co-authored by Sarah Boyer

A recent string of hospital ransomware attacks around the world underscores just how personal the cyber-threats have become—they can mean life or death. By combining focused spear-phishing and whale hunting tactics with automated exploits that target unpatched systems, hackers continue to threaten our healthcare system.

In Ontario, Michael Garron Hospital (formerly known as Toronto East General) announced they were recently compromised by the Ryuk ransomware – a ransomware variant that was first discovered in 2018. From their early reports, it appears that the IT department at Michael Garron Hospital was quite successful in containing the problem, and proactive in assigning resources to protect against further damage. According to research published by Checkpoint, Ryuk ransomware is delivered manually, but that doesn’t mean that a payload (i.e. a Trojan) precedes the malware to allow hackers access to the target resources. This type of ransomware doesn’t typically propagate across a system on its own but the recommended response is still to segregate all systems and turn off networks.

Just a week ago, two hospitals in Southwestern Ontario were also hit in a ransomware attack. Although it seems that no payment has (yet) been requested, the proliferation of these attacks illustrates how random they can be. However, within the randomness, there is a pattern. In the last week, we have seen three US and several Australian hospitals partially close their doors to patients due to similar attacks.

A trend that I’m seeing in this latest round of incidents is how organizations are responding to them. From a public relations perspective, the impacted hospitals were quick to get in front of the news and announce that no data was compromised and that critical functions weren’t impacted. The data breach playbook is well known by now, and at Michael Garron Hospital the situation even has a name – Code Grey. This code used to be reserved for a more physical type of emergency management response (i.e. think pipes and electricity) and this designation shows how important computers are to modern health.

These latest attacks are compelling because it is further proof that hackers are now targeting smaller public organizations and lower levels of government. This includes smaller cities and municipalities that are resource-challenged when it comes to IT protection. However, the severity of the impact is amplified by the type and value of the information that these organizations store. For example, in a recent case that hit the local government in Stratford, they ultimately had to pay out $75,000 in bitcoins after spending months of effort trying to recover.

The landscape has changed; healthcare and smaller public sector institutions are the latest example of how there is no target small enough for a cyber-thief motivated by greed. Even small clinics, that are closer to a local business than a healthcare facility, are vulnerable and largely unprepared as we can see from a recent California provider that had to cease operations forever.

The only current solution is mitigating risk with defence-in-depth (aka multiple cybersecurity tools working together) and a good PR plan. CIRA has a few layers in placeat several hospitals across the country and we continue to do our best to help make a better online Canada.