In the Crosshairs

Brett Johnson, one of the world's best cyber thieves before he became one of the good guys, reads the headlines and know he's missing out on easy pickings. The pandemic put healthcare facilities on the map for cybercriminals, and news reports about providers paying astronomical sums to get back confidential patient information or unlock computer systems crucial to caring for patients are routine. The successful extortion schemes have reaped cyber thieves multimillion dollar ransoms and have cost healthcare systems billions of dollars.

Healthcare cyberattacks are going to increase and intensify, according to Mr. Johnson, whom the Secret Service nicknamed "The Original Internet Godfather." For a brief moment after the pandemic hit, the 51-year-old Mr. Johnson was tempted to come out of retirement.

"I'm the only fraudster on the planet who didn't get rich last year," says Mr. Johnson, who now consults for corporations to help prevent them from being victimized by the cybercriminals with whom he once conspired. "Everyone else did. It was such easy money."

Mr. Johnson's former life of crime began in Kentucky when he was 10 years old. His mother — a drug addict, alcoholic and con artist herself — left him and his sister alone with nothing to eat for days at a time. He learned how to steal food out of necessity and expanded his stealing over the years. Eventually, he created ShadowCrew, an online message board for cybercriminals that was a precursor to similar networking sites now prevalent on the dark web.

Mr. Johnson was on the FBI's list of most wanted cybercrooks when he was arrested in 2006 and charged with 39 felonies. He served seven years in prison and eventually became an FBI informant and consultant with the feds. He's been on the straight and narrow — "legal," as he puts it — for nearly six years.

Had he wanted to, Mr. Johnson could have been involved in the recent rash of cyberattacks on healthcare providers. A report from Comparitech, which reviews and compares cybersecurity products, says there were 92 ransomware attacks on healthcare facilities in the U.S. in 2020 — a 60% increase from 2019 – that affected more than 600 clinics, hospitals and organizations. The attacks involved more than 18 million patient records and cost facilities nearly $21 billion, most of which was from downtime due to crippled computer systems.

In October 2020, the FBI, U.S. Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency warned that healthcare facilities were being targeted by Ryuk and Conti ransomware gangs and TrickBot and Bazaloader malware for financial gain, and called the attacks an imminent threat.

Three months later, the IT vendor of Harvard Eye Associates and Alicia Surgery Center, both in Laguna Hills, Calif., paid hackers an undisclosed amount to regain the stolen data of nearly 30,000 patients. Scripps Health, a $3.1 billion nonprofit healthcare provider in San Diego, was victimized by a ransomware attack in May. Scripps took down its computer systems, which resulted in restricted access to patients' electronic medical records and disrupted operations at its hospitals and facilities. The cyber thieves made off with the personal information of nearly 150,000 patients. "We deeply regret the concern this incident has caused for our patients, employees and physicians," Scripps CEO Chris Van Gorder wrote in a recent San Diego Union op-ed. "There are important lessons to be learned — Scripps, like other healthcare systems, is taking further steps to enhance our information security, systems and monitoring capabilities, and adapt to this evolving cyber-threat landscape."

Cybersecurity threats go beyond health care. Facebook and CVS have had recent data breaches. In May, a Russian cybercrime group shut down the U.S. facilities of JBS, the world's largest meat processing company. The same month, Colonial Pipeline was shut down by a ransomware attack and reopened after the company paid the thieves $5 million. Before last year's elections, the U.S. Cyber Command conducted offensive operations to prevent interference by groups in nine countries, including Iran and Russia.

Mr. Van Gorder believes government help is needed to combat the issue. "Just as protecting the public's health during a once-in-a-century pandemic takes a village, so will protecting our hospital systems, critical infrastructure, schools, businesses and government entities from criminals who exist in the shadows," he wrote.

The traditional trajectory for cybercriminals is to start with credit card theft, according to Mr. Johnson. He says the pandemic led legions of these threat actors to engage in fraudulent schemes for unemployment and stimulus checks for the first time. The crimes were easy to commit and left many cyber thieves flush with money, which in turn gave them the time to innovate and brainstorm about what industries haven't been hit on a regular basis.

