Don’t let your patients’ medical records be taken hostage.

By David Ellis
Ransomware is one of the fastest growing malware versions to grab the attention of cybercriminals worldwide (attacks grew 113% in 2014) and has the potential to seriously affect both small and large organizations, and the healthcare industry should be particularly concerned.

In the last year alone, data breaches against the healthcare industry have targeted major providers like Anthem, Premera Blue Cross, and Excellus, and compromised more than 99 million patient records.

How does ransomware work?

In a nutshell, ransomware is digital extortion.
Ransomware starts with malware typically downloaded via a phishing email or malicious site link.

ransomwareWhen activated, this ransom malware (ransomware) immediately encrypts all of the files on a computer, including:
  • Word documents
  • PDFs
  • Spreadsheets
  • Photos
  • Music
  • The operating system itself
Sometimes the malware locks the user out of the computer entirely, without being able to access files, applications, or even the desktop.

The attacker retains the decryption key and it’s veritably impossible for the user to access the files. The attacker will leave just one decrypted file on the computer. Included in the file is an explanation that the files have been encrypted, and the attacker demands a payment in order to provide the decryption key.

The instructions will include a deadline that, if not met, results in the attacker threatening to discard the decryption key, rendering the computer useless. According to the FBI, the initial ransom amount is anywhere from $200–$5,000, typically accepted only in Bitcoin crypto-currency.

Although there’s no guarantee the files will be decrypted using the key, it’s rare that an attacker has not decrypted the files after payment. After all, it wouldn’t be a very effective extortion tool if word got around that the hackers didn’t fulfill their end of the bargain.

Why ransom a hospital network?

The psychology behind ransomware is all about how much value the user thinks the computer’s data holds. For someone with a new personal computer that contains only a few files, paying a hacker $500 to restore locked files doesn’t make sense. It would be easier to wipe the computer and start from scratch.

But what if a hacker got a hold of all patient records for an entire hospital and encrypted them? There could be hundreds of thousands of patient files that suddenly become inaccessible.  If the hospital’s data wasn’t properly backed up (outside of the network) and the ransom wasn’t immediately paid, doctors wouldn’t have the vital information needed to treat patients. Records of patient and insurance payments would be lost, patient personal and credit card information would be compromised, and the list goes on.

The ensuing chaos could effectively ruin a hospital’s reputation.

In recent years attacks targeting healthcare organizations have become even more appealing to hackers because of the digitalizing of hospital records, motivated by movements like the EHR Incentive Programs that pay companies to move certain hardcopy health records to electronic format.  As more data is digitized, the more records an attacker will be able to affect on a given network, thus, the more lucrative and successful the attack becomes.

Ransomware removal 101

In theory, ransomware is not that sophisticated. However, the average user, or even average IT guru, probably couldn’t remove it without accidentally wiping a computer. Which means, the average user has two ransomware removal options: pay up, or wipe the computer.

At BlackHat USA 2015, Dr. Engin Kirda shared research that 61% of ransomware attacks leave files untouched, and only lock down the computer. In cases like these, a professional may be able to either extract your critical files or remove the malware off your computer without you handing out a ransom.

But, in cases where the malware has encrypted each file, paying the attacker is likely the only option.

However, ransomware survivors have no guarantee that the whole thing won’t happen again at some future date. After all, the hacker still has access to the computer either through the original vulnerability that allowed them to download malware in the first place, or because the attacker installed a covert backdoor for future system access.

Preparing your healthcare environment for ransomware

As shown, ransomware is a very real threat that has the potential to devastate healthcare organizations, and this malware is too effective for attackers to stop using it.

Here are a few things to keep in mind while preparing your networks, computers, and staff for the
possibility of ransomware:
ransomware removal
  • Store data in the cloud: If you’re using a Health Information Exchange (HIE) in the cloud, pat yourself on the back. As of today, no known ransomware has successfully attacked cloud-based systems.
  • Utilize backups: To thwart ransomware, back up files often and make sure that a recent backup is stored offline, so the backup cannot be impacted by ransomware or other digital attack vectors.
  • Train staff on data security: Staff members are the weak link in the ransomware equation. In most cases, malware is downloaded onto healthcare environments because of a workforce member surfing the web or opening a link in a phishing email.
  • Create a ransomware crisis plan: Each member of your staff that uses a company computer needs to understand and practice your organization’s data security plan in order to avoid the devastating affects of a ransomware attack.
Remember, you have a responsibility to protect not only your organization’s reputation, but also your patients’ sensitive and valuable health data.

Improving your data security measures to be able to fend off a ransomware attack may seem arduous, but it is a mere speed bump compared to the sheer roadblock that a successful ransomware attack may pose to your organization.

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.