Cybercriminals had been inside Hospital Clínic systems 'for days, weeks, or months' - expert

After Hospital Clínic, one of Barcelona's biggest hospitals, saw much of its normal activity come to a halt following a cyberattack that was detected on Sunday, cybersecurity has been at the top of the agenda. 

David López, a cybersecurity expert with more than 20 years of experience focusing on IT security and data protection, believes that the threat of such cyber attacks is something that the world is going to have to learn to "coexist" with and that companies and organizations need to invest more in protecting their vulnerabilities in the face of this constant danger. 

In the wake of the attack that has dominated the news cycle over the past couple of days, López, who works at cybersecurity firm IPM, spoke with Catalan News about what we know about the Hospital Clínic attack, ransomware attacks more broadly, and what the future holds for this growing segment of cybercrime.

What are ransomware attacks?

López explains that ransomware attacks usually come from organized crime groups that are looking to compromise the data of companies to then ask for a ransom in exchange for giving the data back safely. 

"They are organized cybercrime groups that may have started off in this world or they may have come from other types of organized crime, such as arms or drug traffickers," the IPM expert says. He adds that these criminals that come from other domains of organized crim "view this market as more profitable and less dangerous for them because there are nearly never arrests and everything is done remotely from countries where it's difficult to detect them." 

Sunday morning is when the attack on Hospital Clínic was detected but López is certain that "the criminals had already been inside the organization for days, weeks, or even months, because a ransomware attack doesn't happen in one day, it has various phases and the last phase, decrypting the data, is the last phase when the company being attacked realizes it."

How is the attack affecting the hospital? 

"From what we know, the attack hasn't affected the hospital's critical data, but it has affected their access to that data. By today, they don't have access to the clinical history of patients, they cannot input data, they're doing everything manually," López says. 

The cybersecurity expert also says that emergencies have been diverted to other hospitals to ease the burden on Hospital Clínic and let them work on containing and solving the problem. 

How are attacks such as the Hospital Clínic one commonly carried out? 

At this point in time, it's too early to tell how Hospital Clínic's data was compromised. But, López says that phishing is one of the main access points for cyberattacks of this sort. "Maybe in recent weeks, one user received a phishing email and through this, [the criminals] could take control of a corporate computer," López says, explaining how ransomware attacks often start. 

"Once inside they could work on identifying where the important data is located, what vulnerabilities exist inside the system, and how to exploit them and move around from the compromised device."

This kind of task is work that can take weeks for the criminals to eventually culminate in the sort of attack we're seeing now at Hospital Clínic. 

What do we know about RansomHouse, the group behind the Hospital Clínic attack? 

David López says we do not know very much about this specific group who carried out the Hospital Clínic cyberattack, RansomHouse. "They move on the dark web, that's where they come up with their plot and work on their strategy." 

According to López, there are 32 major cybercriminal groups in existence currently, but RansomHouse are not known to be one of the biggest or most active. 

How can this issue be resolved?

David Lopez's company have helped out in similar cases within the health field. They helped out with a hospital in Ourense, a city in Galicia, that was compromised after the login details of a worker were stolen. Their systems were accessed and the criminals even managed to delete backup copies of data, making the process much more difficult. 

In this case, Hospital Clinic say backups have not been affected. The next phase the hospital has to do is contain the damage, to stop their systems and isolate them completely, and see how exactly they've been affected. The next phase will be to see how they can go about restoring services, and an analysis will need to be done to see if their latest backup files have been compromised. 

How well or poorly protected is Catalonia and Spain from these kinds of attacks? 

Catalonia has had a cybersecurity agency in existence since 2019, but we've still seen major incidents and disruptions caused by cyberattacks in the time since then, including an attack on the services of the Autonomous University of Barcelona. 

"I think Catalonia and all of Spain is investing a significant amount into protecting companies" from these kinds of attacks, López believes. "But logically, we're a little bit behind. Cybercriminals are improving their techniques and their ransomware attacks, so all these improvements companies are making are often not enough. Almost every day, news comes out about companies being attacked and compromised." 

"Health and education are two sectors that are being most attacked these days. In healthcare systems, it's not very easy to make improvements to security systems, they're critical and very specialized systems, and any change would need a lot of time and investment to improve their safety."

What does the future hold in the field of cyberattacks such as ransomware?

"It's a very profitable business" for the cybercriminals, López says. The expert believes we'll have to end up "coexisting with" these kinds of problems in the short term, as ransomware attacks are now on the agenda and no company is 100% safe. 

If companies are attacked they should have procedures in place to minimize the damage, López argues. His company, IPM, are working to help companies become more "cyber-resilient" and he says that we can't stop attacks like ransomware from happening, but we can help the attacks become less intrusive on day-to-day operations. 

"It's very important to have a good policy of protection, as well as a good policy of recovering data in a fast and safe way."