Hacks targeting hospitals, coupled with the second wave of the pandemic, have prompted calls for addressing the weakest link in Czech IT security – the workforce.
On the morning of Friday, March 13, the duty nurses at the University Hospital in the Czech city of Brno received emergency guidelines on conducting essential meetings.
The Czech Republic had just declared a strict nationwide lockdown and organisations across the country were scrambling to move their meetings online. But the hospital in Brno, bracing for its first wave of Covid patients, was going the other way.
The emergency guidelines said all operational matters must be discussed face-to-face rather than online, in team meetings to be held at regular intervals several times a day.
The measures worked, and the virus – a form of ransomware that had paralysed the hospital’s computers – was eventually contained.
“You cannot prepare for a situation like that,” recalls Branislav Moravcik, the head nurse at the hospital’s Clinic of Anaesthesiology, Resuscitation and Intensive Resuscitation. “The key is not to panic.”
Moravcik learnt of the cyber-attack in the early hours of Friday morning. Upon reaching work, he backed up his most important data on a flash drive and shared the emergency guidelines with his team.
With computers and medical equipment linked to the IT network shutting down around him, he sent the guidelines using a personal laptop tethered to his mobile phone’s internet connection.
Were such an attack to happen again, Moravcik said, it would be helpful if staff could draw upon planned protocols, as well as mandatory training, to work out what to do.
Healthcare workers care for COVID-19 patient in the department of anaesthesiology, resuscitation and intensive care medicine (ICU) at General University Hospital in Prague, Czech Republic. Photo: EPA-EFE/MARTIN DIVISEK.
The incident at the University Hospital in Brno was one of several cyber-attacks or attempted cyber-attacks targeting Czech medical facilities this spring.
In mid-April, hospitals in Ostrava, Olomouc and Carlsbad reported malicious activity in their IT systems, just days after the National Cyber and Information Security Agency, NUKIB, had issued a warning signalling the imminent threat of such attacks. As is usually the case, there was no clue to the hackers’ identity beyond the strings of numbers denoting their IP addresses.
These incidents revived a debate in mainstream media outlets about the state of the Czech public sector’s IT infrastructure, accompanied by speculation that the hacks might have been the work of foreign powers such as Russia and China.
The Czech government responded by pledging to upgrade its cyber defences. But as the country faces a second, deadlier surge of coronavirus infections over the winter, cyber-security experts are once again questioning the healthcare system’s ability to withstand attack at a time of crisis.
Experts interviewed by the Balkan Investigative Reporting Network, BIRN, have said any investment in technical solutions must be accompanied by large-scale staff training in the basics of digital hygiene. Expensive upgrades, they argued, could only be as effective as the weakest links in the system – the tens of thousands of individuals who accessed public sector IT networks every day.
“The human factor plays a big role in cyber security,” said Michal Salat, Director of Threat Intelligence at Avast, a Prague-based provider of anti-viral software that helped Brno’s University Hospital deal with the aftermath of the attack. “It is easier to trick a person than it is to hack into a system.”
Hackers often use seemingly innocuous e-mails to convince individuals to provide the confidential details or download the infected files that end up compromising entire networks. Salat said stressed-out, busy workers – such as those staffing a hospital during a pandemic – would be particularly vulnerable to such “social engineeering” tactics.
To minimise the risk, he said, medical facilities should keep their software up to date, make constant backups of important data, and train staff in best practices for digital hygiene as they do for other forms of hygiene.
Digital-hygiene lessons would have to be repeated at regular intervals for their message to be re-enforced. Jan Kozanek, a cybersecurity specialist at the Accenture consultancy, warned of long-ingrained bad habits in the public sector, describing how any visitor to a local hospital was free to check standards for themselves with a little test. “Just count how many times you can spot passwords written on a piece of paper” near a computer workstation, he told BIRN.
‘Only an amateur would leave tracks’
Hospitals’ overwhelming reliance on IT systems to provide urgent care has made them popular targets for hackers seeking to extort money. Ransomware attacks, in which hackers encrypt data and demand payment for restoring access, have been reported at medical facilities across the US and Europe this year.
