How hospitals should confront the ransomware plague

April 14, 2016
Cybersecurity experts offer advice on preventing, responding to attacks

In February, the computer systems of Hollywood Presbyterian Medical Center in Southern California were held hostage by hackers demanding that the hospital fork over millions of dollars in digital currency known as bitcoin in order to have them unlocked. The hospital eventually agreed to pay the cyber extortionists $17,000 in bitcoins to have access restored to their personnel. For many, the incident served as a wake-up call about the threat posed by ransomware schemes, which cyber criminals have been employing with greater frequency recently.

However, ransomware is not a new phenomenon and it has been successfully used by hackers for some time. What has changed is not so much the scheme itself, but rather the factors that make it more inherently successful than in the past. According to the Cisco 2015 Midyear Security Report, the rise of bitcoin combined with the emergence of anonymization networks like Tor have made it both much easier and more profitable for cyber criminals to carry out ransomware attacks. And when it comes to selecting a target, hospitals rank at or near the top of every hacker’s wish list.

Rather than trying to extort a few hundred bucks out of the everyday citizen to have their Word docs and photos returned to them, hospitals that warehouse a treasure trove of sensitive data, including patient medical histories, billing records and personally identifiable information (PII) are far more lucrative targets. Because access to these files is of critical importance in the day-to-day operations of a hospital, they simply do not have the time or the luxury of trying to recover the files from an alternate source or of becoming bogged down in a long negotiation with hackers, so most simply pay up.

Stu Sjouwerman, founder and CEO of IT security awareness training firm KnowBe4, attributes to the recent spike in ransomware attacks at hospitals and other organizations to efforts by “cyber mafias” to muscle their way into this growing sector of the criminal underworld economy. Even those that were already turning a healthy profit in other criminal endeavors online have started to concentrate more resources on ransomware. Unfortunately, he said that hospitals historically have not defended themselves well against these and other types of cybersecurity threats because they have to spend so much of their time focusing on compliance with the Healthcare Insurance Portability and Accountability Act or HIPAA for short.                   

“The compliance load on existing employees is already quite exorbitant in the sense of training modules they need to step through to be compliant, so cybersecurity has been put on the backburner by hospitals because of this,” said Sjouwerman. “That’s why their employees are low-hanging fruit, which is now being exploited by the bad guys.”

Preventing Infections

Although it may sound simplistic, Sjouwerman said that hospitals have to make themselves a harder target if they want to prevent ransomware from infiltrating their networks. This includes having robust backups on all their mission-critical systems, being diligent about patching and conducting security awareness training for all employees.

“If you can treat your employees as a human firewall, that’s an incredibly effective step and it has a very good return on investment,” said Sjouwerman.

Irena Damsky, senior director of security research at cyber threat monitoring and mitigation platform provider ThreatSTOP, echoed Sjouwerman’s sentiments and emphasized the criticality of training in preventing ransomware infections.

“Most ransomware gets into the network using phishing emails that are sent to employees who then open attachments or click on links that lead them to infected sites,” said Damsky. “The main thing is employee awareness. Other than that, obviously security teams should consider multi-layer protections starting with endpoints through the network and of course having backups of data.”  

Responding to an Attack

Should a hospital fall victim to a ransomware intrusion, Sjouwerman said the steps they can take to mitigate the damage depend upon how well they are prepared in advance.

“If they have really good backups, then you go down for a day and you wipe out and restore the affected systems,” he said. “If you think you have backups and your restore fails, now you have a problem and it becomes a business decision whether you are going to pay the ransom or not. That is very often a no-brainer despite the fact it may be difficult to admit because downtime in a large organization or hospital is easily into millions of dollars a day [in losses]. Are you going to pay $18,000, $20,000 or even $50,000 in ransom to get your systems back up and running? It’s not really a hard decision.”  

Despite the many doomsayers who believe that paying the ransom is the only way to unlock computers taken over through this scheme, Damsky said affected hospitals should be in contact with federal authorities and evaluate all of their options before they decide to give in to the hackers’ demands.

“Once an infection is found, the first thing to do is to contact the authorities immediately and to try and disconnect as many machines from the network to stop the infection from spreading. Talk to U.S. CERT (Computer Emergency Response Team) and the FBI, who has a specific taskforce for handling ransomware attacks. Don’t necessarily go ahead and pay,” explained Damsky. “A lot of the ransomware [strains] in the news recently have been reversed and exploits inside the ransomware were found by security researchers allowing us to decrypt that data. Also, be aware of timers. There has been a new ransomware variant that not only encrypts your data but also deletes it if you don’t pay in time.”

Should Ransomware Attacks be Reported?

There’s also another large question hanging over this explosion in hospital ransomware infections and that is whether or not they should be legally reported the same as a data breach. In most of the incidents publicized to date, hospitals and organizations have reported that none of their data appears to have been extracted by the hackers. Of course, there are no guarantees that this won’t be the case in future incidents, especially considering the high-value medical records can fetch on the black market.

In a whitepaper written on behalf of KnowBe4, Michael R. Overly an attorney at the law firm of Foley & Lardner LLP, said that the law is also unclear on how organizations should handle the reporting of ransomware infections.

“Most current laws and regulations requiring notification to consumers and, potentially, regulators relate to instances where there has been an unauthorized use or disclosure of protected information. The question is whether a particular attack results in such activity. In many instances, the hacker responsible for the attack may have access to the target’s data. In such a case, the target of the attack would have a notification obligation. On the other hand, if the attack is of a kind where neither the target nor the attacker can access the data, there is something of a gray area,” wrote Overly.

As it relates to healthcare environments specifically, Overly quoted an unnamed representative at the U.S. Department of Health and Human Services who said that under HIPAA, an “impermissible use or disclosure of protected health information is presumed to be a breach” unless the healthcare provider can prove “there is a low probability that the protected health information has been compromised based on a risk assessment.”

“As such, the healthcare provider must conduct an assessment to determine whether such a low probability exists. At least one member of Congress is contemplating whether the breach notification requirements under HIPAA need to be clarified or updated to reflect the ransomware threat,” wrote Overly.

Ransomware Infections to Persist

Sjouwerman believes that ransomware attacks will continue to plague hospitals and other organizations at the current pace for the foreseeable future.

“This is only the beginning. You have to look at this from a slightly larger context. Criminal business models come and go but it is a large wave,” he added. “Ransomware is only the start. A little further down the line, I wouldn’t be surprised if your TV gets infected and you’re going to have to pay a ransom to see your favorite show.”    

Thus far in 2016, Damsky said they have already seen 10 new variants of ransomware which is nearly as many were discovered in all of 2015.  

“Right now it is on the rise, it is not going anywhere,” she said. “Probably until a new method of getting money quickly out of victims is found, ransomware is here to stay.”

About the Author:

Joel Griffin is the editor of and a veteran of the security industry.