Healthcare and ransomware are in the news in a big way. Data leaks are inevitable, but those are typically associated with accidents by the general public. Possibly the most malicious type of data spillage is when people compromising said data decide to do the spilling. It’s one thing to accidentally leave a database exposed; it’s quite another for someone else to grab it, then blackmail the data owners to pay up or else.
Well, we have our "pay up or else" business model and have done for some time; it’s called ransomware. We also have our latest pay up or else story, in the form a of New Zealand health system compromise.
Last week, a part of New Zealand’s health service was brought down. Specifically, one district’s “entire IT network” which caused appointment cancellations, postponed surgeries, and deferred outpatient activity at rural hospitals. Disruptions during normal times...remember those?...are bad enough. Anything interfering with hospitals during the pandemic is as danger-filled as it gets.
Let’s not forget that with lockdowns easing off, there’s lots of people out there with severely delayed non-Covid treatments waiting. Imagine wait to be seen for a year or more, finally landing an appointment, and then it’s cancelled because of people breaking into computer systems. Worse, Covid-19 infection numbers aren’t exactly stable. People could lose their slot, discover their area’s had a sudden outbreak, and then they’re left waiting...again.
The human cost of any attack on health services is absolutely horrendous. As far as the attack in New Zealand goes, the ITPro article mentions investigators suspect the “initial incursion” came about via a bogus email attachment. However, the Health Service newsroom page doesn’t mention this or go into further details while investigations are taking place.
Being shut out of systems is bad enough. Having to cancel appointments, or (for example) lose access to crucial patient data, is also a disaster. The promise of attackers dropping confidential information across the internet or putting it up for sale is the icing on a terrible slice of cake.
Where ransomware is concerned, this can happen should victims refuse to pay up. “Best” case scenario, they’re permanently locked out of encrypted files once the payment deadline passes. Worst case, they pay up and the files remain encrypted. Or, they refuse to pay and then the documents start to leak, and drip, into places they should never go.
It seems the group behind the ransomware have indeed done some leaky dripping, because the victims refuse to pay. Private patient information has found its way to media outlets, according to Reuters. Documents purportedly include names, addresses, and phone numbers of patients and / or staff.
Pay up...or else (maybe)
Passing this information to media outlets feels very much like the warning shot across the bow. If the situation here is the attackers are holding out for payment, the next step will be a dump of data to more public locations.
Note that nobody bar the affected organisation knows for sure at this stage. They won’t reveal if this initial leak is off the back of a request for payment, or some other demand. This is because they’re concerned that discussing details publicly could shape the attacker’s next steps. As a result, we’re all waiting to see what happens next (or, quite possibly, doesn’t).
A critical mass approaching
Ransomware is increasingly in the news for causing severe harm and disruption. If it isn’t hospitals and healthcare, it’s incredibly important oil pipelines. These attacks are now generating levels of heat towards attackers perhaps not seen before. If things keep going like this, who knows where things will end up. When critical infrastructure, healthcare, and other important functions are impacted, you can bet governments won’t sit idly by. The question is: Who will win this digital arms race?