Faegre Drinker Biddle & Reath LLP, a Delaware limited liability partnership | This website contains attorney advertising.
February 07, 2020

Disruptionware: The Newest Form of Cyberattack is Targeting the Health Care Industry

By Jason G. Weiss and Jennifer R. Breuer

Beware, health care providers — there’s a new form of cyberattack coming to an organization near you! Disruptionware is an “emerging category of malware designed to suspend operations within a victim organization by compromising the availability, integrity and confidentiality of the systems, networks and data belonging to the target.1  Far more destructive than “garden-variety” malware and ransomware attacks, disruptionware attempts to encrypt and deny users access to their data, working as a “layered attack” designed to “disrupt operations and production in [target] environments (as well as infrastructure) in order to achieve some other strategic goal.2

Additional forms of evolving ransomware attacks — designed to block access to the victim’s computer systems until money is paid — are an increasingly prevalent threat to health care organizations. According to the FBI, hospitals and health care institutions are the primary targets of these high-impact ransomware attacks because of the critical role they play in providing lifesaving services, and the fact that health care institutions usually do not have the time to restore backups to get their networks working again and running safely and securely after an attack.3

The United Kingdom’s Department of Health and Social Care has estimated that the highly publicized 2017 global WannaCry cyberattack that affected its National Health Service (NHS) cost the NHS £92 million ($120.4 million) in lost patient care and IT support provided to its organization.4  Approximately 19,000 patient appointments were cancelled as a result of the attack.5

Ransomware has been so destructive that the FBI recently issued a Public Service Announcement (PSA) warning about “high-impact” attacks on critical private- and public-sector institutions.6  According to Emsisoft, a cybersecurity firm, since the beginning of 2019 there have been at least 621 reported successful ransomware attacks against U.S.-based corporations. Of these, at least 491 (almost 80%) were targeted against health care providers. Another 68 (11%) were directed at county and municipal institutions, and 62 (10%) were focused on school districts. Cybersecurity Ventures has predicted that ransomware payments alone by victim companies will have exceeded $11.5 billion in 2019 — representing an increase of almost 30% over the approximately $8 billion paid in 2018.7

Hackers are increasingly using new and diverse techniques to launch multiple forms of cyberattacks, including new Remote Desktop Protocol (RDP) attacks, and leveraging various software vulnerabilities to infect organizations through backdoor channels. RDP attacks are becoming far more common because of the simplicity of many users’ login credentials and the problems with “credential stuffing” attacks, while companies are not doing enough to “whitelist” exclusively acceptable computer software and applications to prevent security holes caused by numerous software vulnerabilities in unsecured and sometimes untested software applications. Best practices to avoid such attacks include: (1) hardening your IT systems using either ISO or NIST cybersecurity frameworks and (2) ensuring that you train your employees on cyber social awareness defense techniques.

The FBI’s PSA serves as a warning to businesses that they should have a plan in place to respond efficiently and appropriately in the event of high-impact ransomware and disruptionware attacks. Such plans should include, among other things, clear designation of responsible individuals (inside and outside the company), procedures for contacting law enforcement, and a firm understanding of what the company’s data is as well as a good understanding of its importance in the overall business plan.

Finally, businesses need a current and workable Incident Response Plan and/or Disaster Recovery Plan for getting the organization up and running again as quickly as possible if there is a cyberattack. Businesses would be wise to review how their systems are backed up, as reliable and readily accessible backups are often critical in resuming normal business operations as quickly as possible.

  1. Institute for Critical Infrastructure Technology, The Rise of Disruptionware: A Cyber-Physical Threat to Operational Technology Environments (September 22, 2019), available at https://icitech.org/wp-content/uploads/2019/09/ICIT-Brief-The-Rise-of-Disruptionware.pdf.
  2. Id.
  3. Federal Bureau of Investigation, Public Service Announcement: High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations, Alert No. I-100219-PSA (October 2, 2019), available at https://www.ic3.gov/media/2019/191002.aspx.
  4. UK Department of Health & Social Care, Securing cyber resilience in health and care, Progress update October 2018.
  5. Id
  6. See https://www.ic3.gov/media/2019/191002.aspx
  7. Cybersecurity Ventures, Global Ransomware Damage Costs Predicted to Exceed $8 Billion in 2018 (June 28, 2018), available at https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-exceed-8-billion-in-2018/.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.

Related Industries