Cyberattacks have significantly increased throughout this Coronavirus pandemic. The most common of these attacks is ransomware, where a hacker sends malware to a target that encrypts data, devices, and networks and demands payment for the decryption key. If a target has not prepared for such an attack, the only remedies are to pay the ransom or to reject the ransom and rebuild network systems and infrastructure from scratch – a process that can take weeks or months. According to Check Point Research, ransomware attacks have doubled in the United States in 2020 and increased by 50% worldwide in the last 3 months.

Many ransomware targets are hospitals, health clinics, medical device manufacturers and operators, and entities conducting vaccine research and development. While loss of data integrity is a serious problem, ransomware has not previously been viewed as a physical threat.

Unfortunately, a woman in Germany became the first known casualty as a direct result of a ransomware attack. She presented at a hospital with life threatening symptoms and was redirect to another hospital 20 miles away because the first hospital had experienced a ransomware attack and could not accept new patients. She died as a result of the delay in care. While it is possible care could have been provided without her being admitted into the system, the fact remains that ransomware led to a situation that resulted in her death.

Why are attackers targeting health care entities during a pandemic?

In short, because many of them are unprepared for a ransomware attack and cannot afford to lose access to their data and systems. They are more likely to pay the ransom than not. According to Emsisoft, an anti-malware company, the average ransomware demand is between $150-200,00 with some reaching the multi-millions. These attacks have gone beyond threatening the financial viability of an entity to becoming a matter of life and death.

Ransomware attacks have also evolved beyond simply encrypting data to stealing an entity’s data for later publication online or installing additional malware on a device or network that can be activated during future attacks. It is unconscionable that attackers would compound the effects of a global pandemic by increasingly targeting hospitals, health providers, and medical device makers. It is during this type of emergency that these entities do not have the time or resources to respond to a ransomware attack and will often pay the ransom rather than evaluate response options.

Do Not Negotiate with Terrorists

While ransomware attackers are not typically categorized as terrorists, they are certainly terrorizing their target’s networks and information. Ransomware is one of the most prolific forms of cyberattack. While our domestic public and private entities cannot typically thwart ransomware attacks through offensive measures, they can build strong defenses to limit their effect.

Confidentiality Integrity Availability

Confidentiality, integrity, and availability – referred to as CIA – comprise the elements of data security. When one of these is breached, data is no longer secure. Ransomware can affect all three CIA elements when data stolen during an attack is disclosed publicly, when data is changed or destroyed by nonpayment of a ransom, and when data is made unavailable due to ransomware encryption.

To limit the effect of a ransomware, attack an entity should undertake a full evaluation of all devices, data, and networks to identify vulnerabilities and protected assets. Knowing where an entity can tolerate the most and least risk will help identify where an attacker might strike. Once identified, entities should develop a system to store and update vital information away from its origination point. This may include making a backup that is stored off-site or air gapping different parts of a network. These measures may not result in the retention of all compromised data but will limit destruction of the most critical pieces.

Plans should then be developed to detect and respond to an attack. Particularly for hospitals and health care providers, this should include how to continue delivery of critical services without the use of electronics. Throughout this process, anyone with access to a computer, device, or network should be trained on the prevention, identification, and response procedures. Ransomware attacks are often delivered through phishing, where an unsuspecting employee clicks on a link or opens an email that then delivers the ransomware to the computer or entire network.  

Do No Harm

Our reliance on technology has drastically improved our lives while simultaneously increasing our vulnerability to attack. Until now, ransomware caused financial harm, limited productivity, and resulted in the destruction of data. With the demonstrated ability to inflict physical harm, ransomware has entered a new threat space and must be stopped.

It is easy to say an entity should not pay a ransom, but when time is critical and data and network operations are necessary, that decision becomes difficult. Going forward, Congress will have to determine whether to ban ransom payments outright, provide private entities more resources and authorities to prevent and respond to attacks, or to leave organizations to their own devices and decision making regardless of the consequences.

As a physician, I took an oath to do no harm. Ransomware may force entities into calculations where there may not be an option to do no harm. I hope that outcomes become clearer as we continue to defend against these heartless and harmful attacks.