Waves of attacks on US hospitals show a change in tactics for cybercriminals


They’re knowingly targeting hospitals


United States hospitals were targeted by two major cybersecurity attacks this fall: the first taking down Universal Health Services, a chain of hundreds of hospitals, and the second by a group called UNC1878 threatening hundreds of individual health care facilities all around the country. Targeting health care institutions directly marks a new approach for cybercriminals.

“We haven’t seen an incident of magnitude that actually has the potential to harm people, literally all the way up to the point of death,” says Caleb Barlow, CEO of cybersecurity consulting firm CynergisTek. “It crosses a line that I think the entire cybersecurity community just didn’t think was going to get crossed anytime soon.”

Many large-scale cyberattacks on hospitals over the past few years have been incidental. A piece of ransomware is sent out generally and happens to get into a hospital. That’s what happened to the United Kingdom’s National Health Service (NHS) in the spring of 2017 when the WannaCry cyberattack hit organizations worldwide. But the latest two attacks were intentionally made on hospitals. They’re an appealing target during the COVID-19 pandemic because they’re so essential. Institutions can’t afford to be offline while they try to extricate themselves from ransomware, says Alan Woodward, a computer security expert and professor at the University of Surrey in the United Kingdom.

They’re also targeted because some have paid a ransom to get their systems unlocked, he says. “There’s been quite a few high profile cases where people have paid,” Woodward says. “Whereas, if you ask any law enforcement agency, they will say, please don’t pay. You’ll paint a target on your back.”

Some cybercrime groups pledged not to target hospitals during the COVID-19 pandemic, but attacks on health care facilities doubled in the second half of the year. Most health care institutions are unprepared for cyberattacks, and the pandemic could make things worse, Barlow says. “They are financially strapped because of that pandemic,” he says. “You have a perfect storm: ransomware has been hitting America’s hospitals heavily over the last few years, and almost always, they pay. You have a victim here that is weak, and if you attack them, you’ve got a high probability that you’re going to get paid.”

Thankfully, the two major attacks this fall weren’t as devastating as they could have been. The electronic health records at United Health Services weren’t directly affected, and the system was able to get back up and running in a few weeks. The second threat, from UNC1878, was flagged by federal agencies early enough for many hospitals to prepare. Advance warning may have bought many health care centers enough time to harden their defenses by blocking phishing emails associated with the attack and searching their systems for dormant, malicious files. Hundreds of hospitals were at risk, and these actions may have helped most avoid falling victim to the ransomware. They’re not nearly out of the woods, and the attack took down the computer systems of at least 20 facilities already, but the scale of the disruption could have been much larger.

“I hope that what will happen is that people will be prepared, and the warnings will be enough,” Woodward says.

That’s one difference from the WannaCry cyberattack on the NHS. That attack shut down 80 hospitals across the system, forcing them to divert patients and reschedule regular care. The system had some warning, but it didn’t respond quickly enough.

Barlow says that since the warning was posted, he’s spent “all day, every day” in conversations with leadership at various hospitals around the US, helping them make sure they’re ready to ward off attacks. He thinks, so far, facilities taking those steps have been in good shape. Those investments will also help prepare them for the future: even if the current threat fades, he says, others will pop up.

During the pandemic, hospitals will stay a target, Woodward says. “The threat will continue to exist, and the danger will be that people will drop their guard, and they’ll be back,” he says.

For cybersecurity experts, another next step is figuring out why cybercriminals are more aggressively targeting hospitals, with actions that could be deadly. There are dozens of theories floating around, Barlow says, but no direct evidence for any of them. “We’re all trying to figure out the same questions you’re asking: Why has the atmosphere changed? And what is their endgame?”
