War in Ukraine also threatens German hospital IT security

However, these were not the first cyberattacks in the long-smouldering conflict between Russia and Ukraine. In 2015 and 2017, several serious attacks were attributed to Russian hacker group “Sandworm”, which is said to be close to the Russian domestic intelligence service FSB. While the attack in 2015 paralysed the power grid in the Ukrainian capital Kiev for several hours, a more widespread attack took place in 2017 with the malware NotPetya. The Trojan purged stored data from hard drives and caused financial damage amounting to 0.5% of Ukraine's GDP. Among the affected were also Russian companies such as the listed energy company Rosneft. The company is headed by Igor Sechin as CEO, a close confidant of Russian President Vladimir Putin (as well as former German Chancellor Gerhard Schröder as chairman of the supervisory board). 

This collateral makes it clear how difficult it is, even for professional attackers, to direct a malware-based cyberattack strictly to the intended targets – and how easily such an attack gets out of control. So-called wipers, i.e. malware tools that delete hard drives and servers, are currently in circulation again. For example, IT security firm ESET reports that three new wipers have already been discovered in Ukrainian computer networks since February 23:¹ HermeticWiper, IsaacWiper and CaddyWiper. The former was already detected by IT security researchers on the eve of the invasion. 

Hospitals get caught in the digital crossfire

The analysts suspect that many of the Ukrainian systems that have been attacked by these wipers in recent weeks had already been infiltrated beforehand. This lines up with a notorious practice known as Advanced Persisting Threats (APTs): Intruders gain access to a foreign system and initially remain dormant without causing any noticeable damage. In this period, they spy on the system and tap into access and user data. This unnoticed intrusion can also be used to place targeted malware such as the wipers described above. This M.O. ensures that the intended targets are infected by the malware – even if an uncontrolled spread of the malware cannot be prevented afterwards, also damaging unintended institutions and companies on both sides of the conflict. 

IT security researchers point out the dangers of this type of digital warfare for healthcare systems, also in Germany: According to WHO data, Russia is responsible for a total of 197 conventional military attacks on Ukrainian hospitals and practices (as of May 24). with 70 people killed and 55 injured.² The UN considers such attacks to be war crimes. Targeted cyberattacks on healthcare facilities, on the other hand, have not been reported so far – in all cases, these are likely to have been collateral damage rather than intended targets of the Russian armed forces. 

Malware does not respect national borders

Such collaterals had already been reported in 2017, when NotPetya was deployed: First, Ukrainian hospitals were infected and had to restrict or stop patient care. Later, the malware spread worldwide via the Ukrainian branch of the software company Nuance,³ also to US hospitals, which frequently use speech recognition software from Nuance, for example for documentation in digital patient records. However, the loss of existing data was not the whole story: Because the NotPetya infection initially went unnoticed, clinicians and nurses continued to work with the speech recognition software, resulting in numerous dictated epicrises and reports never appearing in the designated patient records. It cannot be determined with certainty how many diagnostic and therapeutic decisions were influenced or delayed as a result. 

A current concern is that collateral damage could hit the already severely weakened healthcare system in Ukraine and also affect medical care in other countries, since malware does not respect national borders. The American Hospital Association (AHA) therefore issued a warning at the end of February 2022, stating that the war in Ukraine also justified a heightened alert level in US hospitals. Threats to hospitals are categorised in three levels: Targeted attacks on healthcare infrastructure, collateral damage from uncontrolled malware, and thirdly the disruption of supply lines and external services that are essential for hospitals to maintain patient care. 

BSI warns against Kaspersky, CISA recommends geo-fencing

The US Cybersecurity & Infrastructure Security Agency (CISA) almost simultaneously issued a so-called "Shields Up" directive, raising the alert level for threats to the digital infrastructure for all domestic organisations. Concrete instructions from the AHA and CISA include specific measures for the current conflict, such as geo-fencing (a geographically defined blockade) of internet traffic from Ukraine and neighbouring regions. Most important, however, are general information security measures, from systematic monitoring of potential vulnerabilities to ongoing awareness campaigns and staff training on IT security. 

Since March, the German Federal Office for Information Security (BSI) warns of increased danger from cyberattacks on hospitals. The agency communicated the second-highest warning level, orange – explicitly not only for hospitals classified as critical infrastructure (KRITIS; meaning hospitals with more than 30,000 full inpatient cases per year), but for all hospitals in Germany.

As a consequence, these institutions must tighten their IT security (or introduce general measures in the first place). This is a challenge in itself, given the financial and personnel bottlenecks in the clinics still affected by the coronavirus. In addition, a specific warning was issued against antivirus solutions from Russian company Kaspersky, which are frequently used in Germany – also in the health sector. However, the BSI cautioned against a sudden deactivation of Kaspersky antivirus software without sufficient replacement, but rather switching to alternative products after prudent planning while accepting ‘temporary losses in comfort, functionality and security’. 

References: 

1. https://www.welivesecurity.com/category/ukraine-crisis-digital-security-resource-center/
2. https://extranet.who.int/ssa/Index.aspx
3. https://slate.com/technology/2019/11/sandworm-andy-greenberg-excerpt-notpetya-hospitals.html

16.06.2022

• data management (565)
• hospital (293)
• IT (873)
• security (446)