By Mary Ellen Callahan
Over the past few weeks, several health care companies and hospitals have been hit by ransomware. For example, when patients walked into one hospital, they were greeted with the information that the hospital had no access to email, some patient data was inaccessible, and other services supported by computers, such as CT scans, lab work and the pharmacy, were offline.
These hospitals and health care companies were victims of cyber attacks − lasting for several days and up to a week. Hospitals and companies in general who have fallen prey to ransomware have had to revert to paper-based registration and medical records. Staff communicated by fax and telephone. Some patients had to be transferred to other hospitals.
Ransomware encrypts files, databases or other caches of information and what follows is a ransom demand to decrypt the data. One distinction between ransomware and other types of cyberattacks is that the perpetrators, the hackers, aren’t actually after the information. Holding the data or information captive is a means to an end – they’re hoping that the victim of the attack will pay the ransom.
Initially, hackers demanded up to 9,000 in Bitcoin, a digital currency, equivalent to somewhere between $3.4 million and $3.6 million, and in one instance, the hospital eventually provided 40 Bitcoin, or $17,000, to regain its systems.
Although no industry or sector is immune from cyberattacks in general, or ransomware in particular, health care needs to be prepared. In April 2014, the FBI Cyber Division issued a “Private Industry Notification” alerting health care systems to an anticipated increase in cyberattacks due to the transition to electronic health records. The warning extended to medical devices as well. Based on these recent public episodes of ransomware, the warnings are starting to become a reality.
According to the Symantec 2015 Internet Security Threat Report, the most common sources of ransomware are malicious email attachments that pretend to be some sort of invoice, bill or image. The end user opens the attachment, which downloads and installs the ransomware on the computer or network. Ransomware also can get onto a computer or network if the user clicks on an advertisement or visits a webpage where the ransomware is lying in wait.
Because we live in a networked world, and computers are most often connected to a network, infecting a single computer with ransomware can reach the whole network. In recent cases, the ransomware has encrypted files on the servers, not an individual computer, and brought down the whole network.
Ransomware is not confined to desktop or laptop computers. There also are ransomware attacks designed for mobile devices.
When a computer or device has been infected with ransomware, often a pop-up demands the monetary ransom in exchange for the decryption key. Although most security experts and law enforcement personnel will advise against paying the ransom, many companies do pay, particularly if the information encrypted are “crown jewels” and hard to replace.
But it’s important to understand there is never a guarantee that you will even get your data back and the hackers now know you are willing to pay the ransom. What’s to stop them from attacking you again and asking for more money next time?
Ransom demands have increased against companies, in part because the targets have become more valuable. Initially hackers using ransomware demanded only a few to several hundred dollars; that was often a price companies could consider paying without significant budgetary risk.
However, as evidenced by the recent attacks, the ransomware hackers are increasingly becoming more sophisticated in their targeting. Hospitals should be aware of this trend, and understand what their crown jewels are, how they are protected, and ensure that they are backed up regularly.
While creating a secure environment is very important, prevention through education and awareness is the most important weapon against ransomware.
Hospitals should regularly back up their data, whether it is stored on laptops, desktops, servers or mobile devices. In addition, they should ensure that anti-virus and anti-malware software is installed throughout their operations and make sure all of the devices, systems and software, including web browsers, are up to date with patches and security updates.
Everyone in health care has a responsibility. Health care administrators and staff should:
- be trained not to click on links or open attachments in emails or messages, including social media messages, especially when they don’t know or recognize the sender.
- never open an attachment that appears to come from a company that they have never done business with, such as an energy or utility company.
- be educated on what to do if they believe or know they have fallen victim to ransomware, including immediately ceasing use of their computers and contacting the IT or IT Security department.
Ransomware usually cannot be hacked to override the malware. Therefore, it is important to protect your crown jewels through good cybersecurity controls and regularly backing up your data. That way, if you are the unfortunate victim of a ransomware attack and your data is lost, you have a backup copy. Information Security, technology and administrators need to work together to identify and defend against cyber incidents of all kinds, including ransomware.
Callahan is an attorney with the Washington, D.C.-based law firm of Jenner and Block, an outside counsel to the AHA.