Records for Ransom
By Susan Chapman
For The Record
Vol. 32 No. 3 P. 18
How should health care organizations react when kidnappers grab the goods?
Ransomware is a type of malicious software that infects computers, servers, databases, and managed service providers, encrypting data on the infected platform. The individuals behind the nefarious attack request a price, or ransom, from the organization in order to release the information. Generally, they do not provide the data decryption key until the ransom is paid. According to Verizon’s 2019 Data Breach Investigations Report, ransomware incidents accounted for more than 70% of all malware occurrences across the health care industry.
How an Attack Happens
“Often, when a computer or system is infected, a blue screen, or some other anomaly, will appear with a message about the ransomware,” explains Ryan Patrick, MBA, CISSP, CCSFP, senior vice president of security products and strategy at Intraprise Health. “The attackers need to be paid via cryptocurrency to release the records. Health care is specifically targeted, as the health care industry, unlike other industries, has been slow to adapt to the security industry. In 1996, HIPAA went into effect, but people really didn’t pay attention to cybersecurity until about 2015 when there was a big breach at Anthem.”
Ransomware attacks can occur many different ways, says Adam Kujawa, director and chief security analyst at Malwarebytes Labs, but “in general, attackers find the vulnerability that is more valuable to the victim than to anyone else.”
To Kujawa’s point, because health care data sets are the most comprehensive of any industry, with information on patients, families, insurance, and payment options, any security breach or attack is going to be particularly devastating to victims. Not only is personal information unmasked and accessible, but also patients’ lives can hang in the balance while organizations scramble to address a breach or attack.
For instance, in September 2019, Campbell County Memorial Hospital in Gillette, Wyoming, was the target of a ransomware attack. “The attack was so devastating that the hospital was actually turning away patients and sending them 70 miles away for about eight hours. In a situation like this, there is the potential for life-or-death consequences when a patient is experiencing an emergency,” Patrick says.
Ransomware attacks occur in seemingly innocuous ways. One of the most common ways an attacker can infiltrate a hospital’s computer system is through phishing, the practice of sending malicious e-mails that look genuine to an unsuspecting recipient. The recipient clicks on the attachment, and the ransomware attack begins.
Another related practice is trusted domain spoofing, in which an employee reads an e-mail that looks as though it came from a reliable source. If the person enters the site, the attackers are able to infiltrate the system.
“The primary distribution method we see is through malicious e-mails. They look like they are coming from a legitimate source or they have a legitimate body. People are told to log into e-mails and are directed to a site that looks exactly like theirs,” Kujawa says. “The e-mail includes an attachment, such as a Microsoft Word or other Office document attachment. The document is sometimes simple; the attackers always find some easy way to trick the user to click the enable button, which then runs the malicious software.”
Ransomware attacks can also occur via social engineering, says Ty Greenhalgh, HCISPP, CEO of Cyber Tygr. “Attackers stalk people on social media, which is open-source intelligence. There is a lot of information out there on you through social media sites. An attacker can learn a great deal about a person in this way, which is called ‘spear phishing.’ A phishing will seem real based on the personal information in it. As an example, the victim posted online that he bought a new car, and then the attacker e-mails him like it’s coming from the dealer,” he explains.
Stuart Reed, vice president at Nominet, notes that organizations can also be vulnerable from within. “Potentially, the attack could be an inside job. Because the most common way of getting onto a network or computer system is to have someone innocently download an attachment or click on a link, using a USB stick, a malicious insider could put malware onto a computer system, which then starts that process.”
Although ransomware has become more sophisticated in its delivery, it is actually not much different than when it first made an appearance in 1989. Patrick explains, “At that time, an attacker wrote a piece of code that was exactly the same in functionality as you see today. But, in 1989, things weren’t as connected. The attacker would mail out code on floppy disk. The person would receive it, insert it, and open the file. It wasn’t as effective, but that is how it started. It’s evolved over time and has accelerated over the last 10 years. It started out using fear or guilt to pay the ransom. In the mid-2000s, it just scanned all your files. The message was ‘pay all this money and we will clean your files.’ Ransomware uses much more sophisticated algorithms today.”
