Ransomware in Hospitals: What Providers Will Inevitably Face When Attacked

One Friday, Sally, a member of a local hospital’s finance team, received an overdue billing statement from a Salesforce.com e-mail. Because it is the end of the month, she considered this e-mail a routine part of billing and reporting. Sally opened the e-mail, as well as the attached contract in Word format. Suddenly, the screen of Sally’s monitor turned to a red warning screen..

Sally froze. She had heard about cyber threats in training, but in a Salesforce.com billing statement? Who would be as sophisticated as that? Sally immediately picked up the phone and called the IT department.

Too late.

Sally had just experienced a highly advanced cybersecurity breach known as ransomware—this one specifically referred to as CryptoWall (CW). In the following moments, Sally, IT, hospital executives, nurses, doctors, and patients would discover that valuable database files had been locked. Because of the threat to hospital operations and the emergency department, patients were moved to another physical facility for care.

Typically, the only way for the hospital to regain access to its information is to pay the hacking agent a requested fee using Bitcoin. Directors of the hospital Board are now faced with the decision: Pay or don’t pay?

According to the regular cyber threat reporting of NTT Group, a global solutions company that provides next-generation managed security services, ransomware recently accounted for 30% of malware activity. The ransomware Sally encountered, CW, accounted for nearly half of the reported ransomware attacks from June to November 2015.(1) During January 2016, Solutionary has already observed nearly 3,100 possible CW infections, all sourcing from the United States.(2) Such CW emails come in the disguised form of Salesforce.com or even official IRS e-mails during tax periods.

Healthcare providers are discovering they are a soft target for highly sophisticated cybercriminals.

Healthcare providers are discovering they are a soft target for highly sophisticated cybercriminals. It is nearly impossible for ransomware victims to crack a hacker’s crypto keys. The FBI is even on record advising ransomware victims to just pay.

A very similar case to Sally’s situation occurred recently, on February 5, 2016, at Hollywood Presbyterian Hospital. An original ransom of $3.4 million was whittled down to $17,000.(3) This is not unusual. Typically, the ransom team wants a quick payday. They will even provide customer service by offering the crypto keys to a couple of locked files to show goodwill. One estimate quoted by the head of the Federal Trade Commission (FTC) indicated more than $27 million was paid in the first two months after CryptoLocker ransomware was released, with many of the individual payments ultimately being less than $1000.(4)

The most recent ransomware attack took place on March 28, 2016, with MedStar Health, a Washington, DC–based hospital chain. Prior to this attack, three other hospitals—Methodist Hospital in Henderson, Kentucky, Chino Valley Medical Center and Desert Valley Hospital in California—were held by ransomware around March 23.(5)

You’ve Become a Victim Of Ransomware: What’s Next?

Now, back to Sally and her hospital’s Board of Directors. All board members have gathered in a large conference room, and the burning question they face now is: Should they pay? Does the Board have options? Simply put: Yes.

If the hospital has been preemptive in its security planning, it can refuse to pay.

As long as the hospital has been preemptive in its security planning, it can refuse to pay. Has the IT team created appropriate backups of databases and storage? Is there already a business continuity plan in place in case of such situations? A robust disaster recovery plan would include several alternatives. Are other security controls, especially monitoring, threat intelligence, and incident response, hardened to ensure the current ransomware risk is isolated? If encryption has been applied to network drives, shares, and removable media, the hospital has increased confidence that any outgoing data cannot be opened. Further, if the IT team has composed end-user privileges using a segregation-of-duty model, that also will assist in isolating the threat. Furthermore, if the hospital does pay, it will likely be added to a ransomware “payers list,” potentially making this the first of many more incidents.

On the other hand, the hospital should pay if it has a questionable backup and no business continuity. If security controls are lacking, the hospital may be vulnerable in other IT domains. Basic security hygiene (e.g., application patches and updates) is another open door the ransomware could already be violating or inviting other hackers to join. Board members in the room are reminded security controls should also include hardware. For example, recent Cisco, Juniper, and Fortinet updates and notices around security vulnerabilities have been communicated to customers. Does the hospital have physical devices from any of these vendors? Of even greater concern are not just IT devices but the “keep current” status of MRI scanners and IV pumps. Those, too, can be used as backdoors for hackers. Speaking of vendors, how current are the business associate agreements with third parties? The impact on business costs can also be mitigated if the hospital has appropriate cybersecurity insurance.

An organization’s Chief Information Officer (CIO) and Chief Information Security Officer (CISO) must be equipped to respond to these questions in case of an attack. This information will ultimately determine the final decision.

Government Organizations Will Take Notice

Either way, the hospital needs to take swift action. A “war room” should be created. Those attending should include the obvious actors: CEO, CIO, CISO, IT Directors (Application, Data, Network), and the HIPAA lead for both federal and state regulations. In addition, the hospital’s legal representative should be present, as well as a public relations officer. A representative from the hospital’s insurance company should also be available, for two coverage reasons: property and personal [patient] liability, and cybersecurity insurance coverage. Another individual who should also be considered for the war room is a representative from law enforcement, such as the FBI.

As the operational key players in the war room weigh their options, the Board of Directors must concern themselves with their governance mandate. They will have to update their quarterly and annual reports with details about the security incident and steps taken. Board members are not only fretting about HIPAA—there are now even more well-funded Federal players overseeing the security landscape: the Security and Exchange Commission (SEC) and the FTC. Both are heavily staffed with legal teams, budgets and legal authority. In contrast, their HIPAA counterpart, the Office for Civil Rights, has hardly even begun to conduct audits.

