When Hollywood Presbyterian Medical Center admitted in February to paying a $17,000 ransom to decrypt data scrambled by malware, the only surprise was that the hospital’s ordeal had become public.
Health care organizations, such as HPMC, are under attack by cyber-criminals looking for easy money and nation-state actors seeking data. More than half of all midsize hospitals have signs of malware infections, according to data collected by the Health Information Trust Alliance (HITRUST). Much of the activity, however, has gone unreported.
Yet, those same organizations are finding it difficult to remain mum as criminals turn to ransomware, a far more disruptive tactic. Already, some 18 percent of midsize hospitals have been infected with crypto-ransomware, according to the HITRUST study. While many businesses can continue to operate if their data is effectively destroyed, hospitals’ operations are far more sensitive to disrupted access to data.
“Most advanced malware and previous attacks [on hospitals] were intentionally conducted to not raise alarms—they focused on thievery,” Daniel Nutkis, CEO of HITRUST, told eWEEK. “[C]rypto-ransomware—that creates a different dynamic; it wakes you up immediately.”
Ransomware has evolved into a serious threat. Starting with early programs that locked Windows systems more than a decade ago, the increasing use of encryption-enabled malware shows how ransomware has become more sophisticated.
Because of the potential to disrupt their operations, hospitals are logical targets for attacks. If infected, they may have little choice but to pay the ransom—and quickly, said Matt Devost, CEO of security consultancy FusionX, which is now owned by Accenture.
“If I target a midtier, medium-sized business and encrypt their data, there is probably a period of time during which they can operate without access to their data,” he told eWEEK. “With hospitals, that is not the case, and that makes them a ripe target.”
The attacks have worried officials so much that in early April, the United States and Canada issued a joint advisory warning all businesses of the danger.
“Infections can be devastating to an individual or organization, and recovery can be a difficult process that may require the services of a reputable data recovery specialist,” the U.S. Department of Homeland Security (DHS) and Canadian Cyber Incident Response Centre (CCIRC) said in the statement.
The HITRUST study, which placed network security equipment inside the networks of 30 hospitals to monitor for malware, found that 54 percent of the midsize hospitals had a malware infection. Almost 35 percent of those infected—18 percent of all hospitals in the study—had been infected with crypto-ransomware.
The HITRUST data should be considered conservative. Double the number of health care organizations that participated—more than 60—refused to have their data incorporated into the study after they received the results, according to HITRUST’s Nutkis.
Ransomware Poses a Rising Threat to Hospital Operations
While many companies have agreed, in theory, that information sharing could help them deal with potential threats, most firms are reticent to discuss actual compromises. Despite requirements that health care organizations report certain types of breaches to the Department of Health and Human Services, a great number of compromises have gone unreported.
“No one is talking,” Nutkis told eWEEK. “We have reached out to get more insights about what happened and what their plans were … but no one was willing to speak about it, publicly or privately.”
Typically, only the loss of personal health information requires a health organization to report a breach.
Yet, recent attacks have targeted health care organizations. Cisco’s Talos research group has seen hospitals infected with a variant of ransomware, called Samsam. The program is pushed to vulnerable application servers after they are exploited using known vulnerabilities that many companies have not patched.
“Attackers are finding that the fastest way to convert their access to money is going the ransomware route,” Matt Olney, manager of threat intelligence analytics for Cisco’s Talos, told eWEEK.
Hospitals, doctors’ offices and health insurers often suffer from poor information security, according to experts. Many organizations do not have a chief information security officer or even an information security manager.
The result is that the health care sector has had historically low security ratings. In its 2014 ratings report, BitSight scored health care firms lower than finance, utilities and retailers.
“Those systems are not always patched,” said Stephen Boyer, CTO of BitSight. “We see Conficker [a 7-year-old network worm] on hospital networks because they are running some old version of Windows that no one is monitoring, and when it stops working, it is going to be a problem.”
Because most organizations may not have an option besides paying a ransom—even police departments have paid—the lucrative nature of the ransomware scheme is making it more popular.
“Right now, $17,000 may not seem that significant, but for someone who is engaged in electronic crime, they see that trend and conclude that hospitals are definitely a vulnerable attack vector and willing to pay money to make this problem go away, which makes it likely that they will be targeted,” Fusion X’s Devost said.
In a few years, ransomware will likely become more virulent, once inside a network and more capable of disrupting operations. With the increased sophistication will likely come high price tags to recover from an attack, Devost said.
“My expectation is the dollar threshold on these payments is going to go up over the next year to 18 months,” he said.