Why Ransomware Hospital Attacks are on the Rise
In early 2016, a Los Angeles hospital reported having “significant IT issues” that crippled its computer systems for over a week. The event forced the center to declare an internal emergency and divert its patients—including even 9-1-1 emergency patients—to other hospitals up to an hour away. As the story unfolded, it became clear that this wasn’t any ordinary IT disaster. It was a ransomware hospital attack that had locked the hospital’s data and demanded $3.4 million in bitcoin to restore it.
In the end, Hollywood Presbyterian Medical Center (HPMC) needed to shell out only $17,000 to get its data back. But ultimately the hackers won, and the story catapulted ransomware into the national spotlight.
Within two months, four additional hospitals were hit in California, Kentucky and Maryland, causing the FBI to release a warning about the rise of ransomware on hospitals, as well as businesses, school districts, government agencies and other organizations.
Why are Ransomware Hospital Attacks Becoming More Common?
The attack on HPMC proved that ransomware hospital attacks can be very lucrative for the attackers behind them. Even though the culprits only got a tiny fraction of the $3.4 million they asked for, the $17,000 was still a big pay day for an attack that typically only extorts between $500 and $2,000 from victims.
In an interview with NBC News, Kevin Haley, director of Symantec Security Response, explained, “This was a very public case of a hospital paying a great deal of money to make a problem go away. I think it led to the targeting of these organizations.”
But beyond simply the exposure of this one incident, hospitals make compelling targets for ransomware attacks due to the mission-critical nature of its computer systems.
Medical records are increasingly digital. That data—including everything from patient medication dosages to insurance documents—are crucial for providing patient care, especially in intensive-care environments. Additionally, medical providers must comply with strict HIPAA regulations to protect patient privacy—so in theory they may be more willing to negotiate with attackers to prevent a situation from worsening.
For these reasons, some hospitals are willing to pay a ransom if it means restoring operations faster and ensuring that sensitive information hasn’t been compromised. Officials at HPMC, for example, said in a statement to NBC News that it paid the ransom in the “best interest of restoring normal operations.”
That’s exactly what the attackers want.
To make matters worse, hospitals and other healthcare facilities are known for lagging behind other sectors for cybersecurity. In 2014, the FBI warned that lax cybersecurity at these facilities makes them more vulnerable to a wide variety of attacks: “The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.”
Anatomy of a Ransomware Attack
A typical ransomware hospital attack unfolds like this:
- A networked computer is infected with the malware, generally due to an email or website containing malicious code. Often, the email contains a suspicious attachment, disguised as an invoice, fax, shipping confirmation, travel itinerary or other “urgent message.”
- A message window pops up, notifying the user that all their files have been encrypted and that they can only be decrypted with a special decryption key. To receive the key, the user must pay a fee by following the instructions on the screen. In some cases, the message is also disguised as a notification from the U.S. Department of Justice, demanding the user pay a “fine” for having illegal content on their computer.
- Typically, the infection will work quickly to encrypt every file it can get its hands on—on the machine, on any attached devices and over the network.
- The ransom money is often requested in the form of bitcoin and the user is sometimes given instructions on how to obtain bitcoin and where to transfer it.
Files are typically encrypted with RSA-2048, a level of encryption that is virtually impossible to break. For most hospitals, the only options are paying the ransom or restoring files from a clean backup (which often isn’t possible if the facility lacks a secure data recovery system).
This is what makes hospitals such an attractive target. “If you have patients, you are going to panic way quicker than if you are selling sheet metal,” said Stu Sjouwerman, CEO of the security firm KnowBe4, in an interview with Wired.
Locky Ransomware: A Hospital’s Worst Nightmare
The most common form of malware used in a ransomware attack is known as Locky. Locky works by not only encrypting ordinary files but also searching for backup files known as Volume Shadow Copy files on Windows machines. These are backup files that Windows produces automatically, even from files that are open and actively being worked on. Locky deletes these files.
Locky attacks also employ more sophisticated measures, beyond the traditional phishing emails described above, to locate and take over control of critical servers. As Wired explains, the attackers “use tools like backdoors and keystroke loggers to steal administrative credentials and gain access to core systems. Once they do, they’ll lock up file-share servers where hundreds of employees in the organization might access shared files.”
The Decision to Shut Down Hospital Computers
In March 2016, a ransomware attack hit MidStar Health, which operates 10 hospitals and more than 250 outpatient clinics throughout Washington, D.C., Virginia and Maryland.
Employees lost access to email and its patient record database, forcing it to treat some patients without access to their records and also turn some patients away from the hospital.
At the time, hospital officials declined to characterize the event as a ransomware attack. Initially, according to Wired, the company posted to its Facebook page that its network “was affected by a virus that prevents certain users from logging-in to our system.”
But the Washington Post later reported that employees had confirmed “seeing a pop-up message on their computer screens seeking payment in bitcoin.” One employee shared an image of the message, which demanded $19,000 in bitcoin to restore access.
In one example of the impact on hospital operations, the Post wrote: “Because lab results were taking so much longer to process, [a nurse] continued to give one patient a powerful antibiotic — with a number of potentially serious side effects — that should have been discontinued [eight hours earlier].”
The organization shut down most of its network operations to contain the infection and work on a solution. It did not pay the ransom.
While the decision to turn off network operations—effectively shutting down access to email and critical patient data—may be difficult for hospitals, experts agree that it is the right call. The FBI advises:
“Infected systems should be removed from the network as soon as possible to prevent ransomware from attacking network or shared drives. Isolate or power-off devices that have not yet been completely corrupted. This may afford more time to clean and recover data, contain damage and prevent worsening conditions.”
Preventing an Attack
Because of the increasing threat of attacks on hospitals, healthcare organizations are wise to put new focus on ransomware within its existing business continuity planning. Hospitals should thoroughly analyze the specific risks of ransomware, business impact, solutions and company-wide procedural response to an attack.
Remember that there are typically only two options after an attack:
- Pay the ransom, or:
- Restore data from backups
Having a secure backup system is a crucial safeguard for restoring data (and operations) after an attack. As an added layer of security, leading data-protection providers like Datto are adding ransomware detection directly into their backup technologies, so that administrators can be alerted to the first sign of an infection.
What can hospitals do to prevent an attack in the first place? Here are a few important tips:
1. Educate employees on how to prevent an attack
You can greatly reduce the chances of a phishing email being opened or a malicious link being clicked on by training staff on what to look for. Everyone in the organization should receive this training. Go over examples of malicious emails, protocols for handling email attachments and the seriousness of a ransomware attack.
2. Implement reliable email spam filters and anti-malware software
With the right spam and IP filtering software, you can also significantly reduce the number these malicious emails actually reaching inboxes. And if they do, strong anti-malware solutions can often prevent the ransomware from executing after a malicious attachment is opened.
3. Grant write-access to only those who need it
Access controls, including file, directory and network share permissions, can prevent a user from opening a malicious file or enabling an infection to write to other directories. Configuring these controls across the organization can greatly curb the risks of a widespread ransomware infection.
4. Use application whitelisting to block unknown applications
By using application whitelisting, administrators can limit which applications can be opened, thus preventing certain malicious files from being executable.
Take Preventative Steps Now
For more information on solutions to protect your healthcare organization from ransomware and other attacks, contact the business continuity experts at Invenio IT. Visit www.invenioIT.com, call (646) 395-1170 or email us at [email protected].