Protecting critical healthcare data like ePHI from dangers posed by ransomware requires an understanding of the threat. What is ransomware? How does it work? And how can we protect against it?

Ransomware refers to a form of malware that encrypts the victim’s files and demands a ransom to restore access. A study published on Issues in Information Science and Information Technology defines ransomware as a category of malicious software, which, when run, disables the functionality of a computer in some way. It is also important to note that ransomware typically attacks sensitive files, such as vital business records, business communication, financial data, databases, and personal files. File types that get encrypted include images with .jpeg or .png extensions, Microsoft Office files like Word (.docx), Excel (.exls), and PowerPoint (.pptx), Outlook email files (.pst, .msg, .ics), Adobe Acrobat files with .pdf extension, text files (.txt and .rtf), database files (.db) and many more.

In these types of attacks, hackers also display a message with instructions on how the victim can make a payment to gain a decryption key.

The screenshot above shows a message generated by the famous CryptoLocker ransomware that spread in 2013 and targeted all versions of Windows Operating System, including Windows XP, Vista, 7, and 8. The ransomware encrypted critical OS files using a combination of Advanced Encryption Standard (AES) and Rivest, Shamir, and Adleman (RSA) encryption methods. 

Ransomware attacks are on the rise because of the increased adoption of cryptocurrencies, such as Bitcoin and Monero. The rise can also be attributed to the proliferation of hacking tools and ransomware-as-a-service businesses on the Dark Web and cybercrime underworld. That makes it easy even for inexperienced hackers to easily purchase and customize ransomware tools to create sophisticated attacks used for financial gains.

The ransom is just a small part of the losses that a healthcare organization will experience if infected. Much higher is the financial and reputation impact of losing patients’ data and recovering from the attack. Such an event can be detrimental to unprepared healthcare providers and frequently results in costs exceeding multiple times initial estimates.

Statistics show that ransomware attacks on the healthcare industry have become a nightmare for many providers in the past few years. Suzanne Widup, a senior consultant at the Verizon RISK team, believes that threat actors are now targeting healthcare providers because they are “soft” targets and because previous ransomware attacks have succeeded. Above and beyond, the sensitivity of the systems and the data held in the healthcare sector creates a delicate sense of urgency, which can easily be manipulated by attackers. Timely access to a hospital system can be a matter of life and death. In such cases, healthcare providers are very likely to pay the ransom to gain access to their data.   

Cybersecurity personnel and IT professionals in healthcare also face increased challenges in securing their organizations’ systems because of numerous issues, such as the existence of vulnerabilities in their medical devices, the use of outdated operating systems, unpatched software, and uncertainties in security policies and regulations.

Phishing emails are a common method used by attackers to launch a ransomware attack on a healthcare provider. This cyber threat involves tricking unsuspicious users that the hacker is a legitimate source of an email. The contents shared between the attacker, and the victim contains links that request the healthcare provider employee to share their credentials or download a malicious document with a macro. A macro is a small program that automates common tasks and operations in Microsoft Office documents. Once the macro runs, additional programs are downloaded from a remote site and run on the user’s machine.

Ransomware can be damaging to every type of business. However, the impact on healthcare providers is much higher because the attack can prevent organizations from providing life-saving services to patients. Loss of medical records and patient history can severely impact the patient’s care process.

Ransomware attack on a healthcare provider can target the following systems and data:

One of the major ransomware attacks, the WannaCry campaign, spread among other also through healthcare providers, attacking the UK’s National Health Service. During the incident, NHS canceled crucial services, lost availability on some patient records, as well as phone communication capabilities.

In addition to WannaCry, the SamSam ransomware actors targeted healthcare organizations. A report released by Healthcare Cybersecurity and Communications Integration Center (HCCIC) shows that in 2018, eight separate incidents were recorded on healthcare and government entities utilizing this form of ransomware. The affected organizations include two Indian-based healthcare providers, a cloud-based electronic health record (EHR) provider, a New Mexico Municipality computer systems, Davidson County in North Carolina, systems, and services in Atlanta, Georgia, and others. According to the HCCIC report, the SamSam ransomware has been active since 2016. Victims reported that their data and files were encrypted with the .weapologize extension accompanied by a sorry message.

In yet a similar scenario, Hancock Health paid $55,000 following a ransomware attack that caused encryption of 1,400 patient records by hackers. The Indiana-based healthcare provider suffered a ransomware attack in January 2018. After settling the ransom requested by the attackers, Hancock Health regained access to its systems and the patients’ information. Forensic analysis of the incident revealed that the hackers gained access to the hospital systems through a remote-access portal and an outside vendor’s user credentials. Hancock Health had to part with the money since the patient portal was down, and it could have caused severe effects on the users. Moreover, practitioners at the organization used the manual method, which is pen and paper, to keep track of activities during the time the systems were down.

In January 2018, an Allscripts ransomware attack rendered some applications inaccessible. The incident affected regulatory reporting, InfoButton, clinical decision support, direct messaging, Payerpath, and EPCS systems. The attack forced the staff to use a paper or oral prescription as an alternative for pharmacist instructions and to keep track of patient records during the downtime.

Following the increased ransomware attacks on the healthcare sector, providers should be wary of their cybersecurity strategies. Based on an analysis of previous ransomware incidents in the industry, healthcare providers can implement the following measures in their data protection and safety efforts to mitigate future ransomware attacks:

In situations where an organization suffers a ransomware attack, isolate the infected devices immediately to prevent the malicious program from spreading in other parts of the network. Segregate user accounts that you suspect are compromised and involve security experts to conduct a cyber-forensics investigation on your network. Also, force password resets on all user accounts to make sure no other accounts are compromised.

As a healthcare organization, you must comply with HIPAA regulations that require you to contact relevant authorities to report the incident and seek additional assistance.

In certain cases, a ransomware victim can opt to regain system access by paying the ransom to the attackers. A good example is the Hancock Health incident discussed in this article. Infoblox 2017 study results also reveal that 26 percent of US and UK healthcare organizations would honor a ransom demand. 

However, FBI Cyber Division is of a different opinion. The authority states that paying a ransom does not guarantee that a system or a network would be made accessible again. The FBI does not recommend paying the monetary demands since it can embolden current criminals to target more systems in the same organization or others. Besides, sending money to hackers offers an incentive for other malicious actors to engage in similar illegal activities. Such payments can also be used to fund other illicit activities, such as terrorism, drug deals, or human trafficking. Last, but not least, paying the ransom involves a non-trivial process of acquiring cryptocurrency; something that is beyond the expertise of a healthcare provider.

Key barriers to enhance the cybersecurity posture of the healthcare organizations remains the lack of user awareness, outdated technical infrastructure, and the failure to invest in cybersecurity. Ultimately, proactive prevention strategies remain the key to defend against any cyber threats, including ransomware. Employee awareness training and robust administrative and technical prevention measures are crucial in safeguarding critical healthcare data and systems. Combined with a comprehensive and effective business continuity program, those measures can limit the impact of a ransomware incident. 

Healthcare providers should recognize the potential dangers of ransomware attacks as the industry becomes a popular target for such threats. Instead of waiting for the attack to happen and negotiate a ransom, healthcare providers should take proactive approaches to protect crucial patients’ data. The strategies involve ensuring that the organization is well prepared for a potential ransomware attack and has put in place a cybersecurity and continuity pan to respond to an incident promptly.

Agitare Technologies, Inc., in partnership with Sophos, offers products and services like cybersecurity training and awareness, endpoint protection and email protection, that can mitigate and prevent ransomware attacks. Use the button below to request a 30-day free trial to any of those services and protect your patients data.

Request a Security Trial