On 04 June 2024, multiple hospitals in London declared a “critical incident” following a ransomware incident targeting a pathology services company called Synnovis. The incident resulted in multiple medical practices, including major hospitals, being unable to perform tasks such as blood transfusions or rapid testing of blood samples. Cascading impacts of this outage included cancelled surgeries and procedures, along with redirection of patients to other facilities.
As analyzed previously, the increase in friction and time to care for patients in aggregate WILL lead to adverse results, even if it is difficult to identify a specific person or individual whose care was dramatically impacted. Thus while we may (hopefully) not encounter a situation where the incident at Synnovis resulted in critical patient outcomes (such as death), all available evidence and past analysis indicates that real, physical harm is being done to patients through this event.
Furthermore, the incident in London does not stand alone. Earlier in 2024, UnitedHealth subsidiary Change Healthcare suffered a ransomware incident that effectively ground critical functions, such as prescription fulfillment, to a halt while also jeopardizing the personal data of millions of Americans. These macro, system-wide events mask a sea of more “minor” incidents at local, rural, and similar hospitals, resulting in impacts such as potentially damaging shifts in emergency room care and similar that can endanger patient outcomes.
Ransomware in medical environments has become so pervasive that it has made its way into regular news reporting and even entertainment. In doing so, we have collectively witnessed a concerning development: a state where ransomware events are not merely understood but also accepted and expected as part of a new medical “normal,” alongside other incidents such as mass casualty events or power outages. The steady, unrelenting stream of incidents over many years has inured us to an act that should be considered as beyond excuse or tolerance, and accepting that this is simply the new reality of healthcare operations.
This perspective is not merely suboptimal, but frankly dangerous. By normalizing that which should neither be accepted nor tolerated, we make space in our existence and society for actions that should be eliminated. Ransomware is an epidemic that has persisted for years, but the continual assault on critical infrastructure entities, especially hospitals and medical care, is beyond unacceptable. Yet we have now find ourselves in a place where each new breach is met with either a shrug or (if it impacts us directly through yet another data loss or disruption of service) consternation.
Most reactions to events such as the Change Healthcare incident focus on blaming targeted entities: how could the organization be so careless, shortsighted, penny-pinching, or other as to allow such a security incident to happen? There is merit to this claim, and the “new normal” means that healthcare organizations must allocate scarce resources away from those items directly benefiting patient outcomes to bolstering or improving their cybersecurity posture.
However, this “new normal” obscures or deflects from other considerations. Certainly, we expect hospitals and major healthcare service providers to provide and maintain minimally-necessary defenses against disruptive events such as ransomware, and further invest in the types of business continuity and disaster recovery planning to continue critical operations through such events. Yet the root of the problem is not the failure of healthcare providers – but rather the continued, unabated actions of international criminal entities carelessly targeting and harming these organizations with few (if any) material consequences.
There are certainly stories about how this ransomware group or that criminal network was “taken down” that hit the news, resulting in much triumphant back-slapping from government and law enforcement agencies globally. Yet like the mythical hydra, each “take down” seems to result in not just replacement of the supposedly eliminated entity, but a type of metastasis where multiple new, equally if not more concerning entities arise to take their place. This sequence of events has repeated itself through various “disruptions” leading some to ask: just what cost is really being imposed on such operations, and why is the current state (or limits to) action so insufficient in resolving the problem?
In an ecosystem where entities emphasize items such as “imposing cost” or “defending forward,” we MUST ask ourselves bluntly: do these actions properly and adequately address the issues at hand? Based on all available public evidence, the resounding answer at the moment is absolutely not, as ransomware entities and other eCrime affiliates continue to operate with relative impunity against vital civilian services. For every disruptive action or take down, another incident such as the 04 June London event or Change Healthcare takes place, with innumerable smaller (and just as impactful) localized incidents in between.
At present, much of the US policy establishment engaged in cyber questions is banging the drum about PRC-affiliated entities such as Volt Typhoon, and their prepositioning to take down or harm critical national infrastructure. While all available evidence indicates these entities are an emerging threat, they remain a future consideration. In the meantime, criminal elements are actively disabling critical national infrastructure right now to significant negative effect.
Given current circumstances, we should ask ourselves whether a focus on a possible future threat scenario (e.g., Volt Typhoon) should trump continuing impact scenarios due to ransomware. Moreover, if we shift the narrative of ransomware activity, particularly those targeting entities such as healthcare institutions, away from criminal justice towards national security considerations, what options for response, deterrence, and prevention might be unlocked? The US continues to be viewed as a titan in the cyber landscape despite the lack of commercial APTs named after its cyber entities, yet the continued success of eCrime entities such as ransomware affiliates calls into question just what this prowess is used for.
Based on the ransomware epidemic, policy makers and other decision makers must begin to question our current path – and pointedly ask at what stage do US entities such as US Cyber Command or other offensive organizations shift footing to a more active posture against ransomware actors. While some may advocate for increased law enforcement or even kinetic operations against ransomware entities, physical realities will prevent this from taking place in many circumstances. But deploying some of America’s (and other Western) cyber “might” actively against eCrime activity that is immediately harming citizens and others seems obvious at this stage. While there will almost certainly be collateral damage and other considerations to address, circumstances have moved so far beyond control that actively destroying command and control frameworks and directly targeting ransomware affiliate networks and resources seems the only answer among limited options to begin addressing the issue. Essentially, costs must be imposed, but the degree to which they have been thus far has proven inadequate – the gloves must come off.
Approved for Public Release; Distribution Unlimited. Public Release Case Number 24-1857
The author’s affiliation with The MITRE Corporation is provided for identification purposes only, and is not intended to convey or imply MITRE’s concurrence with, or support for, the positions, opinions, or viewpoints expressed by the author.‘©2024 The MITRE Corporation. ALL RIGHTS RESERVED.
0 Comments