The first death formally tied to a ransomware attack is thought to have taken place in Germany in 2020, after an emergency patient in an ambulance had to be diverted to a hospital 30km away and died in transit. Since then there has been considerable alarm every time a patient care facility is targeted. A recent attack on a Barcelona hospital fortunately does not appear to have resulted in any casualties, but it illustrates the extent to which these incidents can delay care and create serious risks even in “milder” cases.
The hospital had to bring in additional staff from outside sources to handle some 800 urgent care cases that had to be processed manually, and some of these cases had to be unexpectedly transferred to other hospitals in the Barcelona area. 150 non-emergency procedures were also canceled, along with about 3,000 appointments. Normal hospital communications were also disrupted, and three impacted facilities are looking at weeks of time before total recovery.
Barcelona hospital faces long recovery as urgent care operations are slowed
The Barcelona hospital suffered a sophisticated attack on its virtual machines on February 5, one that ended up having an impact on three of its facilities in the city: CAP Casanova, CAP Borrell, and CAP Les Corts, in addition to the main 819-bed Clínic de Barcelona. In total these facilities serve over half a million people in the region.
The ransomware attack was reportedly the work of the RansomHouse group, which uses the WhiteRabbit encryptor and has engaged in numerous attacks since it first went active in May 2022. In addition to the Barcelona hospital the group has hit chip manufacturer AMD, a number of municipalities in Italy, African grocery chain Shoprite, and a Maldivian airline service among others.
As of February 7 the Catalonian government said that it was still investigating to determine the full extent of damage from the ransomware attack. The central SAP data management system was reportedly not impacted, but the attack reportedly caused problems with a broad array of other apps and communications tools. It also appears to have cut off access to digital patient record systems.
The Barcelona hospital said that radiology, dialysis, the outpatient pharmacy and endoscopic tests were functioning normally, but that there may be delays or limitations to other services.
The emergency room, pharmacy and laboratory were confirmed to be negatively impacted by the ransomware attack, and the hospital’s public-facing website was down for some time as well. The hospital’s press department has said that it is not sure how long it will take to restore full function, and that it is operating on an assortment of contingency plans until then.
Hackers have prior experience with ransomware attacks on health care facilities
The Barcelona hospital did not report receiving a ransom demand, and said that it does not intend to pay if it receives one. While ransomware groups sometimes pledge to stay away from health care, RansomHouse has already demonstrated it has no such qualms with a prior November 2022 attack on the Keralty healthcare multinational, which struck locations in Colombia. The group claims to have stolen 3 TB of private data in that ransomware attack, which disrupted some facility operations and public websites for a number of days.
“Honor among thieves” remains rare in the ransomware and data exfiltration world, and attacks such as the one on the Barcelona hospital are increasingly common. Ransomware attacks on health care facilities doubled between 2016 and 2021, and then doubled again from 2021 to 2022. In over 15% of these attacks the attackers made public the sensitive personal information they had stolen, and 44% led to disruptions to operations; 8% led to disruptions that lasted for over two weeks. Only 20% of the affected organizations said that they were able to restore from backups, the approach that the Barcelona hospital is taking to recover.
The Barcelona hospital is also an outlier in refusing to pay; ransomware attacks on the health care field are increasing precisely because most of these entities cannot afford downtime and can be coerced into paying, even if they do not have pockets as deep as some other targets might. Patient data is also quite lucrative on the black market, as scammers find most of what they need to operate in the contents of medical records. Even if a hospital pays to resolve a ransomware attack, it has to reasonably expect that stolen patient data is going to be sold at some point. And though deaths may not be directly attributed to the attacks, recent research from Ponemon indicates that about 25% of health care organizations feel that ransomware attacks are driving up death rates due to follow-on care issues. 70% say that ransomware attacks lead to poorer health outcomes for patients, and 65% say that they have forced patients to be diverted to other facilities.
Stephan Chenette, Co-Founder and CTO at AttackIQ, notes that the health care industry must find a way to implement adequate defenses even when budgets are tight: “This cyberattack serves as the latest reminder that organizations simply don’t exercise their defenses enough, and healthcare organizations in particular should be evaluating their existing security controls to uncover gaps before an attacker finds them. We continue to see basic security protection failures resulting in data loss for companies both large and small. In February alone, Florida and Maryland hospitals suffered cyber attacks that limited IT operations. This trend is disturbing as the cost of recovering from a breach is far more expensive than conducting proactive testing to validate that the security products and services you have already purchased and implemented are working correctly.”
“To best defend against ransomware attacks, it’s essential to understand the common tactics, techniques, and procedures the adversary uses. In doing so, organizations can build more resilient security detection, prevention and response programs mapped specifically to those known behaviors. Organizations that manage sensitive health information must adopt a threat-informed cyber-defense strategy tailored to focus on the adversaries most likely to impact their operations to maximize their ability to protect sensitive information. This should include mapping their security controls to specific attack scenarios, aligned to the MITRE ATT&CK® framework, to measure an organization’s cybersecurity readiness for the attacks that are sure to come. Additionally, companies should use automated solutions that safely validate their defensive controls against ransomware campaigns and their techniques to avoid falling victim,” recommends Chenette.