"Many determined that the medical community was wide open for attacks," says Mr. Johnson. "Anyone who thinks healthcare ransom attacks have peaked is completely wrong."

When Mr. Johnson was running ShadowCrew, cybercriminals often showed up with stolen patient data that they couldn't give away. Now, the thieves are seeing that it could have value and Mr. Johnson believes mass attacks are inevitable.

"Cybercriminals see healthcare systems as easy targets, because they're almost forced to pay the ransoms," he says. "Not doing so could be a matter of life and death for patients."

Many healthcare systems practice good cyber hygiene by investing in strong firewalls, regularly updated anti-malware software and ongoing employee training. Still, gaps in cybersecurity remain, partly because healthcare workers who are rightfully focused on providing patient care undervalue the importance of maintaining a noncorrupted computer network. Convincing them to emphasize cybersecurity is an important challenge for healthcare leaders.

"Outpatient facilities have to be as concerned about protecting their data as they are about the physical welfare of their patients," says Mr. Johnson. "The entire industry doesn't understand the magnitude of the dangers associated with data compromise."

Kathy Hughes monitors Northwell Health's cybersecurity dashboard and knows some threats are going to slip through the security technology in place at New York State's largest healthcare provider.

Emails sent to Northwell's 70,000 employees at 23 hospitals and more than 830 outpatient facilities remain the biggest concern for Ms. Hughes, the company's chief information security officer. But the threat is spreading to medical devices and other automated systems that provide hidden doors through which cybercriminals can access the health system's financial records and confidential patient information. COVID-19 amplified that threat.

"The healthcare industry has been heavily targeted for several years, but it got much worse when COVID-19 hit and threat actors realized the pandemic made us much more vulnerable," says Ms. Hughes. Cyber thieves know that the deep desire healthcare workers have to help patients brings with it a built-in level of naivete that makes it hard for them to sniff out a con artist, especially when emails arrived during an unprecedented health crisis about the availability of personal protective equipment, vaccines and cures. "Staff members were desperate and looking for solutions, and they were responding to these types of messages," says Ms. Hughes.

The danger of clicking on links or opening files in phishing emails is that it gives cybercriminals access to entire computer systems. Once inside, the thieves can lock important data and ask for a ransom to unlock it.

These types of threats subsided after the pandemic's initial wave, but an uptick in malicious emails returned shortly after the FBI's imminent threat warning in October. "Most of the messages were about vaccines before they were readily available, and emails remained the primary way they tried to deliver malware to lock up our systems and make them unusable," says Ms. Hughes. "Cybercriminals took advantage of the urgency of the pandemic response to lock down the systems of an already overwhelmed industry that couldn't afford to have clinicians unable to render patient care."

Cybercriminals are also beginning to access healthcare systems' computer networks via medical devices. It's an angle similar to how the thieves have accessed other industries through computerized HVAC or cash register systems, which often don't have the level of malware protection found on desktops, laptops and mobile devices.

"When our clinical people look at a medical device, they see something that can produce diagnostic and therapeutic results for patients," says Ms. Hughes. "I see it as a computer that plugs into our network and transmits data, which makes it a threat to our security."

Healthcare IT professionals need to apply the same amount of rigor to protecting these devices as they do for computer workstations. "Medical devices need anti-malware software that gets patches with updates and have encrypted technology just like every other kind of computer," says Ms. Hughes. Getting healthcare professionals to understand the severity of cyber threats is half the battle. "They enter into this industry because they're caring people who want to help others," says Ms. Hughes. "When they get an email in a pandemic about an allegedly dying relative, they want to respond. Their first instinct isn't to realize that protecting the computers is a key component of patient care, so you have to educate them."

Mr. Johnson believes it's only a matter of time until your facility is targeted by a cyberattack. "You may have already been hit and not know it," he says. "There's more stolen data out there than there are criminals to sell it to. Just know they're coming. They'll try to get you at some point."

Mr. Johnson regrets his past and wants to protect businesses and individuals from the type of person he used to be. By his own admission, the straight and narrow is a difficult line to walk. So, who knows? The cyberattacker who infiltrates your facility might even be him. OSM