When it comes to cybercrime, online attacks often follow seasonal trends. So as the kids head back to school, it’s safe to assume that cybercriminals have learned and developed some new ransomware tricks that will be coming to a computer near you this fall.
If you are like most healthcare organizations, you’re probably not prepared to deal with this new wave of attacks. Amongst the endless flow of sensationalistic cyberattack headlines, including NotPetya and the Erie County Medical Center, it’s easy to become numb to the threat of ransomware—choosing to believe that your organization is either too small to be a likely target or that your existing cybersecurity measures provide adequate protection. Unfortunately, this optimism has led to the peril of many healthcare providers and in turn the patients they serve.
When a ransomware disaster struck A1Care 12 years ago, CEO Percy Syddall wasn’t sure how hackers evaded his company’s defenses. All he knew was that A1Care’s computers were locked down and the perpetrators who promised to restore the system upon payment kept changing their demands. Each day the problem went unsolved further disrupted the in-home elderly care, facility placements and case management services that A1Care’s clients depended upon and threatened to destroy the business Syddall had worked so hard to build.
The Rise of Ransomware
The biggest cybersecurity concern used to be hackers invading healthcare systems to steal sensitive patient data and then selling it to the highest bidder. But today, one of the easiest assaults on a computer system is ransomware—a debilitating attack through which an anonymous criminal encrypts your files and then forces you to pay them whatever amount they request in order to regain access to your system—and all the important files it may contain.
SonicWall recently reported there have been 181.5 million ransomware attacks during the first six months of 2018, which marks a 229 percent increase over this same time frame in 2017. Encrypted threats are up 275 percent over last year.
Why has ransomware become the primary cyber threat out there? Most experts point to four primary factors:
Finding a buyer: The key to any successful transaction is finding a buyer that is willing to pay to acquire whatever it is that you are selling. When it comes to selling data on the dark web, searching for a buyer is tricky and comes with many risks. Selling something directly to the person you stole it from improves the odds of getting paid quickly and quietly.
The US government: In 2017, Shadow Brokers compromised government security defenses and delivered to the world the tools the NSA had been using to break into computers of its adversaries. Created at a huge expense to American taxpayers, those cyberweapons have now been picked up by hackers from North Korea to Russia and are being used against businesses and civilians. The WannaCry attack was born from these tools, as was the Petya attack which shut down millions of computers across the globe with demands for payments in order to restore access.
Cryptocurrency: In the old days, collecting a ransom involved suitcases full of cash (containing bills that could be marked) or wire transfers (which could be tracked). The cash then had to be laundered, which meant only large criminal organizations typically had the necessary resources. Today, anyone can sign up for a cryptocurrency wallet in a matter of minutes—some criminals even provide their victims with simple to follow instructions. With cryptocurrency, neither the wallet nor the resulting transactions can be easily connected to any real-world identities.
Ransomware-as-a-Service: Once upon a time, cybercriminals had to develop their own malware, which required coding skills and at least some knowledge of operating systems, networking and hardware. Now, easy-to-use “ransomware as a service” can be purchased cheaply on the darknet. Some vendors even offer customer support for buyers of their malware. And would-be hackers who want customized ransomware can hire black-hat coders for its development.
Healthcare is a favorite target for hackers
Smaller healthcare organizations are an easy target for hackers because most don’t have adequate financial or technical resources to defend themselves against the onslaught attacks. According to Cryptonite, healthcare organizations have reported an 89 percent year-over-year increase in ransomware attacks.
No healthcare provider wants to be a victim of an ransomware attack, but cybersecurity is a complex problem that requires multiple layers of defenses. Many owners of healthcare organizations feel they can’t afford to keep their practice safe because it typically requires deploying sophisticated endpoint technologies such as antivirus, anti-malware software and firewalls to keep intruders out and then hiring resources to keep up with frequent software, data backups and equipment security updates, as well as providing security training for staff.
Industry experts estimate that an organization with 50 employees may have to spend upward of $50,000 to have the best possible protection against cyberthreats and then thousands of dollars each year to keep everything up to date. But even when organizations make this investment in security, they might still have a breach.
