FBI Warns of 'Imminent' Cyberattacks on US Hospitals

Deborah Brauser

November 06, 2020

Amid recent reports of hackers targeting and blackmailing healthcare systems and even patients, the Federal Bureau of Investigation (FBI) and other agencies have issued a warning of "imminent" cyberattacks on more US hospitals.

A new report released by the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, notes that the FBI and the Department of Health and Human Services (HHS) have "credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers."

The agencies are urging "timely and reasonable precautions" to protect healthcare networks from these threats.

As reported, hackers accessed patient records at Vastaamo, Finland's largest private psychotherapy system, and emailed some patients last month demanding €200 in bitcoin or else personal health data would be released online.

In June, the University of California, San Francisco (UCSF), School of Medicine experienced an information technology (IT) "security incident" that led to the payout of $1.14 million to individuals responsible for a malware attack in exchange for the return of data.

In addition, last week, Sky Lakes Medical Center in Klamath Falls, Oregon, released a statement in which it said there had been a ransomware attack on its computer systems. Although "there is no evidence that patient information has been compromised," some of its systems are still down.

"We're open for business, it's just not business as usual," Tom Hottman, public information officer at Sky Lakes, told Medscape Medical News.

Paul S. Appelbaum, MD, Dollard Professor of Psychiatry, Medicine, and Law at Columbia University Vagelos College of Physicians and Surgeons, New York City, told Medscape Medical News, "People have known for a long time that there are nefarious actors out there." He said all healthcare systems should be prepared to deal with these problems.

"In the face of a warning from the FBI, I'd say that's even more important now," Appelbaum added.

"Malicious Cyber Actors"

In the new CISA report, the agency notes that it, the FBI, and the HHS have been assessing "malicious cyber actors" targeting healthcare systems with malware loaders such as TrickBot and BazarLoader, which often lead to data theft, ransomware attacks, and service disruptions.

"The cybercriminal enterprise behind TrickBot, which is likely also the creator of BazarLoader malware, has continued to develop new functionality and tools, increasing the ease, speed, and profitability of victimization," the report authors write.

Phishing campaigns often contain attachments with malware or links to malicious websites. "Loaders start the infection chain by distributing the payload," the report notes. A backdoor mechanism is then installed on the victim's device.

In addition to TrickBot and BazarLoader (or BazarBackdoor), the report discusses other malicious tools, including Ryuk and Conti, which are types of ransomware that can infect systems for hackers' financial gain.

"These issues will be particularly challenging for organizations within the COVID-19 pandemic; therefore, administrators will need to balance this risk when determining their cybersecurity investments," the agencies write.

Appelbaum said his organization is taking the warning seriously.

"When the report first came out, I received emails from every system that I'm affiliated with warning about it and encouraging me as a member of the medical staff to take the usual prudent precautions," such as not opening attachments or links from unknown sources, he said.

"The FBI warning has what seems like very reasonable advice, which is that every system should automatically back up their data off site in a separate system that's differently accessible," he added.

After a ransomware attack, the most recently entered information may not be backed up and could get lost, but "that's a lot easier to deal with than losing access to all of your medical records," said Appelbaum.

Ipsit Vahia, MD, medical director at the Institute for Technology and Psychiatry at McLean Hospital, Belmont, Massachusetts, noted that, in answer to the FBI warning, he has heard that many centers, including his own, are warning their clinicians not to open any email attachments at this time.

Recent Attacks

UCSF issued a statement noting that malware detected in early June led to the encryption of "a limited number of servers" in its School of Medicine, making them temporarily inaccessible.

"We do not currently believe patient medical records were exposed," the university said in the statement.

It added that because the encrypted data were necessary for "some of the academic work" conducted at UCSF, they agreed to pay a portion of the ransom demand ― about $1.14 million. The hackers then provided a tool that unlocked the encrypted data.

"We continue to cooperate with law enforcement and we appreciate everyone's understanding that we are limited in what we can share while we continue our investigation," the statement reads. UCSF declined Medscape's request for further comment.

At Sky Lakes Medical Center, computer systems are still down after its ransomware attack, including use of electronic medical records, but the Oregon-based healthcare system is still seeing patients.

They are "being interviewed old school," with the admitting process being conducted on paper, "but patient care goes on," said Hottman.

In addition to a teaching hospital, Sky Lakes comprises specialty and primary care clinics, including a cancer treatment center. All remain open to patients at this time.

Diagnostic imaging is also continuing, but "getting the image to a place it can be read" has become more complicated, said Hottman.

"We have some work-arounds in process, and a plan is being assembled that we think will be in place as early as this weekend so that we can get those images read starting next week," he said.