An attack on a hospital in the German city of Dusseldorf in September was investigated for having caused the death of a seriously ill patient, in what was thought to be the first such case of its kind. The investigation was however dropped as there was not enough evidence that the hack had led to the death. The best-known such attack remains the 2017 “Wannacry” hack that plunged the UK’s National Health Service into crisis, leaving computer screens frozen with messages demanding ransom payments.
This year’s cyber-attacks in the Czech Republic fit within this global trend, as well as within a narrower trend for hacks targeting the country’s public sector IT infrastructure. In June last year, for instance, NUKIB reported that the Czech foreign ministry’s e-mail servers had been targeted by hackers. This April, the country’s main travel hub, the Vaclav Havel Airport, said it had thwarted an attack on its IT system.
Healthcare workers transport a COVID-19 patient to Motol University Hospital after transfer from Zlin region, in Prague, Czech Republic. Photo: EPA-EFE/MARTIN DIVISEK.
Both the EU and the US issued statements criticising the cyber-attacks in the Czech Republic this spring. Several Czech media outlets went further, accusing Russia of orchestrating the hacks – a claim described by the Russian embassy in Prague as a “provocation”. Russia has major business interests in the country and its government is frequently accused of trying to influence Czech politics, as well as public opinion through disinformation campaigns. Similar accusations have also been directed at China, another global player with interests in the Czech economy.
Experts are however cautious about claims that foreign governments are involved in the recent hacks. According to Yuval Ben-Itzhak, the former CEO of Israeli cyber-security firm, Finjan, who currently heads the Prague-based digital marketing company, Socialbakers, state actors prefer making discreet inroads into IT infrastructure over high-profile hacks. “Governments want to have access on a long-term basis, not visibility in the news,” he told BIRN.
Alexandra Alvarova, a writer on disinformation tactics in the Czech Republic, said claims of Russian involvement in the hacks would most likely remain unverified unless there was a high-profile defection from the ranks of its intelligence service. “In this business, only an amateur would leave tracks, and Russian intelligence hackers are some of the best in the world,” she told BIRN.
Czech lawmakers are currently seeking to amend laws in order to give NUKIB a bigger role in defending hospitals from cyber-attack. NUKIB spokesman Jiri Taborsky said the legislative changes are a response to a “long-term, unsatisfactory situation” in the Czech healthcare system’s cyber-defences.
“This situation in turn reflects long-term under-investment in hardware and software infrastructure, as well as in human resources,” he told BIRN in an emailed statement. “NUKIB has been warning of this every year in its annual report on the state of cyber-security.”
The agency said it was also providing “educational materials and courses to help medical staff nationwide educate themselves” about the cyber threat.
‘Working crazy hours’
While claims of foreign involvement in specific hacks are rarely proven, the view that the Czech Republic is lagging behind in cyber-security matters has become a vote-winner.
The 2017 general election delivered a breakthrough for the Pirates Party, a new political formation that won the third-largest share of votes with a tech-savvy message that appealed to younger voters. A legislator for the party, Ondrej Profant, told BIRN that the country’s older governing class simply “did not understand the digital world – they lack the elementary habits”.
He acknowledged that the government had prioritised cyber-security following the attacks this spring, and praised NUKIB’s new digital-hygiene guidelines for staff at public offices. However, he warned, more training was needed.
“We are willing to invest in expensive technologies which improve our security by some margin against highly sophisticated attacks, but we forget about the staff at the main entrance,” he said. “It is as if we are building a very high wall to protect ourselves but leaving the door unlocked.”
It is moreover uncertain how much of an impact additional training will have on everyday habits in Czech hospitals. Apolena Rychlikova, a journalist who has reported on the healthcare system, said the effectiveness of digital-hygiene training would also depend on variables such as staff members’ age and workload.
“In general, medical facilities were understaffed and people were working crazy hours – and that was before the pandemic,” she told BIRN.
Albin Sybera is a journalist and Visegrad Insight fellow based in Ljubljana. This article was edited by Neil Arun. It was produced with a Reporting Democracy grant for stories that reveal how the Covid-19 crisis is reshaping politics and society in Central, Eastern and Southeast Europe.