Criminal cyber attacks on healthcare institutions are on the rise. How can hospitals prevent them? Experts offer strategies.
Imagine a hospital where doctors cannot access patient records, test results cannot be sent or received, even emails cannot be sent. Patients are turned away from appointments, and staff members are scrambling to see that patients in the hospital get the care they need.
That was the scene at MedStar Health in March, 2016 when the 10-hospital, $5 billion system headquartered in Washington, DC, experienced a ransomware attack.
During such an attack, operations in hospitals become painfully slow, as personnel must revert to rarely used and often incomplete paper records, and lab results must be either faxed or delivered by hand.
The Washington Post reported on the MedStar attack, during which the attackers demanded 45 bitcoins, which is about $19,000, in exchange for a digital key which would unlock the data being held hostage by malicious software, known as malware.
They further threatened that after 10 days the key would be removed and it would no longer be possible to recover the data.
The hospital has said it did not pay the ransom, but has not denied the attack had an impact.
There has been a three-fold increase in attacks since 2015. There have been an average of 4,000 attacks daily since early this year.
In February 2016 Hollywood Presbyterian Hospital in California (photo, right) paid $17,000 in bitcoin ransom to hackers who shut down its computer system.
According to the Washington Post, the FBI in 2015 investigated nearly 2,500 attacks, not just on health-care systems, which cost victims $241 million.
Attackers target all sectors of the economy, and even home users, but for healthcare organizations, where the personal health information of patients is stored, the attacks can be particularly damaging.
Law enforcement is fighting back. There have been convictions, such as one that led in April 2016 to a seven-year prison sentence for a Russian national who was the ringleader behind attacks with a malware known as “Blackhole”. Some progress is being made.
The federal government is worried, and in July issued an eight-page document telling health-care institutions what ransomware attacks are and how to prevent them. The Department of Health and Human Services (HHS) fact sheet describes how the attacks work.
The attacks tend to be perpetrated by people or groups with mysterious aliases like The Dark Overlord.
The attacks come to light in healthcare settings because they constitute a breach of patients' privacy under the Health Insurance Portability and Accountability Act (HIPAA), so under the law patients must be informed, and hospitals have no hope of keeping an attack out of the press. That means an attack goes beyond the inconvenience and expense of losing access for a day or two while a backup is restored, and even beyond the financial loss from paying the ransom.
To avoid a HIPAA penalty, the organization has to show definitively that patients' personal health information was not accessed.
Ransomware is an international problem and the attackers and their targets could be based anywhere. The malware that infected Hollywood Presbyterian Medical Center is called Locky ransomware and also was used to hit hospitals in Japan, Korea, and Thailand, internet security blogs have reported.
The attacks begin when the perpetrators, the so-called bad actors, gain access to a facility’s computer network. There are several ways to do that. One is by making a phone call posing as a help desk worker then convincing the person on the line to share his or her log-in information.
Another tactic is sending an infected email attachment, which, when opened, releases the malware. Infected thumb drives provide another way the perpetrators gain access. The thumb drives may be left on a table, in a waiting room, on the floor, in the parking lot, or anywhere else in or around a facility where they might be found. An unsuspecting employee picks up the thumb drive and puts it into a device to see what’s on it, and the bad guys are in the system.
Once the bad actors have access to just one computer, they begin to infiltrate the entire network. The rest of the process is automatic, but it is not instantaneous. In a process that can take up to 48 hours, the malicious software spreads by searching for mapped drives, which lead to network directories, and connections within the network.
After the network is fully infiltrated it is locked down. No one in the organization can access any files within the system, including patient records.
That is when the perpetrator demands a ransom, usually payable in a “cryptocurrency” like bitcoin. Cryptocurrencies are decentralized, anonymous, and allow for payment that is hard to trace and cannot be recalled.
In some of the earliest cases of ransomware attacks, hospitals were advised to pay the ransom.
Unlike the banking industry, or other vulnerable targets, in healthcare lives are at stake, so it made sense for facilities to take the quickest route to getting their data back and operations underway.
Attorney Matt Fisher (photo, above right) of Mirick O’Connell in Worcester, MA, says that contingency planning is one of the requirements of HIPAA’s security rule. He says the question of how to minimize the damage in the event of a ransomware attack is critical for a robust contingency plan.
Hardeep Singh, MD, MPH, a patient safety researcher at the Michael E. DeBakey VA Medical Center and Baylor College of Medicine, and Dean Sittig, PhD, of the School of Biomedical Informatics at the University of Texas, published a paper titled “A Socio-technical Approach to Preventing, Mitigating, and Recovering from Ransomware Attacks” in Applied Clinical Informatics on June 29, 2016, which outlines the steps facilities should take in order to avoid ransomware attacks. They say that the most effective measures are also matters of common sense.
Singh says, “When we had the paper reviewed, one of the reviewers said some of the information was too obvious, but that is kind of the point.” Another basic building block of adequate security is education. Sittig jokes that it’s important to train users to not click on the message from the Nigerian prince, adding, “It’s classic spam and we’re still doing it.”
Fisher says that having multiple systems in place is a good strategy, adding, “You can have the strongest spam filter in the world, but the messages are getting more sophisticated.” He says that educating users and constantly pushing awareness are also important when it comes to security.
One of the ways that bad actors have gained access to systems is by going into a hospital cafeteria and leaving thumb drives loaded with ransomware on tables. People find them and think, “oh, look, here’s a USB drive. I wonder what’s on it?” In order to protect against such infiltration, some organizations are only allowing approved USB drives.
Singh says that in his organization, every email message has a big caution, reminding users to be aware of suspicious emails. Although it’s easy to spot obvious spam and most people are aware of the danger, Sittig says the messages are getting more sophisticated, and says that this is a good example of something health IT professionals thought people understood, but they don’t. Educating people, he says, “is harder than you think.”
(photo below, right)
Failing to update operating systems and antivirus software presents another area of vulnerability. Sittig says, “It turns out that each piece of ransomware has a signature -- some characteristic that you can identify.” There are two important implications. First, so-called “zero day events”, when ransomware no one has ever seen before is deployed, are especially dangerous because there’s no security software looking for it.
Second, each time a new ransomware signature is identified, the antivirus software and operating system manufacturers issue updates and patches that scan for the new threat. If the updates aren’t performed by the users, there is a chance the ransomware can get through.
Finally, Sittig says that it is important to “make sure people have the least amount of privilege necessary to do their jobs.” Removing administrative privilege from local desktops, which prevents users from installing software, is one example.
Creating and testing backups of the system is the best way to protect data. A recent backup that is disconnected from the rest of the network will allow the system to be restored in the event of a ransomware attack.
However, Sittig says, “You can make a backup, but if you don’t test it, you can’t be sure it can be reinstalled.”
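The restore test Sittig describes can be made routine. The script below is an added example (not from the article or the paper it cites): it takes a backup of a directory, records a checksum manifest, and then proves the archive restores by extracting it to scratch space and checking every file against the manifest; the sample files are constructed, and it assumes tar and GNU sha256sum are available.

```shell
#!/bin/sh
# Added example (not from the article): a minimal "test the backup" routine.
# make_backup SRC ARCHIVE MANIFEST : tar up SRC and record a sha256 of every file
# verify_restore ARCHIVE MANIFEST  : extract into a scratch dir and check every hash
# Assumes tar and sha256sum (GNU coreutils). Keep the finished archive off-network.
set -u

abspath() { case $1 in /*) printf '%s\n' "$1";; *) printf '%s\n' "$PWD/$1";; esac; }

make_backup() {
    src=$1; archive=$(abspath "$2"); manifest=$(abspath "$3")
    # Hashes are recorded relative to the source root so they can be checked after restore.
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$manifest"
    tar -C "$src" -cf "$archive" .
}

verify_restore() {
    archive=$(abspath "$1"); manifest=$(abspath "$2")
    scratch=$(mktemp -d)
    rc=1
    # A backup that cannot be extracted, or whose files no longer match, fails the test.
    if tar -C "$scratch" -xf "$archive" 2>/dev/null &&
       ( cd "$scratch" && sha256sum -c --quiet "$manifest" >/dev/null 2>&1 ); then
        rc=0
    fi
    rm -rf "$scratch"
    return $rc
}

# demo: constructed sample data; returns 0 only if a good backup passes and a
# silently altered one fails, which is the behaviour a restore test must have.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/records"
    printf 'patient chart (constructed sample)\n' > "$work/records/chart.txt"
    printf 'lab result (constructed sample)\n'   > "$work/records/lab.txt"
    make_backup "$work/records" "$work/backup.tar" "$work/backup.sha256"
    good=1; bad=0
    verify_restore "$work/backup.tar" "$work/backup.sha256" && good=0
    # Simulate an archive whose contents changed after the manifest was taken.
    printf 'corrupted\n' > "$work/records/lab.txt"
    tar -C "$work/records" -cf "$work/backup.tar" .
    verify_restore "$work/backup.tar" "$work/backup.sha256" || bad=1
    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

Run `demo` on a schedule against the real backup set, and treat a non-zero exit as an incident to be fixed before it is needed.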
Most healthcare organizations have multiple computer systems, which are all connected. Sittig says his organization endured a ransomware attack. “At our hospitals, they weren’t able to attack our EHR, but they did attack a fileserver with images and through that they could get into the EHR.” There are a lot of different systems attached to an EHR, and sometimes those systems are less protected. In this case, there was an adequate backup, but it took two days to install, so the entire system was without data for two days.
Some critics have called hospital IT systems "low-hanging fruit" for bad actors, saying the industry is often slow to update computer security.
Singh says, “Users may think that ransomware is an IT problem, so they don’t have to worry about it, but that is not right.”
Sittig agrees, adding that he believes in shared responsibility, and the idea that users have a responsibility to not click on those spam messages, or to not use found USB drives, and the IT department has a responsibility as well. “We are going to have to work together to solve this problem,” he says.