Crippling ransomware attacks against hospitals and health care providers are on the rise. These ruthless cyberattacks can take medical systems offline for weeks—canceling appointments and surgeries and causing harm to patients. Doctors and nurses are plunged into crisis situations where they resort to using pen and paper, while IT staff work to make systems safe and bring them back online. The recovery can be long-lasting and brutal.
Health care professionals, lawyers, and cybersecurity experts tell WIRED that amid the chaos caused by criminal hackers, a little-known bureaucratic process can slow down hospitals and medical providers getting their systems working again.
The red tape involves organizations hit by ransomware sending detailed “assurance” or “attestation” letters to companies that they connect their systems or software with. These letters are designed to convince organizations that it is safe to reconnect after the ransomware attack, but they can add extra pressure to those already dealing with physically and mentally draining recovery operations.
The letters aren’t required by any law and are not unique to medical organizations impacted by ransomware attacks, but experts say in situations where lives are at risk, more efficient processes should be considered. Assurance letters seen by WIRED contain up to 40 individual questions about cyberattacks and include detailed requests about how events unfolded, steps taken to respond, and any evidence that may have been gathered.
“Negotiating with hundreds of vendors each with their own unique set of requirements to reconnect was an arduous and time-consuming process,” says Sean Fitzpatrick, the vice president of external communications at Ascension, a network of 140 hospitals and thousands of affiliated providers across 19 states, which was hit by ransomware in May. Ascension now has more than 95 percent of its suppliers reconnected or in the process of reconnecting, Fitzpatrick says, and has attempted to be as transparent as possible with its recovery.
Meanwhile, Shane Thielman, the chief information officer at Scripps Health, a San Diego health care provider with five hospitals and 30 outpatient centers and clinics, says it was required to produce around 30 vendor letters when it was hit by Conti malware in May 2021 for clinical, business, and administrative software partners. “Initially, there were several vendors that did not accept the assurance letter and requested additional technical documentation and information,” Thielman says. “However, this was limited and ultimately did not result in a delay to restoring access to systems at Scripps.”
Lawyers Enter the Chat
Hospitals and other health care organizations are hugely complex beasts—they can use dozens of pieces of software from different companies, providing everything from electronic health care records to staff shift schedules. Cyberattacks that take medical services offline can impact a hospital’s own internal systems and networks and those belonging to third-party suppliers. An attack against a company that provides software to hundreds or thousands of organizations can have widespread ramifications.
It doesn’t take long to see how ransomware, which is most often launched by Russia-based cyberciminals, can have a dangerous impact on medical care. More than 1,100 surgeries and 2,194 appointments have been canceled at London hospitals this month after pathology services provider Synnovis was hit by ransomware. Some cancer appointments have been canceled, blood testing reduced, and more than 50 organs needed to be diverted for use at other hospitals, figures from the UK’s National Health Service show.
“I can tell you with complete confidence that ransomware attacks harm patients,” says Hannah Neprash, an associate professor of health policy at the University of Minnesota, who has researched the impact of ransomware attacks on US hospitals and concluded they result in higher mortality rates. “If you are a patient who has the misfortune to be admitted to a hospital when that hospital goes through a ransomware attack, the likelihood that you're going to walk out the doors goes down,” Neprash says. “The longer the disruption, the worse the health outcomes.”
In the hours and days immediately after ransomware attacks, it’s common for companies who have software connected to the targeted organization to pull their services. This can include everything from disconnecting medical records to refusing to email a cyberattack victim. This is where so-called assurance letters come in.
“We’ve really seen the demand for these letters increase over the past few years as breaches have become much more litigious—from class actions lawyers chasing settlements to lawsuits between businesses,” says Chris Cwalina, the global head of cybersecurity and privacy at law firm Norton Rose Fulbright.
Cwalina says he is unsure where and when the practice of sending assurance letters started but says it is likely it began with lawyers or security professionals who misunderstood legal requirements or the risks they are trying to prevent. “There is no legal requirement to request or obtain an attestation before systems can be reconnected,” Cwalina says.
These assurance and attestation letters are often compiled with the support of specialist cybersecurity companies that are employed to respond to incidents. What can be reconnected and when will vary depending on the specific details of each attack.
But much of the decisionmaking comes down to risk—or at least perceived risk. Charles Carmakal, the chief technology officer of Google-owned cybersecurity firm Mandiant, says companies will be worried that cybercriminals could move “laterally” between the victim and their systems. Companies want to know a system is clean and the attackers have been removed from the systems, Carmakal says.
“I understand the rationale behind the assurance process. What I would say is that people do need to really consider what is the risk associated with the level of connectivity between two parties, and sometimes people tend to default to the most restrictive path,” Carmakal says. For instance, it is rare that Mandiant sees wormable ransomware moving from one victim to another, he says.
“Vendors were interested to know that independent, outside cybersecurity experts were engaged with Scripps technical teams and verification that malware was contained and remediated with reasonable best efforts,” Thielman, the CIO of Scripps Heath, says. For Ascension, Fitzpatrick says, the company also held one-on-one calls with vendors and hosted eight webinars where it provided updates. It has also shared indicators of compromise—the traces left by attackers in its systems—with health organizations and the US Cybersecurity and Infrastructure Security Agency (CISA).
Third-Party Doctrine
Cybercriminals have become more brazen with attacks against hospitals and medical organizations in recent years; in one case, the Lockbit ransomware gang claimed it had rules against attacking hospitals but hit more than 100. Often these sort of attacks directly impact private sector companies that provide services to public infrastructure or medical organizations.
“If you look plausibly at the threat picture in the years ahead, disruption to public services and public activity caused by [cybercrime] activity that affects the private sector is probably something that's going to happen more and more,” says Ciaran Martin, a professor at the University of Oxford and the former head of the UK’s National Cyber Security Centre. In these instances, Martin suggests, there may be questions around whether governments have, or need, powers to direct private firms to respond in certain ways.
John Riggi, national adviser for cybersecurity and risk at the American Hospital Association, says there could be more federal support for health care providers. “Some of the resources, for instance, that CISA dedicates to defending federal civilian networks could also be devoted and expanded to help defend critical infrastructure, like health care.”
When it comes to the need for assurance and attestation letters, Norton Rose Fulbright’s Cwalina says much of the information requested in these scenarios could be received through directly speaking to people. “The piece of paper is ultimately only obtained after lawyers review it and insert caveats and protections—which means the attestation will actually say very little to give an organization confidence to reconnect and certainly nothing that couldn’t be obtained through other means,” Cwalina says. Scripps Health’s Thielman recommends establishing communications with software providers as soon as possible.
“We need a situation in which somebody, be that a incident response company or CISA, is able to sound an ‘all clear’ signal after which vendors can reconnect immediately,” says Brett Callow, a threat analyst at Emsisoft. A third-party approval could speed up the process, he says. “The primary concern here has to be patient safety. We need to get hospitals up and running in a safe manner, in the shortest possible time. Masses of red tape just aren’t conducive to that.”
Correction 6/25/2024, at 11 am ET: The number of health care facilities operated by Scripps Health has been corrected.
