A group of cybercriminals known as “FIN12” is expanding hacking operations and repeatedly targeting the health care industry with ransomware attacks, according to a new report by cybersecurity firm Mandiant.
“This is a group that we have responded to so many times that we want to bring out the story, so that everybody can start defending themselves more effectively,” Mandiant chief executive Kevin Mandia told CBS News.
The hackers are shutting down systems — hampering access to patient records, the transmission of radiology imaging and other functions, which heightens risk to patients — until a ransom is paid.
Russian-speaking hackers behind the widespread hacking campaign check financial statements before cherry-picking their victims, demanding ransoms sometimes reaching into the millions of dollars.
“Over 20% of the ransomware attacks that we respond to as a company are FIN12,” Mandia said. “And when you respond to somebody that frequently, like a detective, you start knowing their fingerprints, their tradecraft.”
For FIN12, hospitals and clinics are frequently the target. Nearly 20% of the group’s victims are part of the health care industry. According to the Mandiant report, over 70% of targets are based in the United States, but FIN12’s attacks outside of North America doubled in the first half of 2021, surpassing 2019 and 2020 collectively.
Mandia says the Russian-speaking group is “absolutely” putting American lives at risk.
“The attacker does not know the damage they’re causing, what its impact will be, what the collateral damage will be,” Mandia added. “When they launch that attack, there’s… a big zone of potential outcomes, and all of them are bad.”
The Ponemon Institute, an independent research group that helps hospitals identify and eliminate patient safety risks, surveyed over 500 health care delivery organizations. Nearly a quarter of those impacted by ransomware attacks on patients told researchers the result was deadly.
According to the Ponemon Institute, of the 43% of health care organizations that reported being a victim of ransomware attacks, 22% told researchers their patient mortality rate increased after the attack. A whopping 71% self-reported their patients spent more time hospitalized.
The same report found that 61% are not confident about their abilities to mitigate the risks of ransomware attacks during the COVID-19 outbreak, a slight increase from the pre-pandemic days.
Ed Gaudet, CEO and Founder of Censinet, the health care risk management company that funded the Ponemon Institute’s research, said the results are a “wake up call” for the health care industry. “The data would suggest people are dying. There’s an increase in mortality rates based on ransomware attacks,” Gaudet said.
Gaudet called ransomware “the greatest stressor to doctors and nurses and their ability to deliver care to patients,” adding that attackers can target all sectors of the hospital, including the intensive care unit and emergency room.
“When a ransomware attack happens all services are shut down in a hospital. The doctors, the nurses, they don’t have access to the records and so they cannot deliver effective patient care,” Gaudet told CBS News.
But the ransomware attacks also have long-term negative impacts on hospitals, according to a new analysis conducted by the Cybersecurity and Infrastructure Security Agency (CISA) and released last Friday.
CISA’s analysis found a troubling relationship between cybersecurity intrusions and loss of life, particularly among hospitals that have reached “crisis standards of care,” in states forced to ration resources after ICU beds filled up amid the pandemic.
Although CISA’s report notes there are no deaths “directly attributed to hospital cyberattacks,” analysis shows ransomware attacks lead to “worsened health outcomes, which can be measured in the time of the COVID-19 pandemic in excess deaths.”
Researchers found that neighboring hospital systems are better equipped to “absorb” patient demands after a hospital suffers a ransomware attack in “peacetime.” But during the coronavirus pandemic, cyber attacks that disrupt a health care system’s ability to access electronic health records increase hospital strain, resulting in greater ambulance diversion and increased mortality.
But the attacks also complicate long-term patient care because hospital staff are forced to spend “more time tracking a patient’s health history.”
“Downstream effects include cancelled or delayed surgeries and cancer treatments, closure of several COVID-19 test collection sites, inability to submit radiology imaging and loss of communication between hospitals in the network,” the report found. “This forced critical patient diversion, paper-based record keeping and suspension of care to high risk patients.”
Springhill Medical Center in Alabama, which was the victim of a ransomware attack in July 2019, is currently being sued by a woman who claims the cyberattack, which diminished the hospital’s ability to provide care, led to the death of her 9-month-old baby.
Teiranni Kidd’s daughter was born amid a ransomware attack on the hospital. The lawsuit, obtained by CBS News, alleges doctors were unable to properly monitor the child’s condition during delivery, which left her with severe brain injuries. The child died last year after months in intensive care at another hospital.
Nearly a year ago, the FBI and Department of Homeland Security issued a joint advisory warning health care systems of the “credible threat” posed by ransomware criminal gangs willing to make a quick buck just as COVID-19 deaths spiked. That risk has only increased in 2021.
To curb the threat, cybersecurity experts say the U.S. must impose greater consequences for cybercriminal actors willing to target hospitals and medical providers.
“It would stretch credulity to think you can make millions of dollars with ransomware, and you’re just gonna stop doing it,” Mandia said.
Andres Triay contributed to this report.