Ransomware Poses a Rising Threat to Hospital Operations
While many companies have agreed, in theory, that information sharing could help them deal with potential threats, most firms are reticent to discuss actual compromises. Despite requirements that health care organizations report certain types of breaches to the Department of Health and Human Services, a great number of compromises have gone unreported. "No one is talking," Nutkis told eWEEK. "We have reached out to get more insights about what happened and what their plans were … but no one was willing to speak about it, publicly or privately." Typically, only the loss of personal health information requires a health organization to report a breach. Yet, recent attacks have targeted health care organizations. Cisco's Talos research group has seen hospitals infected with a variant of ransomware, called Samsam. The program is pushed to vulnerable application servers after they are exploited using known vulnerabilities that many companies have not patched.Hospitals, doctors' offices and health insurers often suffer from poor information security, according to experts. Many organizations do not have a chief information security officer or even an information security manager. The result is that the health care sector has had historically low security ratings. In its 2014 ratings report, BitSight scored health care firms lower than finance, utilities and retailers. "Those systems are not always patched," said Stephen Boyer, CTO of BitSight. "We see Conficker [a 7-year-old network worm] on hospital networks because they are running some old version of Windows that no one is monitoring, and when it stops working, it is going to be a problem." Because most organizations may not have an option besides paying a ransom—even police departments have paid—the lucrative nature of the ransomware scheme is making it more popular. "Right now, $17,000 may not seem that significant, but for someone who is engaged in electronic crime, they see that trend and conclude that hospitals are definitely a vulnerable attack vector and willing to pay money to make this problem go away, which makes it likely that they will be targeted," Fusion X's Devost said. In a few years, ransomware will likely become more virulent, once inside a network and more capable of disrupting operations. With the increased sophistication will likely come high price tags to recover from an attack, Devost said. "My expectation is the dollar threshold on these payments is going to go up over the next year to 18 months," he said.
"Attackers are finding that the fastest way to convert their access to money is going the ransomware route," Matt Olney, manager of threat intelligence analytics for Cisco's Talos, told eWEEK.