Ransomware Rises Among Hospitals
This article was co-authored by Bruce A. Radke, Michael J. Waters and John C. Cleary, Shareholders at Vedder Price, in collaboration with David Evans, Director of Strategic Alliances, and Cliff Kittle, Principal of Healthcare Information Security at Dell SecureWorks.
Roughly 60 percent of hospitals have been targeted by ransomware attacks in the last 12 months, according to an April poll conducted by HIMSS and Healthcare IT News. Last year, the FBI received nearly 2,500 ransomware attack complaints that cost victims $24 million. That cost is growing exponentially.
In the first three months of 2016, ransomware attacks cost Americans another $209 million. Hospitals are prime targets because they need up-to-date information from patient records and often would rather pay a ransom than risk delayed patient care that could result in lawsuits.
Ransomware is a type of malicious software that encrypts nearly all types of files on hard drives and their shared networks, including MS Office files, PDFs, documents, pictures and videos. Attackers demand that victims pay a ransom, threatening to destroy the key to decrypt the files if payment is not made by a set time. Payment, however, does not guarantee the decryption of files. Michigan Attorney General Bill Schuette said in a consumer alert that some victims have reported that their files were not decrypted even after the ransom was paid.
In May, Kansas Heart Hospital in Wichita, KS, became afflicted with ransomware and lost access to files. The hospital paid the ransom but received access to only some of its files. The attacker then demanded more money before he or she would allow the hospital to access more of its files. The hospital declined to pay any more. There has been no word yet on whether or not the hospital was able to recover its other files.
Other Ransomware Attacks Targeting Hospitals
In February, Hollywood Presbyterian Medical Center (HPMC) in Los Angeles suffered a ransomware attack. HPMC struggled for ten days working without electronic records and trying to restore the network before relenting and paying a ransom of 40 bitcoins—the equivalent of $17,000. Cyber attackers have targeted hospitals in the United States and abroad, including Lukas Hospital in Neuss, Germany; Ottawa Hospital in Ottawa, Ontario, Canada; Methodist Hospital in Henderson, KY; Chino Valley Medical Center in Chino, CA; and MedStar Health in Baltimore, MD.
While these hospitals know they have been victims of ransomware attacks, the HIMSS and Healthcare IT News poll revealed that 25 percent of hospitals surveyed said they have no way of knowing whether or not ransomware attacks were perpetrated against them. The hospitals could have been attacked, but the attacks could have been unsuccessful. For example, a hospital could have received phishing e-mails with links or attachments that contained ransomware, but if a user never clicked on the link, the ransomware would not deploy. Also, no matter how the attacks arrived, hospitals could have had proper protections in place that blocked ransomware from ever deploying.
The FBI is investigating the recent onslaught of ransomware attacks on hospitals as well as other types of businesses, organizations and local governments. In January, the FBI issued a warning on the rise of ransomware and identified a new ransomware variant, CryptoWall. Two months later, the FBI issued a confidential "Flash" advisory asking businesses and software security experts for emergency assistance in its investigation into another new type of ransomware known as MSIL/Samas.A. Each variant of ransomware works in a different way, so in addition to having technologies in place to recognize already-used variants, hospitals must be able to respond to new threats as rapidly and effectively as possible.
How to Protect against a Ransomware Attack
- Implement endpoint threat detection services that allow cybersecurity experts to monitor your endpoints 24x7 to detect anomalous behavior, which often occurs before ransomware is deployed. Ransomware attacks can come in a variety of ways, including via e-mails containing malicious attachments and links, and by visiting a website that has been tainted with malware. The attacks also occur after attackers break into networks and linger there for months until they find an organization's most valuable servers and unleash their ransomware. Endpoint threat detection services can spot the attackers quickly to help organizations get them out of the network before ransomware can be deployed.
- Identify the most necessary resources needed for operations, such as patient records and health care provider contact lists, and strengthen their defenses to mitigate the risk of loss. Search your environment for malware and attack indicators to see if threat actors are already hiding in your environment. An attacker could have access to your network for months or even years without your knowledge and could deploy ransomware at any time.
- Assess backup files, as dormant malware may be in the infrastructure prior to the latest backup.
- Implement security awareness training for employees. Cyber attackers often use "social engineering" to trick a user into providing information that allows an intruder inside the network. The training should cover software-based threat vectors and physical security. Deploy test exercises that include sending fake phishing e-mails to employees. Those people who end up falling for the fake e-mails can learn from their mistakes, which will help prevent them from being fooled by real phishing attacks.
- Ensure that you have adequate security technology protections in place, such as firewalls and anti-virus, anti-spam and anti-phishing technologies, as well as 24x7x365 network and endpoint monitoring.
- Use Microsoft's software restriction policies that allow only specific software defined in the policy to run. There are certain directories in which ransomware infections will typically start; by isolating these directories with a software restriction policy, hospitals can cut down on the likelihood of infections.
- Back up files regularly, and test their ability to restore needed data.
- Store an off-site or redundant backup in another location to avoid the possibility of the backup data being compromised.
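The backup items above (assessing backup files and testing the ability to restore) can be exercised with a scripted restore test. The following is an added example, not part of the original article: it assumes a SHA-256 manifest is taken at backup time, and the function names, file-type table and sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Leading bytes expected for file types the article lists as ransomware targets.
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
         ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff"}

def _files(root):
    """Map relative path -> absolute path for every file under root."""
    return {os.path.relpath(os.path.join(base, n), root): os.path.join(base, n)
            for base, _dirs, names in os.walk(root) for n in names}

def build_manifest(root):
    """Record a SHA-256 per file at backup time; keep it apart from the backup."""
    return {rel: hashlib.sha256(Path(full).read_bytes()).hexdigest()
            for rel, full in _files(root).items()}

def verify_restore(manifest, restored_root):
    """Compare a test restore with the manifest and check file headers."""
    report = {"missing": [], "changed": [], "bad_header": []}
    restored = _files(restored_root)
    for rel, digest in sorted(manifest.items()):
        if rel not in restored:
            report["missing"].append(rel)
            continue
        data = Path(restored[rel]).read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            report["changed"].append(rel)
        magic = MAGIC.get(os.path.splitext(rel)[1].lower())
        # A known extension without its expected header suggests the file was
        # already encrypted or corrupted when the backup ran.
        if magic and not data.startswith(magic):
            report["bad_header"].append(rel)
    return report

def demo():
    """Constructed sample: scan.png is not a real PNG; notes.txt fails to restore."""
    samples = {"chart.pdf": b"%PDF-1.4 sample", "scan.png": b"\x13\x37" * 32,
               "notes.txt": b"ok"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for name, body in samples.items():
            Path(src, name).write_bytes(body)
            if name != "notes.txt":  # simulate a file the restore lost
                Path(dst, name).write_bytes(body)
        return verify_restore(build_manifest(src), dst)
```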
How to Respond to a Ransomware Attack
Craft a response plan for when systems get hijacked that will help you manage the situation. Test the plan regularly to ensure that all parties involved in incident response understand their responsibilities and are equipped to perform their duties. Implement a response plan that contains the following actions:
- Restore any encrypted files from a recent backup;
- Decrypt the files using a third-party decryptor;
- Contact a managed security services provider, which may be able to help decrypt the files as well as prevent future ransomware infections;
- Do nothing and lose the data;
- Negotiate with the attacker and pay some or all of the requested payment. While paying the ransom may seem like a realistic option, the FBI recommends that organizations not pay the ransom, as attackers will not always give you the key to decrypt your files. Often, paying the ransom simply leads to more ransomware attacks.
Hospitals that have been hit with ransomware attacks should seek legal advice immediately to see whether the attack triggers any notification requirements or other obligations under state or federal law. Counsel should coordinate remediation efforts with the hospital's PR, crisis management, IT and outside forensics teams, as well as with law enforcement.
For more information about the recent rise of ransomware attacks on health care providers, or for advice about a specific potential or actual ransomware attack, please contact Bruce A. Radke at +1 (312) 609 7689, Michael J. Waters at +1 (312) 609 7726, John C. Cleary at +1 (212) 407 7740, David Evans of Dell SecureWorks at +1 (404) 704 2766, Cliff Kittle of Dell SecureWorks at +1 (815) 338 8315, or any other member of the Vedder Price Privacy, CyberSecurity & Media practice group.