Healthcare organizations must be wary of cybercriminals exploiting a software vulnerability called MOVEit. The Cybersecurity and Infrastructure Security Agency issued an alert this month warning health systems about this vulnerability — the alert stated that Clop, a Russian ransomware gang known for going after healthcare providers, has been exploiting MOVEit.
Johns Hopkins University and its health system were recently victims of a data breach caused by hackers targeting this vulnerability, as was Texas-based Harris Health System.
Johns Hopkins said that hackers may have accessed patients’ sensitive personal and financial information during the attack, including names, contact information and health billing records. The health system also said that the cyberattack “impacted thousands of large organizations around the world.”
MOVEit is a commonly used piece of software that allows organizations to transfer data between various systems and networks. Clop found a vulnerability in the software before most organizations could update it, according to the federal government’s alert.
Ransomware attacks can be “disastrous” for health systems, said Aaron Mendes, CEO and co-founder of data privacy platform PrivacyHawk, in a recent interview. These attacks can make a hospital’s systems go offline, force clinicians to revert to paper records and delay patient care.
“If a ransomware attack is successful, there’s not a great way to undo the damage without paying the ransom most of the time. You end up just paying the ransom, unfortunately. And then [the hackers] unlock your systems and you have to try to figure out how they got it and then put things in place to try to prevent it from happening in the future,” he explained.
It’s difficult to get data on the dollar amounts that ransomware gangs typically demand because hospitals usually don’t disclose this information, but Mendes said these sums certainly “aren’t insignificant amounts of money.” According to him, some cybercriminal groups ask for millions or tens of millions of dollars.
He noted that cyberattacks often lead to data theft — when hackers steal healthcare records, patients’ personal and medical information could end up on the dark web or public web. Cybercriminals use this data for a number of purposes, including blackmail, extortion, identity fraud, impersonation and doxing, Mendes explained.
Cyberattacks also create a major legal liability for healthcare providers, he added.
“If you have a ransomware attack or a breach, you’re going to get sued. It’s a major legal risk, and those class action lawsuits are extremely expensive. Unfortunately, the individual patients don’t get very much — it’s usually the lawyers that make a third of the money,” Mendes declared.
In his view, health system cyberattacks aren’t proliferating because hospitals are ignoring security protocols — they’re happening because hackers are really talented at their jobs.
Most hospitals are aware that hackers are posing a major threat to the sector and are taking precautions, but it’s hard for them to protect themselves when they employ thousands of people, Mendes pointed out. It only takes one human mistake to give a hacker access to a hospital’s systems, he said.
“Hackers only need to succeed one out of a thousand times to successfully breach. They might send out 500 phishing emails, and it only takes one click to give them the access that they want. It’s just a really, really hard problem to make 100% bulletproof,” Mendes declared.
Photo: anyaberkut, Getty Images