Ransomware evolution also benefits from market competition. “A would-be attacker, assuming they have the right contacts and accesses to the right hacker forums, could find criminal vendors to create unique malware for them, another to distribute that malware, a third to handle hosting of the malware’s command and control, a fourth to handle money laundering, etc. The point being that a marketplace exists to accommodate anyone who wants to be a malware pusher and, in doing so, creates competition between developers of ‘ransomware as a service’ that often results in more capable ransomware,” Kujawa explains.
One such model relies on affiliates. The attackers create the malware and then modify it. They provide it to the customers who create ransomware files and distribute them out to the internet. “In this model, the creators get a percentage of ransom payments, and the affiliates do as well. This is how sophisticated it has become,” Kujawa says. “Attacks are sometimes to set people up in the right place and then to knock people over like dominoes. The ones who are actually able to do this are the most damaging.”
Greenhalgh elaborates, “If you access the dark web, you can easily find ransomware-as-a-service business models. ‘I’m going to give this much money to you and give you these addresses; here are my targets.’ I load them into the system, create my own ransomware notice, and the software does the rest. The host takes their cut from the ransom and deposits the remainder into your bank account. Ransomware has been embraced by organized crime and has gotten very sophisticated because it’s extremely lucrative and growing.”
Action Steps in the Event of an Attack
To help prevent a ransomware attack, Reed offers, “Don’t open attachments or click on links if they are not from legitimate sources. Organizations should also make sure they are monitoring their network activity, making sure they are able to ID malware or phishing, and have the right technology and procedures to monitor for those things on the network.”
Should an attack take place, experts recommend having up-to-date backup data. “Keeping backups is crucial,” Reed says. “By having multiple backups, in some cases kept off-premise, you’ll be able to restore business operations as quickly as possible. Also, prepare. Have an incident response plan. If anything does happen, everyone knows the role to play to mitigate the impacts.”
Patrick concurs, “Prior to falling victim, they should have back-up systems in place, which is something that has always been a problem in health care. Another preventive measure is to restrict administrative privileges for standard users. Phishing can be effective if a person has admin privileges, but a standard user would be blocked.”
Reactively, in general, an organization should disconnect the infected system from the rest of the network. “Removing the ability for things to crawl through the network can contain it,” Patrick says.
“But don’t turn your computer and/or server off. There is valuable forensic information in the RAM that will go away if you do,” Greenhalgh cautions.
“After that, go through your disaster response/recovery,” Patrick says. “If a hospital’s main EHR is affected, this is a pretty big deal. Part of the proactivity is the disaster recovery plan. ‘What is our fallback plan? Can we admit patients? Can we provide care? Do we need to revert to paper if the system fails?’ The disaster recovery plan is what that organization should turn to. It depends on what, where, and the criticality of what was infected.”
Greenhalgh also believes disaster recovery is key. “You need an incident response plan. OCR [Office for Civil Rights] is looking for these concentrated and coordinated contingency plans. It’s up to organizations to practice their plans,” he says. “The Ponemon Institute’s 2018 ‘Cost of a Data Breach’ study listed the cost of a data breach for health care as the highest in all industries: $408 per record. How do we reduce the pain associated with a breach? You can do different things to increase or decrease the cost. According to the Ponemon report, the No. 1 thing you can do to reduce it is to have an incident response plan. You will minimize the malware’s impact and recover faster if you become coordinated in your response.”
Some of the most important components of a disaster recovery plan are the team and communications. “You may need back-up communications,” Greenhalgh explains. “E-mail or VOIP might not be there if your network is on hard lockdown. The plan should lay out everything that you should do.”
Kujawa adds, “The bad guys don’t rely on lack of security to break in. They rely on lack of knowledge. Know that, first of all, the attackers will find a way in, regardless. Prepare your organization to be attacked.”
He cites the importance of identifying the most valuable data on the network—the data that will be needed to pay the ransom—then establishing additional internal security procedures to protect those specific data. “You can have specialized access lists for certain data or utilize additional encryption. It really depends on the operational requirements for that data and what the organization can deploy,” Kujawa says.
