Pay up, or else.
The proverbial ransom note might seem a cliché limited to action movies and kidnappings. But ransoms have evolved, with health care data becoming a popular hostage over the past few years.
To seize control of a hospital's system, hackers use a form of malware called ransomware, with which they encrypt and block access to computer files. They then send their victims a digital ransom note, which typically asks for a tidy sum in exchange for a key that will supposedly decrypt the data.
This year, the number of ransomware detections spiked an average of 11% per month from March through May, according to the Solutionary Security Engineering Research Team Quarterly Threat Report, 2016. Roughly 88% of all detected ransomware in the second quarter of 2016 was found in health care, according to the report, published by Solutionary (now known as NTT Security), a worldwide managed security service provider.
There are a few reasons why hospitals are likely targets of these attacks, said Douglas Fridsma, MD, FACP, CEO of the American Medical Informatics Association. With the relatively recent move to electronic health records (EHRs), health care is “a little later to the game” than other industries, and some systems may have been implemented in less sophisticated ways, he said.
Plus, patient care is an important and time-sensitive activity. “There is a sense of vulnerability that if those systems are compromised in some way, patients could be harmed, and people that work in hospitals don't want that to happen,” Dr. Fridsma said.
Perhaps this is why some hospitals have paid up. In February, Hollywood Presbyterian Medical Center in Los Angeles paid hackers $17,000 in bitcoin after receiving demands for the hard-to-trace digital currency. In another attack in May, administrators at Kansas Heart Hospital in Wichita paid an undisclosed amount to hackers, only to receive another demand for money instead of full access to the files.
Upon hearing the news of the attack at Hollywood Presbyterian, Irv Loh, MD, medical director at the nearby Ventura Heart Institute in Thousand Oaks, Calif., said he was astounded at how vulnerable the hospital's systems seemed to be versus what the stakes were. “The astonishing thing to me was the fact that it was apparently pretty easy to shut down an entire health care ecosystem,” he said. “These are patient lives at stake here, and if this is the warning shot, this is going to happen lots of times because other bad actors in this space may be way more sophisticated.”
The rise of ransomware
Experts agreed that ransomware attacks are certain to continue and likely to become more advanced. Although they have been happening for 2 or 3 years, their escalation over the past year has increased awareness among the health care and cybersecurity communities, said Amar Yousif, MBA, chief information security officer at the University of Texas Health Science Center in Houston.
Under extreme circumstances, ransomware can paralyze EHR capabilities and force hospitals to revert to paper records, as seen in prior ransomware cases, he said. “If there is no backup process or, for whatever reason, the backup is corrupt and you cannot retrieve from backup, only then you would go to the paper process, which is not as efficient and will delay the delivery of patient care,” Mr. Yousif said.
Patient outcomes are at risk any time one deviates from the way care is usually provided, said hospitalist Elmer Bernstam, MD, FACP, professor and associate dean for research at the UTHealth School of Biomedical Informatics and professor of medicine at the University of Texas McGovern Medical School in Houston. “We call operations surgical procedures...emphasizing the importance of doing the same thing the same way every time to minimize error,” he said.
In addition to changing care processes, losing EHR capabilities would deal a heavy blow to those who have come to rely on features that are not available on paper, said Dr. Bernstam, a member of ACP's Medical Informatics Committee. “Decision support, dose checking, legibility—when those go away, it's worse than not having had them in the first place,” he said.
And losing EHR access isn't the only threat. Hackers are also interested in cashing in on patient data, said Thomas Payne, MD, FACP, a professor of medicine at the University of Washington and medical director of IT services at UW Medicine in Seattle. “Health care might be more attractive as a target because the value of patient information is rising from the perspective of the criminals....It's valuable because it includes identifiers that can be sold to others, and it can be leveraged to get even greater access to financial information,” he said, adding that clinician data is also a target because of its utility in submitting fraudulent claims.
Health care records fetch $300 to $400 on average, said Mark Mouradian, a senior security consultant for NTT Security. “When compared to stolen credit card numbers, which go for around $5 in the U.S. and $25 to $30 in Europe, it's easy to see where the value lies,” he said. “Buyers of the stolen medical record can do much more damage than with a credit card” because the protected health information can be used in identity theft and insurance fraud, Mr. Mouradian said.
Depending on the type of information obtained, a ransomware attack would also qualify as a data breach under HIPAA, he added. If patient data gets into the wrong hands, hospitals could potentially incur fines from the Department of Health and Human Services' Office for Civil Rights or have data breach lawsuits filed against them. “The risk of compromise depends on how quickly the organization can react to the attack....If the attack is not caught in a timely manner, the risk is critical because it is most likely too late to stop the attack,” Mr. Mouradian said.
In the event of a security breach, an EHR vendor's role is not entirely clear. This is particularly due to the “hold harmless” clause in many EHR contracts, which is designed to protect the vendor from liability in case something goes wrong with the product. Whether the clause is enforceable or not depends on the facts and circumstances of the individual case, as well as the jurisdiction where the legal dispute is brought, so “it's hard to say what the ultimate outcome would be,” said Jonathan Ishee, JD, a practicing attorney and assistant professor at the UTHealth School of Biomedical Informatics.
All EHR vendors certified by the Office of the National Coordinator for Health Information Technology must follow security standards set by the National Institute of Standards and Technology, but the susceptibility of a hospital's system is actually more dependent on the organization itself than the vendor, said Michael McCoy, MD, CEO of Physician Technology Services, Inc., a health IT consulting firm in Lawrenceville, Ga.
For example, he said, software will often run on many versions of an operating system, but if a hospital hasn't moved to the latest version of the operating system and kept up with the appropriate security patches, “the resistance and resilience to such attacks will not have been enabled,” Dr. McCoy said. “That makes the possibility of ransomware or any other kind of hack much more likely.”
Inside the hack
In cybersecurity terms, the way in which malware is delivered to the final destination (e.g., desktop, server) is called the infection vector, and once the malware is delivered, the payload is what that malware is going to do (e.g., encrypting the data and then asking for a ransom, or stealing the information), explained Mr. Yousif.
Currently, the most common infection vector begins with social engineering, he said. “[Hackers] send e-mails that appear to be legitimate to our community, and if you click on a link in that e-mail...that link will deliver a malware to your computer. That malware would exploit vulnerability in your browser, taking control of your computer and ultimately, perhaps, encrypting your computer or delivering whatever that payload is,” Mr. Yousif said.
The hackers carrying out these attacks are very clever, Dr. Payne said, noting that they can send e-mails from an address that appears official. “Sometimes they have insider knowledge of our electronic chatter and they can leverage that knowledge to attempt to trick us into doing things that we wouldn't knowingly ever do,” such as disclosing account usernames and passwords, he said.
The click-happy employee who initiates the ransomware process wouldn't necessarily realize his or her mistake because of the surreptitious nature of these attacks, Mr. Yousif said. “It is in the criminal's interest for the attack to be as stealthy as possible until encryption is completed,” he said. “Once encryption is completed, then the attacker would reveal himself or herself by demanding a ransom to release the data that is held hostage.”
Encryption is typically a function that runs in the background, and how long it takes depends on the size of the hard drive or server being attacked, Mr. Yousif said. “Your typical hard drive would be encrypted entirely within less than an hour,” he said, adding that the ransom note appears once encryption is complete. “Sometimes, if you pay the money, they would decrypt that data and give you back your data,” he said. “And other times, they won't. They just take the money and don't decrypt the data.”
Some encryption processes take seconds while others take hours, but it wouldn't take hours to cause big issues for a busy health care organization, Dr. Payne said. “We are heavily reliant on our electronic systems for delivering care, for entering orders, for reviewing laboratory results, for reviewing and entering documentation, so any interruption to these systems is a big threat to patient safety. It wouldn't require that the entire database of the EHR be encrypted,” he said.
Even though those targeted by ransomware are anxious to return to normal conditions, the FBI, which is investigating the aforementioned string of ransomware attacks on hospitals, discourages paying a ransom for several reasons. Paying up does not guarantee access to the data, could precipitate future attacks or higher demands, and could inadvertently encourage the criminal business model, according to the agency.
The proper response
Once an attack has occurred, a hospital's first line of defense would be restoring its digital environment from an offline backup, said Mr. Yousif. This would allow a hospital to recover its data and ignore the ransom note. “Obviously, you have to have a backup plan ahead of time because once the data is encrypted and you don't have a backup plan, it's too late,” he said.
Hospitals should back up critical data as frequently as is feasible, and backups should be part of daily business activity for the sake of disaster recovery and business continuity planning, Mr. Mouradian said. “To me, it makes sense that if you have a backup of the data being held ransom, why would you pay to get it back?” he said.
Mr. Yousif stressed that the backup should be offline and that replicating files to a secondary location does not equal backup. “If the original system is infected with ransomware that will then encrypt the data, that encryption will be ‘securely,’ so to speak, replicated to the secondary location,” he said. “And now you have your original data and your replica both encrypted, so that's not going to help you in the event of ransomware.”
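The difference between replication and an offline backup described above, as an added example that is not part of the original article: a Python script that checks a live replica and a disconnected point-in-time copy against a hash manifest taken at backup time. The directory names, file contents and function names are constructed for illustration, and random bytes stand in for files that have become unreadable.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's relative path to its SHA-256, taken at backup time."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def replicate(src: Path, dst: Path) -> None:
    """Mirror src onto dst, as a live replication job would: no history kept."""
    shutil.rmtree(dst, ignore_errors=True)
    shutil.copytree(src, dst)


def failed_files(root: Path, manifest: dict[str, str]) -> list[str]:
    """Return manifest entries that are missing or changed under root."""
    current = build_manifest(root)
    return [name for name, digest in manifest.items() if current.get(name) != digest]


def demo() -> tuple[list[str], list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        live, replica, offline = (Path(tmp) / n for n in ("live", "replica", "offline"))
        live.mkdir()
        # Constructed sample records, not real data.
        (live / "orders.csv").write_text("id,drug,dose\n1,example,5mg\n")
        (live / "notes.txt").write_text("constructed sample note\n")

        manifest = build_manifest(live)   # stored with the backup
        shutil.copytree(live, offline)    # point-in-time copy, then disconnected
        replicate(live, replica)

        # Stand-in for an attack: live files become unreadable bytes.
        for p in live.iterdir():
            p.write_bytes(os.urandom(64))
        replicate(live, replica)          # the next sync copies the damage

        return failed_files(replica, manifest), failed_files(offline, manifest)


if __name__ == "__main__":
    bad_replica, bad_offline = demo()
    print("replica fails:", bad_replica)
    print("offline copy fails:", bad_offline)
```

Running the same manifest check against a restore source before it is needed also catches the corrupt-backup case mentioned earlier in the article.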
After an attack, systems should be taken off the network—but not shut down—to prevent further spreading of the ransomware, Mr. Mouradian said. “Shutting systems down could prevent any preservation of evidence for a forensic team to investigate,” he said.
Hospitals should also ensure that monitoring systems are in place to detect the malware, and they should have an incident response team in place to respond to such alerts, Mr. Mouradian said. “Practice runs at reacting to this type of event will ensure proper and quick responses to the situation,” he said.
One of the easiest and most important best practices that hospitals can follow is training their employees, Mr. Mouradian said. “Employees need to be made more aware of how to recognize an attack....If an employee opens an e-mail from an unknown sender and it contains an attachment, the attachment should not be opened,” he said.
Mr. Yousif added that if an e-mail seems questionable, the employee should send it to the hospital's IT team for vetting. From a technical perspective, keep computer systems and browsers updated, and make sure antivirus software is installed, he said. Plus, clinicians who remotely access the EHR should work with their security teams to shore up their devices, such as by putting passwords on smartphones or encrypting the hard drives of laptops, Dr. Payne said. “Those devices that we personally own also need to be protected, and it isn't something we always think of,” he said.
Just like fires and natural disasters, it's worth practicing for the day when core systems are compromised, Dr. Payne added. “This is something organizations should be planning for and rehearsing so that if there were some loss of access to core patient information, we would know how to carry on,” he said. For example, in preparation for a downtime, clinicians should rehearse using paper records for entering notes, writing orders, and reviewing data, Dr. Payne said.
Organizations have long been developing, implementing, updating, and practicing contingency plans for downtimes, Dr. Bernstam noted. But, he said, “A lot of those came about due to the Y2K concerns, so around the year 2000, and some of those haven't been looked at since.”
Dr. Bernstam recommended that hospitalists review their procedures for planned and unplanned downtimes of varying lengths. “It's one thing if you know 3 days in advance that between midnight and 2 a.m., there will be a downtime, as opposed to it just happens right now,” he said.
Ransomware attacks will continue to rise until health care implements tighter security, Mr. Mouradian said. “Hospitals are currently easy targets because IT security funding is not always as important as it should be. The approach is always patient care first,” he said.
With this in mind, hospitals will be served well if they invest in information security, Mr. Yousif said. For example, he said, experts can help hospitals reverse social engineering and create “honey pots,” early detection systems that are set up to attract the bad guys. “So when a criminal hacker is already inside your organization, they would be attracted to a honey pot and then you could quickly react and disrupt their activity before they get to that crown jewel of your organization, which is the patient data,” he said.
But even as hospitals and consultants work to secure EHRs, hackers are busy searching for alternative methods of entry. “I suspect that criminal hackers will find a new way with which to attack our systems, and this way of encrypting your data and asking for a ransom is going to be no longer effective for them because there is a lot of focus on it now,” said Mr. Yousif.