For 10 days hospitals were unable to provide their primary function: taking care of the sick.
Seven days ago DCH Health System resumed intake of patients after a ransomware attack knocked three of its West Alabama hospitals' systems offline. The "diversion protocol" was lifted after 10 days.
For 10 days hospitals were working to restore computer systems.
For 10 days hospitals were operating "under downtime procedures."
For 10 days new patients were deferred to hospitals in Birmingham, Alabama and Mississippi.
More often than not, the cyber news cycle reserves headlines for enterprises, not hospitals, schools or local governments. Those vulnerable institutions are forgotten.
While President Donald Trump requested a $17.4 billion budget for cybersecurity in 2020, state CISOs have been challenged by strapped security budgets since 2010. About half of state CISOs seek funding from intra-state cybersecurity programs.
Limited cybersecurity budgets allow hackers to prey on the already-strained, the already-wounded.
On average, enterprises spend more than 10% of their IT budgets on security. Less than 3% of state IT budgets are dedicated to cybersecurity in most states, according to the National Association of State Chief Information Officers.
Since Oct. 1, the first day of DCH's ransomware attack, there have been at least 15 recorded episodes of ransomware across U.S. healthcare networks, municipalities, school districts, police departments and employment agency offices, according to research from cloud security company Armor.
"Assumption would lead us to believe [cyberattacks on] schools, hospitals and municipalities, are more targeted than opportunistic."
Head of threat resistance unit research team at Armor
Armor found more than 500 K-12 schools were ransomware victims since January 2019. Emsisoft research revealed at least 621 government entities, healthcare service providers, and school districts, colleges and universities have been inflicted with ransomware since January.
"Assumption would lead us to believe [cyberattacks on] schools, hospitals and municipalities, are more targeted than opportunistic," Chris Hinkley, head of Armor's threat resistance unit research team, told CIO Dive.
Most cyberattacks are born of opportunity and intentional targeting — neither is mutually exclusive, said Hinkley. But either attacks' modus operandi is detrimental to small organizations.
Smaller entities, laden with holes in defense, are often lost in cybersecurity. They have just a fraction of the cybersecurity budgets of private sector counterparts, cementing their place as bad actors' favorite targets.
"The previous ransomware wave targeted enterprises, like Maersk," Adrien Gendre, chief solution architect at Vade Secure, told CIO Dive. "In response to this wave, large companies implemented stronger cybersecurity controls, including firewall and endpoint protection. Smaller companies typically don't have the same level of protections in place, making them more vulnerable targets."
The decision to pay a ransom is based on basic math: Will paying the ransom cost less than recovery? Hackers typically low-ball a ransom depending on the financial stature of their victims. Most ransoms are conservative, payable.
Ransomware is "a relatively low cost technique that can place devastating pressure on victims. Hackers are refining their demands to identify the optimal price that organizations will be willing to pay," John Dermody, counsel at O'Melveny & Myers, told CIO Dive.
While it's still considered taboo to pay ransoms, DCH Health System joined two Florida cities — hit earlier this year — in paying attackers to restore computer functions.
Riviera Beach, Florida paid hackers $600,000 in June to unfreeze its computer system. Hackers encrypted city records, disabled email systems, and disrupted digital payroll and 911 functions. About a week later, Lake City, Florida paid more than $460,000 in ransom after the "triple threat" malware rendered its phone and email systems inoperable.
Less than 3% of state IT budgets are dedicated to cybersecurity in most states.
Lake City's insurance provider encouraged the city to pay the ransom instead of risking the costs of recovery, estimated to be over $1 million.
"When [cybercriminals] find something that works, they do more of it," said Gendre. Until the frequency of payouts diminishes, don't expect ransomware hit jobs to stop. Cybercriminals "have shifted from 'Big Bang' attacks to death by a thousand paper cuts."
"They're targeting smaller quick hits of a few thousands of dollars," Gendre said.
In July, U.S. mayors agreed to cease ransomware payments, suspecting payments encourage further attacks. Several of the organizations Armor identified followed the mayors' resolution.
A Massachusetts police department was hit by ransomware in July attached with a request of $50,000. By Oct. 8, the department had yet to completely restore computer function or pay the ransom, which was reduced to $30,000.
Grappling with recovery, however, is a privilege to some victims. Other ransomware targets didn't weather as well.
Brookside Medical Center in Battle Creek, Michigan had patient records and services hacked in March. The hackers demanded $6,500, though the owners of Brookside declined to pay. The hackers, in retaliation, deleted all the encrypted patient files.
