North Korea loves hospitals — hacking them, that is. According to a cybersecurity advisory released by the US government in February, the Democratic People’s Republic of Korea (DPRK) has directed its army of elite hackers to create new revenue streams for the regime by infecting healthcare providers with ransomware. Perceived by the regime as soft targets ready to be squeezed for every won, pound, and dollar, hospitals and clinics have never been more vulnerable to one of the world’s foremost cybercriminal operations — and other groups like it.
In many ways, hospitals make perfect targets for ransomware gangs. Not only do they host a deep well of private and important personal data, but they’re run by doctors, nurses and healthcare administrators with more pressing matters on their minds than ensuring today’s backup went to the correct server. As such, many cybercriminals assume that healthcare providers will pay ransoms quickly and quietly to guarantee the smooth operation of their facilities, which might be the main reason why the number of ransomware attacks on such organisations spiked by 94% year-on-year in 2022.
The impact of these attacks ranges from benign to tragic. In one lawsuit filed in 2020 and first reported in 2021, Teiranni Kidd, a former patient of Alabama’s Springhill Medical Center, sought damages after her child suffered severe brain trauma during birth. The plaintiff contended that, in the chaos of the hospital’s response to an ongoing cyberattack, staff missed troubling signs of her baby’s condition — a mistake she believes led to the child’s untimely death.
Hackers aren’t dissuaded by cases like Kidd’s, whose suit is still being considered by the Alabama court system. In fact, explains cybersecurity expert Erich Kron, cybercriminal gangs use this fact to their advantage. By “leveraging the mission-critical nature of healthcare and the threat of public disclosure of potentially embarrassing medical records they like to steal, [they] push for prompt and exorbitant ransom payments,” says the security awareness advocate at KnowBe4.
Stolen medical data can also fetch a high price on the black market, where it is particularly valuable for criminals seeking to steal identities. “This,” says Kron, “all adds up to a really lucrative target that some bad actors simply cannot ignore.”
Hospitals are also often easy prey, in part due to their reliance on third-party cloud and security vendors. “All these factors have expanded the attack surface of healthcare organisations and added to the complexity of securing data across platforms and devices,” says Amit Trivedi, senior director of informatics and health IT standards at the Healthcare Information and Management Systems Society (HIMSS.) Hospitals generally operate a large array of connected devices — from smart TVs to monitoring tools and medical devices — which provide “more opportunities for an attack,” says Trivedi.
It’s also fairly common knowledge that most healthcare organisations have limited resources, overstretched staff, and tight budgets, especially in the wake of the Covid-19 pandemic. “It is a constant challenge for hospitals to keep current with the latest cyber threats, challenges and mitigation practices,” says Trivedi.
Culprits come from around the world, but state-sponsored North Korean hackers are some of the most ruthless and relentless, especially when it comes to attacks on critical infrastructure. In its February advisory, US officials advised that North Korean hackers had used about a dozen types of malware and ransomware to attack hospitals and healthcare systems. “Several hospitals, including hospitals in the US, have had to weather major disruptions due to this North Korean campaign at a time when they have been under enormous strain,” wrote John Hultquist, an intelligence analyst at security firm Mandiant.
North Korean hackers aren’t just prominent because of their scale. “The North Korean groups are also quite sloppy,” says Chris Doman, chief technology officer at Cado Security. “It’s not uncommon to see North Korean IP addresses in attacks, particularly when they’re using a VPN and it drops out. This is a mistake, because it’s easy to trace back to North Korea.” It’s also fairly easy to connect attacks because North Korean groups generally rely upon “a shared code base dating back over a decade,” adds Doman. These groups have even been known to commit the most infamous cybersecurity no-no: repeating passwords.
Nevertheless, North Korea undoubtedly has “some incredibly talented developers too,” says Doman. They’re also highly motivated. Some ransomware groups made healthcare providers off-limits during the Covid-19 pandemic, but the DPRK’s finest had no such qualms. “North Korean attackers will do anything to gain money to fund the regime,” says Doman.
Experts recommend various strategies to help hospitals shore up their defences and fend off attackers — many of which follow standard cybersecurity wisdom. “Hospitals should have a policy in place to ensure that all software and systems are up to date with the latest security patches,” says Trivedi. They should also mandate multi-factor authentication to protect sensitive information and implement firm password policies for staff, he continues, including the standard recipe of ensuring all passwords consist of a combination of letters and numbers as well as being regularly updated.
There are also various ways to minimise the potential devastation when attackers break through these defences. “Regular backups of data can help hospitals recover quickly in the event of a ransomware attack,” says Trivedi. This should be “stored off-site and tested regularly to ensure that data can be quickly restored.” Systems should also be divided by digital firewalls so that essential clinical devices aren’t on the same network as administrative devices. This means that critical systems are cut off from the most frequent source of ransomware — phishing emails — and can remain operational during an attack, thus preventing some of the most lethal potential damage.
Planning is also critical, argues Trivedi. “A robust incident response plan is essential to quickly identify and respond to a cyberattack,” he says. “The plan should include procedures for reporting and investigating incidents, as well as communication strategies for notifying stakeholders and mitigating the impact of an attack.”
But the most important remedy might be more social than technical. More than 90% of successful cyberattacks begin with a phishing email, according to the Cybersecurity and Infrastructure Security Agency. That’s why educating workers on red flags to watch out for can have a big impact.
“Continuous training and simulated phishing attacks can really help the staff to be better prepared,” says Kron. Drills help staff “identify gaps in the incident response plan and improve overall preparedness,” adds Trivedi.
This, of course, is much easier said than done, given resource constraints across every hospital from Seoul to Southampton. Even so, healthcare providers will have to increasingly prioritise digital hygiene in their ongoing efforts to protect patients — the better to prevent your average North Korean hacker from locking out their systems.
This piece was originally published by Tech Monitor on April 26.