Hospitals show little resistance to ransomware virus

With lives ultimately at stake, medical facilities need cybersecurity triage


Everyone in the tech/security world knew this was coming; we just hoped we were wrong. Hackers are now holding hospitals hostage around the country.

During the past several weeks, smaller hospitals have been subjected to ransomware attacks by hackers and virus writers. Ransomware attacks have been around for a long time. The idea is simple: disable a victim’s computer or data somehow, then demand payment—ransom—for its release.


Ransomware attacks gained steam about two years ago when a virus called CryptoLocker infected seemingly millions of victims around the globe. The tool cleverly encrypted data and demanded payment for the key to decrypt it. ZDNet estimated that between October and December 2013, victims paid $27 million to get a key to their data. Even government agencies were hit by the virus.

Consumers are small potatoes, however, and rarely have life or death data on their computers. Who does have that type of data? Hospitals.

Reporter Brian Krebs first started writing about hospital victims after Hollywood Presbyterian Hospital was hit. It reportedly paid $17,000 to regain access to its systems.

A growing sickness

Then last week, Henderson, Kentucky-based Methodist Hospital declared a “state of emergency” after falling victim to a ransomware attack.

Now this week, a Washington, D.C.-area chain of hospitals appears to have been hit. MedStar Health put this message on its Facebook page Monday.

“Early this morning, MedStar Health’s IT system was affected by a virus that prevents certain users from logging-in to our system. MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization. We are working with our IT and cyber-security partners to fully assess and address the situation.”

MedStar, which operates 10 hospitals and 250 outpatient facilities, hasn’t attributed the attack to ransomware yet, but the signs are there. Its systems remain down.

It’s important to note that all victim hospitals say only administrative computers are impacted. Medical care is not.

“Currently, all of our clinical facilities remain open and functioning. We have no evidence that information has been compromised. The organization has moved to back-up systems with paper transactions where necessary,” MedStar says.

But you can bet a lot of doctors and nurses are swearing as they do all their tasks on paper. But so far, no one can attribute an illness or death to hacker activity. On the other hand, it’s hard to imagine a computer lockout isn’t causing serious stress within these health care facilities, akin perhaps to a power outage.

Infection could harm patients

“When it comes to medical equipment, ransomware can be exceptionally dangerous in a hospital environment,” says John Kuhn, senior threat researcher at IBM Security. “Many of these devices run Windows as the base operating system, allowing them to become susceptible to these attacks. Once malware infects a critical device, it would become completely inoperable and has the possibility to put lives at risk. With the evolution of ransomware in hospitals, it’s hopefully a wakeup call for the health care industry to focus on security.”

Could this be a single gang using the same trick over and over? That’s possible, raising hope that the attacks could be stopped if law enforcement tracks down the criminals. But hackers are nothing if not copycats. You can bet the success of these attacks means other gangs will imitate them.

“Ransomware exists for the same reason other viruses exist: money,” says Kevin Watson, CEO of Netsurion, a provider of remotely managed security services for health care organizations. “It is designed to prey upon the unsuspecting, but rather than suck data out of a network, it cuts to the chase and asks for the cash up front.”
