The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: A nonprofit is providing free ransomware protection to private U.S. hospitals

with Aaron Schaffer

Ransomware attacks against hospitals have dramatically spiked during the coronavirus pandemic. The ransomware epidemic, as it was recently described by Homeland Security Department Secretary Alejandro Mayorkas, has made the issue a key focus for both cybersecurity nonprofit organizations and government agencies. 

As a part of the effort to combat the rise in attacks, nonprofit group Center for Internet Security (CIS) this month launched a free ransomware protection service for private U.S. hospitals.

The Malicious Domain Blocking and Reporting Service (MDBR) uses security services from Akamai to proactively look for traffic from domains associated with malicious activity, including ransomware attacks. If it detects a malicious domain trying to connect with hospital networks, the software blocks the connection. 

The tool isn't a panacea; it won't stop more sophisticated hackers seeking to target a particular institution. But it can decrease the risk of hackers succeeding in more simple attacks against embattled hospitals during the pandemic, such as phishing emails tricking employees into clicking malicious links.

Ransomware attacks can be launched against any institution, and they're mainly done for money. But they pose potentially life-or-death consequences inside hospitals already under tremendous strain.

The free software program is targeted at underfunded hospitals in the United States lacking their own basic cybersecurity services, says Ed Mattison, executive vice president of CIS operations and security services.

“Cybersecurity is always a hard sell because success in cybersecurity is that you spend money on products and services and then something doesn't happen,” says Mattison. “And so it's very hard for cybersecurity professionals to get the funding and the budgets they need.”

In 2019, health-care providers spent just five percent of their information technology budgets on security, according to research from Gartner.

The project, which is funded by CIS directly, builds off the success of a federally funded pilot project launched through CIS with funding from the Multi-State Information Sharing and Analysis Center, a private-public partnership.

The pilot program last year provided ransomware prevention tools to state and local government organizations. The program covers more than 1,000 government organizations, including election infrastructure, public health organizations and K-12 schools. Since the program began, the service has blocked more than 748 million attempts by malicious domains, CIS says. In December alone, it blocked nine domains tied to ransomware criminals from public health organizations using the service.

Andrew Maurer, a systems architect at Madelia Community Hospital and Clinic, which has been using the service since November, called the domain-blocking tool painless to implement.

It just works, and in IT that's a rare thing to say, he says. The software detected almost 3,000 malicious domain server requests in just its first week, Maurer noted.

Ransomware attacks have surged during the pandemic.

In October, the Health and Human Services Department, the Cybersecurity and Infrastructure Security Agency and the FBI issued a warning about increased cybercrime threats to the public-health sector. IBM X-Force researchers noted in their annual report that cyberattacks on health care, manufacturing and energy doubled from the year prior. Vaccine distribution has only increased opportunities for cybercriminals, experts warn.

Although ransomware isn't a new threat to hospitals, the dramatic spike in activity has increased awareeness of it, says John Riggi, senior adviser for cybersecurity and risk for the American Hospital Association (AHA). AHA represents about 80 percent of U.S. hospitals and works with its members to provide cybersecurity guidance, among other things.

Hackers appear to be taking advantage of the high stakes at hospitals, which make them more willing to pay a ransom, ensuring they are lucrative targets. 

Riggi says AHA's members include having to divert patients to nearby hospitals and shutting down certain IT services for roughly a month as a result of ransomware attacks. He couldn't say how many AHA members have suffered such breaches but explained he receives a call “at least every couple weeks” about an attack.

The attacks increase financial pressure on hospitals at a time when many are struggling under the weight of the virus, say Mattison, a former chief information security officer with two different hospital systems. 

A recent earnings report confirmed that Universal Health Services, one of the largest health-care providers in the United States, lost $67 million from a cyberattack last fall.

There's increasing risks to patient privacy, too. 

More hackers are turning to a form of ransomware sometimes called “double extortion” in which they threaten to leak the data they've locked up if the ransom isn't paid. Given the sensitive medical information collected by hospitals, the risk of a leak adds even more pressure to pay. 

Riggi says nearly ever recent attack he's aware of used this method.

Riggi and other experts warn there's no one solution to ransomware attacks.

“We in cybersecurity still we talk about defense and depth and having this added layer provided at no charge to hospitals I think is a pretty significant positive development,” says Riggi. So certainly it can add value to existing cybersecurity programs.”

Josh Corman, CISA's chief strategist for health care and covid-19, said the success of MDBR in protecting election infrastructure shows the technology is a low-cost, high-impact way of shoring up basic cybersecurity defenses. Although the program won't stop all attacks, Corman says hospitals should avail themselves of every resource they can get.