Minding the security gap
Hackers are becoming extremely resourceful and have found ways to circumvent even the most advanced antivirus and anti-ransomware solutions. These solutions cannot protect against Fully UnDetectable (FUD) threats that were conceived by cyber criminals to directly evade existing security layers and harm data.
Recent Tenable research reveals, “cybercriminals have a median seven-day window of opportunity during which they can exploit a vulnerability to attack their victims.” Ponemon’s 2017 State of Endpoint Security Risk Report suggests that 69 percent of organizations don’t believe their antivirus can stop the threats they’re now seeing. Even FireEye reports “… in 100 percent of the breaches to which [they] responded … firewalls and antivirus protections were up to date.”
Antivirus software monitors for the signatures of known threats, so it can’t deal in real-time with all of the fresh attacks constantly evolving in dark web incubators. Other behavior-based security approaches use machine learning to identify threats. For example, if an email attachment tries to access a large number of files quickly or an unexpected file starts encrypting files, a behavior-based approach tries to shut it down. Today’s attackers simply avoid detection by changing the predictable characteristics of ransomware—slowing down or randomizing encryption or lying dormant for a period of time before executing the attack.
In time, this particular attack did manage to spread internationally from Europe over to America, but that only provided further evidence that ransomware, and cyber attacks more broadly, are a threat of seemingly unlimited potential. The failings of American healthcare to get its data safely organized look far less damning when the scale of cyber risk is made explicitly global, and even the NSA is caught off-guard by their own tools being turned into weapons in enemy hands.
Not Alone, but Not Ahead
Of course, that American hospitals weren’t the primary targets for once doesn’t remotely get them off the hook; nor does the jarring impact of this particular incident reflect a growing resilience among health data security in the U.S. American health data may not be alone in its vulnerability or attractiveness to thieves, but neither are our health systems leading the pack in protecting against ransomware, or any other form of cyber attack. Sadly, this wakeup call seems more likely to be heard outside of healthcare than within it; the scale makes it almost universally noteworthy, but otherwise it resembles a new status quo for data leaks in modern health systems.
Credit card data is relatively to protect; thieves are easily and quickly locked out of accounts, if not caught, thanks to everything from increased scrutiny by lenders and processing companies as well as consumer-facing transparency and 24/7 account monitoring via mobile credit card alerts and apps. Health data, by contrast, remains largely vulnerable. Clinics are not particularly good at recognizing fraud when thieves have a person’s medical data; hospitals have proven themselves no better at keeping that data secure in the first place. So compared to traditional identity theft leveraging plastic, digital health data presents a softer and more lucrative target end to end.
Why should physicians and providers care about the possibility of a ransomware attack? There are several reasons. First, it is disruptive both to patient care and to the revenue cycle. Second, it is costly in terms of time, IT capital, and if the attacker is paid, money. Finally, the time it takes to correct the attack, implement paper charting and communication, and subsequently revise the electronic medical record system can be arduous.
To understand the necessary precautionary measures and what to do in the event of an attack, it is first necessary to identify what ransomware is and how it works. A common definition of ransomware is “a type of malicious software designed to block access to a computer system until a sum of money is paid.” A ransomware attack may target a business or an individual. The two categories of attacks are Denial of Service (“DoS”) and Distributed Denial of Service (“DDoS”). A DoS attack affects a single computer and a single internet connection, while a DDoS attack involves multiple computers and connections. According to PC World, three types of ransomware programs top the list – CTB-Locker, Locky and TeslaCrypt.
A common question that arises is whether or not to pay the ransom in order to have the data returned. The FBI advises not paying the ransom, advice that has been echoed by statistics.
“Kaspersky’s research revealed that small and medium-size businesses were hit the hardest, 42 percent of them falling victim to a ransomware attack over the past 12 months. Of those, one in three paid the ransom, but one in five never got their files back, despite paying. Overall, 67 percent of companies affected by ransomware lost part or all of their corporate data and one in four victims spent several weeks trying to restore access”
This leads us to the best ways to defend against an attack, as well as steps that should be taken if an attack occurs.
Proactive steps include: educating employees about social engineering, phishing and spear phishing, continuously making sure that software updates are installed, creating a layered approach to security defenses, limiting access to the network, making sure that policies and procedures are comprehensive and updated, and ensuring that data is backed up daily.
