North Korea-sponsored cyber attackers targeting healthcare, feds warn

The Federal Bureau of Investigation and other agencies issued a warning Wednesday to public health organizations. Health systems are urged to take steps to protect patient data.

Federal authorities issued a warning to healthcare organizations that cyber attackers backed by the North Korean government have been targeting the health sector.

The Federal Bureau of Investigation, Cybersecurity & Infrastructure Security Agency, and the Treasury Department all issued a joint Cybersecurity Advisory Wednesday.

The advisory offered details on “Maui ransomware.” Federal authorities said North Korean-sponsored cyber actors have been using Maui ransomware to target the healthcare sector since May 2021. The advisory also offers several technical steps and recommendations for healthcare organizations to mitigate the threat.

“The FBI assesses North Korean state-sponsored cyber actors have deployed Maui ransomware against Healthcare and Public Health Sector organizations,” the advisory stated.

Health systems, hospitals and other health sector organizations should only store personal patient data on systems protected by firewalls, and ensure extensive backups in the event data is compromised. Health systems should limit access to data and monitor devices to see if any are operating erratically, the federal agencies advised.

While most health systems are using firewalls to protect data, too many aren’t taking that step. Roughly 1 out of 5 health systems aren’t using firewalls, Lee Kim, the director of privacy and security for the Health Information and Management Systems Society, said at the HIMSS 2022 conference in March.

Health systems and hospitals that experience a breach should report it to their local FBI branch or to CISA.

Federal authorities also warn health systems not to pay ransom requests, and suggest payments could lead to sanctions.

“The FBI, CISA, and Treasury highly discourage paying ransoms as doing so does not guarantee files and records will be recovered and may pose sanctions risks,” the agencies said in the advisory.

The advisory said state-sponsored actors are going after health systems because they view them as willing to pay.

“The North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services that are critical to human life and health,” the advisory stated. “Because of this assumption, the FBI, CISA, and Treasury assess North Korean state-sponsored actors are likely to continue targeting HPH Sector organizations.”

Healthcare organizations have been battling cyberattacks for years, and the risks seem to be growing.

Hundreds of cyberattacks involving healthcare companies and patient records were reported to the government last year, and more than 100 breaches were reported in the first quarter of 2022.

State-sponsored cyberattacks appear to be a growing risk. FBI Director Christopher Wray said last month that hackers backed by Iran’s government attacked Boston Children’s Hospital. The attackers failed to cause major damage or problems in that 2021 attack, Wray said.

Federal authorities have also warned hospitals and healthcare systems to be wary of cyberattacks linked to Russia’s invasion of Ukraine.

Cybersecurity attacks create havoc in healthcare systems and can also prove to be very costly. The average cost of a breach rose to $9.4 million in 2021, an increase of $2 million over the previous year, according to a report by IBM.

Nearly 45 million Americans were impacted by breaches involving private health information in 2021, up from 34 million in 2020, according to a report by Critical Insight, a cybersecurity company. Millions of Americans have already been affected by breaches reported this year.

The advisory from federal authorities also urged healthcare organizations to create or maintain emergency response plans in the event of a cyberattack, including how to handle a ransomware incident.

North Korea has been engaging in cyberattacks around the world, including attacks on financial institutions and cryptocurrency exchanges, according to CISA.

Stephan Chenette, co-founder and chief technology officer of AttackIQ, a cybersecurity firm, said healthcare companies must understand the nature of ransomware attacks to employ better defenses.

“Since the onset of the COVID-19 pandemic, we’ve seen threat actors leverage this global crisis to target healthcare organizations — stealing this highly valuable patient data and creating general unrest,” Chenette said in a statement.

“This alert serves as the latest reminder that organizations simply don't exercise their defenses enough, and healthcare organizations, in particular, should be evaluating their existing security controls to uncover gaps before an attacker finds them,” he said.