How hospitals are preparing for ransomware attacks
Illustration: Sarah Grillo/Axios
Hospitals are often at a disadvantage against ransomware gangs, and the wrong move can have deadly consequences.
Why it matters: Ransomware continues to pummel health care organizations — disrupting patient care, threatening lives and costing cash-strapped institutions millions of dollars.
Driving the news: Semperis, a cybersecurity unicorn that focuses on identity protection, hosted its first hospital hack tabletop exercise on the sidelines of the Black Hat conference in Las Vegas last month.
- Dubbed "Operation 911," the exercise gathered a group of cyber specialists, health care professionals and law enforcement officers to act out a fictitious ransomware attack.
Inside the room: Participants spent close to two hours in a hotel suite at the Mandalay Bay Hotel running through a scenario in which hackers have taken a Las Vegas hospital offline.
- A group of about 10 cybersecurity professionals investigated a third-party IT vendor account that was coming online at odd hours and exfiltrating heaps of data.
- Their response was typical for any health care organization: They isolated the affected systems, called in the FBI for help, and, once the intrusion was identified as ransomware, stalled the hackers by negotiating a payment price for as long as possible.
- But they faced a huge setback that other infrastructure sectors don't normally struggle with: They couldn't just turn off all of their systems. Doing so could disrupt patient care — or even lead to death.
The other side: The red team — which represented the ransomware gang targeting the hospital — sat in a separate room of the hotel suite. Their goal was to remain undetected for as long as possible so they could exfiltrate sensitive patient records and the hospital's financial documents.
- Each of these documents could help the hackers extort the hospital for as much money as possible.
- To remain undetected, the red team focused on moving data laterally and banked on the hospital monitoring only what was coming in and out of its systems — rather than what was moving between internal networks.
- The red team also focused on stealing administrators' passwords so they could log in as legitimate users.
- And the red team duplicated all of the files it stole first so it would be harder for the blue team to notice what had been exfiltrated.
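The two blind spots the red team counted on above (a vendor account active at odd hours, and bulk data moving between internal zones where a perimeter-only monitor never looks) can be expressed as simple detection rules. The script below is an added illustration, not code from the article, Semperis or the exercise; the log records, the account name, the business-hours window and the 1 GB threshold are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample events (not from the article): one record per session,
# with the authenticated account, source/destination zone and bytes moved.
EVENTS = [
    {"ts": "2024-08-06T02:14:00", "account": "svc-vendor-it", "src": "internal", "dst": "internal", "bytes": 8_200_000_000},
    {"ts": "2024-08-06T02:40:00", "account": "svc-vendor-it", "src": "internal", "dst": "internal", "bytes": 6_100_000_000},
    {"ts": "2024-08-06T03:05:00", "account": "svc-vendor-it", "src": "internal", "dst": "external", "bytes": 40_000_000},
    {"ts": "2024-08-06T10:30:00", "account": "svc-vendor-it", "src": "internal", "dst": "internal", "bytes": 120_000_000},
    {"ts": "2024-08-06T11:00:00", "account": "nurse.jdoe", "src": "internal", "dst": "internal", "bytes": 5_000_000},
]

VENDOR_ACCOUNTS = {"svc-vendor-it"}     # assumption: third-party IT vendor service accounts
BUSINESS_HOURS = range(7, 19)           # assumption: 07:00-18:59 local is the vendor's normal window
EAST_WEST_THRESHOLD = 1_000_000_000     # assumption: >1 GB between internal zones in one session is abnormal


def perimeter_only_alerts(events, threshold=EAST_WEST_THRESHOLD):
    """What a hospital watching only traffic leaving its network would see.

    Large internal staging of data never crosses the perimeter, so a small
    outbound trickle is all this view catches, and here it stays under threshold.
    """
    return [e for e in events if e["dst"] == "external" and e["bytes"] >= threshold]


def east_west_alerts(events, vendor_accounts=VENDOR_ACCOUNTS, threshold=EAST_WEST_THRESHOLD):
    """Flag vendor-account activity at odd hours and large internal-to-internal moves.

    Returns a list of (timestamp, account, [reasons]) tuples, one per flagged event.
    """
    alerts = []
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).hour
        reasons = []
        if e["account"] in vendor_accounts and hour not in BUSINESS_HOURS:
            reasons.append("vendor account active outside business hours")
        if e["src"] == "internal" and e["dst"] == "internal" and e["bytes"] >= threshold:
            reasons.append("large east-west transfer (possible staging before exfiltration)")
        if reasons:
            alerts.append((e["ts"], e["account"], reasons))
    return alerts


if __name__ == "__main__":
    print("perimeter-only alerts:", perimeter_only_alerts(EVENTS))
    for ts, acct, why in east_west_alerts(EVENTS):
        print(ts, acct, "; ".join(why))
```

On the constructed records the perimeter-only view raises nothing, while the east-west rules flag the two overnight internal bulk moves and the off-hours vendor session.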
Admittedly, the red team of former hackers, police officers and cybersecurity executives had an easier job: keep squeezing the hospital for more money.
- For instance, the red team chose to reach out to local journalists and give interviews about its antics — creating more public pressure for the hospital.
- "It's totally asymmetric, it's really painful [for hospitals]," one of the red team members said.
Between the lines: Once a malicious hacker is inside a health care system's networks, it's really difficult, if not impossible, for a victim organization to walk away with any sort of win.
The big picture: Ransomware targeted 85% of health care organizations in the last year, according to Semperis' 2024 ransomware risk report.
- "People still have gaps in their understanding of what an actual incident would look like," Semperis CEO Mickey Bresman told Axios during the event. "It typically becomes very quickly very chaotic."
The bottom line: Not having a plan for responding to ransomware can have deadly consequences.
- Bresman recommended that all health care executives run training exercises so they're prepared to make tough choices if they face ransomware.
