Ransomware scare: Will hospitals pay for protection?

Modern Healthcare - - NEWS - By Joseph Conn

On April 4 an ordinary-looking e-mail arrived in a clinical worker’s Microsoft Outlook inbox at a small Indiana hospital. In the “From” field was the name of the hospital’s new printer and fax machine paired with its official e-mail domain. The subject line was simply the word “Invoice.” That is, it all looked mundane and legit—like a routine document sent from the device.

But that e-mail, one of several that made it past the hospital’s firewall, unleashed a virus that encrypted files on the worker’s computer hard drive and connected to a server. A window popped up giving instructions and links to retrieve a key to unlock the files.

King’s Daughters’ Health in the small town of Madison, Ind., was the victim of a so-called ransomware attack. A series of such attacks in recent weeks, including one that disabled the computer systems at MedStar Health, a much larger and more sophisticated organization based in Columbia, Md., has startled hospitals across the U.S.

Healthcare organizations, for a variety of good and bad reasons, are slow to adopt and update their information technology. And the cybercriminals know it.

“It’s a quick and easy way to monetize weaknesses in health information security,” said Dr. Eric Liederman, director of medical informatics at the Permanente Medical Group. Dealing with ransomware adds one more item to an already crowded to-do list for clinical IT leaders, Liederman said. “My job is to try to find that balance” between clinicians’ workflow needs, patient-safety requirements and security demands.

As hospital IT teams spend much of their time and money figuring out how to meaningfully deploy electronic health records and harness the data for emerging payment and delivery models, the bad guys continue to hone their technology and calibrate their attacks, creating boom times for data defenders. With at least six hospitals targeted in the past month, healthcare leaders are scrambling for protection.

The available wares include legal services, security consultancy, training, systems testing, cyber insurance, security software that runs on and defends computer systems, and remote-hosted software and services that can include fully staffed security operations centers that provide computerized and human watchdogs on the lookout for cyberthreats 24/7.

“Business is booming,” said Eldon Sprickerhoff, founder and chief security strategist at eSentire, a Canadian provider of remote-hosted security services.

At King’s Daughters’ Health, the employee who unwittingly released the malware quickly notified the IT department, which shut down all of the hospital’s computer systems, including its electronic health record system. The EHR system was unscathed, although it was open on the infected computer. Still, the attack forced the hospital to go without e-mail and use paper to document patient encounters until the system’s corrupted files could be deleted and replaced.

“We knew we had a backup—I think we handled it as well as we could have,” said Linda Darnell, senior director of technology and health at the 77-bed hospital. “We saw stories from other organizations that were hit, and those stories gave us the warning to be prepared.” The hospital added some security software to monitor its systems but paid no ransom.

“It’s a troubling trend,” said Katherine Keefe, head of breach response services for Beazley, which sells breach insurance, including coverage for ransom payments. “We had our biggest (breach) incident month last month, and a lot of it was attributable to ransomware.”

Fernando Blanco, vice president and chief information security officer at Irving, Texas-based Christus Health and a member of an HHS health IT security task force, said he is getting about 200 e-mail solicitations a day from vendors and consultants.

The newest tech wrinkles in ransomware are called Locky and Samas, both used this year against healthcare organizations, according to a threat alert on ransomware issued March 30 by the U.S. Department of Homeland Security and the Canadian Cyber Incident Response Centre.

Locky uses e-mail as a vector. It deploys a virus hidden in a document that, when opened by an unwitting e-mail recipient, launches other software that moves through an infected computer system, scrambling computer files with near-bulletproof encryption, then posts a demand that the victim pay a ransom to the hackers.

Its signature, the .Locky extension, attaches to the data files it encrypts. It was Locky that struck King’s Daughters’ Health in Madison.

Samas propagates through vulnerabilities in an organization’s Web servers. According to the federal alert, the server of an unnamed healthcare organization was compromised this year by Samas, which uploaded ransomware that infected its network.

