To Pay or Not to Pay, That is the Question
healthcaretechoutlook

To Pay or Not to Pay, That is the Question

By Bryan Smalley, Enterprise Security Architect, Orlando Health And Avani Desai, EVP, Schellman

 

Note: “Healthcare Tech Outlook incorrectly listed Mr. Smalley’s job title in the original article as “Director IT/Client Technical Services”. This has been corrected to reflect his correct job title at the time”

Bryan Smalley, Enterprise Security Architect, Orlando Health

Healthcare and Ransomware 

Ransomware is one of the most sinister types of malware. It often originates in a phishing or spear phishing email and once a machine is infected, all of the data – in whatever format or even in remote repositories–is encrypted. After encryption, the malware is programmed to display a pop-up message to the user telling them that if they want their data decrypted, they will have to ‘pay up.’ To add salt to the wound, the payment demand is often in the crypto-currency, Bitcoin, so the perpetrator can’t be easily traced.  

“If the organization cannot restore its data in a timely manner, it will have to weigh the cost-benefit of paying the ransom” 

Ransomware has existed for many years, however, new and destructive variants have been discovered earlier this year that could declare 2016 to be “the year of ransomware”. Symantec reported that in 2014 ransomware attacks increased by around 45X and McAfee Labs found an increase of 165 percent in Q1 2015 alone. According to the Dept. of Justice, victims reported paying out over 24 Mn dollars in 2015. One of the noticeable profiles of ransomware is that they tend to target smaller organizations that are unlikely to have easy access to IT security departments. at least half of the victims affected appear to be paying the ransom, with payment being delivered through a network of encrypted and anonymized channels that prevent discovery of where the ransom is going.  

Now it seems that the ransomware cybercriminals are targeting hospitals. In 2016 this includes three U.S. hospitals, as well as the Hollywood Presbyterian Medical Center, which ended up paying the equivalent of 17,000 dollars in Bitcoins to the hackers after ‘Locky’ ransomware denied access to its patient medical record system, forcing them back to paper record keeping and redirecting patients to other healthcare facilities. Similarly, a hospital in Kentucky had to declare an internal state of emergency to deal with the situation. 

Why Healthcare? 

Health data has been shown to be the most valuable of all personal information. The Ponemon Institute’s 2015 Costs of Data Breach Study report found that health data was worth more than any other data set at 363 dollars per record. Healthcare records are good business for cybercriminals, as evidenced by some of the biggest cyber crimes in recent years such as the Anthem and Blue Cross data breaches where millions of healthcare records were stolen.

Avani Desai, EVP, Schellman

The Ransom 

Ransomware can be tough to remove, so the best way to manage a ransomware attack is not to get infected in the first place. A recommended defense-in-depth approach – one that focuses on both prevention and response, and knowing how it initially enters an organization is important. Ransomware is usually received through an email. These emails are phishing emails, or if more targeted, ‘spear’ phishing emails. The latest spate of email born ransomware was discovered by ESET. The email containing the malware looks very legitimate and carries an attachment, usually in the form of a zip, purporting to be an invoice. If the recipient opens this zip, it will run a Trojan program and infect the computer and associated network with the ransomware.

The list below outlines approaches to preventing ransomware: 

1. Employee awareness and training: Phishing email awareness and training initiatives can help reduce the likelihood of ransomware infections. Ensure your workforce understands how to identify phishing emails – especially those with attachments or links to suspicious sites. We need to also be aware of another form of phishing email, spear phishing that is far more concerning. Spear phishing is targeted to certain individuals or departments; those that likely have privileged access to critical systems and data and can be difficult to identify. Focusing user awareness training efforts towards these individuals is highly recommended.  

2. Patch management: Ransomware looks for vulnerabilities in software applications and systems to perform harmful actions. In one recent example, a Baltimore hospital was hit with a variant of ransomware that searched and exploited JBoss application servers, locking employees out of their data. Establishing processes for identifying and remediating vulnerabilities is an essential step towards mitigating the effects of ransomware. Make sure software and OS updates are done regularly and strongly consider immediate patching for any critical vulnerabilities on public facing systems.  

3. Back up your data: Having mature backup and restore processes – especially within a context of business continuity and disaster recovery planning – is generally the most effective method of recovery should a ransomware outbreak occur. But get assurances your backups are good; conduct periodic testing to validate data and systems can be restored.

4. Filter unwanted file types: If possible, use an email gateway to filter executables, .zip files, macros, .tar, .gz and other files that should not be sent over email. Better yet, tune the email gateway to inspect all attachments for embedded malicious code and block or quarantine accordingly.  

5. Access control: Adhering to a strict access control model can 1) potentially prevent ransomware and other malware from compromising a computer system outright, and 2) limit its spread across a network after the fact. Malware runs with whatever level of access users have, so if those users do not have full control of a computer system or on network share folders, ransomware likely won’t either. Granting only explicit access to specific share folders across a network rather than ‘full access for everyone’ is recommended.  

6. Endpoint protection: Endpoint protection suites, including anti-virus, can prevent ransomware infections using features like signature matching of known bad malware, behavioral analytics, file reputation evaluation, IPS, download protection, and device control.  

7. Browser settings: There are variants of ransomware that target browsers, locking an image on a page and perhaps showing a warning notice with steps to pay a ransom. Disabling scripting in the browser can be a good proactive first step.  

8. Disconnect from the network: If you do suspect you may have accidentally clicked on a file that contains ransomware, disconnect from Wi-Fi and the network immediately. Once you see the ransomware popup window appear, shaking you down for cash to get your data back, it’s too late.

But the question remains, should you pay the hackers to get your data back? The FBI has sent mixed signals on the subject. In October, 2015, they put out a note which stated on the subject of paying the ransom:  

“…And most ransomware scammers are good to their word…You do get your access back.” 

However, by May, 2016 they pulled a 180 and stated they do not recommend paying the extortionists. FBI Cyber Division Assistant Director James Trainor commented on the topic, “there is no guarantee an organization will get its data back” and paying the bad actors emboldens them to continue targeting other organizations, indirectly supporting their criminal activity.  

Answering the question of whether to pay or not may ultimately depend on how well an organization is prepared should they get locked out of their data. If the organization cannot restore its data in a timely manner, it will have to weigh the cost-benefit of paying the ransom. Questions of, what is the criticality of the data that was locked, how much of it was locked, whether patient care was affected, and how quickly can data or systems be restored, need to be asked in order to make an informed decision.  

If the ransom is paid, there are no guarantees if 1) the decryption method will be delivered, 2) if it is, will really unlock the data, or 3) if this or other ransomware won’t hit the organization again, and again. With so many uncertainties, prevention and solid disaster recovery planning looks like a better option.  

With that said…how are those backups looking?

Read Also

Integrating RTH solution to Adopt Remote Working Employees

Integrating RTH solution to Adopt Remote Working Employees

Dave Gravender, CIO, Alameda Health System
Synergy between CIO and CMO: A Boon to the Organization

Synergy between CIO and CMO: A Boon to the Organization

Scott Terrell, SVP & CIO, HealthMarkets, Inc.
Quality and Safety Boards: A Lesson in Proactive Pediatric Health

Quality and Safety Boards: A Lesson in Proactive Pediatric Health

Brian Jacobs, MD, VP, CMIO & CIO, Children’s National Health System

Weekly Brief