By Doron Tamir

The recent cyber ransom attack on the Hillel Yaffe Medical Center in Hadera should not be mistaken as just another cyber incident.

The group behind the attack, Deep Blue Magic, is a top-level cyber-offensive outfit that is well versed in bits and bytes and has caused havoc around the world.

While previous high-profile cyber-strikes on Israeli targets, such as the November, 2020 ransom attack on the Shirbit insurance company, were widely believed to be Iranian proxy attacks on Israel disguised as criminal incidents, in the case of Hillel Yaffe, the ransom attack appears to be authentic – and likely a game changer.

Hillel Yaffe is a government-owned hospital, meaning that it is the government – in this case the Health Ministry backed by the Israel National Cyber Directorate –  that is responsible for responding. The attackers likely were not aware that a government-owned hospital would  opt to not pay the ransom, unlike some privately-owned hospitals that might be tempted to choose a faster solution.  

The hospital remains under attack, and it appears as if not all of the details about this incident have come to light.

Until now, most ransom attacks in Israel have either been tests of capabilities, or decoys to distract attention from larger cyber operations. There have been few instances of actual ransom attacks, in which attackers usually ask for small amounts of money to return critical servers and files to the victim. Usually, in such cases, the attackers ask for a few thousand dollars – and they do this from many victims, rather than seeking millions from a single target.

Within hospitals, there are two types of computing systems. The first system is a logistical system, which handles functions such as registrations, the monitoring of drug distribution, and other activities. These activities represent around half of all patient care. The networks also contain the private medical details of patients.

The second type of system – the more ‘frightening’ kind of target – is operative, and is used to keep surgery theaters, life support,  dialysis, and medical robotic machines running. Some hospitals disconnect such systems from one another, creating independent computing systems – but this is far more difficult to defend against cyber events. Other systems run on a single, holistic cloud server, and here, defense is easier.

Yet neither of these models are immune to cyber-attacks in any way. Over the past five years, health systems have been the number one  target of cyber-attacks in the United States.  Those attacks have mostly seen data privacy breaches, but there have also been more severe types of incidents.

The Hillel Yaffe hospital attack falls under the category of a severe attack.

The importance of awareness

In the immediate timeframe after the incident, a hospital can switch to manual care for patients, and this is likely what Hillel Yaffe chose as its initial response. Surgeons can still operate and doctors can still prescribe medicines without computers. But in the modern world, this set up cannot continue for more than a day or two.

The hospital’s back-up computer system also appears to have been taken out, meaning that this option for returning to normal is not available.

As a result, the Hillel Yaffe incident is a serious source of concern, and does not represent ‘more of the same’ in cyber security incidents. The level of disruption is extensive, and not easily neutralized.

Many of the medical computing systems are used by personnel who are simply not aware of the security world. This lack of awareness constitutes a serious problem. Nurses who hit ‘enter’ after distributing blood pressure pills need training on how to keep the system secure.  

Financial organizations like banks have already grasped the importance of awareness, and know that without it, they lose money. Hospitals can lose patients without sufficient awareness.

It seems reasonable to assume that cyber authorities in Israel are now gathering forensic information in an effort to track down the attackers.

Yet days after the incident began, it has not ended, and this is a reflection of how extraordinarily disruptive the attack has been.

Incident management is a key area in the cybersecurity world, and it is an area organizations must be prepared for in the event that prevention efforts fail.

An Israeli company called Demisto enables automated responses to cyber-attacks, and is an example of where cutting-edge technology is headed in this regard. Demisto’s system, once activated, scans the attacked computer system, identifies weaknesses and locates the presence of malicious programs, thwarting them – all without human intervention.

The fact that the Health Ministry, which is responsible for hospital cybersecurity, did establish a solid protection system, backed by the Israel National Cyber Directorate, and that the attack still occurred is evidence of the severity of this event.

In addition, the fact that the attack has yet to be resolved also testifies to the seriousness of the event.

As the forensic investigation into the attackers makes progress, Israel and other countries around the world will have to be on even higher alert for such incidents.

The Hillel Yaffe incident has generated significant public relations for ransomware attackers, and could serve as encouragement for more.

We have reached an important junction. A powerful hacking group created chaos in a government-owned hospital, and even when Hillel Yaffe returns to normal, the cyber war will not end. The next incident is just a matter of time.

Brigadier General Doron Tamir General Doron Tamir had a distinguished military career spanning over 2 decades in the Intelligence Corps and Special forces - as the Chief Intelligence Officer in the Israeli military, where he commanded numerous military units in all aspects of the intelligence field, from signal, visual, and human intelligence, through technology and cyber, to combat and special operations. Read full bio here.