Thank you for subscribing to the free edition of the twice-weekly Parallax View newsletter. All issues are free through March 22. After that, you’ll receive one issue per week. If you’d like to support our independent journalism on the intersection of health care and cybersecurity with a paid subscription, you can do so here. If you'd like a subscription option not available, please email email@example.com.
Behind a federal warning in October about a widespread, impending Ryuk ransomware attack, there was something quite rare, if not unprecedented: broad collaboration between three distinct federal agencies.
The Ryuk threat was serious. The FBI, the Department of Health and Human Services, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency warned U.S. health care organizations that there was an “increased and imminent cybercrime threat” to their computer systems from the Ryuk ransomware.
Charles Carmakal, chief technology officer at cybersecurity threat intelligence company Mandiant, told reporters that UNC1878, a financially motivated threat actor based in Eastern Europe, deliberately targets U.S. hospitals. In some cases, Carmakal said, the time between when a network is hacked and when the ransomware locks up the target’s systems with encryption is less than 45 minutes. UNC1878’s initial ransom demands of its targets ran as high as tens of millions of dollars, Carmakal said.
The overall impact of the Ryuk threat from October may not be known for some time. Some threat intelligence organizations have concluded that the threat was overblown; others say the warning helped targets prepare for a digital onslaught. It might be a few more months yet before further details are made public.
"All three agencies had to work rapidly to declassify information, vet each other's info, and agree on the wording of the warning. This was extraordinary and unprecedented." —John Riggi, former senior FBI official, now senior adviser for cybersecurity and risk at the American Hospital Association
We do know, nevertheless, that multiple agencies within the U.S. government that routinely deal with cyberattacks swiftly worked with one another and with health care liaisons to notify health care organizations of the danger they faced.
“All three agencies had to work rapidly to declassify information, vet each other's info, and agree on the wording of the warning. This was extraordinary and unprecedented,” John Riggi, a former senior FBI official and now senior adviser for cybersecurity and risk at the American Hospital Association, tells The Parallax.
“The solution here is not purely law enforcement,” he says. “The vast majority of these cyber adversaries, whether they’re sophisticated criminal organizations or sophisticated nation-states, are beyond the reach of the FBI. You really need the U.S. intelligence apparatus, Treasury, diplomatic efforts and sanctions, a multi-pronged model to go after cyber adversaries. It’s the same strategy we used to go after terrorists.”
That collaboration may not seem revolutionary, but it indicates that in the near future, we may see more communication between federal agencies, empowered to take steps to stop cyberattacks, and the health care organizations bearing the brunt of those attacks.
Health care organizations need to share the intelligence they glean when they’re subject to a cyberattack, such as the IP addresses that are targeting them. Government agencies, in turn, need to move more nimbly to help health care organizations defend themselves against attackers, who often have better resources than they do.
The Ryuk warning is arguably the highest-profile collaborative effort from the federal government to help stop cyberattacks against health care organizations, but it’s not the only one.
"More and more boards of directors and boards of trustees are bringing their CISOs into the briefing room." —Greg Garcia, executive director of cybersecurity, Health Sector Coordinating Council
In 2019, the Health Sector Coordinating Council published Health Industry Cybersecurity Practices, a joint effort by HHS and the council to help health care organizations defend against cyberattacks and protect patients.
The HICP, mandated by the Cybersecurity Act of 2015, took two years to develop, with input from more than 150 experts in health care, cybersecurity industry, and government operations. The HSCC issues ongoing, semi-regular guidance updates for health care organizations, with 13 published since 2019 and the most recent update on December 30.
How much communication there will be, and how the communication will be evaluated for its effectiveness in stopping cyberattacks against health care, remain open questions, says Greg Garcia, executive director of cybersecurity at the Health Sector Coordinating Council. But he believes that health care organizations already have begun the arduous process of overhauling their cybersecurity readiness and hygiene.
“There is more and more awareness about the exigency of cybersecurity in the health care environment. More and more boards of directors and boards of trustees are bringing their CISOs into the briefing room. That’s working, in the sense that even some of the more midsized hospitals and medical-device makers have a general recognition that cybersecurity risk is an enterprise risk,” Garcia says. “Cyber risk can exacerbate financial risks, operational risks, compliance risks, and reputational risks.”
While improving communication between the public and private sectors is crucial to defending health care organizations against ransomware and other cyberattacks that can interfere with patient care, it often takes a catastrophe to motivate governments and providers to take action to improve health care cybersecurity.
By the time that the WannaCry cyberattack struck the United Kingdom’s National Health Service in 2017, the NHS had suffered more than 200 ransomware attacks in the three years prior, according to a CompariTech report. In the three years following WannaCry, the study concluded that the NHS had been victimized by only six reported ransomware attacks.
That’s because the British government made dedicated funds available to the NHS to help it strengthen its cybersecurity posture, argues Stephane Duguin, CEO of the CyberPeace Institute, a nonprofit think tank based in Geneva, Switzerland, that earlier this month published a report on the state of cyberattacks against the health care sector.
The U.K. and U.S. health care systems are not quite comparable because the U.K. system is guided by the government, while the U.S. system is mostly private, Duguin acknowledges, but he says any improvement in communication to stop cybercriminals from hacking health care must be accompanied by indictments and prosecution.
“What is missing so far is that attacks on health care are attacks on people and [attacks] on global health,” Duguin says. “Any action must be taken under this prism. It’s irresponsible during a pandemic that every day, health care is targeted by criminals, state-sponsored actors, or state actors.”
A Tweet to live by:
What do you know that we don't?
Thank you for subscribing to the free edition of The Parallax View! Learn more about our paid subscription options here.