This week, more than 43,000 Americans have been hospitalized for Covid-19. In intensive care units across the country, patients are separated from their families and loved ones, some waiting in the hush punctuated by the beeping of monitors. But many are oblivious to another threat looming over them: a cluster of attacks from hackers, some allegedly Russian, targeting the hospitals fighting to save their lives.
In 2020, ransomware has become an increasingly prevalent threat as we see more cities, hospitals, and companies shut out of their operations.
The FBI has announced that hackers are attempting to break into hospitals’ systems using a botnet known as Trickbot in order to insert a malware called Ryuk to encrypt and hold hospital data hostage until a ransom is paid. The alleged Russian hackers had reportedly been circulating a list of 400 American hospitals they planned to target.
In 2020, ransomware has become an increasingly prevalent threat as we see more cities, hospitals and companies shut out of their operations. The victims of corporate or civic ransomware face a terrible choice: pay the ransomer’s demands or engage in the expensive, time-consuming and potentially futile effort to rebuild entire operations.
The U.S. government has struggled to figure out how to stop these hackers. Understandably, the government encourages victims to report these incidents and tries to dissuade them from paying ransoms so that the crime is no longer profitable. The U.S. military has been working to disrupt hackers’ cybertools, as has the private sector. These efforts have been effective at taking some attackers offline temporarily. But unfortunately, the government’s efforts have at best been temporary disruptions, and at worst made things far worse for the victims. This has been especially true for the latest wave of hospital attacks.
For hospital administrators responding to these ransomware attacks, accessing medical data is literally a life-or-death matter. Doctors may not be able to access patient medical histories or admit new patients. Ambulances may be diverted to other hospitals, increasing the time it takes patients to get access to life-saving care. Surgeries and other procedures may be delayed at cost to patients’ health. There are many reasons why a hospital might decide that the quickest, most effective way to get up and running is to pay the ransom. For many, when it comes down to saving a life or cooperating with the government, paying a ransomware is the responsible choice.
And amid the difficult decision of whether to pay the ransomer, a hospital under attack must contend with a further complication. On Oct. 1, the Treasury Department issued an advisory that if a victim pays a ransom and the perpetrator turns out to be from a sanctioned country like North Korea, Iran or Russia, the victim may be liable for violating U.S. sanctions law. The department does allow a victim to apply for a license to make said payment at the Office of Foreign Asset Control. But for a hospital administrator wrestling with the urgent question of whether to pay a ransom, applying and waiting for an OFAC license is an untenable bureaucratic delay when lives hang in the balance.
It’s not enough to disrupt the attacker’s systems or shame victims out of paying to get their data back. In order to permanently disrupt these ransomware attacks, you have to get to the people behind the attacks either by arresting them or convincing them to stop. Law enforcement and cybersecurity analysts point out that these attackers are often in countries like Russia, where Russian President Vladimir Putin’s government is uninterested in turning them over for prosecution and, in some cases, actively fights against the extradition of cybercriminals. Still, indictments are a powerful tool, even if another country is harboring the cybercriminal. Issuing an indictment makes clear that the U.S. is holding the individual behind the illegal acts accountable. By seeking an arrest and presenting a request for extradition, the U.S. would make clear that targeting hospitals is a violation of international norms, akin to the targeting of hospitals in wartime. A refusal by a country like Russia to honor such a request would make clear that they are willing to harbor those who would kill innocent people for greed. If nothing else, indictments could at least help apply international pressure on a foreign government. Issuing an indictment makes clear that the U.S. is holding the individual behind the illegal acts accountable. During the previous administration, President Barack Obama expressed his displeasure at Chinese hackers who target the intellectual property of U.S. companies by directly speaking with Chinese President Xi Jinping. The two governments reached an agreement, after which we saw a marked decline in Chinese hacking. Unfortunately, President Donald Trump has demonstrated his refusal to believe that the Russians are behind any hacks. And worse, he has refused to confront Putin over reports that the Russians were paying the Taliban bounties to kill American soldiers in Afghanistan. If Trump won’t stand up to Putin for the lives of American troops in the field, there’s little chance that he would confront Putin over targeting vulnerable patients in American hospitals.
Mieke Eoyang
Mieke Eoyang is the senior vice president of the National Security Program at Third Way, a Washington, D.C. think tank. She had previously served as a congressional staffer on the House Permanent Select Committee on Intelligence, the House Armed Services Committee, and as the Defense Policy Advisor to Sen. Edward M. Kennedy. She is an MSNBC national security contributor. 