And Samas was likely the virus that attacked MedStar Health in late March, according to the Associated Press. MedStar’s Georgetown University Hospital in Washington and other facilities were affected, forcing clinicians to return to paper recordkeeping and knocking out at least some of its computer systems for more than a week. MedStar was not commenting about the nature of its attack.

The cybersecurity community doesn’t know yet who’s behind the latest ransomware attacks, said Joseph Lawlor, associate managing director for the U.S. cyber investigations and incident response practice at K2 Intelligence. “The important thing to understand here is these aren’t amateurs,” said Lawlor, a former FBI agent assigned to cybercrimes. “This is not a kid in his mom’s basement. They’re well-trained professionals, and they’re all over the world.”

And the gambit is extremely successful. In 2012, Symantec Corp., the Mountain View, Calif., security software developer, estimated ransomware was yielding $33,000 a day. “I would suspect they’re making a lot more now,” Lawlor said.

Like astute businessmen, data kidnappers are experimenting with various price points in their ransom demands to see what the market can bear.

So far ransom demands have run from a few hundred dollars to a few thousand, so that victims will do the math and decide “it’s the most expeditious thing to do” to make the payoff, said Collin Hite, leader of the insurance recovery group and co-chair of the data privacy and security practice at Hirschler Fleischer, a Richmond, Va., law firm.

In March, Hollywood Presbyterian Medical Center in Los Angeles paid about $17,000 to hackers who disabled its computer network. CEO Allen Stefanek said paying up was the “quickest and most efficient way to restore our systems and administrative functions.”

Some ransomware attackers have even optimized their software to facilitate customer interactions, such as providing victims with easy-to-follow instructions on how to acquire and transmit bitcoins, a hard-to-trace electronic currency preferred by cybercriminals.

As any TV cop show aficionado knows, the weakest link in a kidnapping scheme comes when the ransom payment changes hands, but that problem was addressed in September 2013. It was “the date ransomware went mainstream,” said Stu Sjouwerman, CEO of KnowBe4, a Tampa Bay, Fla.-based provider of cybersecurity training services.

“That’s when CryptoLocker (a ransomware variant) came out and took everyone by surprise with its business model of using bitcoin as the payment method,” Sjouwerman said. “It’s almost untraceable.”

And data kidnappers are mindful of their further business development needs. Thus, they adhere to an honor code among thieves—reliably releasing decryption keys once their ransom demands are met so victims know their cooperation will be rewarded.

“They’re good criminals,” Hite said. “They have every reason in the world to ensure that if you do your part and pay, they’ll do their part to make sure the next guy pays as well.”

One vulnerability so far unexploited in ransomware attacks is with networked, computerized medical devices. Last year the FDA and the Department of Homeland Security issued warnings about vulnerabilities in several infusion pumps, and the FDA followed last summer with a recommendation that hospitals stop using Hospira’s Symbiq medication infusion pump because of its vulnerability to hacking. (The company removed the device from the market and says it is working with customers still using the pumps to add protections.)

Jeremy Richards, senior vulnerability researcher at Saint Corp., a Toronto developer of security scanning tools, has taken apart and analyzed the software controlling several pumps and medication stations and found their security wanting—particularly on some popular wireless pumps.

“From the parking lot with a good antenna you’d be able to control the pumps” on a network across an entire hospital, Richards said. He’s heard of no ransom demands yet, “but it’s scary.”

Sprickerhoff, of the security company eSentire, worries the industry might not be capable of moving fast enough to keep ahead of the latest ransomware threats. “I know consensus is a big part of decision-making in healthcare,” he said. But, he added: “This is a new animal. The situation has changed so dramatically in the last six weeks. I’m hopeful, but not optimistic they can do it.”

[Image caption] This is what victims of a Locky-based attack see when the malware infects and encrypts their data, according to an alert from McAfee Labs.
