Spooks, Phishing and Cyberattacks Cripple Hospitals

On Saturday, May 13, 2017, Martin Hardy was in his hospital gown, ready to be wheeled into the operating room for knee surgery at the Royal London Hospital in East London.

Suddenly his surgeon tells him the operation couldn’t take place because the hospital’s computer system was down.

“WannaCry” Ransomware

The hospital was one of 48 British National Health Service (NHS) organizations held hostage that day by a ransomware called “WannaCry.” Ransomware is a kind of malware that encrypts data, locks out the user and demands a ransom to release it. The computer virus is transmitted by email.

According to Amber Rudd, the British home secretary, a full 20% of all public health trusts in Britain were affected by the cyberattack. Before the day was over, according to Europol, more than 200,000 computers in more than 150 countries had been attacked. Rudd acknowledged that many NHS computers had outdated software vulnerable to malware and ransomware and that the system was ill prepared, despite numerous warnings.

In addition to Britain’s NHS, targets included FedEx in the U.S., Spanish telecom giant Telefonica, France’s Renault carmakers, Germany’s federal railway system and Russia’s Interior Ministry. The Dharmais Hospital, a cancer hospital in Jakarta, Indonesia, was attacked, without a major impact on patients. China reported disruptions to nearly 40,000 organizations, including 4,000 academic institutions such as Tsinghua and Peking Universities.

Patient Care Disruptions

But the attack in Britain was the most feared, as hospitals scrambled to access patient records vital to patient care.

Doctors and nurses reported being unable to access patient computer files and had to go back to the pre-internet age by using paper files and recording patient histories by pen. Several nurses said they struggled to obtain blood test results.

A note on one hospital’s emergency room door warned patients that the hospital was experiencing information technology problems. A man with a cast and crutches told the Guardian he had been turned away.

At some hospitals, nurses couldn’t even print out name tags for newborn babies, this led to the use of
the-medical-negligence-experts.co.uk because of all the sues from the patients.

St. Bartholomew’s, a large hospital in London’s financial district, cancelled nonessential appointments and surgeries.

One surgical resident reportedly was in the middle of a heart operation when several computers suddenly flickered off, although monitoring equipment remained operational. The operation was completed safely. One hospital reportedly struggled with some heart scanning machines that feed into the computer network.

Previous Cyber Attacks

This wasn’t the first cyberattack in Britain.

A unit of NHS in Lincolnshire was hit by another kind of ransomware attack in October, shutting down operations for four days. It was reported that 1 in 3 NHS trusts had a ransomware attack in 2016.

There have also been reported cyberattacks on U.S. healthcare systems.

In February 2016, Hollywood Presbyterian Medical Center in Los Angeles had hackers seize control of computers systems and the hospital paid a $17,000 ransom to release them. The hospital administrator reported the incident to authorities but said the quickest and most efficient way to restore their system was to pay the ransom and get the decryption key.

The attackers demanded payment in the form of 40 Bitcoins, the currency of choice for online criminals because of the difficulty in tracing the currency.

A month earlier, the Titus Regional Medical Center, a small hospital in Mount Pleasant, Texas, experienced a similar attack and had its core electronic medical record system knocked offline. It also paid a ransom.

Easy Prey Healthcare

Healthcare systems are easy and deep-pocket targets for hackers with ransomware.

Krishna Chinthapalli, M.D., a senior resident at the National Hospital for Neurology and Neurosurgery in London, predicted a cyberattack in an article published in the British Medical Journal a few days before the attack. He warned that hospitals were especially vulnerable to ransomware attacks because they held vital data, and were probably more willing than others to pay a ransom to recover it.

Interconnected medical records systems make the systems more vulnerable. Britain, for instance, plans to digitize all patient records by 2020.

Technology Weaknesses

But why was Britain such an easy target?

According to Microsoft Corp—old and pirated Windows operating systems.

The virus hit computers running older versions of Microsoft software, such as Windows XP, that had not been recently updated. Microsoft released patches in April and on the day of the attack to fix a vulnerability that allowed the worm to spread across networks. The infected computers appeared to be largely out-of-date devices. Some involved hospital functions making it difficult to patch without disrupting operations.

In Britain, many of NHS’ computers still run old Windows XP software, which Microsoft had stopped supporting. The warnings in Britain started after one hospital had already had to pay almost $1 million to repair a breach that began with a web link in an unsafe email.

Ransomware on the Rise

Reported cases of ransomware cyberattacks are on the rise, but rarely made public.

Charles Carmakal of the security firm FireEye, said the firm receives over 100 calls and emails a month from different organizations that had been exposed to ransomware.

