Reprinted from REPORT ON PATIENT PRIVACY, the industry's #1 source of timely news and business strategies for safeguarding patient privacy and data security.
March 2016, Volume 16, Issue 3
For 10 days in February, hackers laid siege to Hollywood Presbyterian Medical Center, successfully taking the hospital’s network hostage before fading back into the recesses of the dark web with $17,000 in their pockets. The high-profile cyberattack sent a wake-up call rippling through the health care industry’s ranks, although cyber and legal experts say it isn’t the first ransomware incident and it certainly won’t be the last.
Initial reports had pegged the ransom at around $3.6 million, and although a statement issued by hospital CEO Allen Stefanek said those reports were false, multiple outlets have said the medical center was at least considering paying that much, even if it had only miscalculated the exchange rate between dollars and Bitcoin. The hackers ultimately released the network after receiving 40 Bitcoins, or $17,000, in payment.
Stefanek said the hospital immediately contacted law enforcement when his team first noticed the attack on the evening of Feb. 5, but the Los Angeles Times and others reported that the hospital paid the ransom first. Steve King, chief operations officer and chief security officer for San Francisco-based cybersecurity firm Netswitch Technology Management, indicated that fellow cybersecurity analysts “who are always on top of events that happen in the space” also are “pretty convinced” the hospital paid the hackers immediately.
Hollywood Presbyterian isn’t talking beyond Stefanek’s statement, but it isn’t the only one to suffer this type of attack. Two other high-profile ransomware attacks occurred in the weeks prior to the crisis at Hollywood Presbyterian. Titus Regional Medical Center in Mount Pleasant, Texas, suffered a similar lock-out in January, telling The Daily Tribune that the hospital had reverted to the 1970s in terms of patient records. “Everything is on paper and people are serving as runners,” spokesperson Shannon Norfleet said. “There’s no automation.” The New York Times reported that Titus eventually caved and paid the ransom, but did not specify how much the hospital paid. (Titus did not return RPP’s request for comment.) The European Association of Healthcare IT Managers on Feb. 16 reported that several hospitals in Germany were also hit with ransomware in the last several weeks.
“Obviously hospitals have become a primary target,” King says.
Between 2013 and 2014, researchers saw a 250% increase in the number of “families” of crypto ransomware, the type of virus that locks a person out of a server’s files, according to an August 2015 report from Symantec. The average ransom in 2015 was a mere $300, the report found, but ransoms as high as $50,000 were reported.
To Pay or Not to Pay?
Hackers aren’t shy about who they target, either. Multiple police departments across the country have been held hostage too, and many end up paying the criminals. David Hall, a partner in the Philadelphia and New York offices of Wiggin and Dana, says hackers attacked one police department in Pennsylvania, encrypting its files until the department ponied up $1,000.
Law enforcement, lawyers and cyber experts are split on whether or not Hollywood Presbyterian should have paid, but they all agree that situations should be determined on a case-by-case basis. In one high-profile interview last year, a Boston FBI agent said the agency often advises people just to pay, because “the ransomware is that good.”
The apparent level of access that the hackers seemingly had at Hollywood Presbyterian is “pretty spectacular,” says Hall. “I personally think in general it’s not a good practice to pay ransom,” he says. “It does reward the wrongdoer. In a hospital setting, when patient care is at stake, you can see the hospital might have felt that it had no choice in order to keep treating its patients.”
In his statement, Stefanek said that neither patient records nor patient care was threatened during the incident. If that’s the case, King says, the hospital should not have paid. Doing so only encourages the criminal behavior, and many hackers are hacking for the thrill. He pointed to the case of ProtonMail, a Swiss encrypted email provider that he says paid around $6,000 to recover its network, only to see the hackers launch a denial-of-service attack when they received the money.
“I don’t think it’s about the money,” King says. “It’s really about the joy of hacking, that weird ego gratification that you get when you can blow up the system and show up the authorities.”
Ransomware attacks are definitely an “increasing trend,” says Evan Wolff, a partner in the Washington, D.C., office of Crowell & Moring LLP, but so are public and private sector responses. Wolff says he advises his clients to take a “layered approach” to cyber defense in ransomware situations, working with cybersecurity firms and law enforcement like the FBI before pulling out their wallets. “I would say even contemplating paying the ransom would be the last resort in any advice we would give,” he says.
Elliott Golding, a counsel at Crowell & Moring, likens it to a “chess match” between the good guys and bad guys. Because situations like these are so case-specific, it’s hard to determine what the legal fallout could be without the details.
“If you’re looking at various breach laws, typically what they say is that if there is unauthorized access, use or disclosure of data that compromises it, then you might have a breach on your hands,” he says. “In this case it’s just not clear to me if any of those things actually happened.”
The situation at Hollywood Presbyterian impacted King enough to impel him to issue a strongly worded advisory to other health care organizations. The precautions, he says, are “pretty simple.”
“The targets are so rich because networks are converged. So you’ve got these medical devices that are part of the core administrative network and so they’re accessible. You can shut down the hospital pretty easily,” King tells RPP. “It’s not like shutting down a bank, where the worst thing that could happen is that people can’t get their money out, I guess, whereas in a hospital the worst thing that can happen is people die.”
Segregating Networks Is Good Defense
Segregating networks is a crucial defense strategy, he says, especially considering the leverage hackers will have if they gain control of critical medical devices. “Then I can hold life or death ransoms, which are going to be a lot more than $17,000.”
Cybersecurity researchers at Independent Security Evaluators, LLC on Feb. 23 released a report detailing two years of hacking an array of 12 hospitals, two health care data facilities, two electronic health record platforms and two medical devices. They easily gained access to patient monitors and even accessed systems controlling medicine delivery and blood work requests by sitting down at one hospital lobby kiosk.
Backing up servers on a frequent basis is also key to beating the hackers at their own game. If a hospital has the ability to wipe its infected systems and restore them from a back-up server, the hacker loses his leverage.
“A lot of companies do in-house back-ups, which what you’re doing basically is giving the same access to the back-ups as you do to the live data, so when you do back-ups for these sorts of things, it should be off-site,” King says.
Health care organizations should also develop incident response plans ahead of time, which Wolff says are critical when a virus hits.
“The single most important thing a company can do is have an incident response plan, and be familiar with it,” he says. “It’s something that needs to be understandable by not just the IT department, but by lawyers and executives and everyone in the company.”
Read the research hackers’ report at http://tinyurl.com/zgjorhs.