According to FBI Cyber Division Assistant Director, James Trainor, “These criminals have evolved over time and now bypass the need for an individual to click on a link. They do this by seeding legitimate websites with malicious code, taking advantage of unpatched software on end-user computers.” Hence, recognizing the avenues that cybercriminals use to gain access and taking appropriate administrative, physical, and technical precautions can reduce the risk of an attack.
Some people jokingly say they’re “addicted” to their smartphones or to browsing online. They use their devices to visit social media platforms and websites and send texts throughout the day. But the vulnerability created by these activities for employers is no joke, and the risks extend to every industry, including healthcare, since most data breaches are caused by human error.
In doctor’s offices and other clinical operations, the risk is especially acute for providers who use cloud-based systems that require constant connection to the internet. The always-connected nature of these solutions exposes offices to ransomware and malware designed specifically for Windows, which can exploit the internet connection to steal sensitive patient information.
While many high-profile hacking and ransomware incidents have occurred over the past several years, security experts project that 2017 will be even worse as cybercriminals exploit new vulnerabilities introduced by the Internet of Things (IoT) and hackers increasingly turn to Distributed Delay of Services (DDoS) attacks. These are techniques for data theft that are only used to compromise remote data centers with shared servers, commonly called ‘the cloud’.
Practice leaders can respond with training, instructing staff on how to avoid “phishing” scams, fake web sites, fake links, and other temptations and traps, but stopping hackers will take a concerted and comprehensive effort. Encryption, platform and common sense security measures can all play a key role in protecting patient data.
Encryption’s Role in Data Protection
Encryption — the use of an algorithm to make data indecipherable to criminals without an encryption ‘key’ — is an essential component of data security. To comply with HIPAA standards, practices should use software and/or hardware that utilizes Advanced Encryption Standard (AES), the only standard that can be called encryption according to the National Institute of Standards and Technology (NIST).
HIPAA requires that providers use secure, encrypted email. HIPAA also states that providers have a duty to encrypt electronic patient health information (ePHI) that is ‘at rest’ (i.e., on a server, terminal, backup device, etc.) and ‘in motion’(i.e., traveling through an office network or to and from remote connections, etc.) and that their database be further protected with a unique, encrypted password.
Unfortunately, most practice software does not have built-in AES encryption and some do not even have a unique password. Practices with software that does not have built-in encryption who use Windows will have to purchase outside expertise to implements and monitor security and make to help them be HIPAA compliant with regard to encryption.
Platform and Security’s Role in Keeping Data Safe
Practices that use Windows software without built-in encryption must pay for IT security services to deploy encryption on every device that houses ePHI. Mac users can handle the safety of data at rest by turning on FileVault in preferences. This is a glaring example of the difference platforms make in keeping data safe and the cost to the doctor.
Virtual private networks (VPNs) are an option for practices to compensate for practice management and EHR software that does not encrypt data in motion, but VPNs increase costs and complexity and can degrade network responsiveness. But even with a VPN, practices must make sure their software provides a unique, encrypted database password; otherwise, they’re well advised to get software that does.
Hacking is on the rise, and ransomware is a huge problem for practices that operate on Windows. In March 2016 alone, 56,000 Windows users reported attacks. Practices that use native Mac software have not been affected by ransomware. Macs are also less expensive to operate in the long run: IBM gave employees the option to use PCs or Macs and found that each PC required twice as much support and cost IBM $535 more than a Mac during a four-year period.
Cloud software and hosting server farms aren’t the solution: Malware, including ransomware, can infect every device that connects to an infected computer, including offsite cloud servers and backup devices. The FBI says the only sure way to recover is to restore data from an uninfected backup that is not connected, followed by reformatting devices.
Note about “the cloud”: You have heard from cloud vendors that “everyone is going to the cloud.” What you may not have heard is that 40 percent of organizations that migrated their data and applications to the cloud are now bringing all or some of them back because of security and cost concerns. Also a recent survey of dentists indicated that of the top dental software perhaps no more than 3 percent of dentists are using cloud software, although it has been available to them for eight years.
Guest post by Stu Sjouwerman, founder and CEO, KnowBe4.
A story about hospital ransomware or a compromised computer seems to emerge weekly. It is no surprise that healthcare breaches have been on a steady increase for the past five years. Loss of personal health information (PHI) poses a financial risk for health care institutions, expected to cost the industry in the neighborhood of 6.2 billion dollars.
