Hackers show it's easy to take a hospital hostage
At least one facility was forced to pay thousands to get its computers back online. Here's your prevention plan.
Hospitals work very hard and spend a lot of money to keep their facilities secure, and that includes making sure the computer systems that keep things running and contain patient information are safe.
Sometimes, though, this preparation isn't enough. Take Hollywood Presbyterian Hospital: On February 5, an unknown hacker was able to virtually hold the hospital hostage, seizing control of its computer system and forcing the administration to pay a ransom to regain control.
Such an act is apparently easier than one would think. The computerized assault on Hollywood Presbyterian occurred when hackers used malware known as ransomware to infect the hospital's computers, preventing staff from communicating using the affected devices, according to a February 18 report in the Los Angeles Times. The disruption caused some patients to be transferred to other hospitals, postponed some procedures such as CT scans, and prevented some patients' medical records from being accessed, according to an NPR report.
"The malware locks systems by encrypting files and demanding ransom to obtain the decryption key," said Hollywood Presbyterian CEO Allen Stefanek in the Times report. "The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this."
The hacker, who still remains anonymous, originally demanded $3.4 million to restore the computer system. After almost 10 days of offline computers, the hospital paid a negotiated ransom of about $17,000 to get access back. The ransom was paid in the form of 40 bitcoins, an electronic currency that is largely anonymous, making it almost impossible to track the person who receives the money.
According to a CNBC report, the hospital was forced to rely on paper registrations and medical records while its computer systems were down, and many incoming ambulances were diverted to other hospitals. The report also said that ER functions were affected, and fax lines were jammed due to lack of access to email. The incident at the 43-bed acute care facility drew the attention of the FBI, which has not said if a suspect has been identified. Patient safety was apparently never in jeopardy, according to hospital officials quoted in published reports.
Cyberattacks are nothing new; at least 158 medical facilities, including medical providers, insurers, and hospitals, have reported being hacked or having some form of IT issue that affected patient records since 2010, the Times reported. In July 2015, hackers accessed the computer systems of the UCLA Health System, jeopardizing the security of as many as 4.5 million patients. In August 2014, hackers broke into the computer systems of Community Health Systems, a network that operates 206 hospitals in 28 states, and stole data from another 4.5 million patients. The loss of the information, protected under HIPAA, opens up the hospitals to potential lawsuits from victims affected by the breach.
"It's no different than if they took all the patients and held them in one room at gunpoint," said California State Senator Robert Hertzberg, who on February 17 introduced legislation to make a ransomware attack equivalent to extortion and punishable by up to four years in prison, according to a Reuters report, a sign that ransomware attacks may be on the rise.
Just two days beforehand, on February 15, FBI officials arrested Martin Gottesfeld, 31, of Somerville, Massachusetts, who was accused of hacking the computers of Boston Children's Hospital back in April 2014 in a protest against the medical treatment of a Connecticut teenager, according to a report in The Boston Globe. The weeklong attack on the hospital's computers crippled the hospital's website, disrupted its day-to-day operations, and affected its research. Gottesfeld was connected with the hacker group Anonymous, the Globe reported, and the hospital had to spend more than $18,000 on response and mitigation efforts to fix its computers.
In this particular case, hospital officials may have been so alarmed by the loss of computer control that they paid the ransom before calling police. In addition, while hospitals normally keep quiet about these sorts of things out of embarrassment and a desire to discourage future hackers, rumors about the hack were reportedly spread by staff members of the hospital, according to the Reuters report.
"Medical facilities in the area plan to consult cybersecurity experts on how to protect themselves," said Jennifer Bayer, a spokeswoman from the Hospital Association of Southern California, in the report. "Hospitals are certainly now aware of ransomware more than they ever were before, and this has become a very real threat."
How does ransomware work?
While cyberattacks that involve stolen information are relatively common, ransom attacks that demand money to restore systems are a somewhat new phenomenon, one that can be frightening to hospitals given the sensitive nature of patient data, not to mention the need to keep crucial life support and emergency communication systems running.
"Hacking in the '90s was all about reputation; it's now turned into less of a hobby and more of a business," says Travis Smith, senior security research engineer at Tripwire, a Portland, Oregon-based cybersecurity firm. Smith says that before 2010, most cyberattacks happened through annoying adware and scamware designed to collect information that hackers could then sell to third parties. With the advent of ransomware, which is designed to find and encrypt files such as .jpg photo files and PDFs, locking them up until a code is used to access them, hackers have found a way to turn stealing information into a business for themselves. Thanks to anonymous payment options such as bitcoins, they are virtually guaranteed not to get caught.
"We are evolving now into a time where they can actually monetize it themselves," Smith says. "They can get paid very quickly."
On top of everything else, there's usually an expiration date to the offer. If the hospital held ransom chooses not to pay, it may risk losing its data and computer system access forever, so there's virtually a guarantee that the hackers will benefit financially from their efforts.
"People have a very emotional connection to their data; it's equivalent of losing pictures in a fire," says Smith. "If you don't pay for it, they throw away the key, and it's essentially impossible to get your information back. Even the FBI says if you get hit, you have to pay the ransom."
According to the CNBC report, ransomware programs first appeared in 2013; since then, 56 types have emerged, which adds to law enforcement's inability to track the "gangs" that troll the Internet looking for victims. Also according to the report, research firm Forrester singled out the healthcare industry as a No. 1 target for ransomware in 2016.
In fact, the San Diego-based Identity Theft Resource Center reports that there were a total of 53 data breaches recorded through February 2, 2016, and that more than 1 million records had been exposed in just the two months since the beginning of the year. Stolen healthcare records amounted to just under 40% of those breaches.
"It's very troubling because there are going to be more," says Smith. "The hackers see they can get $17,000, so you are going to see businesses targeted more and more. The cost of restoring the data may be higher than paying the ransom."
Preventing system hacking
In many cases, preventing hackers from gaining access to crucial patient information and computers that could control critical facility infrastructure from security locks to HVAC systems is not rocket science, and there are many IT security firms out there dedicated to helping protect healthcare facilities. The key is to do something, not expect to handle it all yourself, and constantly upgrade your IT security capabilities, because as the ransomware situation shows, the threat is evolving almost on a daily basis.
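The earlier description of ransomware, which finds and encrypts files such as .jpg photos and PDFs, points to a check a defender can run on a file share: an encrypted file loses its format header and its content looks random. The following Python sketch is an added example, not code from the article or from any firm quoted in it; the function names, the 7.5 bits-per-byte threshold and the three sample files are assumptions constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter

# Magic bytes that intact files of each type begin with.
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".pdf": b"%PDF-"}
ENTROPY_LIMIT = 7.5  # bits per byte; assumed threshold, tune per environment

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0 for empty input, 8.0 at most."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: str, sample: int = 4096) -> str:
    """'ok' if the header is intact; 'suspect' if it is gone and the content
    looks random (as ciphertext does); 'mismatch' if gone but not random."""
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is None:
        return "skipped"
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if head.startswith(magic):
        return "ok"
    return "suspect" if shannon_entropy(head) >= ENTROPY_LIMIT else "mismatch"

def scan(root: str) -> dict:
    """Map every .jpg/.jpeg/.pdf under root to its classification."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files):
            if (verdict := classify(path)) != "skipped":
                results[path] = verdict
    return results

def demo() -> dict:
    """Scan three constructed sample files written to a temp directory."""
    samples = {
        "scan.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 200,  # intact JPEG header
        "chart.pdf": os.urandom(4096),  # random bytes stand in for ciphertext
        "note.pdf": b"plain text saved under the wrong extension",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(body)
        return {os.path.basename(p): v for p, v in scan(d).items()}

if __name__ == "__main__":
    print(demo())
```

The header test comes first because intact JPEGs and PDFs are compressed and score high on entropy anyway; a sudden rise in "suspect" files on a share is the signal worth alerting on.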
- Continuously upgrade security software. So you bit the bullet and decided to spend $79.99 to install Norton Antivirus on the nursing department's computers to help guard against online threats? That's a start, but it's not going to be enough. Smith says that in 2015, 200,000 pieces of malware were being created every day. That's far more than the average computer security software can keep up with, and it's why you shouldn't try to face the problem alone. A dedicated IT professional should be able to upgrade your facility's servers and computer devices with the latest antivirus software. Software vulnerabilities, such as misconfigurations and failure to update applications such as Internet browsers with the latest security upgrades, can lead to ransomware exploiting your system's weak spots. Outside software should have the latest security upgrades, and any in-house software should be tested for loopholes that could affect security.
- Train your employees. Hackers, and the software they use, take the path of least resistance when trying to find their way into your computers. That's usually the human element. "Hackers are smart, and they know how to social engineer people," says Smith.
Think about it. How many of your staff members check their personal emails, go on Facebook, or do a little harmless browsing if they have any free time? All it takes is for them to click on a malicious link on an insecure website, or open an email attachment from a sender they don't know, and their computer could be infected with a virus or ransomware that could make their way through your hospital's network.
"You need to teach your staff not to click on links or attachments they didn't expect," Smith says. "Also, definitely don't plug in that strange USB drive they found in the parking lot. Security training will definitely reduce your attacks."
In addition, staff should be trained to never give away or share their passwords, and passwords should be changed on a regular basis. Staff should also avoid setting up shared or default profiles that work around security measures.
- Restrict access. Not every employee in your hospital needs to have access to the same information, nor should they. Remember that the more people who have access to files, computers, software programs, or hard drives, the higher the risk that a malicious program will find its way into your computer system.
"There's probably a lot of information your receptionist doesn't need," Smith says. "Malware gets in that way." IT experts call this the "concept of least privilege," in which a person is only given access to information he or she needs.
- Consider cloud backup. What would your hospital do if it lost all the patient data, security information, SDS information, survey records, and other information crucial to keeping the facility and its patients safe? Well, it wouldn't be able to remain in business, but you can add network mitigation costs, network countermeasures, loss of productivity, legal fees, costs for IT services, and the purchase of credit monitoring services for employees or customers to the list too, according to the FBI's Internet Crime Complaint Center.
Some cybersecurity firms recommend that hospitals consider using a service network that will automatically upload all crucial information to the cloud. This way, if there ever is a loss of data (not just from a hacker, but also other incidents, such as major power loss), that information will be retrievable from a reasonably recent point in the near past.
"Real-time replication is so important because you have a technology that's saving every 30 minutes of information," says Henry Martinez, VP of sales engineering for Vision Solutions, an Irvine, California-based IT security firm that specializes in disaster recovery software and consulted with many hospitals who lost crucial data after Hurricane Katrina in 2005. "If you have an emergency 15 minutes later, those 15 minutes are very important. It can mean patient information that doesn't get to the surgical suite."
Computer protection tips
Editor's note: The following is a list of computer protection tips offered by the FBI.
The same advice parents might deliver to young drivers on their first solo journey applies to everyone who wants to navigate safely online. A special agent in our Cyber Division offered the following:
"Don't drive in bad neighborhoods."
"If you don't lock your car, it's vulnerable; if you don't secure your computer, it's vulnerable."
"Reduce your vulnerability, and you reduce the threat."
Below are some key steps to protecting your computer from intrusion:
Keep your firewall turned on. A firewall helps protect your computer from hackers who might try to gain access to crash it, delete information, or even steal passwords or other sensitive information. Software firewalls are widely recommended for single computers. The software is prepackaged on some operating systems or can be purchased for individual computers. For multiple networked computers, hardware routers typically provide firewall protection.
Install or update your antivirus software. Antivirus software is designed to prevent malicious software programs from embedding on your computer. If it detects malicious code, like a virus or a worm, it works to disarm or remove it. Viruses can infect computers without users' knowledge. Most types of antivirus software can be set up to update automatically.
Install or update your antispyware technology. Spyware is just what it sounds like: software that is surreptitiously installed on your computer to let others peer into your activities on the computer. Some spyware collects information about you without your consent or produces unwanted pop-up ads on your Web browser. Some operating systems offer free spyware protection, and inexpensive software is readily available for download on the Internet or at your local computer store. Be wary of ads on the Internet offering downloadable antispyware; in some cases these products may be fake and may actually contain spyware or other malicious code. It's like buying groceries: shop where you trust.
Keep your operating system up-to-date. Computer operating systems are periodically updated to stay in tune with technology requirements and to fix security holes. Be sure to install the updates to ensure your computer has the latest protection.
Be careful what you download. Carelessly downloading email attachments can circumvent even the most vigilant antivirus software. Never open an email attachment from someone you don't know, and be wary of forwarded attachments from people you do know. They may have unwittingly advanced malicious code.
Turn off your computer. With the growth of high-speed Internet connections, many opt to leave their computers on and ready for action. The downside is that being "always on" renders computers more susceptible. Beyond firewall protection, which is designed to fend off unwanted attacks, turning the computer off effectively severs an attacker's connection, be it spyware or a botnet that employs your computer's resources to reach out to other unwitting users.