Hospital Ransomware Attacks Surge; So Now What?
Experts Recommend Steps to Defend Against Uptick in Malicious Assaults
Ransomware attacks against hospitals are becoming commonplace this year, with at least five incidents revealed in recent weeks.
In each case, attackers encrypted data and demanded ransom to decrypt it. Most of the incidents reportedly involved the use of Locky ransomware, but at least one involved WinPlock, a new variant of Cryptolocker.
Only one of the five recently targeted hospitals has admitted paying a ransom to unlock data, while the others were able to resolve the situation relying on backups.
Security experts suspect that those five cases are only the tip of the iceberg, with many other cases being quietly resolved without grabbing headlines.
"Some get reported. Others are handled more discreetly," says Adam Greene of the law firm Davis Wright Tremaine. "Accordingly, while I think that we will continue to see a rise in ransomware, it's hard to say how many of these attacks will be in the headlines over the coming months."
Healthcare organizations can take specific steps to help prevent falling victim to these attacks, including backing up data and educating users about how to recognize phishing attacks that can result in compromised credentials, security experts advise.
The latest attacks coming to light this month targeted Methodist Hospital in Kentucky and two California hospitals operated by Prime Healthcare Inc.
Other recent ransomware victims include Ottawa Hospital in Canada and Hollywood Presbyterian Medical Center in California. The Hollywood hospital paid a $17,000 bitcoin ransom in February to unlock its data, which extortionists had maliciously encrypted.
In the most recently revealed attacks, two of Prime Healthcare's hospitals in California - Chino Valley Medical Center and Desert Valley Hospital - reported "server disruptions" on March 18 that were linked to ransomware, a spokesman told Information Security Media Group on March 23.
"I can confirm that no ransom has been paid," he said. "As for what kind of virus or how it got into our system, I can't comment as the investigation is ongoing. What I can say is that our expert, in-house IT team was able to immediately implement protocols and procedures to contain and mitigate the disruptions. The hospitals remained operational without impacting patient safety, and at no point was patient or employee data compromised."
As of March 23, most systems had been brought online, the spokesman added.
Meanwhile, in a March 18 statement about a ransomware attack, Methodist Hospital in Henderson, Ky., said the hospital's information systems department "responded quickly to the virus and immediately shut down the system to control the virus from spreading." While the system was down, a backup system was activated, the hospital says. "The backup system ran smoothly and allowed the hospital to continue its daily operations without interruption."
On March 22, a Methodist Hospital spokeswoman told Information Security Media Group, "the virus has been contained and there have been no further outbreaks. Our system is up and running." The incident was "a result of a malicious email that made it through the spam filter and was opened. No ransom was paid; they were asking for bitcoins. The situation has been reported to the Henderson Police Department in Kentucky and the FBI is investigating. No patient data or records were compromised."
Earlier this month, Ottawa Hospital in Canada contained ransomware infections on four of the hospital's 9,800 computers that were attacked over a three-week period, a hospital spokeswoman tells ISMG.
"No patient information was affected. The malware locked down the files and the hospital responded by wiping the drives," she says. "We are confident we have appropriate safeguards in place to protect patient information and continue to look for ways to increase security."
Although other recent ransomware attacks affecting hospitals have reportedly involved the Locky malware, the Ottawa Hospital spokeswoman says WinPlock ransomware, a new variant of Cryptolocker, was involved in that hospital's recent incidents.
The string of recent ransomware attack revelations began in early February, when Hollywood Presbyterian grabbed headlines with its statement about paying a ransom.
Hospital officials said that on Feb. 5, the organization's IT department determined that "malware locked access to certain computer systems and prevented users from sharing communications electronically." After dealing with the problem for several days, the hospital's CEO, Allen Stefanek, decided "the quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," according to a hospital statement. "In the best interest of restoring normal operations, we did this."
The Growing Threat
In a report released in January, the Institute for Critical Infrastructure Technology, a non-partisan, non-profit group of technology providers, cited ransomware as "the primary threat" to healthcare organizations in 2016. And the string of recent events seems to confirm that conclusion.
Plus, healthcare privacy and security experts say there likely have been a number of ransomware attacks that have not been publicized.
"I believe we are only learning about a small percentage of the incidents involving ransomware," says David Holtzman, vice president of compliance at the security consulting firm CynergisTek. "Organizations that are successfully fending off these cyberattacks or discovering them before they can do damage are making strategic decisions to not publicize that they have been targeted."
Many organizations are falling victim to ransomware attacks because they "do not invest in the technologies or human resources needed to develop and maintain adequate information security protections," Holtzman contends.
The recent ransomware attacks on hospitals are the latest signs of a rise in external attacks against the sector, says regulatory compliance attorney Robert Belfort of the law firm Manatt Phelps & Phillips LLP.
"There's been a sea change in the industry's evaluation of security risk over the last two years," he says. "Before 2015, I would say most health insurers and healthcare providers viewed insider threats as their main concern. The external hacking that had been occurring in other industries hadn't really come to healthcare, but that radically changed last year," with the cyberattacks on Anthem Inc. and others.
Steps to Take
Most of the incidents mitigated so far without paying a ransom appear to have been resolved because the organizations had well-prepared backups, but sometimes that's not enough.
Dan McWhorter, vice president of threat intelligence at security vendor FireEye, said at the recent HIMSS 2016 Conference that healthcare entities need to be particularly wary of more sophisticated ransomware attackers who destroy backups of databases, then encrypt and lock up main databases.
To help safeguard against those scenarios, Aryeh Goretsky, a researcher at security firm ESET, says, "A backup system must have robust versioning control, and also have an offline component so that in case the backup accounts or computers are affected, recovery is still possible by creating those and using the offline backups."
Also, because fraudsters waging ransomware attacks often steal credentials of privileged users through phishing attacks, workforce education is critical.
"Healthcare providers, regardless of their size or complexity of their IT resources, should educate their staff and physicians on their critical role in preventing cyberattacks," Holtzman says. "Ransomware is often downloaded into the organization's information system when a user clicks on a link contained in an email message from sources they do not recognize, or responding to invitations for free services or apps," he notes. "Educate users on what they are doing and the choices they are making."
Other essential steps, Holtzman says, include hardening systems, updating and patching software and operating systems and improving configuration management.
It's also important to apply software updates promptly, including those for operating systems, browser software and plugins, suggests Lysa Myers, another ESET security researcher. "Use anti-malware software, and make sure it, too, is regularly updated and scanning your files."
Hospitals should also assess their exposure level by performing an audit of platforms and systems to identify potential points of vulnerability, she adds.
James Maude, senior security engineer at endpoint security provider Avecto, suggests: "If we move away from trying to detect the constantly evolving undetectable threats and control the common attack vectors through least privilege, whitelisting and sandbox isolation, then we can not only handle today's threats but tomorrow's as well."
The Department of Health and Human Services' Office for Civil Rights recently offered advice on how healthcare providers and their business associates can avoid becoming victims of ransomware and other scams (see OCR Cyber Awareness Effort: Will it Have an Impact?).
Should Ransom Ever Be Paid?
While experts generally advise against paying extortionists, sometimes entities believe they have little choice in order to get their operations back to normal as soon as possible.
Making the decision to pay a ransom "really depends on the value of your data, and whether you have a viable backup," says ESET's Myers.
Still, even paying a ransom doesn't guarantee the malware problems will be solved, she warns. "Keep in mind that another component of the malware which may not work as expected is decryption. It's possible that your files may still be corrupted beyond repair, even if you do pay the ransom."