Written by HITRUST Independent Security Journalist Sean Martin.
Look out, healthcare organizations: Ransomware is infecting your facilities. It’s your IT and other data systems — not your patients — that are getting sick. Think of ransomware as a chronic superbug threat that simply won’t go away. Antivirus tools won’t work. Firewalls won’t stop the disease. In fact, because ransomware is mutating and evolving rapidly, there’s no single surefire way to stay safe – or even minimize the harm.
Medical professionals, such as doctors, nurses, orderlies and lab technicians, are trained in hygiene to protect their own health against a patient’s illness or infection – and to avoid spreading diseases from one patient to another. There are practices designed to protect against human contact, either directly (such as by touching an infected patient) or indirectly (such as by touching a doorknob). There are other practices for protecting against droplets (like coughs) and airborne risks.
The same should be true of anyone in a healthcare organization that touches any computer equipment that’s connected to a network. Bad digital hygiene can result in not only infection of the user’s computer, but can potentially spread infection to the organization’s data center, servers, databases, security systems and even cloud storage services.
The threat is real, and ransomware is the Methicillin-resistant Staphylococcus aureus (MRSA) of today’s infectious malware. When a system loads the ransomware code, most often the malicious software does many things, such as:
- It investigates the system and its network to look for vulnerabilities and other systems to infect
- It encrypts the user’s data — rendering the computer unusable and its data inaccessible
- It demands a ransom (payable in an untraceable currency like Bitcoins) to decrypt the data
- If the data is paid, the data is decrypted… but the malware itself still remains on the system in a dormant state (at least for awhile)
There is no guarantee that this is all that will happen. It could be worse. There is nothing to prevent the ransomware from installing a keylogger to capture passwords to secure resources for example. The malware could spy on the network or provide remote access to IT resources for remote hackers. It could steal patient data or other protected information. And… there’s no guarantee that even if the organization pays the ransom that the data will actually be decrypted. It’s not like you can call the hacker’s tech-support line and ask for assistance or a house call if the decryption process fails.
Healthcare organizations are huge targets for ransomware. While there is no indication that this is deliberate, the vast number of users of hospital systems, the poor computer-security training of those users, and a focus on spending money on new lab equipment instead of new security equipment, can exacerbate the problem.
Some examples of recent ransomware attacks in the news:
NBC News, April 2016: “Infected by ransomware, hospitals around the country have been forced to pay hefty sums to criminal hackers. One of the most extreme cases took place in February, when Hollywood Presbyterian Medical Center handed over $17,000 to hackers who took over its systems. Since then, two other hospitals in California, as well as in Kentucky and Maryland, were also hit.”
Healthcare IT News, April 2016: “San Diego-based Alvarado Hospital Medical Center was hit by a “malware disruption” on March 31, the San Diego Union-Tribune reports. A spokesperson for the 306-bed hospital confirmed the cyber attack, but would not say which systems had been affected. Alvarado was the third hospital owned by Prime Healthcare Services to be hit with malware in March; Chino Valley Medical Center and Desert Valley Hospital had also been affected by viruses but were able to recover systems with minimal disruption and without having to pay ransom.”
NetworkWorld, May 2016: “Kansas Heart Hospital in Wichita was hit with ransomware last week. The ransomware attack occurred on Wednesday, and the KWCH 12 news video from Friday night said some files were still inaccessible by the hospital. Hospital President Dr. Greg Duick refused to disclose the ransom amount and the ransomware variant. He said, “I’m not at liberty because it’s an ongoing investigation, to say the actual exact amount. A small amount was made.”
The story gets worse at Kansas Heart, continued NetworkWorld: “Yes, the hospital paid the ransom. No, the hackers didn’t decrypt the files—at least it was described as not returning ‘full access to the files.’ Instead, the attackers asked for another ransom. This time the hospital refused to pay because it was no longer ‘a wise maneuver or strategy.’ ”
That’s the tip of the iceberg. According to Healthcare IT News in April 2016, “As many as 75 percent of U.S. hospitals responding to a poll this week could have been hit with ransomware in the last year… and a chunk of those might not even know it.”
What can you do? First, practice good digital hygiene:
- Back up servers and desktop computer regularly – and ensure that the backups are secure and can’t be overwritten by malware.
- Although they are not perfect, have secure anti-virus, web filtering and firewall systems in place – and make sure they are active and always updated to the latest version.
- Make sure that end users don’t have network privileges to write directly to server files, so if they are infected with ransomware, the servers won’t be encrypted.
- Screen emails at the server for phishing or other unwanted email.
- Install web content blockers that will not let users visit infected websites.
- Train end users not to click links in email messages.
- Plan your response, so that if you are infected with ransomware, you know what to do.
Second, stay informed on the latest ransomware threats through the monthly HITRUST Cyber Threat Briefing Reports, and also take advantage of the Cyber Threat XChange, which offers a data-driven approach to speeding the detection and response to attacks.
Ransomware is the MRSA of malware. It’s a chronic superbug. There is no one-time vaccine, no permanent cure: You must stay ever vigilant to stay healthy.