By the numbers
Despite the prevalence of cybersecurity incidents, a study by Ponemon Institute in May 2016 showed that the majority of healthcare organizations and business associates were most concerned with negligent or careless employees causing healthcare data breaches.
Sixty-nine percent of healthcare organizations believe they are more vulnerable to a data breach than other industries.
When asked what the greatest threat was to healthcare data security, the majority of healthcare organizations stated employee inaction or error (69 percent). Rounding out the top three concerns were cybercriminals at 45 percent and the use of insecure mobile devices at 36 percent.
Employee error was also the top concern for business associates (53 percent), followed by use of cloud services (46 percent) and cyberattacks (36 percent).
Ransomware is currently one of the most prevalent threats to Healthcare. A June survey done by KnowBe4 of Healthcare IT professionals shows 44 percent of healthcare organizations have been hit with ransomware, 6 percent above the national average of 38 percent. 65 percent of these IT professionals know someone personally who has been hit and another 47 percent would pay the ransom if faced with a scenario of failed backups. With some healthcare ransomware demanding five figures, this can get pretty expensive.
Why hospitals are the perfect targets
I was interviewed by WIRED magazine’s Kim Zetter. She’s written a great article that analyzes why hospitals are perfect targets for ransomware. She started out with: “Ransomware has been an internet scourge for more than a decade, but only recently has it made mainstream media headlines. That’s primarily due to a new trend in ransomware attacks: the targeting of hospitals and other healthcare facilities.”
Now, Who Else Should Be Scared?
Hospitals have shown themselves to be soft targets and are under full attack by several cybercrime gangs using different attack vectors. The SamSam ransom gang attacks server vulnerabilities in JBoss apps using an open source pentesting tool called JexBoss, so these are targeted attacks are based on scans the bad guys did. Cisco technical background:http://blog.talosintel.com/2016/03/samsam-ransomware.html
That is an exception though; the vast majority of ransomware infections are caused by phishing emails. Next are malicious links and ads leading to compromised websites with Exploit Kits causing drive-by-infections.
Guest post by Justin Sotomayor, pharmacy informatics director, CompleteRx.
The field of health informatics has grown exponentially over the past 50 years. From Robert Ledley’s work paving the way for the use of electronic digital computers in biology and medicine in the 1950s, to the founding of the American Medical Informatics Association in the 1990s, to the launch of the Medicare/Medicaid Electronic Health Record Incentive Program in the 2000s, it continues to mark new milestones at an astounding pace, presenting both challenges and opportunities for the healthcare industry.
Three trends – in particular – will have a marked impact on patients and practitioners, and are certain to define health informatics in the near future, if not for years to come.
The end of Meaningful Use
In 2009, with the passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act, came the launch of the Meaningful Use program – and the related requirement that healthcare providers show “meaningful use” of a certified EHR to qualify for incentive payments. With both Stage 1 (adoption) and Stage 2 (coordination of care and exchange of information) behind them, hospitals are fully responsible for Stage 3 (improved outcomes) by 2018. While, undoubtedly, the program has improved EHR adoption – in many cases, streamlining and enhancing patient care – it has been widely criticized. In a 2015 news release, the American Medical Association regarded Stage 2 as a “widespread failure,” suggesting it monopolized staff attention without commensurate benefit to patients, and hampered innovation.
Most recently, following highly-publicized remarks in January by CMS Acting Administrator Andy Slavitt that Meaningful Use would be replaced, the U.S. Department of Health and Human Services has proposed transitioning Meaningful Use for Medicare physicians to the “Advancing Care Information (ACI)” program under the Medicare Access and CHIP Reauthorization Act (MACRA). According to Mr. Slavitt, this program is designed to be “far simpler, less burdensome, and more flexible,” primarily by loosening the requirements to qualify for extra payments, and incentivizing providers based on treatment merit, known as Merit-based Incentive Payment System (MIPS). While this update doesn’t yet affect hospitals or Medicaid providers, and these groups should continue to prepare for full Meaningful Use implementation, it’s an indication that industry concerns over meaningful use are being heard and responded to, and that additional changes may be forthcoming.
