www.heritagevalley.org/news_posts/updates-on-the-cyber-security-incident-at-heritage-valley-health-system

[3]https://www.inquirer.com/wires/bloomberg/merck-cyberattack-20191203.html

[4]https://www.rbth.com/lifestyle/328711-russian-hackers-switched-off

[5]https://arstechnica.com/information-technology/2019/10/hamstrung-by-ransomware-10-hospitals-are-turning-away-some-patients/

[6]https://www.usnews.com/news/national-news/articles/2020-05-13/us-accuses-china-of-hacking-coronavirus-research-undermining-vaccine-development[7]https://www.cufi.org/cyberattacks-target-israeli-labs-working-on-coronavirus-vaccine/