The practice, as a result, was forced to close.
Cornered by ransomware
Less than a week after it was attacked, DCH paid hackers an undisclosed amount because it had to.
"You don't have a choice. All your files are encrypted," Darren Hayes, assistant professor at Seidenberg School of CSIS at PACE University, told CIO Dive. "If your files are locked, the only way of continuing your business is to pay the ransom."
Backed into a corner, smaller entities largely act in an "everyone for themselves" protocol with a dreaded sense of urgency, according to Hayes. And public school districts are low-hanging fruit for hackers.
Students of Souderton area school district in Lansdale, Pennsylvania were instructed to power down school-issued devices and return them last month. District personnel shut down the district-wide computer network to prevent more damage, according to updates from the district.
Computer screens in the Cherry Hill school district in New Jersey displayed the word "Ryuk," a common ransomware family credited for attacking at least five education organizations earlier this year. Ryuk is often proceeded by Emotet and Trickbot trojans, according to Armor.
Delaying student education, while harmful, isn't as dangerous as hospitals unable to service patients.
"They're targeting smaller quick hits of a few thousands of dollars."
Chief solution architect at Vade Secure
Park DuValle Community Health Center was hit in June, leaving the healthcare provider unable to access medical records, patient contacts or insurance information for seven weeks, according to Emsisoft. A Wyoming healthcare provider, Campbell County Health, stalled inpatient admissions, canceled surgeries and sent ER cases to neighboring hospitals.
Healthcare organizations with large networks "may feel an increased pressure to pay a ransom to restore vital services," said Dermody. "It is one thing to lose your personal files and vacation photos, it is another not to be able to provide life-critical services to constituents."
The connectivity of healthcare providers intensifies a ransomware attack's severity. Hackers are targeting managed service providers (MSPs) because they "can provide an entry point to multiple clients, maximizing the efficiency of the attack," according to Gendre.
An MSP was manipulated in Texas' ransomware attacks and PerCSoft, a cloud management service for U.S.-based dental practices, according to Emsisoft. PerCSoft's ransomware infection rendered about 400 dental offices unable to access patient information.
Strapped for resources, these entities are forced to make difficult decisions based on levels of importance. Dermody suggests entities form a proactive relationship with the Department of Homeland Security and FBI, "that way they are not picking up the phone and trying to figure out who to call in the middle of a crisis."
The U.S. Senate recently passed the DHS Cyber Hunt and Incident Response Team Act, geared at aiding the private and public sector from cyberattacks. The bill, championed by Senator Margaret Wood Hassan, D-NH, codifies existing DHS cyber hunt teams, meaning there is no retroactive application.
The bill is "an important step in protecting Upstate New York school districts from the swaths of ransomware attacks that take hostage the personal information and vital data of our students, school employees and local governments," said Senator Chuck Schumer, NY-D, in an announcement.
Most victims of cybercrime are unprepared — in budget, staffing, solutions — making schools and hospitals prime targets.
Small entities are malware victims, just like enterprise victims, because "security is hard," said Hinkley. "Ransomware isn't the tool of compromise, it's the product, it's a symptom."
That "symptom" just happens to be most prevalent in smaller organizations. Governments, for example, are more likely to have "red tape" restraints and "bureaucracy hindering software and hardware updates," according to Hinkley. However, they are more capable of declaring a state of emergency in light of a cyber event, like Texas did.
Having connections to larger government bodies is a luxury other entities lack.
Cybersecurity risk is most pressing in the healthcare industry, according to Hayes. "There's been a lot of mergers going on, they've become a lot bigger. And with every healthcare record going digital, it means that they're more susceptible to widespread ransomware attacks."
"They don't have the same resources as a Microsoft or another type of company like that."
Assistant professor at Seidenberg School of CSIS at PACE University
"They don't have the same resources as a Microsoft or another type of company like that," said Hayes.
Schools and municipalities usually don't have sufficient resources to recover from a cyberattack, placing the organization in an existential crisis. Investments in backups and testing them to scale, could give organizations a realistic timeframe for recovery.
But depending on the strain of ransomware, some entities could require twice as much disk space to run a parallel backup in restoration. Without that additional disk space, restoration is challenging at best.
Security risks should be acknowledged in financial planning and personnel training.
Security, especially ransomware disguised in phishing schemes, is a people issue. "Expensive security systems aren't going to prevent an employee from clicking on a link in a phishing email," said Dermody. Training is a low-tech solution for cybersecurity improvements.