Frank Plummer MBCS, cyber security consultant, explores the CIA triad – confidentiality, integrity and availability – and its impact on three recent cyber attacks in healthcare.

On 11 September 2020, one of the first cases of death by ransomware hit the news. The Düsseldorf University Hospital in Germany was attacked hit by a ransomware campaign that disabled the hospital’s systems to the extent where it could no longer accept new admissions to its accident and emergency department. Hospital staff were forced to re-route patients to Helios University Hospital in Wuppertal, a neighbouring city, which was 19 miles away. For one patient, a 78 year old woman who was suffering from an aortic aneurysm, this proved fatal. The re-routing of her ambulance delayed her treatment by an hour and she passed away. This was suggested to be the first instance of death by ransomware.

Ransomware attacks are not new

They encrypt data which can prevent systems from functioning properly. Attackers demand a payment – usually in a cryptocurrency like Bitcoin – in return for a key which allows decryption of the data (and a restore of a systems’ functionality). Whether that key actually works or not is a gamble – many attackers provide keys that simply do nothing, duping the victim and taking their money.

In most sectors, a ransomware attack is a critical event. It can cause a business to lose access to all of its data or systems that enable it to operate. This can halt production lines, cause online shopping platforms to crash or key project data be made unavailable. But in healthcare, where doctors and medical staff rely on access to the data to provide critical care, it can be life threatening.

Ransomware: Availability vs confidentiality

In cyber security, ‘availability’ of an asset (such as data) is one of the three elements of the CIA triangle. The others – ‘confidentiality’ and ‘integrity’ – relate to data being only accessible by authorised parties and data not being modified or changed without due control.

In 2020, ransomware that only impacted availability was common. It would encrypt data, render systems unusable and ask for a payment to restore access. What was rapidly gathering popularity, however, was ransomware that would impact data confidentiality.

Attack on mental health giant

In October 2020 a system developed and owned by a company called Vastaamo – containing mental health records – was attacked. A copy of all the data on the system was sent to the attacker including names, addresses, social security numbers, email addresses, therapist notes on each private session.

Mental health patients confide their deepest fears, secrets and most traumatic events with their therapist. They may not even share these with close family and friends. For many, a therapist is a lifeline supporting conditions such as anxiety, PTSD and depression.

The attacker had a choice. Either they contact the organisation who owns the software system (Vastaamo) or the 36,000 patients they now hold data on. It is often a cost/value proposition – what will yield the better return for the least amount of effort? Unsurprisingly, the attacker targeted Vastaamo. ‘€450,000 or the data is leaked online.’

Vastaamo chose not to pay the ransom. This very quickly led to two things happening:

One – patients received a ransom email demanding a payment of €200, increasing to €500 if not paid within 24 hours. The subject line was their name, social security number and the clinic they had visited to receive treatment.

Two – the attacker posted a 10 gigabyte archive on the dark web which contained clinical notes of around 2,000 patients. This was available for all to download and view. It was a warning – ‘I will do what I say, unless you pay me.’ Some patients did pay. But many did not.

Since the attack, Vastaamo has ceased trading. It is unknown the full extent of how patients have been impacted. Support services set up by the Finnish government and healthcare service have had 22,600 victims engage with Victim Support Finland. Anxiety, insecurity and stress have been identified as key health impacts as a result of this event. But, of the patients contacted by the attacker, it will likely never be known exactly how each individual was impacted by the event, or how their health or life has changed as a result.

Another attack, this time on the NHS

On 4 August 2022, the NHS 111 service in the UK was knocked offline. The service provider had suffered a major incident which later was stated to be a ransomware attack. NHS 111 is a non-emergency service that allows the general public to get access to healthcare advice over the phone. It is free at the point of use, is used by thousands of people each day and was a key service during COVID-19.

For you

Be part of something bigger, join BCS, The Chartered Institute for IT.

But, this attack at Advanced – the provider for NHS 111 – was not only limited to the 111 service. Clinical management systems for GP surgeries, care homes and mental health services all hosted by Advanced were affected. The largest system – Adastra – supported the care of around 40 million patients.

The primary impact of the Advanced attack is one of availability. Like the Düsseldorf University Hospital attack, systems were taken offline either by the ransomware itself or as a precaution. This rendered a lot of health services without access to data, and as a consequence impacted how patients received care.

At the time of writing, some healthcare services in the UK still do not have full access to their patients' data. They have resorted to pen and paper to keep records, using out-of-date information at best or no information at worst. In a post-COVID world where the NHS in the UK is already beyond breaking point, it is the latest in a series of events that put immense pressure on that vital healthcare service.

It is not clear whether the attack has resulted in confidentiality being impacted (making it akin to the Vastaamo attack) or if the systems were only knocked offline. If confidentiality was impacted and the data is now in the hands of the attackers, it may be the single biggest confidentiality compromise of patient data that healthcare has ever seen.

Who’s responsible for these ransomware attacks?

All three attacks described share common themes. They are all healthcare related, they all have a clear impact on delivery of care and they all fall into the ‘ransomware’ category.

When we consider who might be responsible, it is not uncommon for nation states or foreign intelligence agencies to be the scapegoat. Surely, to have this level of impact or to target patients at all, there must be significant funding or a political agenda at play? The reality is that most ransomware attacks are carried out by organised criminal groups. They come with supply chains, a savvy approach to business and a very low barrier to entry.

So why target healthcare?

Healthcare is integral to our welfare and survival. Our healthcare records are confidential and our lives depend on health professionals being able to reliably access systems to provide that care. There are very few industries that have such a direct impact on our welfare. If attackers can threaten that which keeps us alive, safe and healthy – why would we not pay the ransom?