Hospital Ransomware Attacks Surge. So Now What?
Victoria Startseva | Jul 7, 2016
Title: Writer
Topic category: Fabric Networking

In each case, attackers encrypted data and demanded ransom to decrypt it. Most of the incidents reportedly involved the use of Locky ransomware, but at least one involved WinPlock, a new variant of Cryptolocker.

Only one of the five recently targeted hospitals has admitted paying a ransom to unlock data, while the others were able to resolve the situation by relying on backups.

Security experts suspect that those five cases are only the tip of the iceberg, with many other cases being quietly resolved without grabbing headlines.

"Some get reported. Others are handled more discreetly," says Adam Greene of the law firm Davis Wright Tremaine. "Accordingly, while I think that we will continue to see a rise in ransomware, it's hard to say how many of these attacks will be in the headlines over the coming months."

Healthcare organizations can take specific steps to help prevent falling victim to these attacks, including backing up data and educating users about how to recognize phishing attacks that can result in compromised credentials, security experts advise.

Recent Attacks

The latest attacks coming to light this month targeted Methodist Hospital in Kentucky and two California hospitals operated by Prime Healthcare Inc.

Other recent ransomware victims include Ottawa Hospital in Canada and Hollywood Presbyterian Medical Center in California. The Hollywood hospital paid extortionists a $17,000 bitcoin ransom in February to unlock its data, which the attackers had maliciously encrypted.

In the most recently revealed attacks, two of Prime Healthcare's hospitals in California - Chino Valley Medical Center and Desert Valley Hospital - reported "server disruptions" on March 18 that were linked to ransomware, a spokesman told Information Security Media Group on March 23.

"I can confirm that no ransom has been paid," he said. "As for what kind of virus or how it got into our system, I can't comment as the investigation is ongoing. What I can say is that our expert, in-house IT team was able to immediately implement protocols and procedures to contain and mitigate the disruptions. The hospitals remained operational without impacting patient safety, and at no point was patient or employee data compromised."

As of March 23, most systems had been brought online, the spokesman added.

Meanwhile, in a March 18 statement about a ransomware attack, Methodist Hospital in Henderson, Ky., said the hospital's information systems department "responded quickly to the virus and immediately shut down the system to control the virus from spreading." While the system was down, a backup system was activated, the hospital says. "The backup system ran smoothly and allowed the hospital to continue its daily operations without interruption."

On March 22, a Methodist Hospital spokeswoman told Information Security Media Group, "the virus has been contained and there have been no further outbreaks. Our system is up and running." The incident was "a result of a malicious email that made it through the spam filter and was opened. No ransom was paid; they were asking for bitcoins. The situation has been reported to the Henderson Police Department in Kentucky and the FBI is investigating. No patient data or records were compromised."

Canadian Attack

Earlier this month, Ottawa Hospital in Canada contained ransomware infections on four of the hospital's 9,800 computers that were attacked over a three-week period, a hospital spokeswoman tells ISMG.

"No patient information was affected. The malware locked down the files and the hospital responded by wiping the drives," she says. "We are confident we have appropriate safeguards in place to protect patient information and continue to look for ways to increase security."

Although other recent ransomware attacks affecting hospitals have reportedly involved the Locky malware, the Ottawa Hospital spokeswoman says WinPlock ransomware, a new variant of Cryptolocker, was involved in that hospital's recent incidents.

The string of recent ransomware attack revelations began in early February, when Hollywood Presbyterian grabbed headlines with its statement about paying a ransom.

Hospital officials said that on Feb. 5, the organization's IT department determined that "malware locked access to certain computer systems and prevented users from sharing communications electronically." After dealing with the problem for several days, the hospital's CEO, Allen Stefanek, decided "the quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," according to a hospital statement. "In the best interest of restoring normal operations, we did this."

The Growing Threat

In a report released in January, the Institute for Critical Infrastructure Technology, a non-partisan, non-profit group of technology providers, cited ransomware as "the primary threat" to healthcare organizations in 2016. And the string of recent events seems to confirm that conclusion.

Plus, healthcare privacy and security experts say there likely have been a number of ransomware attacks that have not been publicized.

"I believe we are only learning about a small percentage of the incidents involving ransomware," says David Holtzman, vice president of compliance at the security consulting firm CynergisTek. "Organizations that are successfully fending off these cyberattacks or discovering them before they can do damage are making strategic decisions to not publicize that they have been targeted."

Many organizations are falling victim to ransomware attacks because they "do not invest in the technologies or human resources needed to develop and maintain adequate information security protections," Holtzman contends.

The recent ransomware attacks on hospitals are the latest signs of a rise in external attacks against the sector, says regulatory compliance attorney Robert Belfort of the law firm Manatt Phelps & Phillips LLP.

"There's been a sea change in the industry's evaluation of security risk over the last two years," he says. "Before 2015, I would say most health insurers and healthcare providers viewed insider threats as their main concern. The external hacking that had been occurring in other industries hadn't really come to healthcare, but that radically changed last year," with the cyberattacks on Anthem Inc. and others.

Steps To Take

Most of the incidents mitigated so far without paying a ransom appear to have been resolved because the organizations had well-prepared backups, but sometimes that's not enough.

Dan McWhorter, vice president of threat intelligence at security vendor FireEye, said at the recent HIMSS 2016 Conference that healthcare entities need to be particularly wary of more sophisticated ransomware attackers who destroy backups of databases, then encrypt and lock up main databases.

To help safeguard against those scenarios, Aryeh Goretsky, a researcher at security firm ESET, says, "A backup system must have robust versioning control, and also have an offline component so that in case the backup accounts or computers are affected, recovery is still possible by creating those and using the offline backups."

Also, because fraudsters waging ransomware attacks often steal credentials of privileged users through phishing attacks, workforce education is critical.

"Healthcare providers, regardless of their size or complexity of their IT resources, should educate their staff and physicians on their critical role in preventing cyberattacks," Holtzman says. "Ransomware is often downloaded into the organization's information system when a user clicks on a link contained in an email message from sources they do not recognize, or responding to invitations for free services or apps," he notes. "Educate users on what they are doing and the choices they are making."

Other essential steps, Holtzman says, include hardening systems, updating and patching software and operating systems and improving configuration management.

It's also important to apply software updates promptly, including those for operating systems, browser software and plugins, suggests Lysa Myers, another ESET security researcher. "Use anti-malware software, and make sure it, too, is regularly updated and scanning your files."

Hospitals should also assess their exposure level by performing an audit of platforms and systems to identify potential points of vulnerability, she adds.

James Maude, senior security engineer at endpoint security provider Avecto, suggests: "If we move away from trying to detect the constantly evolving undetectable threats and control the common attack vectors through least privilege, whitelisting and sandbox isolation, then we can not only handle today's threats but tomorrow's as well."

Should Ransom Ever Be Paid?

While experts generally advise against paying extortionists, sometimes entities believe they have little choice in order to get their operations back to normal as soon as possible.

Making the decision to pay a ransom "really depends on the value of your data, and whether you have a viable backup," says ESET's Myers.

Still, even paying a ransom doesn't guarantee the malware problems will be solved, she warns. "Keep in mind that another component of the malware which may not work as expected is decryption. It's possible that your files may still be corrupted beyond repair, even if you do pay the ransom."

Marianne Kolbasuk McGee