Hospitals remain a popular target for cybercriminals, who continue to drain America’s healthcare system of valuable resources.
Not even 24 hours prior to his dismissal, then FBI Director James Comey emphasized his organization’s longstanding recommendation against ransomware payments at the 2017 American Hospital Association’s Annual Membership Meeting. “I understand [the] instinct, but it is horribly short-sighted,” he said. “The idea that [ransomware] will go away…is foolish. It will be back to you, it will be back to your clients, it will be back to your supply chain, it will be back to your industry.”
While some American hospitals seem to have gotten the message — McAfee reports that ransom payments decreased in 2017 despite a 56% increase in total ransomware — others continue to acquiesce to cybercriminals’ demands. In fact, just last month, Hancock Health, a network of more than 20 Indiana-based healthcare facilities, paid hackers four bitcoins, or roughly $55,000, for keys to decrypt hundreds of commandeered files.
Around 9:30 pm on January 11, Hancock Health employees started to notice a significant slowdown across their IT systems. The hackers notified them that 1,400 mission-critical files had been locked down — the names of which were all changed to “I’m sorry” — and that the healthcare network had seven days to pay a ransom before the files were permanently encrypted.
Unlike the vast majority of ransomware attacks, the Hancock attack was not the byproduct of a successful phishing campaign. “The [hacking] group obtained the login credentials of a vendor that provides hardware for one of the critical information systems used by the hospital,” explains Hancock Health President and CEO Steve Long. “Utilizing these compromised credentials, the hackers targeted a server located in the emergency IT backup facility utilized by the hospital…and made use of the electronic connection between the backup site and the server farm on the hospital main campus to deliver SamSam malware.”
Since they’d made a practice of regularly backing up all of their critical files, Hancock administrators initially believed that they would be able to purge the compromised files and replace them with clean backup versions. Unfortunately, it turned out that the “electronic tunnel” between the backup site and the hospital had been intentionally blocked. Several days later, administrators discovered that “the core components of the backup files from many other systems had been purposefully and permanently corrupted by the hackers.”
Ultimately, the network’s administration decided that paying the ransom was the most logical course of action. As Hancock Health Senior VP Rob Matt told USA Today, “[While] it wasn’t an easy decision…the amount of the ransom was reasonable in respect to the cost of continuing downtime and not being able to care for patients.”
Comey’s warnings notwithstanding, there is a good deal of evidence to suggest that a moderate ransomware payment is a hospital’s least expensive option, at least in the short term. For instance, in April 2017, the Erie County Medical Center (ECMC) in Buffalo, New York, decided against paying a $30,000 ransom. Months later, The Buffalo News reported that expenses tied to the attack were quickly approaching $10 million, and that the cost of continually upgrading their technology and training procedures would figure around $250,000 to $400,000 a month.
Of course, hospital administrators would ideally be able to protect themselves from such acts of extortion. Unfortunately, as McAfee Chief Scientist Raj Samani points out, “The healthcare sector has probably suffered more than most in terms of ransomware.” Research suggests that over half of American hospitals fell prey to a ransomware attack between 2015 and 2016.
As concerning as this is, it’s not entirely surprising. Medical records are often more valuable to cybercriminals who are trying to make a buck than financial information like credit card numbers, as they typically contain a wealth of sensitive and valuable identifying information like home addresses, telephone numbers, email addresses, dates of birth, and social security numbers.
What’s more, according to one study, 20% of healthcare IT professionals admit to running Windows XP on their networks, an operating system that has been unsupported since early 2014 — and thus hasn’t had a security update in what amounts to an eternity in IT years. Even more shockingly, 7% of healthcare IT professionals don’t even know what operating systems their connected medical devices are running!
At the end of the day, protecting a hospital network from ransomware — and other cybersecurity threats — is hard, complicated work, and many hospitals just aren’t equipped to do it. That’s why healthcare organizations of any size would be wise to partner with a cybersecurity expert like Turn-key Technologies (TTI).
With over two decades of experience in the healthcare IT field, TTI understands the unique threats hospitals face, the primacy of patient care, and the pricelessness of never having to make the “to pay or not to pay” decision. By working with TTI, hospitals can ensure that their networks remain secure for years to come.
March 15, 2018
Please, rotate your device