Israeli hospitals have seen a marked increase in cyber attacks since the start of the coronavirus pandemic and last week, ransomware hackers targeted Hillel Yafe Hospital in Hadera — a coastal city approximately halfway between Tel Aviv and Haifa — in an event, the scale of which is still unclear.
The hospital said that it did not receive any advance warning ahead of the attack and claimed that it switched to alternate systems, which did not affect the hospital’s running – aside from some non-urgent treatments, according to The Times of Israel.
The hospital released a statement that said “the incident was immediately reported to the Ministry of Health and Cyberpro Israel, and is in the care of the experts in the field.”
Israel’s National Cyber Directorate, which is responsible for promoting cybersecurity in the country, issued an advisory last Wednesday urging both healthcare providers and “organizations in the economy” to review their systems.
NoCamels interviewed cybersecurity experts both about the attack on Hillel Yafe Hospital and more generally the measures that even the smallest companies can make to attempt to thwart cyber gangs and nation states from collecting their data.
Scale of the problem
Reuven (Rubi) Aronashvili, CEO of Herzliya-based CYE is very matter-of-fact in his assessment of cybersecurity. “We should start with the basic assumption that every organization – no matter how small – is the potential target of hackers and they should take even the most rudimentary steps to prevent cyber attacks. No organization is 100 percent resilient to attack.”
He adds that “the Israeli market – along with the United States is one of the most targeted in the world. No company is ever going to be completely safe but if we apply basic cyber hygiene – the basic foundations of cybersecurity – a firm does not necessarily need to spend large sums of money or use something highly sophisticated. It’s very annoying to see that.”
Ido Geffen, VP Customer Success & Support at CyberMDX, an Israeli healthcare cybersecurity provider explains that the shift from in-person consultations to remote and teleworking, including remote connection solutions, potentially makes the system both more attractive and susceptible to attacks.
In the specific case of Hillel Yafe Hospital, Geffen admits that the hackers got through the hospital’s systems. It realized that parts of systems were likely encrypted – including some back-ups – which required the hospital to move from using computers to a pen and paper system. Doctors and medical staff were also forced to shuttle between hospital departments as they could not call up a patient’s records on the system.
“It’s true that an important system was attacked and encrypted, although it seems that initially at least, the incident was contained. Fortunately, it does not appear that the encryption included medical devices. It is difficult to underestimate the severe impact and how much more dangerous – particularly with regard to patient safety – it would be if bad actors gained access to CTs, MRIs, fusion pumps, or respirators,” he says.
With so many nefarious players in the cyber world looking to wreak havoc, it is tricky to pin down exactly which group or nation may have been behind the attack. Both Aronashvili and Geffen divided the actors who perpetrate cyber attacks into two broad categories.
“There are those attackers who are simply looking for financial gain, and they may also attack banks or financial institutions, and those types of attacks never end,” remarks Aronashvili. “Whether they are after bitcoin or blockchain, those attacks are pretty traditional,” Geffen says. He also states that hackers can charge at least double on the black market for medical records that also include financial data.
Sign up for our free weekly newsletterSubscribe
It should be noted that sometimes nation states or state actors will use criminal cyber gangs to undertake missions on their behalf, to attempt to obscure the actual source. However, Aronashvili notes that in the case of North Korea, for example, there is a specific need to attempt to extort tens of millions of dollars for an internationally ostracized country under tough sanctions. He adds that it would be more unusual for a Russian or United Kingdom gang to extort an Israeli hospital, preferring to “keep their own capabilities under wraps more.”
In the second category, organizations such as hospitals are highly attractive targets, particularly for the wealth of information – including private data on thousands of citizens, such as national identification or social security numbers, bank account details, credit card information, and more. Geffen termed hospitals’ ripeness for an attack as being a case of “low-hanging fruit.”
Hospitals susceptible to cyber attacks
Aronashvili sees it similarly, suggesting that hospitals are susceptible due to a number of potential pressure points, coupled with what he believes is a general lack of investment in cybersecurity. He was not speaking specifically about the Hillel Yafe Hospital, adding that it was an issue familiar to medical centers and healthcare organizations throughout the world. However, he maintains that healthcare organizations’ management teams need to alter their outlook somewhat and acknowledge that cybersecurity is there to serve the business, and understaffing and underbudgeting need to be addressed.
“Healthcare delivery organizations have a unique pain or challenge,” Geffen states. “In addition to the IT infrastructure, such as work stations, tablets and cell phones, they have connected medical devices into the network.” With the average age of an MRI machine more than a decade old, they are run using outdated operating systems that cannot generally run upgraded apps.
Geffen points to an additional issue – particularly in the United States – namely that the first lines of code used in firmware is so old that if a manufacturer wishes to upgrade a medical device using patches and other upgrades – they require FDA approval to do so – a process that can take months. “It is not an easy task and the cost of doing so can be prohibitive.”
Aronashvili’s simple prescription for improved safety in hospitals (and other organizations) is for a change in culture and for cybersecurity to be conducted on a macro scale the same way that it would be for an individual. “Would a person print out a page with their username and password for their bank account and stick it to the wall?” he asks rhetorically. “Of course not. So, why are their offices across the world that do this, with just as, if not more sensitive information affecting a greater number of people?”
“The majority of attacks – around 80-90 percent – go through user or domain accounts – phishing emails and the like. If organizations can train people to be protective of its data like they are about their own, then that is a big step toward mitigating and mediating the danger from cyber attacks.”
Taking a layered approach
Both experts agree that a layered approach – not so dissimilar from the country’s missile defense strategy – is the most effective protection from attack. “If your first line of defense is breached, one might assume that each of the successive lines will be attacked,” Geffen says.
“It is the job of cybersecurity to make it as difficult as possible for those successive defensive lines to be breached. This is why it so crucial that hospitals or other organizations have segmentation and that the defenses are not flat. One of the most effective ways to address this is to ensure that each device can only access what is necessary. An administrative assistant in the management office does not need access to any medical devices,” he explains.
Aronashvili concludes that although in general Israel takes the issue of cybersecurity seriously, especially at a strategic national defense and essential infrastructure level, there needs to be an acknowledgment that the country is constantly under various attacks.
“Once we understand that we are at risk you need to get visibility into your organization and act accordingly. Hoping that your organization is too small or that the risk of attack is minimal is not an appropriate response. The model of how we have been doing things needs to be challenged.”
NoCamels reached out to Hillel Yafe Hospital, which did not immediately respond to requests for comments by the time of publication.