Recently, ransomware attacks on various hospitals and other healthcare facilities became mainstream media news. Today’s hackers aren’t only interesting in locking the computers of high profile companies, but target the health industry by demanding Bitcoin payments in exchange for unlocking their PC’s. Hospitals provide critical care and rely on the latest patient records. The patient-care can get delayed or halted, which can result in death or lawsuits against the hospital. According to S. Sjouwerman they ”have not trained their employees on cybersecurity and hospitals don’t focus on cyber-security in general.” They focus on HiPAA compliance, which are the federal requirements about patient privacy protection. In this article you read about: why internet security software companies aren’t taken aback about these recent events and what kind of measurements hospital facilities can take to combat digital extortion.
For example Hollywood Presbyterion Medical Center in LA (USA) paid $17.000 in Bitcoins to unlock their computers, which were kept hostage by the ransomware called Locky. After the Globe ransomware attack on the Barths Health NHS Trust hospital group 2.800 patient appointments were cancelled. The hospital group exists out of 5 hospitals across East London: Mile End hospital, New University hospital, the Royal London hospital, St. Bartholomew’s hospital and Whipps Cross University hospital. Methodist Hospital in Henderson, Kentucky (USA) was also struck by Locky, but didn’t pay a cent instead they simply restored the patient files from their backups. It took three days before the hospital could be restored to their usual routine. MedStar Health, which operates 10 hospitals and more than 250 out-patient clinics in the Maryland(DC) and Washington area (USA) was hit with a ransomware virus. Some couldn’t access their patient email, records or database and others saw a demanding pop-up Bitcoin payment locked screen.
“We have the tools to catch these attacks nowadays, but you cannot do it with a single product, you need a multi-layer defense strategy – if your end-point protection doesn’t stop a ransomware hit, for example, then maybe your network protection will get it. Maybe a ransomware hit comes in through a web gateway rather than an e-mail, or maybe through a jump-drive someone got from who knows where. You cannot just look at e-mail and say all the bad stuff is coming in this way, you have to have multi-layered products, correlate data from these products, and use that intelligence.” according to D. Finn, health IT officer at Symantec.
”When ransomware hits a hospital, you don’t have to lock an entire network,” S. Sjouwerman,CEO of the security firm KnowBe4, says. ”You just need to find where are the critical files in a network—what servers are serving up the millions of files that most workers use…. And you only need to lock maybe two or three file servers to essentially block the whole network.” For example MedStar gave the proper response by shutting down most of its network to prevent spreading. And it reverted back to the paper route for scheduling and records. According to S. Sjouwerman you need to disconnect infected systems from a network, remove extern hard drivers, USB sticks and disable Bluetooth and Wifi. Bare in mind, that there may be information published online by security firms to resolve the ransomware situation. And last but not least is: have back-ups. It can be formal back-up or you can restore data using Shadow Copy files or other methods.
Healthcare organization must have internal cybersecurity experts and external team of experts to combat ransomware according to G. Whitley, director of the Georgia Center of Innovation for IT: “You might think it seems so obvious, but look at the ransomware cases. Ransomware is getting more brazen, and ransomware works when organizations do not backup their data and thus have no choice but to pay in order to get it back. Healthcare organizations must make sure they are routinely backing up their data. There are many cases where organizations simply have not backed up their data.” These named prevention tools are straightforward. However, you can prevent massive spreading, which forces attackers to work harder to lock down more servers by following prevention tools. First mail servers need to block zip and other malicious likely files. Then you restrict permissions to network areas by breaking thousands of files into smaller groups with different computers. Next, your employees follow a security awareness training. For example to recognize and preventing them to click on phishing emails. In Sjouwermans company he saw a decrease in clicks form 15.9% to 1.2%.
Use strong passwords, update IT security policies, develop time patches to access the data, back-up offline, encrypt medical equipment applications in the local network in case of an unauthorized access to the trusted area and inform personnel that running patient information must be a separate business PC, which isn’t accessed by your own private applications. For example H. Clinton used her personal PC for her work resulting in a public email scandal. Putting your security plan forward is all well and good, but health organizations must test and train their personal, like it’s a fire drill. Also, their personal must train for recognizing malicious activities on their daily routine computers and whitelist all their applications to prevent ransomware installing. This can be a tenacious task and meets opposition, because every PC needs to be scanned.“Doctors are gods and don’t let anybody tell them what to do, so enforcing whitelisting in an organization [and telling doctors they can’t run certain applications] is a political exercise not just a technical one. It is fraught with organizational ‘challenges’,” said Sjouwerman. Lastly, if all these measurements being taken, keep being informed about the latest data breaches, such as ‘Hacking Health: Security in Healthcare IT systems’ by J. Hopkins and professor A. Rubin, at the 2016 USENIX Enigma infsec conference.
According to the IBM Managed Security Services report healthcare organizations are targeted more, because their attackers experience relatively success. These organizations pay for the description to continue operating for risk averse situation, such as a woman in labor or operation.”Organizations used used to have an internal network and they could secure the outside of it to make sure an external hacker could not penetrate it,” said E. Frantz, CEO of ethical hacking firm Vitue Security “It’s easier than ever to gain access inside a hospital’s network and compromise a device.”
