2016 has been another year of cyberattacks and ransomware for the healthcare industry. In March, MedStar Health in Columbia, Maryland reported that a malware infection had caused the entire system to shut down. The virus in question prevented users from logging into the system. While the hospital’s IT team acted immediately and took down all computer interfaces to prevent the infection from spreading, it is believed that some ransom was involved to resolve the situation.
Health care data theft has increased by 1100% during 2015. Nearly 100 million records have been compromised worldwide as reported by the 2016 IBM X-Force Cyber Security Intelligence Index. That means one in three people may have had their health care records compromised. Surprisingly, healthcare spending on security is as little as one-tenth of the amount spent by other industries. This makes healthcare an even easier target for cybercriminals.
The MedStar incident was only one of many ransomware attacks against hospitals. Soon afterwards, Methodist Hospital in Henderson, Kentucky fell victim to cybercriminals. During this ransomware attack, hackers locked patient files and demanded a ransom in exchange for giving the hospital access to these records. To get hold of the data, the hospital management had to pay a $17,000 ransom to the hackers.
As if this wasn’t enough, two other healthcare institutions in California run by Prime Healthcare Management Inc. were attacked by hackers. Chino Valley Medical Center and Desert Valley Hospital had their computer systems compromised. The hackers in question gained access to the computer systems and spread a malware program that encrypted their data. This resulted in a halt in the hospitals’ services as well as those of their affiliate healthcare providers. All shared systems were taken offline, putting clinicians and healthcare IT experts alike to the test.
The malware infection was later identified as Locky, the same type of malware that took Hollywood Presbyterian’s system offline in February. The virus also prevented some of Prime’s external service providers from accessing the systems and affected part of its VoIP telephone system.
While the hackers demanded a ransom in cryptocurrency, the hospital spokesperson claimed no patient or employee data was compromised at either of the facilities. Prime’s in-house IT experts immediately acted by implementing protocols and procedures to mitigate the disruption. Patient safety was not affected by the work to reinstate the systems, and the hospitals remained operational.
The above examples demonstrate that the healthcare industry has been especially under attack in recent months, with ransomware attacks besieging almost one-third of the hospitals across Canada and the US. Proofpoint, a cyber-security company that tracks malware and develops protective solutions, has tracked a new RAA virus targeting healthcare data. According to the company, RAA follows the same pattern in its use as other types of now ‘classic’ malware such as Dridex, Locky, CryptXXX, TeslaCrypt and CryptoWall, and is a mixture of both ransomware and data theft.
The North American healthcare system was not the only victim of ransomware. In Europe, cyber attackers held hostage the data of Lukas Hospital in Neuss, Germany. They locked access to the facility’s healthcare data and demanded that management pay a ransom in exchange for it.
The IT team at Lukas managed to develop special software to scan and cleanse the entire system, consisting of more than 100 servers and 900 devices, and salvage the data without having to pay the ransom. Although some critical surgical procedures were postponed for security reasons, 85% of the patients requiring surgical intervention received treatment as scheduled.
How does it happen and why?
Healthcare has been under attack recently because cybercriminals have realized that medical records can make them a lot of money, not just by stealing the data, but by holding it hostage and demanding ransom. Obviously, hospital managers realize that it’s not just about the money. It’s about the hospital’s reputation, patient safety and the risk of possible fines if any damage results from breach of data and identity theft.
According to Jocelyn Samuels, Director of the HHS Office for Civil Rights, “One of the biggest current threats to health information privacy is the serious compromise of the integrity and availability of data caused by malicious cyberattacks on electronic health information systems, such as through ransomware.”
Cybercriminals use different ways to infect an IT system. Methodist Hospital and Prime Healthcare were infected through ‘phishing’ e-mails, while other care providers were taken down by malware hitting their Web servers running JBoss.
On close examination, it was found that the ransomware spread due to a network flaw, which was eventually tracked down. The virus, going by the name of ‘Samsam’, used public data taken directly from JexBoss, which is an open-source vulnerability testing tool for JBoss. Once the virus got into the server, it easily spread to all Windows machines connected to the same network.
Ransomware is more likely to hit hospitals, not necessarily because cybercriminals intentionally target healthcare data but because of the systems and types of applications used by healthcare providers. It is evident that malware developers scan for vulnerable servers on the internet, and some of the easiest targets have belonged to healthcare organizations. A primary reason for this vulnerability may be the fact that healthcare organizations do not have a proper IT security and maintenance system in place. There is also less focus on round-the-clock security of computer systems, and there are very few full-time IT system administrators in healthcare facilities.
According to Alex Rice, chief technology officer and co-founder of HackerOne, organizations transitioning from paper-based records to more technologically advanced solutions, including new software, are eager to implement the new systems but are not prepared to face the cyber security challenges that come with them. Furthermore, hospitals and medical equipment manufacturers never run penetration tests, nor do they conduct regular risk assessments.
How to prevent malware
Several healthcare facilities have implemented private disclosure programs to improve their security systems. In addition, the FDA has also published new guidelines to urge medical device manufacturers to upgrade their software. However, this is a lengthy process and will require a totally different approach from the healthcare industry when dealing with ransomware and any other cyber security threats.
In Europe, the ‘No more ransom!’ movement has been initiated by the European Cybercrime Centre of EUROPOL, aimed at eliminating all types of malware that take hold of computer systems and encrypt data.
Expert advice invariably revolves around the following:
Back-up: implement a recovery system to impede any data corruption. Ideally create two back-up copies, one to store in the cloud (use an automatic back-up service) and the other stored physically (external hard drive, thumb drive, secondary device etc.);
Use reliable, fail-safe antivirus software to protect the system against any malware. It is advisable not to deactivate the heuristic functions of the software, as these help it capture samples of ransomware that may not have been detected yet;
Trust no one. Any account can be hacked into or be maliciously compromised through links presumably shared by friends on social media or even an online gaming partner. Never open attachments from people you don’t know. Often cybercriminals send fake email notifications that closely resemble offers from online shops, a bank, the police etc.
Enable ‘Show file extensions’ in Windows settings. This will make it easier for you to spot any potentially corrupted files that may spread the malware in your system. Refrain from opening and downloading files with extensions like ‘.exe’, ‘.vbs’, ‘.scr’.
If you detect any rogue or unknown process running on your device, immediately disconnect from the Internet or home Wi-Fi network to prevent the infection from spreading.
Conduct routine security assessments to identify any system vulnerabilities. Effort should be made to design security into each core process and to keep the connectivity of devices limited to avoid any breach.
All devices should be updated and behind a firewall. The operational network should be separated from medical and personal data so that even if there is a breach, the data is protected. Default passwords should be changed as any neglect in this regard can result in breaches.
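The ‘Show file extensions’ advice above matters because a hidden final extension lets a name such as invoice.pdf.exe display as a harmless document. The following is an added example, not part of the original article, of how a mail gateway or helpdesk script could screen attachment names automatically; every extension beyond ‘.exe’, ‘.vbs’ and ‘.scr’, and all sample file names, are assumptions constructed for illustration.

```python
import unicodedata

# The three extensions named in the article.
ARTICLE_EXTS = {"exe", "vbs", "scr"}
# Further script/executable types: an assumption added here, not from the article.
EXTRA_EXTS = {"js", "jse", "wsf", "bat", "cmd", "com", "pif", "hta", "lnk"}
RISKY = ARTICLE_EXTS | EXTRA_EXTS
# Document-like extensions often used as the visible, decoy half of a name.
DECOY = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "zip"}


def screen_filename(name):
    """Return the reasons an attachment name looks risky (empty list = no finding)."""
    reasons = []
    # Unicode format characters (category Cf), such as the right-to-left
    # override U+202E, can change how a name is displayed to the user.
    if any(unicodedata.category(ch) == "Cf" for ch in name):
        reasons.append("hidden-format-char")
    cleaned = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    # Windows ignores trailing dots and spaces, so remove them before parsing.
    parts = cleaned.rstrip(". ").lower().split(".")
    if len(parts) < 2:
        return reasons  # no extension at all
    ext = parts[-1]
    if ext in RISKY:
        reasons.append("risky-extension:" + ext)
        # Padding spaces can push the real extension out of a narrow column.
        decoy = parts[-2].strip()
        if len(parts) >= 3 and decoy in DECOY:
            reasons.append("double-extension:" + decoy + "." + ext)
    return reasons


# Constructed sample attachment names (not taken from any real incident).
SAMPLES = [
    "invoice.pdf.exe",
    "scan.jpg",
    "notes.vbs",
    "report.pdf      .scr ",
    "annual\u202efdp.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", screen_filename(sample) or "no finding")
```
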
Overall, it is evident that the increase in cybercrime within the healthcare industry highlights the need for healthcare systems to become more vigilant and to implement cybersecurity strategies that would make their systems more secure. Investment in advanced IT systems, updated software and establishing a qualified and focused IT team is a must for hospitals in order to avoid security breaches and data theft. By becoming more proactive in cybersecurity, healthcare facilities can reduce their vulnerabilities and can become less of a target for cybercriminals around the globe.