October 28, 2021 11:30 am
Cyber Ransom Attack on Israeli Hospital Is Not ‘More of the Same’

by Doron Tamir

Opinion

Israeli Health Ministry inspectors put on protective gear before they go up to the apartment of a person in self-quarantine as a precaution against coronavirus spread in Hadera, March 16, 2020. Photo: Reuters / Ronen Zvulun.

The recent cyber ransom attack on the Hillel Yaffe Medical Center in Hadera should not be mistaken for just another cyber incident.

The group behind the attack, Deep Blue Magic, is a top-level cyber-offensive outfit that has caused havoc and chaos around the world.

While previous high-profile cyber-strikes on Israeli targets, such as the November 2020 ransom attack on the Shirbit insurance company, were widely believed to be Iranian proxy attacks on Israel disguised as criminal incidents, the ransom attack on Hillel Yaffe appears to be authentic — and likely a game changer.

Hillel Yaffe is a government-owned hospital, meaning that it is the government — in this case, the Health Ministry backed by the Israel National Cyber Directorate — that is responsible for responding. The attackers likely were not aware that a government-owned hospital would opt to not pay the ransom, unlike some privately-owned hospitals that might be tempted to choose a faster solution. It appears that many details about this incident have not come to light.

Until now, most ransom attacks in Israel have either been tests of capabilities, or decoys to distract attention from larger cyber operations.

There have been few instances of actual ransom attacks, in which attackers usually ask for small amounts of money to return critical servers and files to the victim.

Within hospitals, there are usually two types of computing systems. The first system is a logistical system, which handles functions such as registration, the monitoring of drug distribution, and other activities. These activities represent around half of all patient care. These networks also contain the private medical details of patients.

The second type of system — the more “frightening” kind of target — is operative, and is used to keep surgery theaters, life support, dialysis, and medical robotic machines running. Some hospitals disconnect such systems from one another, creating independent computing systems — but this arrangement is far more difficult to defend against cyber attacks. Other systems run on a single, holistic cloud server, and here, defense is easier.

Yet neither of these models is immune to Internet attacks. Over the past five years, health systems have been the number one target of cyber-attacks in the United States. Those attacks have mostly seen data privacy breaches, but there have also been more severe types of incidents.

The Hillel Yaffe hospital attack falls under the category of a severe attack.

The importance of awareness

During the incident, a hospital can switch to manual care for patients, and this is likely what Hillel Yaffe chose as its initial response. Surgeons can still operate, and doctors can still prescribe medicines without computers. But in the modern world, this setup cannot continue for more than a day or two.

The Hillel Yaffe hospital’s back-up computer system also appears to have been taken out, meaning that this option for returning to normal is not available.

As a result, the Hillel Yaffe incident is a serious source of concern, and does not represent “more of the same” in cyber security incidents. The level of disruption is extensive, and not easily neutralized.

Medical computing systems are often used by personnel who are simply not aware of the security world. This lack of awareness constitutes a serious problem. Nurses who hit “enter” after distributing blood pressure pills need training on how to keep the system secure.

Financial organizations like banks have already grasped the importance of awareness, and know that without it, they will lose money. But hospitals can lose patients without sufficient awareness.

It seems reasonable to assume that cyber authorities in Israel are gathering forensic information in an effort to track down the attackers.

Yet days after the incident began, it had not ended, and this is a reflection of how extraordinarily disruptive the attack was.

The fact that the Health Ministry, which is responsible for hospital cybersecurity, did establish a solid protection system, backed by the Israel National Cyber Directorate, and that the attack still occurred is evidence of the severity of this event.

As the forensic investigation makes progress, Israel and other countries around the world will have to be on even higher alert for such incidents.

We have reached an important junction. A powerful hacking group has created chaos in a government-owned hospital, and even when Hillel Yaffe returns to normal, the cyber war will not end. When the next incident will occur is just a matter of time.

Brig. Gen. Doron Tamir (IDF, Ret.) is a publishing Expert at The MirYam Institute. Doron served for over two decades in the Intelligence Corps and Special forces — as the Chief Intelligence Officer in the Israeli military, where he commanded numerous military units in all aspects of the intelligence field.

The MirYam Institute is the leading international forum for Israel-focused discussion, dialogue, and debate, focused on campus presentations, engagement with international legislators, and gold-standard trips to the State of Israel. Follow their work at www.MirYamInstitute.org.
