Ransomware is a new twist on an old crime

Hackers and malware are routine threats for most healthcare organizations, but this year saw criminals add a devastating tool to their arsenal: ransomware.

Although the dramatic increase in ransomware attacks against healthcare organizations is largely a recent phenomenon, ransomware itself is not new. According to the FBI, it’s been around for several years, but the agency began to see an uptick in ransomware attacks in 2015, particularly against organizations. Early this year, the Department of Defense specifically warned healthcare organizations that they are a top target for ransomware. As ransomware continued to grab headlines and lawmakers called for official action, HHS released ransomware response and prevention guidance for healthcare organizations (www.aha.org/content/16/160620cybersecransomware.pdf).

State and federal lawmakers took notice as well. At a March 22 joint hearing of the House of Representatives subcommittees on Information Technology and Health Care, Benefits, and Administrative Rules, some lawmakers suggested HIPAA should be modified to specifically require covered entities and business associates to report ransomware attacks.

Security officers must act now to protect their organizations, and in turn, organizations must be prepared to invest in security and carefully follow related policies. The price for failing to do so could be high.

 

Learning about the threat

Ransomware is a sneaky, insidious attack, and it’s being used to target an industry where access to information can be a matter of life or death. Ransomware is a type of malware that encrypts files on an infected computer or networked device. When the rightful user tries to access files, such as a patient’s EHR, on an infected device, the user is told the files are locked and that access can only be regained by paying a ransom.

"Ransomware introduces a new twist to cyberthreats," says Kate Borten, CISSP, CISM, HCISPP, founder of The Marblehead Group in Marblehead, Massachusetts. "It’s old-fashioned kidnapping and blackmail in a new guise."

A number of healthcare organizations found themselves victim to ransomware this year, including MedStar Health, Maryland’s second largest healthcare provider. On March 28, when staff tried to access EHRs and other electronic files, a warning appeared on their screens informing them they were locked out and demanding ransom paid in bitcoin (a type of electronic currency that’s difficult to trace). The note warned that if the ransom wasn’t paid in 10 days, the ransomware-encrypted files would be permanently deleted.

Hospital staff and those at affected clinics were knocked back to the paper and fax age for a week. Without access to patients’ EHRs, they found themselves scrambling to piece together medical histories and contact information for other providers and patients’ family members. The radiation oncology department at University of Maryland St. Joseph Medical Center, which contracts through MedStar, canceled appointments, and some patients reported that the ransomware attack prevented them from having prescriptions refilled or even locating family members at the hospital. It took one man days to locate his wife, who was admitted to MedStar Union Memorial Hospital’s emergency department the day of the ransomware attack, the Baltimore Sun reported.

Networked encryption

Most security officers are veterans of the war against malware. However, unlike traditional malware, ransomware doesn’t necessarily steal or copy information, says Dwayne Melancon, CTO of Tripwire, a security and compliance software company based in Portland, Oregon. Instead, ransomware generally leaves the information in place and intact but quietly encrypts it.

"It’s stealthy," he says. "Once it gets on a system, you won’t know it’s there until after it’s already encrypted all of your information." Ransomware looks for any attached systems, even other systems on the network, and can spread to any networked device, Melancon says.

Although the Department of Defense’s warning contained information on specific types of ransomware, knowing the precise type won’t significantly help an organization protect itself, Melancon says. All types of ransomware generally use the same basic approach and function in very similar ways.

Most ransomware infections begin the same way other malware infections do: phishing or visiting the wrong website. Some phishing emails will have an attachment rather than a link, Melancon adds. These attachments are often cleverly disguised as invoices or other items that the recipient may have no reason to suspect. Opening the attachment allows the ransomware to install itself on the computer and begin encrypting data.

After the data is encrypted, the ransomware connects back to what’s known as a command and control server (the ransomware’s host server) and registers that the system is now encrypted. That’s when users will find themselves locked out of their own files.

However, the command and control server also offers the best way to shut down a particular type of ransomware, Melancon says. If the location of the command and control server is discovered, access to the server can be turned off. In some cases, governments have partnered with Microsoft to target and shut down these servers, he says. The longer a particular type of ransomware exists, the more likely its command and control server will be identified and shut off. Unfortunately, persistent hackers simply create new types of ransomware using new command and control servers if one is shut down, he adds.

 

Prevention is the best defense

Security officers have a number of tools to protect their organizations. As with any cyberthreat, educating staff is a top priority, Melancon says. Training staff to recognize and avoid phishing emails may be the best way to prevent ransomware.

Phishing test tools can be an effective method of teaching staff and identifying problems, says William Miaoulis, CISM, CISA, information security officer at Auburn University in Auburn, Alabama. These tools can test staff knowledge of ransomware and identify individuals who need additional training.

However, because human error is inevitable, technical controls can provide a valuable check on mistakes. Melancon suggests organizations adjust administrative privileges and take a close look at what’s on their network.

At many organizations, computers are set up so that the staff member who is assigned a particular computer is also that computer’s local administrator. That gives the individual broad authority to make changes to the computer, download files, and install programs. Although staff may prefer to have those privileges, this might not be the safest option, Melancon says. As a local administrator, if a staff member opens a file containing ransomware, the ransomware would be able to use the staff member’s access privileges to install itself and begin an infection that could easily spread through the organization’s network.

The safer alternative, he says, is to set staff up as standard users who are still able to use the computer but do not have administrative access to install files or make other changes. Even if a standard user opens a phishing email, the attached ransomware would not be able to download and install itself. Melancon notes that this option might cause some pushback, though.

"In a lot of cases, people might say, ‘Well, my users need to install things on their systems, or that’ll cause my help desk volume to go up because they’ll have to call to do everything,’ " he says. "There is a workaround to that. You can provide people with a secondary account on their systems where they can perform administrative actions on their systems, but by default that’s not running all the time."

If the user deliberately does something that requires administrative access, such as installing a new product or updating a program, he or she can enter the administrator password and complete the task. Once that task is complete, the user would revert back to his or her primary standard user account.

Network segmentation is another method an organization can use to protect itself. Segmenting networks limits the number of resources ransomware can reach, Melancon says, because under this setup, individuals have access to only the specific resources they need. Each staff member’s access should be evaluated based on job duties and limited accordingly.

Organizations can also use email security management tools that evaluate attachments and limit links within emails, Miaoulis says. Antivirus programs should be kept updated on all computers, he adds.

Ensuring programs are kept up-to-date and performing regular checks and tests will go a long way to reducing an organization’s vulnerability, Melancon agrees. "Providing fewer handholds for the criminals to get in and infect your system, and then making sure you have good hygiene, that won’t let you down," he says.

And the sooner organizations start preparing, the better, he says.

Getting the diagnosis

Ransomware is notoriously difficult to detect. "The challenge with this is ransomware products are really good at hiding themselves," Melancon says. "They can choose random file names. They can in a lot of cases evade standard antivirus or antimalware detection techniques."

However, some methods can give an organization a better chance at catching ransomware, Melancon says. A system integrity check, also known as file integrity monitoring, can be used to catch suspicious executable files and unusual background activity typical of ransomware. These checks aren’t automatic: File monitoring systems must be added to the system and regularly run. The process is typically best handled by an organization’s IT or security team, he adds.
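The baseline-and-compare check that file integrity monitoring performs, shown as an added example (not from the article or any product it mentions). The extension watch list, the 30% change threshold, and the file names in the constructed demo are assumptions.

```python
import hashlib
import os
import tempfile

# Assumed watch list of executable/script extensions; tune for your environment.
EXEC_EXT = {".exe", ".dll", ".scr", ".js", ".vbs", ".bat", ".ps1"}

def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:  # whole-file read; chunk it for large files
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                digest = "unreadable"  # keep the entry so the gap is visible
            manifest[os.path.relpath(path, root)] = digest
    return manifest

def compare(baseline, current, mass_change_ratio=0.3):
    """Diff two manifests; flag new executables and bulk rewrite/rename activity."""
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    # Renamed files show up as removed + added, so count removals as churn too.
    churn = (len(modified) + len(removed)) / max(len(baseline), 1)
    return {
        "added": added, "removed": removed, "modified": modified,
        "new_executables": [p for p in added
                            if os.path.splitext(p)[1].lower() in EXEC_EXT],
        "mass_change": churn >= mass_change_ratio,
    }

def demo():
    """Constructed scenario: 4 documents, then a dropped .exe and 2 files rewritten."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(4):
            with open(os.path.join(root, f"chart{i}.txt"), "w") as fh:
                fh.write(f"patient note {i}")
        baseline = snapshot(root)
        with open(os.path.join(root, "invoice.exe"), "wb") as fh:
            fh.write(b"constructed placeholder bytes")
        for i in (0, 1):  # overwrite in place, as bulk encryption would
            with open(os.path.join(root, f"chart{i}.txt"), "wb") as fh:
                fh.write(os.urandom(32))
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Store the baseline manifest somewhere the monitored host cannot write to; a baseline that malware can overwrite proves nothing.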

 

Backup plan

Even with the best prevention measures in place, security officers must ensure their organizations will be ready to weather ransomware and keep patient care disruptions to an absolute minimum.

"With the advent of ransomware, it is important to consider each organization’s backup strategy and ever more important to store copies off the network," Borten says. "In addition to the potential breach, interfering with a provider’s access to patient data can have immediate, serious consequences for patient care."

Completing regular backups of data can be the difference between a bump in the road and a major disaster, Miaoulis agrees. "Back up, back up, back up," he says. "If you have sufficient backup, you move the data to an unaffected machine and move on."

Locating a safe backup may be a challenge, Melancon says, as the infection may have been present and undetected in the system for some time. If the system is wiped and an infected backup installed, the organization will be back to square one. However, this is a case in which knowing the type of ransomware can be helpful. Screening for traces of the ransomware, such as the program’s executable file, can help to identify a clean backup. At least some backups should be kept offline or detached from the network: A backup that’s connected to an infected network could easily become infected even if it was safe at the time of its creation.

Organizations are required by HIPAA to have detailed security and privacy incident response plans, and those plans should include ransomware, Borten says. Organizations should evaluate their risk and have a clear response planned in advance. (For more information on security incident response plans, see "Responding to privacy and security breaches" in the June issue of BOH.)

Although ransomware generally doesn’t copy or extract data, that doesn’t mean an organization can assume data hasn’t been breached in a ransomware incident, Melancon says. A thorough IT forensic analysis must be completed to determine if a breach occurred. It’s also possible that a hacker may develop a type of ransomware that does copy and transfer data, he adds.

 

Getting tough

When Hollywood Presbyterian Medical Center in Los Angeles was hit by ransomware, the organization chose to pay the $17,000 ransom. Since then, as ransomware attacks on healthcare organizations have increased, experts in information security and IT, as well as law enforcement, have warned healthcare organizations not to pay the ransom. This may be a difficult decision if EHRs and systems vital to patient care are being withheld.

"If you pay the ransom, it just encourages them to do more," Melancon says. "It should only be a last resort to pay the ransom."

With patients’ lives in the balance, it’s no surprise that some have opted to bargain with the criminals. However, as Kansas Heart Hospital in Wichita discovered, paying the ransom is no guarantee that the files will be restored. In May, the hospital lost access to files due to ransomware and paid an undisclosed sum, only to have the hackers demand a second ransom. Organizations should contact law enforcement as soon as possible rather than attempting to bargain with the hackers, Melancon says.

The rise of ransomware should be a security wake-up call, Borten says. Hackers may see healthcare as an easy target, and until organizations step up their security, that perception isn’t likely to change.

"Given the high street value of the data, the healthcare industry is definitely an increasingly major target for cyberattacks of all types, including ransomware," Borten says. "Unfortunately, unless or until security programs become mature across the healthcare industry, this will continue to be a trend as organizations pay the ransom to ensure continued access to patient and other confidential data and to avoid further disclosure of the data."

HCPro.com – Briefings on HIPAA