Ransomware scare: Will hospitals pay for protection?

On April 4 an ordinary looking e-mail arrived in a clinical worker's Microsoft Outlook inbox at a small Indiana hospital. In the “From” field was the name of the hospital's new printer and fax machine paired with its official e-mail domain. The subject line was simply the word “Invoice.” That is, it all looked mundane and legit—like a routine document sent from the device.

But that e-mail, several of which made it past the hospital's firewall, unleashed a virus that encrypted files on the worker's computer hard drive and connected to a server. A window popped up giving instructions and links to retrieve a key to unlock the files.

King's Daughters' Health in the small town of Madison, Ind., was the victim of a so-called ransomware attack. A series of such attacks in recent weeks, including disabling the computer systems at MedStar Health, a much larger and more sophisticated organization based in Columbia, Md., have startled hospitals across the U.S.

Healthcare organizations, for a variety of good and bad reasons, are slow to adopt and update their information technology. And the cybercriminals know it.

“It's a quick and easy way to monetize weaknesses in health information security,” said Dr. Eric Liederman, director of medical informatics at the Permanente Medical Group. Dealing with ransomware adds one more item to an already crowded to-do list for clinical IT leaders, Liederman said. “My job is to try to find that balance” between clinicians' workflow needs, patient-safety requirements and security demands.

As hospital IT teams spend much of their time and money figuring out how to meaningfully deploy electronic health records and harness the data for emerging payment and delivery models, the bad guys continue to hone their technology and calibrate their attacks, creating boom times for data defenders. With at least six hospitals targeted in the past month, healthcare leaders are scrambling for protection.

These available wares include legal services, security consultancy, training, systems testing, cyber insurance, security software that runs on and defends computer systems, and remote-hosted software and services that can include fully staffed security operations centers that provide computerized and human watchdogs on the lookout for cyberthreats 24/7.

“Business is booming,” said Eldon Sprickerhoff, founder and chief security strategist at eSentire, a Canadian provider of remote-hosted security services.

At King's Daughters' Health, the employee who unwittingly released the malware quickly notified the IT department, which shut down all of the hospital's computer systems, including its electronic health record system. The EHR system was unscathed, although it was open on the infected computer. Still, the attack forced the hospital to go without e-mail and use paper to document patient encounters until the system's corrupted files could be deleted and replaced.

“We knew we had a backup—I think we handled it as well as we could have,” said Linda Darnell, senior director of technology and health at the 77-bed hospital. “We saw stories from other organizations that were hit, and those stories gave us the warning to be prepared.” The hospital added some security software to monitor its systems but paid no ransom.

“It's a troubling trend,” said Katherine Keefe, head of breach response services for Beazley, which sells breach insurance, including coverage for ransom payments. “We had our biggest (breach) incident month last month, and a lot of it was attributable to ransomware.”

Fernando Blanco, vice president and chief information security officer at Irving, Texas-based Christus Health, said he is getting about 200 e-mail solicitations a day from vendors and consultants.

The newest tech wrinkles in ransomware are called Locky and Samas, both used this year against healthcare organizations, according to a threat alert on ransomware issued March 30 by the U.S. Department of Homeland Security and the Canadian Cyber Incident Response Centre.

Locky uses e-mail as a vector. It deploys a virus hidden in a document that, when opened by an unwitting e-mail recipient, launches other software that moves through an infected computer system, scrambling computer files with near-bulletproof encryption, then posts a demand that the victim pay a ransom to the hackers.

Its signature, the .Locky extension, attaches to the data files it encrypts. It was Locky that struck King's Daughters' Health in Madison.

Samas propagates through vulnerabilities in an organization's Web servers. According to the federal alert, the server of an unnamed healthcare organization was compromised this year by Samas, which uploaded ransomware that infected its network.

And Samas was likely the virus that attacked MedStar Health in late March, according to the Associated Press. MedStar's Georgetown University Hospital in Washington and other facilities were affected, forcing clinicians to return to paper record-keeping and knocking out at least some of its computer systems for more than a week. MedStar was not commenting about the nature of its attack.

The cybersecurity community doesn't know yet who's behind the latest ransomware attacks, said Joseph Lawlor, associate managing director for the U.S. cyber investigations and incident response practice at K2 Intelligence. “The important thing to understand here is these aren't amateurs,” said Lawlor, a former FBI agent assigned to cybercrimes. “This is not a kid in his mom's basement. They're well-trained professionals, and they're all over the world.”

And the gambit is extremely successful. In 2012, Symantec Corp., the Mountain View, Calif., security software developer, estimated ransomware was yielding $33,000 a day. “I would suspect they're making a lot more now,” Lawlor said.

Like astute businessmen, data kidnappers are experimenting with various price points in their ransom demands to see what the market can bear.

So far ransom demands have run from a few hundred dollars to a few thousand, so that victims will do the math and decide “it's the most expeditious thing to do” to make the payoff, said Collin Hite, leader of the insurance recovery group and co-chair of the data privacy and security practice at Hirschler Fleischer, a Richmond, Va., law firm.

In March, Hollywood Presbyterian Medical Center in Los Angeles paid about $17,000 to hackers who disabled its computer network. CEO Allen Stefanek said paying up was the “quickest and most efficient way to restore our systems and administrative functions.”

Some ransomware attackers have even optimized their software to facilitate customer interactions, such as providing victims with easy-to-follow instructions on how to acquire and transmit bitcoins, a hard-to-trace electronic currency preferred by cybercriminals.

As any TV cop show aficionado knows, the weakest link in a kidnapping scheme comes when the ransom payment changes hands, but that problem was addressed in September 2013. It was “the date ransomware went mainstream,” said Stu Sjouwerman CEO of KnowBe4, a Tampa Bay, Fla.-based provider of cybersecurity training services.

“That's when Crypto-Locker (a ransomware variant) came out and took everyone by surprise with its business model of using bitcoin as the payment method,” Sjouwerman said. “It's almost untraceable.”

And data kidnappers are mindful of their further business development needs. Thus, they adhere to an honor code among thieves—reliably releasing decryption keys once their ransom demands are met so victims know their cooperation will be rewarded.

“They're good criminals,” Hite said. “They have every reason in the world to ensure that if you do your part and pay, they'll do their part to make sure the next guy pays as well.”

One vulnerability so far unexploited in ransomware attacks is with networked, computerized medical devices. Last year the FDA and the Department of Homeland Security issued warnings about vulnerabilities in several infusion pumps, and the FDA followed last summer with a recommendation that hospitals stop using Hospira's Symbiq medication infusion pump because of its vulnerability to hacking. (The company removed the device from the market and says it is working with customers still using the pumps to add protections.)

Jeremy Richards, senior vulnerability researcher at Saint Corp., a Toronto developer of security scanning tools, has taken apart and analyzed the software controlling several pumps and medication stations and found their security wanting—particularly on some popular wireless pumps.

“From the parking lot with a good antenna you'd be able to control the pumps” on a network across an entire hospital, Richards said. He's heard of no ransom demands yet, “but it's scary.”

Sprickerhoff, of the security company eSentire, worries the industry might not be capable of moving fast enough to keep ahead of the latest ransomware threats. “I know consensus is a big part of decisionmaking in healthcare,” he said. But, he added: “This is a new animal. The situation has changed so dramatically in the last six weeks. I'm hopeful, but not optimistic they can do it.”