
Ransomware attacks: Why healthcare data is at risk

Ransomware attacks on healthcare data are on the rise. Expert Ernie Hayden explains why healthcare organizations are a target and the effects of these attacks.

Today's healthcare industry in the United States is under cyberattack. Healthcare executives, CISOs and systems administrators are witnessing attacks by means of ransomware, denial-of-service attacks and medical records theft, both of electronic records and of physical media.

In the Ponemon Institute's Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, published in April 2016, healthcare-related breaches constituted $6.2B in cost, at an average expense of $355 per record, versus $246 per education record and $221 per finance record. According to ID experts, over 140 million individuals in the United States -- roughly 50% of the population -- have had their healthcare records lost, breached or stolen. In 2015, IBM noted that healthcare had the highest rate of data breaches of any industry.

What are the causes of these breaches and successful ransomware attacks? According to Ponemon, 48% of the events are due to malicious or criminal attacks and 27% are due to system errors in IT and business processes. Negligent employees or contractors -- the human factor -- cause about 25% of the security breaches. Ponemon even noted in its survey that "60+% of healthcare organizations and business associates believe they are more vulnerable to data breach than any other industry."

Sadly, the data appears to support this conclusion.

Why is healthcare a target?

There are three primary reasons why the healthcare industry is a target for ransomware.

First, patient information is valuable to identity thieves. For instance, the FBI reports that healthcare records can be worth between $20 and $70 per file, versus only $5 for each credit card record. At the same time, the defenses are underfunded: a 2014 survey of healthcare technology professionals found that half spent only 3% or less of their technology budgets on cybersecurity, as opposed to the standard 10%.

A second reason why healthcare is a target for ransomware is that hospitals, doctors, nurses and emergency medical technicians need access to patient histories, directives, lists of prescribed medications and other personal data to be able to help the patient. Essentially, they need this information STAT, and any delay in accessing these records could result in loss of life or severe injury.

A third reason why ransomware can effectively attack the healthcare industry is the heavy reliance of medical services on electronic medical records (EMR). When President Obama first came into office in 2008, and as part of the American Recovery and Reinvestment Act, all public and private healthcare providers were required to adopt and demonstrate "meaningful use of electronic medical records by January 1, 2014 in order to maintain their existing Medicaid and Medicare reimbursement levels." While EMR has brought many advantages, the unintended consequence is a heavy reliance on the availability of these records. That makes them a perfect target for ransomware: denying access to the records gives the victim a strong reason to pay the ransom.

What is ransomware?

Ransomware is a form of malicious software that restricts the user's access to her device or data in some way and demands a ransom payment in exchange for lifting the restriction.

Some sub-types of ransomware include:

  • Crypto-ransomware: Specifically encrypts the files on a victim's machine and typically gives a time limit by which the victim must pay a fee to decrypt the files, or else the files are erased.
  • Lockscreen ransomware: Locks the screen and demands payment but no files are encrypted or affected.
  • Master boot record blocking: The computer will not boot up; instead, a ransom note is displayed on the screen.

Essentially ransomware is a form of extortion. It attempts to force or extort money from a computer user or company by:

  • Infecting or taking control of the computer and files on it,
  • Preventing the victim from accessing the operating system and/or other devices,
  • Encrypting files so the user cannot use them,
  • Preventing certain applications from operating, and
  • Blocking access to backup repositories -- which can be a major problem.

A brief history of ransomware

Ransomware did not really take off until after the introduction of Bitcoin in 2009. Bitcoin essentially offers an anonymous means of moving funds, which is exactly what a ransomware criminal needs to be effective. With enhanced ransomware techniques and attacks, improved phishing techniques and capabilities, and ready access to Bitcoin, ransomware has expanded substantially since 2005.

One of the first ransomware attacks was carried out in 1989 by Joseph Popp, who called it the "AIDS" or "PC Cyborg" attack. The ransomware hid the files on the victim's hard drive, encrypted the file names and displayed a message claiming that the user's license to use a certain piece of software had expired. The victim was asked to pay $189 to "PC Cyborg Corporation" in order to obtain the repair tool. Popp's downfall was that the payment funds could easily be traced back to him, resulting in his arrest. Supposedly Popp never stood trial because he was considered mentally unfit. The "AIDS" name surfaced because Popp claimed that he'd donate the proceeds to an AIDS charity.

How does ransomware work?

The classic ransomware model starts with a phishing email carrying an attached file -- usually a .docx, .pdf or .zip. It tricks the user into opening the file, and malicious macros execute on the double-click. Alternatively, the email can contain a link to a malicious site from which malware is quietly downloaded onto an unpatched machine.

Another technique is to attack via a compromised website using a method known as a watering hole attack.

Once the malware is inside the machine, an executable file is downloaded that installs the ransomware and embeds it in the victim's computer. The ransomware then searches the computer and any attached peripherals, network connections, hard drives and USB drives for files to encrypt. This search can extend to network-accessible resources and cloud resources such as Dropbox and Evernote.

Finally, the ransomware encrypts the files, or at least blocks the user from accessing the computer and its applications, and posts a ransom note on the victim's machine.
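The search-and-encrypt phase described above leaves a detectable trace: files that were readable documents become high-entropy blobs, usually with a new extension and a ransom note dropped beside them. The following is an added example, not code from the article, of a defender-side scanner that walks a directory tree and flags files that look encrypted (Shannon entropy near 8 bits per byte and not in a format that is legitimately compressed) or that carry ransom-note-style names. The threshold, the allowlist of magic bytes, the note-name hints and the sample patient-chart tree are all constructed assumptions for the demonstration.

```python
"""Heuristic scanner for files that look like the output of crypto-ransomware.

Added example (not from the article). It builds a small constructed sample
tree, then reports files that are high-entropy with no known container
format, plus files whose names resemble ransom notes.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off, random data approaches 8.0
SAMPLE_BYTES = 4096       # only the head of each file is inspected
MIN_BYTES = 256           # too little data gives an unreliable entropy estimate

# Formats that are high-entropy by design; skipping them cuts false positives (assumed allowlist)
KNOWN_HIGH_ENTROPY_MAGIC = {
    b"PK\x03\x04": "zip / docx / xlsx",
    b"\x1f\x8b": "gzip",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG": "png",
}

# Substrings commonly seen in ransom-note filenames (constructed list of hints)
RANSOM_NOTE_HINTS = ("readme", "decrypt", "recover", "restore")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Finding:
    path: str
    entropy: float
    reason: str


def classify_file(path: str) -> Optional[Finding]:
    """Return a Finding if the file looks encrypted or like a ransom note, else None."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    name = os.path.basename(path).lower()
    if name.endswith((".txt", ".html")) and any(h in name for h in RANSOM_NOTE_HINTS):
        return Finding(path, shannon_entropy(head), "ransom-note-like filename")
    if any(head.startswith(magic) for magic in KNOWN_HIGH_ENTROPY_MAGIC):
        return None  # legitimately compressed container, ignore
    ent = shannon_entropy(head)
    if len(head) >= MIN_BYTES and ent >= ENTROPY_THRESHOLD:
        return Finding(path, ent, "high entropy, unknown format")
    return None


def scan_tree(root: str) -> List[Finding]:
    """Walk root and collect findings, sorted by path for stable output."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            f = classify_file(os.path.join(dirpath, fn))
            if f is not None:
                findings.append(f)
    return sorted(findings, key=lambda f: f.path)


def summarize(root: str) -> Dict[str, str]:
    """Map each flagged file's basename to the reason it was flagged."""
    return {os.path.basename(f.path): f.reason for f in scan_tree(root)}


def deterministic_noise(n: int, seed: bytes = b"demo") -> bytes:
    """Stand-in for ciphertext: chained SHA-256 output, reproducible across runs."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_tree() -> str:
    """Constructed sample data: plaintext chart, zip container, 'encrypted' chart, ransom note."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    charts = os.path.join(root, "patients")
    os.makedirs(charts)
    with open(os.path.join(charts, "chart_1001.txt"), "w") as fh:
        fh.write("Patient chart. Allergies: penicillin. Medications: metformin 500 mg.\n" * 40)
    with open(os.path.join(charts, "archive.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04" + deterministic_noise(2000, b"zip"))  # mimics a real container
    with open(os.path.join(charts, "chart_1002.txt.locked"), "wb") as fh:
        fh.write(deterministic_noise(3000))  # stands in for a chart the ransomware rewrote
    with open(os.path.join(charts, "README_DECRYPT.txt"), "w") as fh:
        fh.write("constructed placeholder note text\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f.entropy:5.2f}  {f.reason:30}  {f.path}")
```

Run it and only the rewritten chart and the note are reported; the plaintext chart sits near 4 bits per byte and the zip is skipped by its magic bytes. In production this check would run from a scheduled job or a file-system watcher over the shares and sync folders the text mentions, with the allowlist tuned to the document formats the organization actually stores.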

A U.S. government interagency report found that there have been 4,000 ransomware attacks per day since early 2016, a 300% increase over the 1,000 daily attacks reported in 2015.

Example healthcare cases

According to the FBI, there were several reported ransomware attacks on healthcare organizations in the U.S. affecting over 15 hospitals between January and April 2016. Two of the most public and frequently cited examples are the following:

  • Hollywood Presbyterian Medical Center, Los Angeles, California

In this instance, the Locky ransomware variant knocked the hospital's systems offline for over a week. This caused substantial disruption to patient care and scheduling, and resulted in doctors and nurses communicating in person or by fax, new patient records being recorded on paper and some patients being transferred to other hospitals. After a week and lots of internal discussion, the hospital finally paid a Bitcoin ransom worth $17,000.

  • Methodist Hospital, Henderson, Kentucky

On March 18, 2016, Methodist Hospital announced it was operating in an "internal state of emergency" after a ransomware attack. The attack reportedly encrypted files on computer systems and held the data hostage until a ransom of four Bitcoin ($1,600) was paid. The attack on the hospital came via spam email, with messages referring to invoices and prompting recipients to open an attached file that actually contained malware. The main impact of the ransomware was system downtime, which forced the hospital to process everything by hand on paper.

Approximately five days after the attack hit, Methodist Hospital regained control of its network and data without paying the ransom, apparently by restoring data from backups.

Editor's Note: Stay tuned for part two of this series, which will look at steps to prevent ransomware attacks on healthcare companies.


This was last published in October 2016
