In November 2015 the Cyber Threat Alliance reported over 400,000 ransomware attacks on computer systems, which together resulted in $325 million in damages. This relatively new and profitable cybercrime technique is now moving to healthcare. As Wired noted, provision of critical care and reliance “on up-to-date information from patient records” make hospitals “the perfect mark for this kind of extortion.”
Recent ransomware attacks on the healthcare system have common features: the attackers infect a computer system with a virus that encrypts the files, making them inaccessible, and then demand ransom in Bitcoin to decrypt them. However, the attack vectors and hospital responses and outcomes have varied.
The First Disclosed Ransomware Attack
On February 5, 2016, the computer systems of Hollywood Presbyterian Medical Center in Los Angeles suddenly became inoperable. The hospital’s electronic health record (EHR), the vital repository of patient care information, lay paralyzed.
Persistent investigation by the systems information technologists revealed the computer network had been infected by the Locky virus and was being held for ransom by an unknown intruder or intruders.
With its care delivery computers inoperable, Presbyterian was forced to revert to using paper to document patient care and had to divert incoming patients to other facilities.
The extortionists demanded ransom for the code that would restore computer function. Considering the disruption of patient care and its limited response options, Presbyterian’s leadership agreed to pay the 40 Bitcoin ransom – valued at $16,664 on the day of the demand. Hospital computer operations were resumed following payment.
The Attacks Continue
Ransomware attacks continued over the next two months. On March 18, Methodist Hospital in Henderson, Kentucky, declared a “state of emergency” when it sustained a ransomware strike. Fortunately, Methodist was able to restore its data from backups and resume operation within three days. The four Bitcoin ransom, valued at $1,600 on the day of the demand, was not paid.
Struck by ransomware on March 31, Alvarado Hospital Medical Center in San Diego also responded quickly and was able to limit the effect on hospital operations. Ransom was not paid. However, efforts to manage the intrusion disrupted two of its other hospitals: Chino Valley Medical Center and Desert Valley Hospital, both in Victorville. These disruptions were also minimal and managed without payment.
On April 1, the Samsam ransomware virus disrupted MedStar Health, a 10-hospital system in Columbia, Maryland. The following ransom note appeared on the computer screens of a few of MedStar’s employees:
“You just have 10 days to send us the Bitcoin. After 10 days we will remove your private key and it’s impossible to recover your files.”
MedStar was able to control the attack by shutting down large portions of its network. According to a MedStar spokesman, despite the “many inconveniences and operational challenges … with only a few exceptions, we have continued to provide care approximating our normal volume levels.”
The Viral Vectors
Information is the currency of healthcare. With hundreds and sometimes thousands of patients in many U.S. hospitals at any one time, the amount of information collected is extraordinary.
Today’s healthcare is not possible without the free flow of medical information among each patient’s providers. Practically all of that information is digitally stored in servers connected to networks. With physicians, nurses, therapists, and other health providers requiring access, the number of users and entry points into a hospital computer system is large.
Extortionists can prey on unsuspecting clinicians to gain entry into computer systems. This may occur via an e-mail phishing attack (an e-mail appearing to be from a credible source that carries a malware attachment or a link leading to a computer virus). At other times, a “malicious macro” in a Word document provides entry. Either way, once the virus enters, it usually has free rein within the system.
The Locky virus, used in the Presbyterian and King’s Daughters’ attacks, targets Windows computers but can spread to Apple and Linux computers. Once in the system, Locky can encrypt many file types including program source code, Office files, PDFs and images.
The Samsam ransomware virus used in the MedStar Health attack enters through unpatched vulnerabilities in certain types of servers and does not rely on deceiving the users. According to Virus Guides: “Users don’t have to perform an action like clicking on a malicious link to download the ransomware because hackers can trigger SamSam remotely through software flaws.” Using this approach, the Samsam virus achieves “much higher rates of successful infection.”
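The Word-macro vector described in this section is one that a mail gateway can screen for before a clinician ever sees the attachment. The following is an added illustration, not code from the article or from any of the hospitals named: a classifier that flags Office attachments carrying a VBA project, regardless of the file extension the sender chose. The sample documents it builds are constructed minimal zip containers, not real Office files.

```python
import io
import zipfile

# OOXML files (.docx/.docm/.xlsx/...) are zip containers; a VBA macro project
# is stored inside them as a vbaProject.bin part. Legacy .doc/.xls files are
# OLE2 compound files with this 8-byte magic; they can also carry macros but
# need an OLE parser to inspect, so they are held for deeper review here.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OFFICE_EXTS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
               ".ppt", ".pptx", ".pptm")


def ooxml_has_vba(data: bytes) -> bool:
    """Return True if an OOXML zip container holds a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment for a gateway quarantine rule (hypothetical policy).

    "macro": block or quarantine; "legacy-binary": hold for OLE inspection;
    "clean": OOXML without a VBA part; "not-office": outside this check.
    """
    if not filename.lower().endswith(OFFICE_EXTS):
        return "not-office"
    if data.startswith(OLE2_MAGIC):
        return "legacy-binary"
    # The extension is deliberately ignored: a .docm renamed to .docx still
    # contains vbaProject.bin, so the content decides, not the name.
    if ooxml_has_vba(data):
        return "macro"
    return "clean"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like zip used only as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_sample(True)),
                       ("invoice.docx", build_sample(True)),
                       ("report.docx", build_sample(False)),
                       ("old.doc", OLE2_MAGIC + b"\x00" * 8)]:
        print(name, "->", classify_attachment(name, blob))
```

The legacy-binary outcome is the important caveat: a bare magic-number check cannot say whether an old-format .doc contains macros, so such files should be routed to a full OLE parser rather than passed through.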
Controlling and Reducing the Risk
Digital storage of healthcare information in the radiology Picture Archiving and Communication System (PACS) and in the Electronic Healthcare Record has provided numerous healthcare delivery benefits. However, the transition from film and paper documentation left healthcare vulnerable to the risks of the digital world.
Until recently, cybersecurity was not a major focus of most hospitals or hospital systems. The recent rash of ransomware attacks has no doubt rattled hospital boards and elevated cybersecurity in importance. To mitigate the risk of attack, while speaking with NPR the FBI gave the following advice to healthcare systems and providers:
“Companies can prevent and mitigate malware infection by utilizing appropriate backup and malware detection and prevention systems, and training employees to be skeptical of emails, attachments, and websites they don’t recognize. The FBI does not condone payment of ransom, as payment of extortion monies may encourage continued criminal activity, lead to other victimizations, or be used to facilitate serious crimes.”