MITRE Cyber Experts Take on Ransomware Threats Against Health SystemsMarch 2021
Topics: Cybersecurity, Health IT, Information Security, Health, Cyber Resilience
Joanne Fitzpatrick is a lead cybersecurity engineer in MITRE’s Cyber Solutions Innovation Center. She works closely with a range of government sponsors to increase their situational awareness and improve their resiliency to cyber attacks.
We spoke with her about ransomware, which the government’s Cybersecurity and Infrastructure Security Agency describes as “an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.” Fitzpatrick explains why MITRE’s new Ransomware Resource Center focuses on defeating the increasing number of attacks aimed at the healthcare sector.
Q: Why are healthcare facilities such prime targets for ransomware attacks?
Hospitals and healthcare organizations, large and small, are at particular risk for ransomware. One study showed more than 500 attacks in 2020 alone, with major health systems in Texas, Minnesota, and Vermont recently coming under attack. Patient care and business systems, such as communications, billing, and electronic health records, are often disrupted, even to the point of re-routing patients to other facilities and cancelling surgeries.
Today, hospitals and healthcare centers are especially vulnerable because COVID-19 has reduced ICU bed capacities and medical professionals are serving COVID patients while managing existing caseloads. The pandemic has publicized the health systems’ struggles worldwide.
It’s worth noting that an adversary does not need to infiltrate an entire healthcare information system (HIS) to negatively impact an organization’s ability to deliver health services, a primary objective. They may choose to gain access to one subsystem, module, or critical file, such as the scheduling process for operating rooms.
Upon gaining access, the adversary could encrypt it, prohibiting the organization from accessing or using the schedule. They would then complete the attack by demanding funds in return for the necessary software to decrypt/unlock the module or files.
Q: Not all health organizations are equal. What do we know about how ransomware affects hospitals and health facilities in rural or underserved areas?
Great question. We tend to hear about large organizations in the media when an attack has happened. However, hospitals and health facilities in rural or underserved areas are just as vulnerable as larger, more urban organizations. Adversaries don’t adhere to rules, and don’t want to be predictable in their attack behavior.
Impeding an organization from successfully providing their services to their local communities is simply a pathway to demand a ransom. Since they primarily want to extort money from an organization, they don’t really care about its size, location, or nature of their databases.
From the perspective of hospitals and health facilities in rural or underserved areas, however, their ability to protect themselves from a ransomware attack, or to be able to operate through such attacks, may be more limited than their larger counterparts because their IT infrastructure may be less mature, and their resources may be more limited.
Q: Are there considerations for organizations with small or underfunded IT/security staff?
There are two key considerations. First, such organizations typically have smaller IT and security departments, with a handful of talented people wearing many hats, and each responsible for several major operational IT areas. Staff tend to be experienced in the operations of their own organization, but often have little access to growth/training/professional development on cybersecurity issues, such as threats and attacks. Lack of time or budget is usually the reason.
Additionally, there is little to no extra staff available to dedicate to specialty cyber topics, such as threat modeling or attack surface assessments. Second, we recognize that both small and large healthcare organizations may be targets for adversaries.
Size doesn’t matter. We’ve witnessed successful attacks at all types of health organizations. Adversaries may even exploit a smaller hospital as part of their attack navigation to exploit a larger, partnering organization.
For these reasons, we’ve built the Ransomware Resource Center to help all kinds of health organizations, whatever their size and wherever they are in their planning.
Q: How can the Ransomware Resource Center help healthcare organizations?
We hope the Ransomware Resource Center will make two key contributions. It will inform hospitals and healthcare organizations about how to prepare, respond to, and recover from such an attack.
It also will share freely with the broader community the unbiased guidance and best practices that MITRE cybersecurity and cyber resiliency professionals have provided for years to our many federal government sponsors.
Q: What is unique about the security needs of healthcare providers, suppliers, and support organizations?
In general, their needs are similar to those of other types of business with regards to structure and process flows. However, expectations for healthcare systems are different from other sectors (such as banking or retail, for example) because human well-being and lives are at stake. Emergency rooms, maternity, and much else demands 24/7 functionality.
In this way, the security needs of healthcare delivery are more like some of MITRE’s military sponsors where the safety of human life and local populations is paramount.
Q: Where should you start if you work at a smaller organization, or don’t have the benefit of a fully staffed information security team?
Many healthcare organizations choose to start with an assessment that asks and answers some key questions: What are our most important assets? What are the strengths and vulnerabilities of our current system? What are the roles and responsibilities around the organization if we come under attack?
MITRE has created numerous cyber tools that help organizations ask and answer these important questions. Three in particular: Cyber Tabletop Exercises, the Crown Jewels Analysis (CJA), and the Cyber Operations Rapid Assessment are well-suited to healthcare organizations. We’ve used them extensively in helping many organizations understand where they are in facing cyber adversaries, and then pointing the way to their necessary and feasible next steps.
—interview conducted by Gregory Michaelidis
To learn more about MITRE’s work in health and cybersecurity, contact us at HealthCyber@mitre.org.
Explore More at MITRE Focal Point: Pandemic Response