Ransomware: It’s as scary as it sounds

FBI Ransomware screenshot

For those in the healthcare technology space, ransomware is the biggest horror story of 2016, conjuring chilling headlines about hospitals shut down by an invisible enemy. It’s the story of technology being used against us, with the very computer systems we rely on transformed into prisons for our most precious data. The villains in this story are clever, leveraging fear tactics and trickery to rob their victims blind. It’s the perfect story for a media narrative, one that has captured the attention of major news services across the globe.

David Finn, Health IT Officer, Symantec

With health systems such as MedStar, Prime Healthcare, Hollywood Presbyterian Medical Center, Methodist Hospital, Desert Valley Hospital, and Chino Valley Medical Center caught in the web of ransomware this year alone, there’s no question that others will follow before 2016 comes to a close – and as a result, the sensational news coverage won’t just go away. And if the attackers are really as organized and powerful as it appears, maybe the scary headlines are justified.

Cybercrime evolved

Looking at the 2016 Internet Security Threat Report put out by Symantec, the evidence suggests that these cybercriminals are becoming far more legitimate and organized than you may think.[1] The cyberspace villain, once imagined as a clever criminal in a basement – or an overseas scammer who casts out huge phishing nets in hopes of catching one fish – has become a team of cyber bad guys who have set up companies modeled after legitimate businesses. In some cases, it appears they may enjoy set days off and other benefits similar to those of the American corporate sector.

“We started noticing dips and slow periods [in activity from cybercrime], and when mapped back to the calendar, it revealed that the bad guys seemed to be taking weekends off and regular holidays. You actually get a slow period over the Christmas holiday,” says David Finn, Health IT Officer, Symantec. “To me, that was actually one of the amusing parts of the study, except that it’s not amusing. They have really started to turn it into a profession. We talk about cybersecurity professionals – well this is kind of the dark side of cybersecurity professionals.”

Finn went on to add that, much like the lower-your-interest-rate phone scams that plagued past generations, cybercrime has become so ubiquitous that call centers are being set up to make the scam seem like a legitimate transaction. In some cases, these call centers may act as “customer service” departments for the less-organized bad guys who purchase the ransomware and hacking products from these “vendors” – whose products are readily available on the dark web through a Tor browser.

“When you look at the fact they’re running call centers, they’re documenting code [to continuously improve their products], and they’re taking weekends off – it really looks like there is a trade association out there for the bad guys,” Finn notes. “I think the scams are getting better, and it’s going to be harder for us to catch up – the bad guys don’t work under the same constraints as legitimate businesses.”

Their sophistication shows in the effectiveness of recent attacks. Early ransomware largely affected consumer PCs. A pop-up from what appeared to be the FBI would threaten the user over their “illegal activity,” demanding restitution for pirated movies or questionable browsing habits. To increase the effectiveness of the scare, some of these programs would activate the user’s webcam to make it seem as if Big Brother really was watching.

With FBI officers surely on the way to their door, users would pay their “fine” via some legitimate-looking PayPal rip-off and be on their way to freedom. More sophisticated users could probably reclaim their PCs with a little bit of work, as previous iterations of ransomware merely locked down computers and hid files. Today, those who fall victim to ransomware may not be so lucky.

Modern attacks, like the one that hit Methodist Hospital, lock down computer systems on the network, encrypting files and holding them hostage.[2] Even if you’re able to remove the ransomware software, recovering the files may not be possible due to the strong encryption used by the invasive software. This leads many hospital systems to the simplest remedy: Pay the ransom. This is typically done through the internet-based currency Bitcoin – and although a public ledger of all Bitcoin transactions is readily available, tracing the payment back to the person or group receiving the ransom is extremely difficult.

All trickery and deceit is gone. With these enterprise attacks, there’s no pretense of being the FBI coming for torrented Jay-Z albums, nor a “representative of Microsoft” requesting payment for services rendered. This is an organized criminal enterprise paralyzing a health system and demanding money for the trouble of keeping computer files nice and safe during this whole invasion.

A terrifying HIPAA fine?

Interestingly, unlike other security breaches, ransomware attacks are not nearly as invasive. While the jury is still out on whether falling victim to these crimes counts as a reportable HIPAA violation, it’s important to note that ransomware software does not actually steal files. Instead, the unwanted program automatically seals off and encrypts saved data.

HMT reached out to HHS regarding whether or not a ransomware infection counted as a HIPAA violation, and received the following response:

“Because it is considered to be a breach if the information is merely acquired (e.g., hackers take possession) and it is a ‘disclosure’ under HIPAA if access has been provided (without regard to whether or not the information actually was viewed), covered entities (and their business associates) need to do the required analysis in each instance of whether a ‘low probability of compromise’ has been demonstrated, and ‘whether the [PHI] was actually acquired or viewed’ is only one of the factors.”

In other words – maybe? Presumably, lawyers and regulators will eventually hammer out an official position once all the evidence is in. But on that note, does ransomware actually allow prying eyes to view sensitive patient data?

“I am not aware of any ransomware that would allow anyone else to access that data,” Finn says. “Yeah, they’ve encrypted it … but I think there’s a lot that needs to be determined before we can say it’s an actual data breach.”

Face your fears and fight back

While certain forms of ransomware have seen their encryption broken,[3] that defense is unlikely to be successful in most cases. Finn says most ransomware on the market today utilizes strong encryption that’s unlikely to be broken. As a result, defense must come in the form of a robust security strategy, complete with regular backups of all systems and vigilant updating of operating systems, software, and hardware.

“For a big organization like a hospital, that can be a huge task,” Finn says. “But every time you miss one of these key gaps, the opportunity for an attack just gets bigger. It really comes down to best practices and doing the basic blocking and tackling. And this is really where healthcare struggles – there’s so much to do … they’re so highly regulated, they can’t do everything all at once.”

For health systems that are overwhelmed by security challenges, the place to start is by adhering to basic computer hygiene: Don’t open files or click links you don’t recognize, and never allow unauthorized devices to gain access to the hospital network. It may be wise to teach any and all users how to utilize “sandbox” software, which allows unknown links to be opened in a secure environment.

“I think the biggest bang for your buck in fighting ransomware today is going to be training your people. Your computer doesn’t open mail for you; tablets don’t click links that come into them through an email – they don’t open files,” Finn says. “It’s not a malicious intent on the part of users, but I think it is a lack of awareness and a lack of training people on what they could be doing unintentionally [to trigger a cyberattack] when they get an unrecognized email with a file they don’t recognize, or they click a link that they don’t know what it is. You have to train your staff to know how to spot potential concerns.”

Part of that training includes making sure people don’t panic and become susceptible to the fear tactics used by ransomware attackers. For the criminals, turning on a device’s camera and pretending they’re a spy from the FBI is only the beginning. Some use horror movie images to taunt their victims,[4] and other more annoying variations utilize loud noises and sound effects to create a sense of chaos.

For an organization that is trying to do business, undoubtedly such a disturbance can be overwhelming. Sometimes paying the ransom may seem like the best option, but there is an inherent risk associated with dealing with criminals – especially those who have already shown they aren’t afraid to be deceptive. Paying that ransom may not result in files being decrypted, and it may just make you a target for future lockdowns.

For individual users and businesses alike, the first step is to take a deep breath and really examine the problem. Some of these ransomware programs are all bark and no bite.

“The user is seeing [stories of] hospitals shut down, police departments paying ransomware – and now they see it on their own computer. They figure if the big guys can’t fight it, I have no chance, so I’m just going to pay for it. But that isn’t always the best option,” Finn says. “We’ve got this new model we’re calling ‘Bluff Ware,’ where there’s really no code underneath it. They just lock your screen and say, ‘Pay the ransom.’ And people pay the ransom, but if they had just rebooted their machine, they’d be fine. But the panic level is so high in society that there are guys out there leveraging that.”

And why shouldn’t they? If it wasn’t working, these cybercriminals wouldn’t be acting like organized, professional businesses. The laws of capitalism apply to the black market just as they do to legitimate businesses – paying the ransom only increases the frequency and effectiveness of attacks, as it gives the criminals more money with which to improve their tactics. The only defense is fighting back via preventative measures, such as system backups, firewalls, secure end-point access to all hospital systems, and well-trained users.
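Both the “robust security strategy, complete with regular backups” passage above and this list of preventative measures rest on one practical caveat: a backup only helps if it captured clean files, not files that ransomware had already encrypted. The script below is an added example, not code from the article or from Symantec, showing how a backup job can check that before refreshing its copy. It records a SHA-256 hash and a byte-entropy figure for each file in a manifest, then on the next run flags files that changed and now look encrypted (near-random bytes where readable text used to be) and files that appeared out of nowhere, such as a ransom note. The sample directory, file contents and the 7.5 bits-per-byte threshold are constructed assumptions for the demonstration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: files whose bytes are this close to uniformly random (8 bits/byte max)
# look encrypted or compressed. Plain text and CSV sit well below this.
HIGH_ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup sets do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 for empty input up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root: Path) -> dict:
    """Record hash and entropy for every file under root, keyed by relative POSIX path."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {
                "sha256": sha256_file(p),
                "entropy": round(shannon_entropy(p.read_bytes()), 3),
            }
    return manifest


def verify_tree(root: Path, manifest: dict) -> dict:
    """Compare the live tree against the manifest from the last clean backup."""
    report = {"ok": [], "missing": [], "changed": [], "suspect_encrypted": [], "unexpected": []}
    for rel, rec in manifest.items():
        p = root / rel
        if not p.exists():
            report["missing"].append(rel)
            continue
        if sha256_file(p) == rec["sha256"]:
            report["ok"].append(rel)
            continue
        report["changed"].append(rel)
        # A file that used to be low-entropy and is now near-random is the signature
        # of in-place encryption rather than an ordinary edit.
        now = shannon_entropy(p.read_bytes())
        if now >= HIGH_ENTROPY_THRESHOLD and rec["entropy"] < HIGH_ENTROPY_THRESHOLD:
            report["suspect_encrypted"].append(rel)
    # Files absent from the manifest (ransom notes, dropped tools) are worth a look too.
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel not in manifest:
                report["unexpected"].append(rel)
    return report


def safe_to_refresh_backup(report: dict) -> bool:
    """Refuse to overwrite the last clean backup if anything looks encrypted."""
    return not report["suspect_encrypted"]


def demo():
    """Constructed walk-through: clean snapshot, then a simulated encryption event."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "records").mkdir()
        (root / "records" / "patient_notes.txt").write_text(
            "Routine visit. Blood pressure normal. Follow-up in 6 months.\n" * 20)
        (root / "records" / "schedule.csv").write_text(
            "date,room,provider\n2016-05-01,3A,Dr. Example\n" * 30)
        manifest = build_manifest(root)
        clean_report = verify_tree(root, manifest)
        # Simulate ransomware: one file replaced by random bytes, plus a dropped note.
        (root / "records" / "patient_notes.txt").write_bytes(os.urandom(4096))
        (root / "records" / "README_DECRYPT.txt").write_text("constructed ransom note placeholder\n")
        after_report = verify_tree(root, manifest)
    return clean_report, after_report


if __name__ == "__main__":
    clean, after = demo()
    print("clean run safe to refresh:", safe_to_refresh_backup(clean))
    print("after-event report:", after)
    print("after-event safe to refresh:", safe_to_refresh_backup(after))
```

In practice the manifest would be stored with the backup on media the hospital network cannot write to, so that the comparison itself survives the attack; the entropy check is a heuristic and will also flag legitimately compressed or encrypted files, which is why it reports rather than deletes.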

With every day that passes, the bad guys are getting stronger – especially if their profit margins continue to rise due to an increase in ransom payments. There is no blanket, one-size-fits-all solution to battling ransomware, but with education and by being vigilant about security best practices, hospitals can significantly reduce their risk of falling victim. There are health systems and individuals who repel attacks every day – but those stories don’t make for bone-chilling news.


  1. https://www.symantec.com/security-center/threat-report
  2. http://healthitsecurity.com/news/ransomware-attack-hits-ky-hospital-patient-files-encrypted
  3. http://www.bbc.com/news/technology-36014810
  4. http://www.databreachtoday.com/blogs/jigsaw-ransomware-adds-insult-to-injury-p-2107