A healthcare provider previously would not have considered the SEC a concern for security oversight. However, the SEC is now requiring companies to disclose cyber risks and material breaches. This agency is now providing guidance on how companies accurately report their security disposition. Ignorance is no longer an excuse.

The FTC is also playing a more active role in protecting consumers. In August 2015, the FTC’s case at the Third Court of Appeals against Wyndham Worldwide Corporation proved Wyndham failed to uphold promised security with a lack of firewalls and basic protections (United States Court of Appeals for the Third Circuit, No. 14-3514; Federal Trade Commission v. Wyndham Worldwide Corporation). The FTC also plays a dominant role in federal government action against cyber threats. Its Computer Crime and Intellectual Property Section (CCIPS) has 270 prosecutors focused on high-tech crimes and espionage. Their involvement with last summer’s takedown of the global CryptoLocker ransomware scheme, known as Gameover ZeuS, shows their ability to enforce policy.

Returning back to the war room: members have become numb to the HIPAA “Wall of Shame.” What will now make them sit up in their chairs is the possibility of the SEC and FTC walking through the door. The SEC now expects full transparency in reporting out to shareholders. Past disclosures will need to be examined by the Board. Regarding a Form of Disclosure for the hospital’s ransomware incident, a supplemental disclosure should be immediately crafted. At minimum, the annual obligation is to disclose in the SEC 10-K annual report material information about special risks, followed by updates on previous disclosures. If the hospital Board identifies the recent ransomware breach as a major breach, an SEC 8-K special report should be filed immediately to notify investors of specified events.

The FTC expects not only consumer protection, but also some reporting of breaches to the CCIPS. The Caremark claims litigation case provides a landmark legal precedent in enforcing board governance of corporate controls (In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996)). It stated the Board of Directors’ “duty of care” was negligent with internal controls, allowing employees to commit criminal offences. The Caremark decision thus asserted that a Board of Directors has a duty to ensure appropriate information and reporting systems are in place to provide the Board and top management with timely and accurate information.

How Do We Move Forward?

As Board members craft a governance response, they will also reevaluate their cybersecurity insurance. Yes, they can foresee not only that their premiums will increase, but also that their ceiling of coverage will be lowered. They can now only hope to prove to their insurance carrier they are taking appropriate action to not be at risk again.

When Sally returns to work on Monday, she will most likely come back to end-user security training, for herself and the entire staff. She (and they) will have to keep up with a global threat. RaaS (Ransomware-as-a-Service) is as established as any private sector industry. Hackers can sign up to a RaaS on the Dark Web. They are then provided access to an affiliate console. There they can walk through the process of receiving their ransomware exploit kit. They will configure settings and campaigns of which targets they would like to attack. There are even metrics on success rates, installations, and how much ransom to demand.

Poor Sally. She is up against a global movement. There is hope, though. By implementing a preemptive security model, Sally’s hospital can harden its security surface area. Sally’s training will also be critical. This is where leadership from the Board of Directors becomes critical.

All organizations need a proactive and comprehensive cybersecurity plan. However, although many operations have the “right” plan and necessary hardware, software, and processes in place, the reality is that many do not have the time and resources to implement their response plan and fulfill the necessary documentation requirements for HIPAA, the SEC, and State regulations, in addition to ensuring business continuity. Therefore, to get started, healthcare organizations must focus on the four pillars of security:

• Governance risk and compliance;

• Security monitoring and management;

• Threat intelligence; and

• Incident response.

Furthermore, organizations must layer their efforts from basic responsiveness to advanced responsiveness, and, finally, become preemptive. A variety of capabilities exist within the four pillars and the three layers that should be prioritized and preferably automated (Figure 1). It is essential to enlist the right outside talent to conduct this effort immediately. Finally, once this strategy is developed and implemented, companies must conduct an internal review and gauge where teams will align with internal security: be out of the security business, own some of it, or close the gaps. Ensure there is balance between managing the unexpected and current resources.

Figure 1. Four pillars and three layers of cybersecurity preparedness. IR, incident response; IRP, incident response plan; PHI, protected health information; SDLC, systems development life cycle; SLA, service level agreement; SOPs, standard operating procedures.

In Sally’s case, after following this advice, the future of the hospital’s security, brand and revenue is in the hands of the Board of Directors. All has been laid out for them to do. But will they do it?

Will decision-makers just respond to the breach and return to business as usual? Will the Board commit the appropriate funding and resources? Will Sally receive improved training?

The hackers downloading the next exploit kit off the Dark Web are expecting that the hospital will not do any of those things.

References

1. Microsoft Malware Protection Center. Figure 2. [Crowti]. https://www.microsoft.com/security/portal/mmpc/shared/ransomware.aspx .

2. Solutionary Security Threat Report-2016. https://www.solutionary.com/threat-intelligence/threat-reports/monthly-threat-reports/ 2016/01/security-threat-report-january-2016/ .

3. Ragan S. Ransomware takes Hollywood hospital offline, $3.6M demanded by attackers. CSO Magazine. February 14, 2016; http://www.csoonline.com/article/3033160/security/ransomware-takes-hollywood-hospital-offline-36m-demanded-by-attackers.html .

4. Assistant Attorney General Leslie R. Caldwell. Remarks at the Georgetown Cybersecurity Law Institute, Washington, DC. May 20, 2015; https://www.justice.gov/opa/speech/assistant-attorney-general-leslie-r-caldwell-delivers-remarks-georgetown-cybersecurity .

5. Mannion C. Three U.S. Hospitals Hit in string of ransomware attacks. NBC News. March 23, 2016; www.nbcnews.com/tech/security/three-u-s-hospitals-hit-string-ransomware-attacks-n544366 .