Guest post by Mike Baker, founder and principal, Mosaic451.
Over the past couple of months, hospitals and other healthcare facilities have come under siege by cyber-criminals. However, the hackers aren’t after patient data; they never even access it. Instead, they are infecting computers with ransomware, a type of malware that locks down a system and prevents the owner from accessing their data until they pay a ransom, usually in Bitcoin. Among the high-profile attacks that have made headlines:
In February, Hollywood Presbyterian Medical Center in Los Angeles fell victim to the Locky virus, which disabled the organization’s computers and kept employees from accessing patients’ electronic health records (EHRs). Access was restored a week later, after the hospital paid a $17,000.00 Bitcoin ransom to the hackers.
Shortly afterward, Methodist Hospital in Henderson, Kentucky, also fell victim to Locky and was forced to declare an internal “state of emergency.” However, instead of paying the ransom, the hospital reported that it was able to restore its data from backups.
In late March, Maryland/DC-based MedStar Health, which operates 10 hospitals and more than 250 outpatient clinics, was hit by an undisclosed ransomware virus that forced the organization to revert to paper records. Like Methodist Hospital, MedStar did not pay the ransom and restored its system using backups.
Although any organization can fall prey to ransomware, lately healthcare facilities have been the primary targets. Some experts feel the problem has reached crisis levels – and hackers are only getting started.
Why Ransomware Attacks are on the Rise
Ransomware is growing in popularity because it is far more lucrative than more traditional cyberattacks where hackers access and steal data. Once the data is stolen, the hacker must find a buyer. Then, the hacker has to negotiate a price. Conversely, in a ransomware attack, the hacker has a built-in “buyer” — the owner of the data, who is not in a position to negotiate on price.
Ransomware is also a simpler and quicker mode of attack than a data breach. Once a hacker has breached a system, downloading a large data set can take some time, during which the attack could be identified and halted. Because ransomware never actually accesses a system’s data – it just locks it down – it works far more quickly and covertly. Victims have no idea they have been compromised until they find they cannot access their system.
Guest post by Cody Jaster, digital marketing manager, Netsurion.
The word “ransomware” has been in the headlines quite a bit this year. The Institute for Critical Infrastructure Technology (ICIT) has even called 2016 the year of ransomware.
Ransomware is a company’s worst nightmare. This malware infects computers and restricts the users from accessing any of their data until paying the ransom. Imagine a hospital unable to access patients’ data or a financial institution unable to manage their customers’ accounts? What would you do to get that data back? Victims of ransomware have been presented with the following choices: Restore their backups (if they had any and if they do, it takes quite a few days to retrieve it all) or pay the ransom to get the data back. Assuming they get the data back, at that point these businesses have had operations grind to a halt for days, spent money on retrieving this data and most of all, their reputations have taken a hit.
Take action before being the next victim. In addition to having remote-managed network security as your first line of defense against ransomware, here are a few things you can do yourself to protect your business.
Preventative and Proactive
The number one preventative measure calls for regularly updated system backups (stored off-site or cloud-based)
Keep software updated, including patches, antivirus, firmware, flash, etc. A large number of malware or ransomware access systems via security gaps posed by out-of-date software.
If possible, filter incoming mail with .exe, .vbs, or .scr attachments to a quarantine folder if these types of files are normally contained in everyday business communications, otherwise, mark as spam or auto-delete
Ensure your business locations have a properly configured and actively managed/monitored firewall
Staff Training and Education
Build a culture of security by having employees and staff educated to identify and refrain from opening suspicious attachments in email
Update computer system settings to show file extensions and train staff to recognize suspect files. This will help expose many executable files that have been disguised as .doc.exe or .pdf.exe to appear as legitimate and safe files when settings do not show the entire extension.
Provide individual accounts for each user, with minimal privileges for only necessary system access. Educate staff to not share user accounts and passwords.
Disable public-facing remote access for all critical systems
For systems with remote access, enable two-factor authentication to prevent attacks
Properly configured network segmentation prevents the spread of ransomware from compromised machines to other critical systems and devices on the network
Quite a few ransomware programs require an encryption key from external Internet sites to encrypt your files. Enact strict firewall rules with web filtering to limit access to these sites
Ensure your managed firewall is actively managing and monitoring all inbound and outbound traffic