Organizations should encourage employees to report suspicious activity. “For instance, if we ever get an e-mail that looks weird, our employees can send it to an e-mail address for phishing within the organization to have it checked out. That is the middle point, a compromise,” Kujawa notes.
To Pay or Not to Pay
The industry is conflicted over whether or not to pay the ransom when an organization is attacked. “Some people believe you should pay the ransom,” Kujawa says. “Get things back on track and reduce the risk and downtime. In an incident in Baltimore, the organization waited to decide, and the ransom went up. If you’re a manufacturing plant and your systems go down, you are completely out of business until you come back up. But in a hospital, people can die.”
Greenhalgh explains the industry’s ambivalence. “It’s in debate. It’s a decision that each entity needs to make for itself. How long and how much money is it going to take to restore ourselves if we don’t pay the ransom? Can the organization wait that long? What if it takes a month? Can you wait that long? Can your business sustain that? Then, if you do pay, you’ve just told the hacker community that you’ll pay. Ransomware payments are getting bigger, probably because people are paying them. If a hospital pays $700,000, will the next one pay a million?” he says.
“The FBI would tell you, don’t pay the ransom, as would other security professionals. Don’t provide funding for future attacks,” Patrick says. “However, there is a town in southern Florida that paid because their entire environment was infected, and there was nothing they could do. It depends on the risk tolerance of the organization. You can sometimes pay and not receive the encryption key. It’s situation specific. But, when possible, don’t pay.”
Reed, too, advises organizations not to pay the ransom. “I would always say to not pay. You are not dealing with a legitimate organization. This is extortion. You should never pay or encourage this type of cyberactivity,” he says. “Also, if you do pay the ransom, you open yourself up to future attacks because you are a known target that will pay up. And there is no guarantee that you will get your files back or that they will be restored properly if you pay the ransom.”
Greenhalgh says the cyber-insurance industry oftentimes recommends that organizations pay the ransom. “There may be other mitigating factors that inform their decision—like a greater financial impact resulting from loss of business and damage to the hospital’s good name, and they don’t want it to go under,” he says.
Unforeseen Lasting Effects
Patrick believes one of the most important lasting effects of a ransomware attack is external stakeholder trust. “Do people feel confident in this organization’s ability to protect data and provide care? There could be confidence issues within the local community as well,” he says.
More tangibly, though, are damages to an organization’s systems. “Keep an eye on things from a malware perspective that could later launch another ransomware attack,” Kujawa says. “Not all attacks are ransomware. There is information stealing, credential stealing. They hide in the background. Ransomware is the most obvious, but most malware doesn’t want you to know it’s there. So, lasting effects are often hidden malware.”
Greenhalgh agrees. “Do you really know if your system is clean now? Because in health care, there is a mean time to containment and then a mean time to extraction—how long does it take us to find the malware, and how long does it take us to get rid of it? You may not understand what additional malware they have loaded and have no idea how long they have been in your system. They may have loaded Trojan horses or malware, and you’ve been backing this up for a long time,” he says.
A ransomware attack will breach two of the three components that help shape an organization’s data security policies. Known as the CIA triad, the three components, or pillars, are confidentiality, integrity, and availability. “Unauthorized access will compromise the confidentiality of protected data. Ransomware will restrict the availability of the systems to provide patient care. What if attackers start altering your data and they don’t tell you when or where they did it? Untraceably altering the integrity of the data is the next fear in the evolution of ransomware,” Greenhalgh says.
Reed offers guidance for any organization that falls victim to a ransomware attack. “You don’t know who these cybercriminals are; you don’t have any right of redress if you don’t know whom to pursue, if you decide to pay but don’t get your files back,” Reed explains. “That is why it is fundamentally important to keep a backup of those critical files in a separate location to recover from a ransom attack. Also, as a preventive measure, have good procedures and well-defined roles [in place], and the right level of supporting technology to provide early warning of these attacks.”
Kujawa adds, “Learn from mistakes; become more resilient, more agile. Attackers will evolve. Health care organizations must evolve as well.”
— Susan Chapman is a freelance writer based in Los Angeles.