Ransomware attacks are increasing because they work. A Dell research team gathered data from one ransom-payments server for a six-month period. They found that it collected $1.1 million.

Intel reported it detected 638,000 new ransomware variants in 2014. In 2015 that number shot up to nearly 3.8 million.

The average payment demand is just $300, for personal user. But more attackers are targeting organizations with deep pockets and go to greater lengths to remove data, not just lock access to it. Then they threaten to release the data publicly if they are not paid.

Healthcare organizations seem to be particularly vulnerable to hacking attacks because they have been slower to embrace sophisticated backup systems and other security measures, say some security experts.

Perpetrators and Spooks

Who was behind this attack and what did they want?

In the cyberspook world, those answers are hard to come by or take at face value.

Russian President Vladimir Putin said the technology for this ransomware, apparently came from the U.S. National Security Agency. He cited Microsoft Corp President Brad Smith who confirmed what researchers already widely concluded: the attack made use of a hacking tool built by the U.S. National Security Agency (NSA) that had leaked online in April.

The Guardian reported the malware was made available online on April 14 after a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of “cyber weapons” from the NSA.

Putin said that once the technologies “are let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators.”

Microsoft’s Smith said the latest attacks showed the dangers of governments’ “stockpiling of vulnerabilities.” “This is an emerging pattern in 2017,” Smith added. “We have seen vulnerabilities stored by the CIA [Central Intelligence Agency] show up on WikiLeaks.”

Reuters reported that cyber security researchers have found technical clues they said could link North Korea with the ransomware. President Trump’s homeland security adviser Tom Bossert said on the Monday following the attack that both foreign nations and cyber criminals were possible culprits.

The perpetrators had raised less than $70,000 from users looking to regain access to their computers, according to Bossert. “We are not aware if payments have led to any data recovery.”

Because most large ransomware cyberattacks pull in millions of revenue, Matthew Hickey, of British cyber consulting firm Hacker House, said he believes that this was spread for the purpose of “causing as much damage as possible.”

Reuters also reported that Brian Lord, managing director of cyber and technology at cyber security firm PGI, said victims had told him “the customer service provided by the criminals is second-to-none,” with helpful advice on how to pay: “One customer said they actually forgot they were being robbed.”

Attack Fizzles Out

The original attack lost momentum late on Friday after a security researcher took control of a server connected to the outbreak, which crippled a feature that caused the malware to rapidly spread across infected networks. Users are urged to immediately install a security patch for older versions of Microsoft’s Windows, including Windows XP. Windows 10 users were not targeted.

Senior spokesman for Europol, Jan Op Gen Oorth, told Agence France-Presse: “The number of victims appears not to have gone up and, so far the situation seems stable in Europe, which is a success.”

“It seems that a lot of internet security guys over the weekend did their homework and ran the security software updates.”

UK Health Minister Jeremy Hunt confirmed to the BBC that UK intelligence services had found no evidence of a second wave of attacks on Monday.

Go Phishing

The ransomware is unleashed when someone opens a link on an email sent during a “phishing” expedition by the attackers.

Beyond keeping operating systems updated and patched, one health system tries to trick colleagues into clicking on malicious e-mails.

The Mayo Clinic’s office of information security sends out fake emails of their own creation as part of an anti-phishing campaign. JoEllen Frain, Mayo’s senior manager of information security, told Healthcare IT News last October that they learned that if they phish their staff, they will get good for a period of time, but if they do not keep those exercises in front of them, staff will quickly slide back into old behaviors. Frain said, “Healthcare organizations must make sure these efforts are relevant, giving staff real-life situations that we all are faced with and keeping the efforts consistent over time.”

“The industry has to recognize this: Even though we have heard about all of this for years and people are familiar with the terms phishing and cybercrime, we have not done a good job of talking through what cybercrime looks like and means,” Frain said. “And until the industry does that on a personal level, it will not be successful. When you break things down, people ask really good questions, such as what does cybercrime look like, what happens, what are the consequences? And that is when you see a huge shift in how people approach their e-mail, which happens after we conduct these internal phishing campaigns.”

Frain said there are three overarching principles to protect against cyberattacks: technology, process and people.

“It’s important that you leverage the technology you have and recognize and use it to its fullest capacity,” she said. “There are lots of decisions that can be made in setting up filtering in what you let in or out. In healthcare, that gets much more complex because we are accustomed to working with all sorts of individuals and businesses that other industries do not have to deal with.”

This cyberattack perpetrated by criminals using America’s top spook technology, is casting a necessary spotlight on precautionary steps healthcare systems need to take to protect patients. No one is sure who benefitted most from this attack, but Microsoft is likely to gain a lot of new paying customers.