On October 1, three hospitals in Alabama—DCH Regional Medical Center in Tuscaloosa, Fayette Medical Center, and Northport Medical Center—reported that they were suddenly unable to check appointments or manage new ones because something was not right in their IT systems.

To begin with, most people thought it was a blip that would be over quickly. That was until the cybersecurity team at DCH, the company that owns the three centers, became aware of the fact that the entire IT system had been infected with ransomware. The origin of the incident, it was discovered, was a phishing campaign that ended up encrypting many files containing private and confidential information. To decrypt these files, the cybercriminals demanded a cryptocurrency ransom.

The consequences of this cyberattack were serious. For a start, the hospitals were forced to reject new patients—unless they were in a critical state—causing a clear danger, since the three hospitals are all in the same state. Ambulances were also diverted to other nearby healthcare centers. Patients with previously scheduled appointments had to call the hospitals to check whether they could still go ahead (many couldn’t). The only thing that the hospitals kept as they were were previously arranged surgical operations.

A similar case was seen in Australia, where seven hospitals’ IT systems were suddenly hit by a ransomware attack. The consequences for these centers, in Gippsland and south-east Victoria, were similar to those seen in Alabama.

The problem with critical infrastructure_

These kinds of incidents bring to light the difficulties with dealing with those most delicate of cyberattacks: those targeting critical infrastructure. These targets can include hospitals, electric grids, or even a public administration’s judicial system. In these cases, regardless of the cyberattack’s technical complexity, the most complicated thing to manage is the fall out that the victim organization has to deal with if it cannot provide its services with normality.

In the specific case of organizations in the healthcare sector, victims are not only at risk of economic loss after a cyberattack; they may also have to deal with the loss of extremely sensitive documents (medical records, citations and so on), as well as dented reputations.

In fact, as Gizmodo has reported, the three hospitals in Alabama were forced to pay the ransom in order to get access to the decryption key for some of their more critical files and get back to normal. This goes against the advice given by police authorities about how to act when faced with a cyberattack: do not pay up. Agreeing to pay the ransom only encourages more attacks and in no way guarantees the recovery of any lost material. However, on this occasion, the fact that three hospitals were brought to a standstill and the nature of the service provided go some way to explaining why the ransom was paid.

How to stop intrusions on this kind of infrastructure_

We’ve already mentioned the special gravity of the fallout from a cyberattack on critical infrastructure. In this case, therefore, organizations’ ability to rapidly react to threats and respond in an appropriate manner is of particular importance.

Advanced endpoint protection is vital to deal with this kind of attack. This is why Cytomic tackles them with highly robust EDR capacities, endpoint monitoring, threat intelligence-enriched telemetry, and scaled data analytics. The solution Cytomic EPDR extends the detection and response of Cytomic EDR with the endpoint protection platform capabilities needed to stop threats from making their way onto the endpoint and to reduce the attack surface. Both solutions include the managed Zero-Trust Application Service, which is able to automatically determine the nature of processes and binaries in real time, classifying them either as malicious or trustworthy, and blocking or allowing them to run based on this classification. This way, it allows organizations to deal with any kind of malware, be it known or unknown, including ransomware, as seen in the cases discussed here.

It is worth remembering that a cyberattack on an organization such as a hospital doesn’t just affect the center in question, its image and economic results; it ultimately affects patients, causing a serious social impact.