“Killware”: Is it just as bad as it sounds?
https://blog.malwarebytes.com/cybercrime/2021/10/killware-is-it-just-as-bad-as-it-sounds/
On October 12, after interviewing US Secretary of Homeland Security Alejandro Mayorkas, USA TODAY’s editorial board warned its readers about a dangerous new form of cyberattack under this eye-catching
headline: “The next big cyberthreat isn’t ransomware. It’s killware.
And it’s just as bad as it sounds.”

In May, the Federal Bureau of Investigation warned ongoing ransomware attacks on medical providers and first responders could endanger the public and risk medical care delays. In addition, Joshua Corman, a senior advisor at the Cybersecurity and Infrastructure Security Agency, said ransomware can lead to dire consequences for hospitals and patients.

“We can see that a cyberattack can strain [hospitals] enough to contribute to excess deaths,” Corman said.

Under attack, an Alabama hospital struggled to monitor patients
On July 8, 2019, Springhill Medical Center was hit by a ransomware attack—likely orchestrated by the hacking group Ryuk, the Journal reports. According to a hospital spokesperson, the hospital refused to pay the ransom, instead shutting down its network for at least three weeks before systems returned to normal.

During the network outage, nursing staff and doctors struggled to perform routine tasks, like accessing medical records and monitoring patients’ vital signs. In the labor and delivery unit, staff were unable use a central monitoring system at the nurses’ station, which showed real-time vital signs of patients in 12 delivery rooms.

Nurses were instructed to stay in or near their patients’ rooms, and they routinely checked a paper readout from the fetal heart monitors.

Teiranni Kidd was one of the patients in the hospital’s labor and delivery unit during the outag

According to nurses specializing in obstetrics and newborns, an abnormal increase in heart rate can mean that an entangled umbilical cord has cut off blood and oxygen to the fetus. Doctors commonly choose to deliver a baby by C-section in these cases due to the potential for brain injuries.

However, only one person was monitoring Kidd’s vital signs at the time, the Journal reports, and it’s unclear whether the attending nurse noticed the rising heart rate or how it was interpreted.

“If that nurse didn’t recognize it, it would have gone unnoticed,”

Later that day, Kidd’s baby, Nicko, was born unresponsive with her umbilical cord wrapped around her neck. Nicko was soon transferred to the neonatal ICU at a nearby hospital and later diagnosed with significant brain damage.

A day after Kidd’s delivery, the nurse manager examined Kidd’s heart monitor printout for “what [they] missed or if [they] could have called [the attending doctor] sooner.” After reviewing the printout on her own, Katelyn Parnell, the attending obstetrician, said she would have performed a C-section if she had been notified of the change in heart rate sooner, the Journal reports.

“I need [you] to help me understand why I was not notified,” Parnell wrote in a text to the nurse manager. In another text she wrote, “[T]his was preventable.”

The first alleged ransomware death
According to Kidd, she was not aware of the ransomware attack when she was admitted to the hospital. In January 2020, she filed a medical malpractice lawsuit against Springhill in the Circuit Court of Mobile County, later amending it when her daughter died in April 2020.

In her lawsuit, Kidd alleges information about her baby’s condition never reached Parnell because the attack removed the extra scrutiny the heart rate monitor would have received at the nurses’ station, the Journal reports. If Kidd’s allegations are proven in court, the case will be the first confirmed death from a ransomware attack.

In response to the lawsuit, Springhill has denied any wrongdoing. Jeffrey St. Clair, Springhill’s CEO, said the hospital handled the ransomware attack appropriately.

Advisory Board’s take
3 steps to protect against (and prepare for) health care cybersecurity attacks

So how should health care organizations prepare for this new reality of a technology driven health care world? I’ve detailed three crucial steps to consider.

1. Regularly revisit back-up processes to ensure staff are prepared
One of the first steps any provider organization is going to take after an attack is to shut off all systems to prevent further infection or data breaches. This often means physicians and staff will have to turn to manual processes

2. Move cybersecurity up your organizational priority list and provide funding to match
Every health care organization provides some standard defense measures and employee training. But too many organizations stop here and allow security awareness to become a temporary or annual campaign with limited funding. Instead, organizations need to embed security into their organizational culture.

3. As you expand your digital ecosystem, be prepared for the new entry points it creates
As adoption of telehealth, connected health devices, and the internet of things continues to expand, so too does the risk for hacking with new devices and applications. Increasingly, this risk lives outside the four walls of provider organizations and instead resides with patients and third parties with network access. When it comes to third-party technology vendors and service providers, it is important to both establish risk management standards at the contracting stage and regularly assess how those standards are being met. As telehealth usage has increased, we have also seen an increase in attacks directed at telehealth systems. Furthermore, patient connected health devices can place patient data and safety at risk while leaving providers with less control over the management of these devices.

As health care providers continue to invest in new technologies to further care delivery and connect with patients, they must also proactively consider how to prevent these investments from weakening their overall security.

We need to recognize that operational sides of these facilities need to be cut off from remote access. China and Russia, for the most part, have declared open season on infrastructure in the West.

 The firm estimated that the financial impact of cyber-physical security attacks resulting in fatalities will surpass $50 billion within a few years.

“Even without taking the actual value of a human life into the equation,” Gartner concluded, “the costs for organizations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant.”

