Live from PHI Protection Network Conference: Reducing the Risks of Ransomware

March 21, 2016
At the PHI Protection Network Conference in Philadelphia this week, FBI officials and security consultants described the increasing threat from ransomware and how some healthcare providers are responding.

The recent and highly publicized Hollywood Presbyterian Medical Center ransomware event may be just the tip of the iceberg. “The criminals got paid for doing that with very little risk,” said James Christiansen, vice president for information risk management at Optiv Inc. “We are going to see a lot more of that.” In fact, several people at the conference told anecdotal stories of hospital systems responding to ransomware attacks. Since these attacks don’t involve the “exfiltration” of patient data, health systems are under no regulatory requirement to make them public.

Ben Stone, an FBI supervisory special agent who heads the cyber criminal squad in the FBI’s Philadelphia office, said the criminals using CryptoWall 4.0 to encrypt and hold health system files for ransom have evolved their tactics. Originally, it was easier to determine which files were affected. “Now you have no idea of the file and folder names, so you don’t even know what you have lost,” he said. The attacks also used to be untargeted. “But now my belief is that they are specific and targeted.” Stone said one of the biggest challenges the FBI faces is that the really bad stuff is going on overseas, in places like the Russian part of Ukraine and other countries where U.S. officials get little cooperation from law enforcement.

The criminals also have grown more sophisticated at “social engineering”: determining which individuals to target with phishing campaigns, and making a deceptive e-mail seem realistic enough that employees will click on an attachment carrying malware. One ploy running rampant during tax season involves attackers “spoofing” the chief financial officer’s e-mail address and asking someone in accounts payable to send them all the employees’ W-2 forms. Employees comply without thinking, Stone said. “It is human nature to do what a boss is asking you to do.”
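The CFO-spoofing ploy described above can be caught at the mail gateway before the request reaches accounts payable. The following is an added example, not code from the conference or from any of the speakers, and it assumes a constructed corporate domain (example-health.org), a one-entry executive directory, a list of sensitive-data terms, and three hand-written sample messages. It flags the three things a spoofed request usually gets wrong: an executive’s display name on an outside address, a From address in the corporate domain that the gateway could not authenticate (no SPF or DKIM pass in the Authentication-Results header it stamped), and a Reply-To that steers the conversation elsewhere; it then notes whether the body asks for payroll or tax data.

```python
"""Flag executive-impersonation mail (the W-2 ploy) from parsed message headers and body.
CORP_DOMAIN, EXECUTIVES, SENSITIVE_TERMS and the three sample messages are constructed
for this example."""
import email
from email.utils import parseaddr

CORP_DOMAIN = "example-health.org"                      # assumed corporate mail domain
EXECUTIVES = {"jane doe": "jane.doe@example-health.org"}  # constructed directory: display name -> address
SENSITIVE_TERMS = ("w-2", "w2", "payroll", "wire transfer")


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def _auth_passed(msg) -> bool:
    """True only if the gateway's own Authentication-Results header shows an SPF or DKIM pass."""
    results = msg.get("Authentication-Results", "").lower()
    return "spf=pass" in results or "dkim=pass" in results


def check_message(raw: str) -> list:
    """Return a list of findings for one RFC 822 message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    exec_addr = EXECUTIVES.get(from_name.strip().lower())

    # 1. Lookalike: an executive's display name on an address outside the corporate domain.
    if exec_addr and from_domain != CORP_DOMAIN:
        findings.append(f"display name of {exec_addr} used with external address {from_addr}")

    # 2. Forged header: From claims the corporate domain but the gateway saw no SPF/DKIM pass.
    if from_domain == CORP_DOMAIN and not _auth_passed(msg):
        findings.append(f"From {from_addr} claims {CORP_DOMAIN} but SPF/DKIM did not pass")

    # 3. Reply-To redirects replies away from the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 4. The ask itself: payroll/tax data, reported only when the sender already looks off.
    body = "".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", errors="ignore")
        for part in msg.walk() if part.get_content_type() == "text/plain"
    ).lower()
    asked = [t for t in SENSITIVE_TERMS if t in body]
    if asked and (exec_addr or findings):
        findings.append(f"request for sensitive data ({', '.join(asked)})")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED = """\
From: Jane Doe <jane.doe@example-health.org>
Reply-To: Jane Doe <jane.doe.cfo@example-health-mail.com>
To: ap@example-health.org
Subject: W-2 request
Authentication-Results: mx.example-health.org; spf=fail smtp.mailfrom=example-health-mail.com; dkim=none
Content-Type: text/plain; charset=utf-8

Please send me all employees' W-2 forms as a PDF today. I need them for the auditors.
"""

LOOKALIKE = """\
From: Jane Doe <jane.doe@example-heaith.org>
To: ap@example-health.org
Subject: Urgent - W2s
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-heaith.org; dkim=pass header.d=example-heaith.org
Content-Type: text/plain; charset=utf-8

I am in a meeting, please reply with the payroll W2 export for every employee.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example-health.org>
To: ap@example-health.org
Subject: Q2 budget
Authentication-Results: mx.example-health.org; spf=pass smtp.mailfrom=example-health.org; dkim=pass header.d=example-health.org
Content-Type: text/plain; charset=utf-8

Can you send me the Q2 budget summary when it is ready?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, "->", check_message(raw) or "clean")
```

The lookalike sample passes SPF and DKIM for its own registered domain, which is exactly what a prepared attacker arranges; that is why the display-name check is separate from the authentication check, and why the Authentication-Results header trusted here must be the one stamped by your own gateway, with any copy arriving from outside stripped first.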

Jonathan Fairtlough, managing director for Kroll Cybersecurity and a former Los Angeles County Prosecutor working on high-tech crimes, explained why the ransomware situation is getting worse. Once the attackers get access to your network, they can use internal tools you have in place to turn off backups and antivirus, and then do the encryption. “They are making so much money that they are expanding and choosing targets for whom loss of data is unacceptable,” he said.

“It is spreading and so laser-focused on healthcare organizations because the systems in a healthcare structure are disorganized, and poor at talking to each other,” Fairtlough said. Another industry weakness is the large number of mergers and acquisitions happening. When a well-run IT shop buys a smaller group, the IT integration starts, and the larger organization finds it has inherited older devices and risky practices and brought them into its network, he said.

Keith Fricke, principal consultant for tw-Security, described some experiences he has had in the trenches helping health systems deal with ransomware. Initially, help desks get calls from users getting error messages that files won’t open. The malware leaves two files, one .txt and one .html, with a message that you have been hacked and instructions on how to pay, said Fricke, who was formerly CISO at Mercy Health System (formerly known as Catholic Health Partners) and an information security manager at Cleveland Clinic Community Hospitals.

His team ran a triage process and confirmed there were 42,000 encrypted files that they had to recover. By looking at the file metadata, they could see a list of the files, the date each was modified and by whom. That became a key step in containment and cleanup: they found the workstation and user credentials used, quickly unplugged that workstation, identified all the encrypted files and restored them from backup, then began the investigation into how it got infected.

The next time they dealt with it, in patient financial services, the attackers had removed the metadata, so they could not easily tell which files had been touched, and there was no information about the last person to touch a file or its creation date. The only option, he said, was to unplug all the workstations and bring in a SWAT team to find which were infected. It took 16 hours to recover, and business resumed the next day.
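The two incidents above are the same triage problem with and without usable metadata. The following is an added example that is not code from the conference or from Fricke’s team: it walks a share, identifies encrypted files by content (Shannon entropy of the file head near 8 bits per byte) and the dropped .txt/.html ransom notes by their wording, then pivots on owner and modification time to find the earliest write, which is the lead back to the workstation and credentials. If the timestamps look stomped or stripped (epoch-era dates, or every hit sharing one second), it reports the metadata pivot as unreliable so responders know to fall back to the content-based list, as in the second incident. The entropy threshold, the note keywords, the file names and the sample share it builds in a temporary directory are all assumptions for the example.

```python
"""Triage a file share after a ransomware hit: find ciphertext and ransom notes by content,
then pivot on owner and modification time to find the first infected write.
Thresholds, note keywords and the sample share below are assumptions for this example."""
import math
import os
import tempfile
import time
from collections import Counter

ENTROPY_THRESHOLD = 7.5      # bits per byte; ciphertext and compressed data sit near 8.0
MIN_SIZE = 512               # very small files give noisy entropy estimates
SAMPLE_BYTES = 64 * 1024     # only the head of each file is read
NOTE_EXTS = {".txt", ".html"}
NOTE_KEYWORDS = ("encrypted", "decrypt", "bitcoin", "pay")
PLAUSIBLE_EPOCH = 946684800  # 2000-01-01; mtimes before this are treated as stomped


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """True when the file head has the near-uniform byte distribution of ciphertext."""
    if os.path.getsize(path) < MIN_SIZE:
        return False
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD


def is_ransom_note(path: str) -> bool:
    """True for a small .txt/.html file whose text reads like a ransom demand."""
    if os.path.splitext(path)[1].lower() not in NOTE_EXTS or os.path.getsize(path) > SAMPLE_BYTES:
        return False
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", errors="ignore").lower()
    return sum(k in text for k in NOTE_KEYWORDS) >= 2


def triage(root: str, since: float = 0.0) -> dict:
    """Classify every file under root modified at or after `since`, then pivot on metadata."""
    hits, notes = [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if st.st_mtime < since:
                continue                       # outside the incident window
            if is_ransom_note(path):
                notes.append(path)
            elif looks_encrypted(path):
                hits.append((st.st_mtime, st.st_uid, path))
    hits.sort()                                # earliest write first
    mtimes = [m for m, _, _ in hits]
    # Stomped or stripped metadata: epoch-era times, or every hit sharing a single second
    # as a bulk timestomp would leave. Heuristic only; treat a True result as a warning.
    stomped = any(m < PLAUSIBLE_EPOCH for m in mtimes) or (
        len(mtimes) > 1 and len({int(m) for m in mtimes}) == 1)
    return {
        "encrypted": [p for _, _, p in hits],
        "notes": sorted(notes),
        "by_owner": Counter(uid for _, uid, _ in hits),   # st_uid is 0 on Windows
        "first_hit": hits[0][2] if hits else None,
        "metadata_reliable": not stomped,
    }


def build_sample_share(root: str, now: float) -> None:
    """Constructed sample share: two plain files, two ciphertext-like files, two notes."""
    billing = os.path.join(root, "billing")
    os.makedirs(billing, exist_ok=True)
    note = b"YOUR FILES HAVE BEEN ENCRYPTED. To decrypt them pay 2 bitcoin within 72 hours.\n"
    files = {
        "claims_q1.csv": (b"MRN 000123 | 2016-03-01 | CPT 99213 | paid\n" * 100, now - 600),
        "readme.txt": (b"Export schedule for the Q1 claims files.\n" * 20, now - 600),
        "remits.xlsx.locked": (os.urandom(8192), now - 300),    # first write by the malware
        "claims_q1.csv.locked": (os.urandom(4096), now - 120),
        "HOW_TO_RESTORE.txt": (note, now - 60),
        "HOW_TO_RESTORE.html": (b"<html><body>" + note + b"</body></html>", now - 60),
    }
    for name, (data, mtime) in files.items():
        path = os.path.join(billing, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.utime(path, (mtime, mtime))


def demo() -> dict:
    """Triage the sample share, then again after its timestamps have been stomped."""
    with tempfile.TemporaryDirectory() as share:
        now = time.time()
        build_sample_share(share, now)
        clean = triage(share, since=now - 3600)
        for path in clean["encrypted"]:
            os.utime(path, (0, 0))             # simulate stripped/stomped metadata
        return {"clean": clean, "stomped": triage(share)}


if __name__ == "__main__":
    report = demo()["clean"]
    print(len(report["encrypted"]), "encrypted,", len(report["notes"]), "notes")
    print("first hit:", report["first_hit"], "owners:", dict(report["by_owner"]))
```

On a real share, `first_hit` and `by_owner` are what you take to the file server’s audit log or SMB session list to name the workstation; the content-based `encrypted` list is what you restore from backup either way. Entropy alone will also flag legitimately compressed or already-encrypted data (ZIPs, JPEGs, encrypted PDFs), so review that list against known file types before wiping anything.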

Fricke said one thing he worries about is the potential for patient portals to spread infections in “watering hole” attacks. That is, if a patient’s home PC gets infected with malware, the patient may spread the infection to the health system and other users by coming to the portal. “I am telling people to have extra diligence when partnering with a vendor on a portal solution, whether they are hosting it or not. I think this is coming as an attack vector. The patients will want to blame the hospital, and you will spend time and money proving it started with the individual’s PC. It is a train wreck waiting to happen.”

Fricke offered a handout with 10 recommendations for reducing the risk of ransomware, including:

• Educate the workforce.

• Ban all personal webmail and surfing on corporate devices.

• Implement a data backup plan with a longer retention cycle. (The longer the timespan between the last full backup copy and the ransom demand, he said, the greater the odds that the organization cannot fully recover from backups alone and is forced to pay the ransom.) Require the workforce to store all work-related data on a network drive rather than a local hard drive.

• Create incident response procedures, with specific playbooks to address the most common types of attacks.  Conduct a tabletop exercise or drill.

• Filter internet traffic more closely. Consider restricting inbound and outbound traffic by creating a blacklist/whitelist. Block inbound email traffic from newly registered domains; typically, attackers launch phishing emails from domains that are less than 72 hours old.

• Consider next-generation anti-malware tools that use mathematical models to identify malware rather than relying on signatures.

• Evaluate advanced persistent threat (APT) detection tools.

• Implement intrusion prevention systems.

• Patch vulnerable versions of PDF viewers, Flash players, and web browsers.