April 09, 2016 12:00 AM

Ransomware scare: Will hospitals pay for protection?

Joseph Conn
    This is what victims of a Locky-based attack see when the malware infects and encrypts their data, according to an alert from McAfee Labs.

    On April 4 an ordinary looking e-mail arrived in a clinical worker's Microsoft Outlook inbox at a small Indiana hospital. In the “From” field was the name of the hospital's new printer and fax machine paired with its official e-mail domain. The subject line was simply the word “Invoice.” That is, it all looked mundane and legit—like a routine document sent from the device.

    But that e-mail, several of which made it past the hospital's firewall, unleashed a virus that encrypted files on the worker's computer hard drive and connected to a server. A window popped up giving instructions and links to retrieve a key to unlock the files.

    King's Daughters' Health in the small town of Madison, Ind., was the victim of a so-called ransomware attack. A series of such attacks in recent weeks, including one that disabled the computer systems at MedStar Health, a much larger and more sophisticated organization based in Columbia, Md., has startled hospitals across the U.S.

    Healthcare organizations, for a variety of good and bad reasons, are slow to adopt and update their information technology. And the cybercriminals know it.

    “It's a quick and easy way to monetize weaknesses in health information security,” said Dr. Eric Liederman, director of medical informatics at the Permanente Medical Group. Dealing with ransomware adds one more item to an already crowded to-do list for clinical IT leaders, Liederman said. “My job is to try to find that balance” between clinicians' workflow needs, patient-safety requirements and security demands.

    As hospital IT teams spend much of their time and money figuring out how to meaningfully deploy electronic health records and harness the data for emerging payment and delivery models, the bad guys continue to hone their technology and calibrate their attacks, creating boom times for data defenders. With at least six hospitals targeted in the past month, healthcare leaders are scrambling for protection.

    The wares on offer include legal services, security consultancy, training, systems testing, cyber insurance, security software that runs on and defends computer systems, and remote-hosted software and services that can include fully staffed security operations centers that provide computerized and human watchdogs on the lookout for cyberthreats 24/7.

    “Business is booming,” said Eldon Sprickerhoff, founder and chief security strategist at eSentire, a Canadian provider of remote-hosted security services.

    At King's Daughters' Health, the employee who unwittingly released the malware quickly notified the IT department, which shut down all of the hospital's computer systems, including its electronic health record system. The EHR system was unscathed, although it was open on the infected computer. Still, the attack forced the hospital to go without e-mail and use paper to document patient encounters until the system's corrupted files could be deleted and replaced.

    MH Takeaways

    The recent spate of ransomware attacks has hospitals weighing whether to pay now to fortify their IT systems or risk paying criminals to unfreeze their data.

    “We knew we had a backup—I think we handled it as well as we could have,” said Linda Darnell, senior director of technology and health at the 77-bed hospital. “We saw stories from other organizations that were hit, and those stories gave us the warning to be prepared.” The hospital added some security software to monitor its systems but paid no ransom.

    “It's a troubling trend,” said Katherine Keefe, head of breach response services for Beazley, which sells breach insurance, including coverage for ransom payments. “We had our biggest (breach) incident month last month, and a lot of it was attributable to ransomware.”

    Fernando Blanco, vice president and chief information security officer at Irving, Texas-based Christus Health, said he is getting about 200 e-mail solicitations a day from vendors and consultants.

    The newest tech wrinkles in ransomware are called Locky and Samas, both used this year against healthcare organizations, according to a threat alert on ransomware issued March 30 by the U.S. Department of Homeland Security and the Canadian Cyber Incident Response Centre.

    Locky uses e-mail as a vector. It deploys a virus hidden in a document that, when opened by an unwitting e-mail recipient, launches other software that moves through an infected computer system, scrambling computer files with near-bulletproof encryption, then posts a demand that the victim pay a ransom to the hackers.

    Its signature, the .Locky extension, attaches to the data files it encrypts. It was Locky that struck King's Daughters' Health in Madison.
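
The article notes that Locky attaches its .Locky extension to the files it encrypts. The following added example, which is not from the article or the federal alert, flags a host that renames several files to that extension within a short window; the event format, host names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MARKER_EXT = ".locky"           # extension named in the article, matched case-insensitively
WINDOW = timedelta(seconds=60)  # assumed tuning value
THRESHOLD = 3                   # assumed tuning value, kept low for the small sample

# Constructed file-audit records: timestamp|host|old_path|new_path
SAMPLE_EVENTS = """\
2024-01-15T09:13:40|WS-017|S:/notes/draft.docx|S:/notes/final.docx
2024-01-15T09:14:02|WS-017|S:/billing/q1.xlsx|S:/billing/A1B2C3.locky
2024-01-15T09:14:03|WS-017|S:/billing/q2.xlsx|S:/billing/D4E5F6.locky
2024-01-15T09:14:05|WS-017|S:/hr/roster.docx|S:/hr/0718AA.Locky
2024-01-15T10:00:00|WS-042|H:/tmp/test.txt|H:/tmp/test.locky
2024-01-15T08:00:00|WS-050|H:/a.txt|H:/a.locky
2024-01-15T09:00:00|WS-050|H:/b.txt|H:/b.locky
2024-01-15T10:00:00|WS-050|H:/c.txt|H:/c.locky
this line is malformed and is skipped
"""

def parse_events(text):
    """Return (time, host, old, new) tuples in time order, skipping bad records."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, host, old, new = parts
        events.append((datetime.fromisoformat(ts), host, old, new))
    return sorted(events)

def is_marker_rename(old, new):
    """True when a file that lacked the marker extension gains it."""
    return new.lower().endswith(MARKER_EXT) and not old.lower().endswith(MARKER_EXT)

def detect_bursts(events):
    """Map each host to the time it first hit THRESHOLD marker renames inside WINDOW."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, host, old, new in events:
        if not is_marker_rename(old, new):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > WINDOW:   # drop renames that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD and host not in alerts:
            alerts[host] = ts
    return alerts

if __name__ == "__main__":
    for host, when in detect_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: burst of {MARKER_EXT} renames at {when.isoformat()}")
```

A single rename (WS-042) or renames spread over hours (WS-050) stay below the threshold, so only the burst on WS-017 is reported.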

    Samas propagates through vulnerabilities in an organization's Web servers. According to the federal alert, the server of an unnamed healthcare organization was compromised this year by Samas, which uploaded ransomware that infected its network.

    And Samas was likely the virus that attacked MedStar Health in late March, according to the Associated Press. MedStar's Georgetown University Hospital in Washington and other facilities were affected, forcing clinicians to return to paper record-keeping and knocking out at least some of its computer systems for more than a week. MedStar was not commenting about the nature of its attack.

    The cybersecurity community doesn't know yet who's behind the latest ransomware attacks, said Joseph Lawlor, associate managing director for the U.S. cyber investigations and incident response practice at K2 Intelligence. “The important thing to understand here is these aren't amateurs,” said Lawlor, a former FBI agent assigned to cybercrimes. “This is not a kid in his mom's basement. They're well-trained professionals, and they're all over the world.”

    And the gambit is extremely successful. In 2012, Symantec Corp., the Mountain View, Calif., security software developer, estimated ransomware was yielding $33,000 a day. “I would suspect they're making a lot more now,” Lawlor said.

    Like astute businessmen, data kidnappers are experimenting with various price points in their ransom demands to see what the market can bear.

    So far ransom demands have run from a few hundred dollars to a few thousand, so that victims will do the math and decide “it's the most expeditious thing to do” to make the payoff, said Collin Hite, leader of the insurance recovery group and co-chair of the data privacy and security practice at Hirschler Fleischer, a Richmond, Va., law firm.

    In March, Hollywood Presbyterian Medical Center in Los Angeles paid about $17,000 to hackers who disabled its computer network. CEO Allen Stefanek said paying up was the “quickest and most efficient way to restore our systems and administrative functions.”

    Some ransomware attackers have even optimized their software to facilitate customer interactions, such as providing victims with easy-to-follow instructions on how to acquire and transmit bitcoins, a hard-to-trace electronic currency preferred by cybercriminals.

    As any TV cop show aficionado knows, the weakest link in a kidnapping scheme comes when the ransom payment changes hands, but that problem was addressed in September 2013. It was “the date ransomware went mainstream,” said Stu Sjouwerman, CEO of KnowBe4, a Tampa Bay, Fla.-based provider of cybersecurity training services.

    “That's when Crypto-Locker (a ransomware variant) came out and took everyone by surprise with its business model of using bitcoin as the payment method,” Sjouwerman said. “It's almost untraceable.”

    And data kidnappers are mindful of their further business development needs. Thus, they adhere to an honor code among thieves—reliably releasing decryption keys once their ransom demands are met so victims know their cooperation will be rewarded.

    “They're good criminals,” Hite said. “They have every reason in the world to ensure that if you do your part and pay, they'll do their part to make sure the next guy pays as well.”

    One vulnerability so far unexploited in ransomware attacks is with networked, computerized medical devices. Last year the FDA and the Department of Homeland Security issued warnings about vulnerabilities in several infusion pumps, and the FDA followed last summer with a recommendation that hospitals stop using Hospira's Symbiq medication infusion pump because of its vulnerability to hacking. (The company removed the device from the market and says it is working with customers still using the pumps to add protections.)

    Jeremy Richards, senior vulnerability researcher at Saint Corp., a Toronto developer of security scanning tools, has taken apart and analyzed the software controlling several pumps and medication stations and found their security wanting—particularly on some popular wireless pumps.

    “From the parking lot with a good antenna you'd be able to control the pumps” on a network across an entire hospital, Richards said. He's heard of no ransom demands yet, “but it's scary.”

    Sprickerhoff, of the security company eSentire, worries the industry might not be capable of moving fast enough to keep ahead of the latest ransomware threats. “I know consensus is a big part of decisionmaking in healthcare,” he said. But, he added: “This is a new animal. The situation has changed so dramatically in the last six weeks. I'm hopeful, but not optimistic they can do it.”

    Modern Healthcare
    Copyright © 1996-2023. Crain Communications, Inc. All Rights Reserved.