Anything we can do to prevent preventable harm, we should do, Corman said.

Marc Rogers, co-founder of the CTI League, a group of worldwide volunteer professionals working to combat cyberattacks against health-care organizations, called it “a really good step forward.”

“The challenge however is that it's not a silver bullet,” Rogers, who is also vice president of cybersecurity at Okta, wrote in an email. "While this kind of technology can provide broad protection it has gaps,” he writes.

“Ransomware is a difficult problem because it can use so many vectors to get into an organization. Its encouraging to see free, sophisticated defensive capabilities made available, but we mustn’t lose sight of the fact we still have work to do,” Rogers writes.

The MDBR program is funded through the end of 2021, but CIS already is looking for new money for the program beyond that point. 

We want to show that if this program doesn't continue, they would likely go back to not having that protection, says Mattison. And that would be a bad thing for this critical infrastructure of the United States.

The keys

The Justice Department is looking into an Israeli spyware company.

It recently asked Facebook-owned WhatsApp about technical matters related to the messaging app’s allegations that the NSO Group targeted as many as 1,400 WhatsApp users, the Guardian’s Stephanie Kirchgaessner reports. Federal authorities reportedly have been looking into the spyware company since 2017, but the probe accelerated in the wake of a lawsuit by WhatsApp that alleged that the company hacked its users.

Researchers warn of the growing “hack-for-hire” industry.

Researchers say that understanding, shaping and limiting hack-for-hire transactions will be key to limiting the spread of tools and groups that use them, according to an Atlantic Council report on the largely uncontrolled world of offensive cyber groups. 

The report outlined the danger of such groups, such as the “ENFER” organization, working for U.S. adversaries such as Russia. The researchers suggested that countries pass “know your vendor” laws requiring companies to identify their vendors and customers before selling their technology and services to governments. They also suggested that these countries add stricter measures including technical restrictions.

SolarWinds says it is facing an SEC inquiry following insider stock trades.

The company says it is cooperating with an inquiry from federal regulators, Douglas MacMillan and Aaron Schaffer report. It wrote in its annual filing to investors that it is cooperating with “numerous” government investigations related to the cyberattack, including from the SEC, the Justice Department, and state attorneys general.

Relatively unknown just a few months ago, SolarWinds has been in the hot seat since hackers exploited vulnerabilities in its software to breach at least nine government agencies and about 100 companies. Last week, members of Congress questioned SolarWinds chief executive Sudhakar Ramakrishna about whether private companies like his can be trusted to protect the country from future attacks.

The SEC probe, which had not been disclosed previously, comes after the largest investors in SolarWinds sold $315 million in shares of the company days before the hack was revealed, as The Post reported.

Global cyberspace

Myanmar spent millions on a cybersecurity apparatus to crack down on dissidents.

The country spent tens of millions of dollars on surveillance technology in the past two fiscal years, the New York Times’s Hannah Beech reports. The surveillance tools are being scrutinized in the wake of a military coup in the country that the Biden administration has condemned.

Israeli, American and European surveillance technology made its way to Myanmar despite export bans in the wake of an exodus of hundreds of thousands of members of the country’s Rohingya minority. Arrest warrants for critics that were issued after the coup show that authorities appear to track their locations through social media posts and the locations of their Internet networks.

Mumbai power outage could have been cyber sabotage, says minister (Reuters)


  • Runa Sandvik, who worked as the New York Times’s senior director of information security, has been hired by the Norwegian Armed Forces Cyber Defense as a senior adviser.
  • Former House Foreign Affairs Committee Chairwoman Ileana Ros-Lehtinen, a Republican who represented Florida, has registered to lobby for cybersecurity company FireEye, along with three other lobbyists from Akin Gump. The registration was effective Feb. 1.
  • Jeff Greene, the director of the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence, has joined the National Security Council, where he’ll work on cyber and emerging technology “policy and implementation efforts.” Natalia Martin will be the center’s acting director.
  • Jameeka Green Aaron has joined Auth0 as the company’s chief information security officer.


  • Former CISA director Chris Krebs speaks at an Atlantic Council event on 2020 election misinformation on Wednesday at 3 p.m.
  • The Atlantic Council hosts a cybersecurity event with industry leaders on Thursday at 1 p.m.
  • House Armed Services Committee Chairman Adam Smith (D-Wash.) speaks at an event hosted by the Brookings Institution on Friday at 11 a.m.
  • Duke University’s engineering school hosts a seminar on cybersecurity threats amid remote work on Friday at noon.
  • U.S. Cyber Command executive director Dave Frederick speaks at an event hosted by the Intelligence and National Security Alliance on March 10 at 4:30 p.m.

Secure log off

Finally, some positive news.