From ransomware to killware: Is the future of cyberattacks turning more sinister?

By Claire Reilly, RN MSc, Director, Clinical Operations at Imprivata

October 27, 2021

HDOs have witnessed ransomware’s danger to patient health for years. But is killware the next big threat?

Some big news came out of little Oldsmar, Florida in February – but relatively few people took notice. And yet, a drama of Hollywood proportions was quietly unfolding near the shores of the Gulf Coast, which Senator Marco Rubio quickly deemed “a matter of national security.”

Hackers had breached the city’s water treatment system and attempted to poison its water supply by increasing the level of sodium hydroxide “by a factor of more than 100.” Commonly known as lye, the chemical is used in small amounts to control water’s acidity.

According to the Tampa Bay Times, a plant operator “watched as someone took control of the mouse, directed it to the software that controls water treatment, and increased the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million.”

Fortunately, the operator witnessed the malicious activity and immediately reset the system to safe levels. But the incident illustrates what federal officials and cybersecurity experts have been warning government agencies and critical industries about for years.

Critical infrastructure at risk: Government sounds the alarm

For some bad actors, whether foreign or domestic, the goal of cyberattacks isn’t financial – or even political. It’s solely intended to create chaos and cause harm. In a recent USA TODAY article, Secretary of Homeland Security Alejandro Mayorkas said the Florida attack was clearly designed to harm people. “And that should have gripped our entire country.”

The intrusion “demonstrated the grave risks that malicious cyber activity poses to public health and safety," he explained. “The attacks are increasing in frequency and gravity, and cybersecurity must be a priority for all of us.

“The Oldsmar intrusion was one of many indications that malicious hackers are increasingly targeting critical parts of the nation’s infrastructure – everything from hospitals and water supplies to banks, police departments and transportation – in ways that could injure or even kill people,” Mayorkas said.

Analyst predictions: The weaponization of operational technology

The Secretary is not alone in warning government and industry leaders and IT professionals about the disturbing threat of what some in the industry are calling “killware.” Recent reports from analyst groups and other experts also paint a bleak picture. Here are some of the most striking observations and predictions about the risks of cyber-physical system (CPS) security incidents affecting operational technology (OT) environments and Internet of Things (IoT) devices and networks:

From a Gartner press release, July 2, 2021:

  • “By 2025, cyber attackers will have weaponized operational technology environments to successfully harm or kill humans.”
  • “The financial impact of CPS attacks resulting in fatal casualties will reach over $50 billion by 2023.”
  • “Most CEOs will become personally liable for such incidents.”
  • “In operational environments, security and risk management leaders should be more concerned about real world hazards to humans and the environment, rather than information theft.”

And from a recent Forrester report, Q2 2020:

  • “Connected medical devices can make up 74% of the devices on a hospital’s network, yet these devices are typically invisible in the eyes of traditional endpoint and network security solutions."
  • “84% of security professionals believe IoT devices are more vulnerable than computers.”
  • “Several cases have been identified over the past few years where attackers directly compromised a medical device as part of overall campaigns against hospitals.”
  • “67% of enterprises have experienced an IoT security incident.”

Healthcare in the crosshairs: How ransomware affects patient care

The potential horrors of killware aside, it’s important to remember that healthcare delivery organizations (HDOs) have historically been a perennial favorite of criminal intrusions – and continue to be heavily targeted by ransomware attacks. And while ransomware remains a serious challenge for many industries, HDOs are often more acutely affected because of the increased danger to patient health.

Recent reports of disruptions caused by such incidents include two that some claim are among the first deaths directly attributable to the adverse effects of ransomware:

  • An elderly cardiac patient in Germany died after her ambulance was redirected to an ER 20 miles away, following an attack on Düsseldorf University Clinic’s servers
  • A lawsuit aimed at Springhill Medical Center in Mobile, Alabama claims that brain injuries leading to the death of a newborn were due to diminished care following a cyberattack

But experts say that while incident-related deaths are relatively rare (at least in official statistical reporting – the lack of which can seem quite glaring) more common are the dangerous disruptions to patient care which can result in:

  • Patients being turned away due to ER closures and the cessation of other key services
  • Lack of access to EHRs, medication systems, and other diagnostic and treatment tools
  • Patients experiencing longer hospital stays and delays in critical tests and procedures
  • Clinical and support staff (already taxed by COVID pressures) facing additional stress

A new study reports dramatic effects of ransomware on patients and HDOs

While there has generally been scant statistical data about how – and the extent to which – patients and hospitals are negatively affected by ransomware attacks, new research suggests that these incidents can have life-or-death consequences.

A report entitled, “The Impact of Ransomware on Healthcare During COVID-19 and Beyond,” by the Ponemon Institute (and its sponsor, Censinet) reveals some striking results that point strongly to a link between ransomware and mortality rates.

In a statement to Healthcare IT News, Dr. Larry Ponemon, chairman and founder of the institute said, “Our findings correlated increasing cyberattacks, especially ransomware, with negative effects on patient care, exacerbated by the impact of COVID on healthcare providers.”

Based on a survey of nearly 600 IT and IT security healthcare professionals, key findings include:

  • Nearly 70% of organizations said they’ve been victims of ransomware – a third of whom having experienced two or more attacks
  • Almost 25% of respondents reported increased mortality rates following a ransomware attack
  • 71% of participants noted that patients experienced longer stays after an attack
  • 70% of HDOs reported poor patient outcomes caused by delayed tests and procedures
  • And 61% of respondents said they lacked confidence in their ability to mitigate the effects of ransomware, due in part to COVID-related stressors

Is your organization prepared to guard against increasingly dangerous and costly attacks?

If, like many HDOs, you too lack confidence in your organization’s ability to repel malicious and dangerous attacks – while shielding patients from adverse effects, ensuring your ability to deliver quality care, and protecting your bottom line – it’s time to reassess your security strategy.

You can’t afford to wait. Now’s the time to prepare and safeguard against criminal data breaches, the scourge of ransomware, and the ominous potential of killware. Leading security experts agree that no one control element is infallible, so the safest environments rely on a multi-layered approach for strengthening security strategies.

Learn how your organization can be more strongly positioned to repel attacks and protect patients and staff from harm with a defense in depth security strategy – based on the Imprivata digital identity framework.