Yearly, companies spend nearly $100 billion on computer security, but it remains common: the hospital ransomware and personal data leaking online. Since 2005 ransomware is being used for digital extortion which originated form Eastern Europe. It developed into ransom crypt-ware, which encrypts files on the PC and the attackers possessing the only private key to unlock it. According to security researchers at FireEye the numbers of Locky ransomware downloads is increased and that the hackers change their tools and techniques constantly, delivering it in different formats. “These latest campaigns are a reminder that users must be cautious when it comes to opening attachments in emails or they run the risk of becoming infected and possibly disrupting business operations,” says FireEye researcher R. Chang.
In a study ‘corporate IT security risks survey under corporations‘ form Kaspersky lab 39% of organizations aren’t confident that they have adequate IT security safeguards in place, 16% rely on built-in hardware protection. Many organisations assume they’re protected from these : 30% believes that their data center or infrastructure partners prevent the DOSS attacks and this is 40% for Internet Service Provider (ISP) protection. A third of the organisation failed to take action, because they believe they’re unlikely to be targeted. “The reality is that any company can be targeted because such attacks are easy for cybercriminals to launch. What’s more, the potential cost of a single attack can be in the millions,”according to the report. “Online services and IT infrastructure are just too important to leave unguarded. That’s why specialized DDoS protection solution should be considered an essential part of any effective protection strategy in business today.”
Furthermore, Google collaborated with A. Vance, an associate professor at Brigham Young University, to test new displaying security warnings that are less likely be dismissed by people. In order to reveal the unconscious mechanisms behind how we perceive or ignore the warnings Vance used functional brain MRI scans. In a multitask situation people were three times less likely to properly respond to the pop-up security warning. Another problem was that people rapidly became used to security warnings. This is called the habituated effect. But by slightly changing the appearance of the security message, it was possible to reduce this effect.”Security professionals need to worry not only about attackers but the neurobiology of their users,” and “Our security UI should be designed to be compatible with the way our brains work.”
In the end there’s still some denial (under healthcare board members) about the probability of ransomware attacks on their local community hospitals. However, cyber-attackers don’t discriminate particular business (small or big companies) nor do they favor countries. Examples are the Hollywood Presbyterian, MedStar Health in Washington DC, King’s Daughters Health in Indiana, Methodist Hospital in Kentucky and three Southern California hospitals owned by Prime Healthcare Services. All of them are located in the USA, but there are incidents in Canada, China, Japan, South Korea and the UK. It would certainly help if this issue comes to the lime light with the help from government rules and regulations to make cybersecurity in the health industry a must, a guarantee and a standard.
- Griffiths, S., Could hackers kill hospital patients? Cyber security experts prove they can steal patient data, fake results and damage equipment, Internet, 20 April 2016 (dailymail.co.uk)
- Kumar, M., Hundreds of operations canceled after malware hacks hospital systems, Internet, 2 November 2016 (thehackernews.com)
- Leetaru, K.Hacking Hospitals And Holding Hostages: Cybersecurity In 2016, 29 March 2016 (forbes.com)
- Leyden, J., UK’s largest hospital trust battles Friday 13th malware outbreak, Internet, 13 January 2017 (theregister.co.uk)
- Manzuik, S.,How Hospitals Are Getting Hacked And How To Prevent It From Happening To You, Internet, 26 May 2016 (healthitoutcomes.com)
- Palmer, D., Trojan malware blamed for cyberattack at Barts Health NHS hospitals, Internet, 16 January 2017 (zdnet.com)
- Palmer, D., ‘Massive’ Locky ransomware campaign targets hospitals, Internet, 19 August 2016 (zdnet.com)
- Pham, T, The year of the healthcare hack: 98% of Stolen Medical Records due to hacking, 11 February 2016 (duo.com)
- Simonite, T., Neuroscience Explains Why We Get Hacked So Easily, Internet, 2 February 2017 (technologyreview.com)
- Siwicki, B., Cybercriminals deploy malware for half of successful cyberattacks, IBM study finds, Internet, 2 February 2017 (healthcareitnews.com)
- Siwicki, B., Tips for protecting hospitals from ransomware as cyberattacks surge, Internet, 9 April 2016 (healthcareitnews.com)
- Smith, J., Hospital pays hackers $17,000 in Bitcoins to return computer network, Internet, 18 February 2016 (zdnet.com)
- Unknown, USENIX Enigma 2016 – Hacking Health: Security in Healthcare IT Systems, Internet, 26 Januari 2016 (youtube.com)
- Weldon, D., Many organizations lack direction on cyber security, Internet, 3 February 2016 (healthdatamanagement.com)
- Yaraghi, N., A Health Hack Wake-Up Call, Internet, 1 April 2016 (usnewstoday.com)
- Zetter, K., Why Hospitals Are the Perfect Targets for Ransomware, Internet, 30 March 2016 (wired.com)