In addition, "scheduling is a little clunky," he reported. However, "we have an awesome staff with a good attitude, so there's still a whole lot we can do," he added.

He also noted that his institution has reconfirmed that as of November 4, no patient data had been compromised.

"Especially Chilling"

Targeting hospitals through cyberattacks isn't new. In 2017, the WannaCry virus affected more than 200,000 computers in 150 countries, including the operating system of the UK National Health Service (NHS). The cyberattack locked clinicians out of NHS patient records and other digital tools for 3 days.

Appelbaum noted that as hospital systems become more dependent on the Internet and on electronic communications, they become more vulnerable to data breaches.

"I think it's clear that there have been concerted efforts lately to undertake attacks on healthcare IT systems to either hold them hostage, as in a ransomware attack, or to download files and use that information for profit," he said.

Still, Vahia noted that contacting patients directly, which occurred in the Finland data breach and blackmail scheme, is something new. It is "especially chilling," said Vahia, that individual psychiatric patients were targeted.

"It is difficult to even fathom the kind of damage that can be done by compromised mental health records. It's difficult to overstate how big a deal this is, and we should be treating it with the appropriate level of urgency," he told Medscape Medical News.

"It shows how badly things can go wrong when security is compromised; and it should make us take a step back and survey the world of digital health to gain recognition of how much risk there might be that we haven't really understood before," Vahia said.

Clinical Tips

Asked whether he had any tips to share with clinicians, Hottman noted that the best time to have a plan is before something dire happens.

"I would make [the possibility of cyberattacks] part of the emergency preparedness program. What if you don't have access to computers? What do you do?" It's important to answer those questions prior to systems going down, he said.

Hottman reported that after a mechanical failure last year put their computer systems offline for a day, "we started putting all critical information on paper and in a binder," including phone numbers for the state police.

Vahia noted that another important step for clinicians "is to just pause and take stock of how digitally dependent" healthcare is becoming. He also warned that precautions should be taken regarding wearables and apps, as well as for electronic medical records. He noted the importance of strong passwords and two-step verification processes.

Even with the risks, digital technology has had a major impact on healthcare efficiency. "It's not perfect, the work is ongoing, and there are big questions that need to be addressed, but in the end, the ability of technology when used right and securely" leads to better patient care, he said.

John Torous, MD, director of digital psychiatry at Beth Israel Deaconess Medical Center, Boston, Massachusetts, agreed that digital healthcare is and will remain very important; but at the same time, security issues need proper attention.

"When you look back at medical hacks that have happened, there's often a human error behind it. It's rare for someone to break encryption. I think we have pretty darn good security, but we need to realize that sometimes errors will happen," he told Medscape Medical News.

As an example, Torous, who is also chair of the American Psychiatric Association's (APA's) Health and Technology Committee, cited phishing emails, which depend on a user clicking a link that can cause a virus to be downloaded into their network.

"You can be cautious, but it takes just one person to download an attachment with a virus in it" to cause disruptions, Torous said.

Telehealth Implications

After its data breach, Vastaamo posted on its website a notice that video is never recorded during the centers' telehealth sessions, and so patients need not worry that any videos could be leaked online.

Asked whether video is commonly recorded during telehealth sessions in the United States, Vahia said that he was not aware of sessions being recorded, especially because the amount of the data would be too great to store indefinitely.

Appelbaum agreed and said that, to his knowledge, no clinicians at Columbia University are recording telehealth sessions. He said that it would represent a privacy threat, and he noted that most healthcare providers "don't have the time to go back and watch videos of their interactions with patients."

In the case of recordings for research purposes, he emphasized that it would be important to get consent and then store the health information offline.

As for other telehealth security risks, Vahia noted that it is possible that if a computer or device is compromised, an individual could hack into a camera and observe the session. In addition to microphones, "these pose some especially high vulnerabilities," he said.

"Clinicians need to pay attention as to whether the cameras they're using for telecare are on or if they're covered when not in use. And they should pay attention to security settings on smartphones and ensure microphones are not turned on as the default," he said.

Appelbaum said the Health Insurance Portability and Accountability Act (HIPAA) requires that telehealth sessions be conducted on secure systems, so clinicians need to ascertain whether the system they're using complies with that rule.

"Particularly people who are not part of larger systems and would not usually take on that responsibility, maybe they're in private practice or a small group, they really need to check on the security level and on HIPAA compliance and not just assume that it is adequately secure," he said.

Appelbaum, who is also a past president of the APA and director of the Center for Law, Ethics, and Psychiatry at Columbia, noted that the major risk for hospitals after a cyberattack is probably not liability to individual patients.

"It's much more likely that they would face fines from HIPAA if it's found that they failed to live up to HIPAA requirements," he said.
