'The whole country gets attacked' in cyberattacks against hospitals, expert says

It's only March, but 2023 has been a big year for cybercrime in Catalonia already. The Hospital Clínic ransomware attack has hampered medical staff from providing normal service, while it's also been confirmed that a pro-Putin Russian group targeted four Catalan hospitals with DDoS attacks.

The Hospital Clínic attack is the biggest cyberattack in Catalonia since 2021's ransomware attack against the Autonomous University of Barcelona (UAB). 

Marc Torrens, Associate professor at ESADE in the department of Operations, Innovation and Science, explains in an interview with Catalan News that public institutions such as hospitals and education centers are often targeted by cybercriminals because they usually host sensitive data in large quantities. 

Data on patients and students "has a lot of value and a high privacy value," Torrens says, adding that the fact that they are public entities means the criminals can have a lot of power in negotiating and ask for a lot of money "because the whole country gets attacked, it's not just a private organization that affects one business, but it affects the whole population." 

  

Tomàs Roy, head of the Catalan Cybersecurity Agency, told Catalan News that adversaries just need "one hole" to burrow their way into the systems of an institution they are targeting. At the moment, authorities do not know how exactly the Hospital Clínic attack was carried out, but the Cybersecurity Agency are investigating the access point.

Once the criminals found their way into the system, Marc Torrens says it would be relatively easy to then install malware, such as ransomware, which then encrypts the sensitive data once the cybercriminals identified it. 

On the ground, in the hospital, the cyberattack means that doctors and nurses are unable to access their own systems which would normally show them information on the patients sitting in front of them. Without knowing the patient's records and history, medical staff are partially blinded in how they are working. 

Roy adds that "we must assume that attacks will occur and they will succeed," something that Torrens agrees with, saying it's impossible to be 100% safe. 

Yet, for now, authorities are monitoring the dark web for any sign of the Hospital Clínic data being published and will work on having that data taken down if they detect it. Roy also explains that they are working with international law enforcement to try to block the hackers' own access to the stolen data. "It's something that delays them, it's winning a battle but not the war," Roy says, "because they can make a copy of this data and republish it anyway." 

"It must be said that normally also these cybercriminals look for countries that protect them, so we cannot always avoid it," Roy laments.

One thing authorities are sure about is they know they will not pay a cent to the criminals. Marc Torrens says it is in general very important not to pay ransoms such as this one for two main reasons: paying it encourages this type of behaviour and shows the world it is a profitable business, and paying would fund even more sophisticated forms of malware for criminals to continue wreaking havoc. 

Education is one of the first steps institutions and people can take to protect themselves. "There are some simple techniques like phishing that are pretty easy to avoid if people know about them," Torrens explains. "With a little bit of education on the topic, it can be easily solved."

But investment in firewalls and other such protection is also key. "The probability [an attack] will happen to you is quite small but the damage is huge," Torrens says. "The solution is to invest more. I'm sure it's an area we could always do better, but I don't think Spain or Catalonia is doing any worse than other European countries, I think in all of Europe we're in a similar situation."

Jordi Hernàndez, an IT official at the Autonomous University of Barcelona agrees having learned the hard way following the 2021 attack that knocked out the university's virtual campus for months. 

"The first lesson we learned is that we need to invest more in safety," he told Catalan News in a recent interview. "The second is that we have to update our systems as soon as possible. And the third is that users need to be sure of what they are doing on the computer and be aware of what they see."