While ransomware attacks dominate the headlines, Mayorkas has begun sounding the alarm about cyber intrusions such as the one in Florida in which money wasn’t the primary motive.

Several nations, including Iran, Russia and China, have penetrated elements of critical U.S. infrastructure, but there have been few instances of them taking any action.

https://lm.facebook.com/l.php?u=https%3A%2F%2Fwww.usatoday.com%2Fstory%2Fnews%2Fpolitics%2F2021%2F10%2F12%2Fcybersecurity-experts-warn-killware-attacks-rival-ransomware%2F6042745001%2F&h=AT0424mINaKA5rhQye0p_Dxf_210ZoV6Ntq8_FWJDsWeHJ_a2hhbVKaHn32HrKhdSRTwjn98YR6Ifjm5qKY6VmagyEe9TgjkQjfhVYXoTw8bZQFy0YLqb_qj5sRyzfMxZA

Hackers increasingly target infrastructure – from hospitals and water supplies to banks and transit – in ways that could injure or kill.

As most Americans are still learning about the hacking-for-cash crime of ransomware, the nation’s top homeland security official is worried about an even more dire digital danger: killware, or cyberattacks that can literally end lives.

But “there was a cyber incident that very fortunately did not succeed,” he added. “And that is an attempted hack of a water treatment facility in Florida, and the fact that that attack was not for financial gain but rather purely to do harm.”

That attack on the Oldsmar, Florida, water system in February was intended to  distribute contaminated water to residents, “and that should have gripped our entire country,” Mayorkas said. 

Mayorkas and cybersecurity experts said the Oldsmar intrusion was one of many indications that malicious hackers increasingly are targeting critical parts of the nation’s infrastructure – everything from hospitals and water supplies to banks, police departments and transportation – in ways that could injure or even kill people.

“The attempted hack of this water treatment facility in February 2021 demonstrated the grave risks that malicious cyber activity poses to public health and safety,” Mayorkas told USA TODAY in a follow-up exchange. “The attacks are increasing in frequency and gravity, and cybersecurity must be a priority for all of us.”

Like Mayorkas, private-sector computer security experts warn that so-called cyber-physical security incidents involving a wide range of critical national infrastructure targets could lead to loss of life. Those include oil and gas manufacturing and other elements of the energy sector, as well as water and chemical systems, transportation and aviation and dams.

The rise of consumer-based products such as smart thermostats and autonomous vehicles means Americans live in a “ubiquitous cyber-physical systems world” that has become a potential minefield of threats, said Wam Voster, senior research director at the security firm Gartner.

“The attack on the Oldsmar water treatment facility shows that security attacks on operational technology are not just made up in Hollywood anymore,” Voster wrote in an accompanying article.     

In a report July 21, Gartner said there is enough evidence of increasingly debilitating and dangerous attacks to expect that by 2025, “cyber attackers will have weaponized operational technology environments to successfully harm or kill humans.”

Another example, Voster wrote, was the Triton malware that was first identified in December 2017 on the operational technology systems of a petrochemical facility. It was designed to disable the safety systems put in place to shut down the plant in case of a hazardous event.

“If the malware had been effective, then loss of life was highly likely,” Voster wrote. “It is not unreasonable to assume that this was an intended result. Hence ‘malware’ has now entered the realm of ‘killware.’”

A frightening target: Hospitals

However, U.S. officials are concerned about the rash of ransomware attacks on hospitals, which have had to divert patients and cancel or defer critical surgeries, tests and other medical procedures, as was the case in a nationwide cyberattack on Universal Health Services, one of the largest U.S. health care providers, in September 2020.

In hospital hacks, patients could die or suffer life-threatening complications, but it would be nearly impossible to find out unless medical centers offered that information, said a senior Department of Homeland Security official speaking on the condition of anonymity because he was not authorized to discuss security concerns.

A year ago, the FBI, DHS and the Department of Health and Human Services issued a warning about attacks on hospitals, describing the tactics, techniques and procedures used by cybercriminals to infect systems with ransomware for financial gain.

In Alabama, a woman sued a hospital this year, alleging that its failure to disclose a cyberattack on its systems resulted in diminished care that caused her baby’s death.

Last year, a hacker attack caused the failure of information technology systems at a major hospital in Germany. That forced a woman who needed urgent admission to be taken to another city for treatment, where she died.

What will be interesting to see is whether the courts rule that the hospital was negligent in its security, contributing to the success of the ransomware and by extension the death of the infant.

Springhill declined to name the hackers, but Allan Liska, a senior intelligence analyst at Recorded Future, said it was likely the Russianbased Ryuk gang, which was singling out hospitals at the time.

They’re certainly never going to be held accountable.

An Alabama woman whose 9-month-old daughter died has filed suit against the hospital where she was born claiming it did not disclose that its computer systems had been crippled by a cyberattack, which resulted in diminished care that resulted in the baby’s death.

Springhill Medical Center was deep in the midst of a ransomware attack when Nicko Silar was born July 17, 2019, and the resulting failure of electronic devices meant a doctor could not properly monitor the child’s condition during delivery, according to the lawsuit by Teiranni Kidd, the child’s mother.

Left with severe brain injuries and other problems, the baby died last year after months of intensive care at another hospital.

The lawsuit, initially filed in Mobile County in 2019 while Nicko was still alive, was first reported by The Wall Street Journal on Thursday.