Red Tape Is Making Hospital Ransomware Attacks Worse WIRED

pTo revisit this article visit My Profile then View saved storiesppMatt BurgessppCrippling ransomware attacks against hospitals and health care providers are on the rise These ruthless cyberattacks can take medical systems offline for weekscanceling appointments and surgeries and causing harm to patients Doctors and nurses are plunged into crisis situations where they resort to using pen and paper while IT staff work to make systems safe and bring them back online The recovery can be longlasting and brutalppHealth care professionals lawyers and cybersecurity experts tell WIRED that amid the chaos caused by criminal hackers a littleknown bureaucratic process can slow down hospitals and medical providers getting their systems working againppThe red tape involves organizations hit by ransomware sending detailed assurance or attestation letters to companies that they connect their systems or software with These letters are designed to convince organizations that it is safe to reconnect after the ransomware attack but they can add extra pressure to those already dealing with physically and mentally draining recovery operationsppThe letters arent required by any law and are not unique to medical organizations impacted by ransomware attacks but experts say in situations where lives are at risk more efficient processes should be considered Assurance letters seen by WIRED contain up to 40 individual questions about cyberattacks and include detailed requests about how events unfolded steps taken to respond and any evidence that may have been gatheredppNegotiating with hundreds of vendors each with their own unique set of requirements to reconnect was an arduous and timeconsuming process says Sean Fitzpatrick the vice president of external communications at Ascension a network of 140 hospitals and thousands of affiliated providers across 19 states which was hit by ransomware in May Ascension now has more than 95 percent of its suppliers reconnected or in the process of reconnecting Fitzpatrick says and has attempted to be as transparent as possible with its recoveryppMeanwhile Shane Thielman the chief information officer at Scripps Health a San Diego health care provider with more than 70 hospitals and clinics says it was required to produce around 30 vendor letters when it was hit by Conti malware in May 2021 for clinical business and administrative software partners Initially there were several vendors that did not accept the assurance letter and requested additional technical documentation and information Thielman says However this was limited and ultimately did not result in a delay to restoring access to systems at ScrippsppHospitals and other health care organizations are hugely complex beaststhey can use dozens of pieces of software from different companies providing everything from electronic health care records to staff shift schedules Cyberattacks that take medical services offline can impact a hospitals own internal systems and networks and those belonging to thirdparty suppliers An attack against a company that provides software to hundreds or thousands of organizations can have widespread ramificationsppIt doesnt take long to see how ransomware which is most often launched by Russiabased cyberciminals can have a dangerous impact on medical care More than 1100 surgeries and 2194 appointments have been canceled at London hospitals this month after pathology services provider Synnovis was hit by ransomware Some cancer appointments have been canceled blood testing reduced and more than 50 organs needed to be diverted for use at other hospitals figures from the UKs National Health Service showppBy David RobsonppBy Angela WatercutterppBy Mark HarrisppBy Adrienne SoppI can tell you with complete confidence that ransomware attacks harm patients says Hannah Neprash an associate professor of health policy at the University of Minnesota who has researched the impact of ransomware attacks on US hospitals and concluded they result in higher mortality rates If you are a patient who has the misfortune to be admitted to a hospital when that hospital goes through a ransomware attack the likelihood that youre going to walk out the doors goes down Neprash says The longer the disruption the worse the health outcomesppIn the hours and days immediately after ransomware attacks its common for companies who have software connected to the targeted organization to pull their services This can include everything from disconnecting medical records to refusing to email a cyberattack victim This is where socalled assurance letters come inppWeve really seen the demand for these letters increase over the past few years as breaches have become much more litigiousfrom class actions lawyers chasing settlements to lawsuits between businesses says Chris Cwalina the global head of cybersecurity and privacy at law firm Norton Rose FulbrightppCwalina says he is unsure where and when the practice of sending assurance letters started but says it is likely it began with lawyers or security professionals who misunderstood legal requirements or the risks they are trying to prevent There is no legal requirement to request or obtain an attestation before systems can be reconnected Cwalina saysppThese assurance and attestation letters are often compiled with the support of specialist cybersecurity companies that are employed to respond to incidents What can be reconnected and when will vary depending on the specific details of each attackppBut much of the decisionmaking comes down to riskor at least perceived risk Charles Carmakal the chief technology officer of Googleowned cybersecurity firm Mandiant says companies will be worried that cybercriminals could move laterally between the victim and their systems Companies want to know a system is clean and the attackers have been removed from the systems Carmakal saysppI understand the rationale behind the assurance process What I would say is that people do need to really consider what is the risk associated with the level of connectivity between two parties and sometimes people tend to default to the most restrictive path Carmakal says For instance it is rare that Mandiant sees wormable ransomware moving from one victim to another he saysppVendors were interested to know that independent outside cybersecurity experts were engaged with Scripps technical teams and verification that malware was contained and remediated with reasonable best efforts Thielman the CIO of Scripps Heath says For Ascension Fitzpatrick says the company also held oneonone calls with vendors and hosted eight webinars where it provided updates It has also shared indicators of compromisethe traces left by attackers in its systemswith health organizations and the US Cybersecurity and Infrastructure Security Agency CISAppCybercriminals have become more brazen with attacks against hospitals and medical organizations in recent years in one case the Lockbit ransomware gang claimed it had rules against attacking hospitals but hit more than 100 Often these sort of attacks directly impact private sector companies that provide services to public infrastructure or medical organizationsppIf you look plausibly at the threat picture in the years ahead disruption to public services and public activity caused by cybercrime activity that affects the private sector is probably something thats going to happen more and more says Ciaran Martin a professor at the University of Oxford and the former head of the UKs National Cyber Security Centre In these instances Martin suggests there may be questions around whether governments have or need powers to direct private firms to respond in certain waysppBy David RobsonppBy Angela WatercutterppBy Mark HarrisppBy Adrienne SoppJohn Riggi national adviser for cybersecurity and risk at the American Hospital Association says there could be more federal support for health care providers Some of the resources for instance that CISA dedicates to defending federal civilian networks could also be devoted and expanded to help defend critical infrastructure like health careppWhen it comes to the need for assurance and attestation letters Norton Rose Fulbrights Cwalina says much of the information requested in these scenarios could be received through directly speaking to people The piece of paper is ultimately only obtained after lawyers review it and insert caveats and protectionswhich means the attestation will actually say very little to give an organization confidence to reconnect and certainly nothing that couldnt be obtained through other means Cwalina says Scripps Healths Thielman recommends establishing communications with software providers as soon as possibleppWe need a situation in which somebody be that a incident response company or CISA is able to sound an all clear signal after which vendors can reconnect immediately says Brett Callow a threat analyst at Emsisoft A thirdparty approval could speed up the process he says The primary concern here has to be patient safety We need to get hospitals up and running in a safe manner in the shortest possible time Masses of red tape just arent conducive to thatppIn your inbox Get PlaintextSteven Levys long view on techppWelcome to the hellhole of programmatic advertisingppHow many EV charging stations does the US need to replace gas stationsppA nonprofit tried to fix tech culturebut lost control of its ownppIts always sunny Here are the best sunglasses for every adventureppAndrew CoutsppKim ZetterppMatt BurgessppAndy GreenbergppMatt BurgessppSamanth SubramanianppMatt BurgessppDhruv MehrotrappMore From WIREDppReviews and Guidespp 2024 Condé Nast All rights reserved WIRED may earn a portion of sales from products that are purchased through our site as part of our Affiliate Partnerships with retailers The material on this site may not be reproduced distributed transmitted cached or otherwise used except with the prior written permission of Condé Nast Ad Choicesp