The scenario is a nightmare for any hospital. Suddenly, all computer screens are stuck on a warning message: “All of your data has been encrypted. In order to unlock access to your system, you must pay $250,000 in Bitcoin.” Immediately, the entire hospital is plunged into a crisis. It is impossible for staff to look up patient conditions, or learn what treatments are required. Lives of patients are threatened. Your IT group has no idea what to do. This is the threat of so-called “ransomware” — hospital data is kidnapped until a ransom is paid.
Why do cyber-extortionists use Bitcoin? And what is Bitcoin? Bitcoin called a cryptocurrency, or a decentralized digital currency. It relies on a peer-to-peer system, which means there is no central point of control. It is open source software, so no company owns or controls Bitcoin. There is no intermediary for moving the currency from one party to another, no records, no taxes to pay, and no way to identify the party receiving the payment. All Bitcoin transactions are recorded in a giant ledger which is distributed from one network node to another. This ledger is called the blockchain. There are Bitcoin ATMs. The amount of Bitcoin is well over $10 billion dollars. In 2015, the UK bank Barclays announced it will accept Bitcoin. The price changes, but in November 2015, one Bitcoin was equivalent of around $500 dollars. There is no central repository, like a Central Bank (Federal Reserve), and no one controls the currency supply.
Bitcoin is a viable currency, and it is accepted for payment by many vendors. But it also is a favorite of criminals because there is no record of its use or transfer. No tracking, and of course no taxes. According to the FBI, “Criminals prefer Bitcoin because it’s easy to use, fast, publicly available, decentralized, and provides a sense of heightened security/anonymity.”
Ransomware, or “cyber extortion” is said to have originated in Eastern Europe in 2005. The scourge of ransomware is spreading rapidly. In the United States, attacks are expected to top $1 billion in 2016. But these estimates probably ignore the vast majority of Ransomware attacks that never are reported. According to the FBI(*), a typical ransomware payment is between $200 and $10,000. By early 2016, there were more than 4,000 reported ransomware attacks. The current rate is around 3,000 attacks per day. It is big business.
The names of ransomware programs read like a twisted hacker’s nightmare: CryptoWall, CTB-Locker, TeslkaCrypt, Samoas (SAMSAM), Locky (very popular), Conflickeer work, Chanitor, Nivdort bot, HummingBad, Triada, Ztorg, GameOverZeus. The Android OS is particularly vulnerable. There are a few groups of cyber extortionists known for exploiting ransomware. These include: the Cyber Caliphate Army (CCA), and the Brazil-based TeamXRat. But there is need to worry about these identities, because you will never know who hit you. Table 1 summarizes a few of recent ransomware attacks against hospitals.
How Hospitals Can Protect Against Ransomware
Unlike financial institutions, hospitals in general do not have as much experience in handling computer emergencies. Even though healthcare represents a large part of the economy, spending on cyber-security is less than 10% of overall security spending. In other words, the healthcare sector is under-investing in security. And this needs to change.
There are a number of steps hospitals can take to improve their defenses against ransomware. Any hospital might start with a ransomware audit. This audit would aim at developing a strategy or “Playbook” to improve network security, help educate healthcare employees on good security practices, putting in place a computer recovery plan, and developing a protocol to handle emergencies. A few options to consider are summarized in Table 2.
It is important to note that ransomware is not only an IT issue. There are important legal considerations. For example, if patient records are compromised, the healthcare provider must make notification. And this means tens of thousands of persons must be contacted, and in a timely manner.
No matter what measures a hospital takes against cyber-extortionists, the reality is that it is impossible to have 100% reliable protection against hackers. But there is much that can be done to (1) lower the chance of being hacked; and (2) ensure that if a ransomware incident takes place, it can be dealt with expeditiously and with the least harmful disruption to what is really important — helping patients.
(*) FBI, Criminals Continue to Defraud and Extort Funds from Victims Using Cryptowall Ransomware Schemes, Public Service Announcement, June 23, 2015. See also: U.S. Government, How to Protect Your Networks from Ransomware, Interagency Technical Guidance Document, n.d., available here.
Published also in RACmonitor.