The recent spate of ransomware attacks on hospitals continues. In the last few days, two more attacks on Southern Californian hospitals have been announced.
Ransomware is a form of malware that encrypts files to prevent the victims from accessing their data. Ransomware is spread predominantly via email, although web-borne attacks are also being used to install the malicious software on end user devices.
Once installed, ransomware searches for a wide range of file types and locks them with powerful encryption. Infections can also spread laterally, resulting in files on multiple computers and servers being locked.
Recent Ransomware Attacks on Hospitals
Eight ransomware attacks on hospitals have recently been reported, four of which were in the United States, with two reported infections in Canada, and two in Germany. These attacks could well be the tip of the iceberg. Not all ransomware attacks on hospitals are reported. Some healthcare providers prefer to keep attacks secret and quietly resolve the issue by paying a ransom.
Hospitals Recently Hit with Ransomware Infections
- Chino Valley Medical Center, Chino, CA
- Desert Valley Hospital, Victorville, CA
- Ottawa Hospital, Ontario, Canada
- Methodist Hospital, Henderson, KY
- Norfolk General Hospital, Simcoe, Ontario, Canada
- Lukas Hospital, Neuss, Germany
- Klinikum Arnsberg hospital, Arnsberg, Germany
- Hollywood Presbyterian Medical Center, Los Angeles, CA
In the case of infections involving the encryption of PHI, keeping quiet may not be an option. If attackers have infiltrated a network and have encrypted protected health information, this could be classed as a data breach. Ransomware attacks on hospitals are reportable unless covered entities can demonstrate a low probability of PHI being compromised. For that to be the case, a covered entity would need to prove that PHI was not accessed or viewed by the attackers.
Locky Ransomware Used in Recent Attacks on U.S. Hospitals
The recent ransomware attacks on hospitals have mostly involved ransomware called Locky, which was used in all four of the reported attacks on U.S. hospitals. The attack on Ottawa Hospital involved a variant of Cryptolocker called WinPlock, while Norfolk Hospital was attacked using Teslacrypt ransomware.
Locky ransomware replaces file extensions with the .locky suffix, but also uses powerful encryption to scramble the data stored in the files. A decryption key is required to remove the encryption, and that key is held by the attackers and only released if a ransom is paid.
Regardless of the type of ransomware used to attack hospitals, the result is the same. If a ransom is not paid, files will remain encrypted. That does not mean data will be lost if the ransom is not paid, as it is usually possible to restore encrypted data from backup files.
Hospitals are required to perform regular backups of patient data under HIPAA regulations, so a ransomware attack on a HIPAA-compliant hospital should not require the ransom to be paid in order to recover data. If backups have been performed daily, and backup files securely stored off site, loss of data should be minimal.
However, Locky and other forms of ransomware are capable of encrypting files on network drives and portable storage devices connected to an infected computer, server, or network. If the backup device has not been disconnected, there is a possibility that backup files may also be encrypted. In such cases, hospitals may have no alternative but to give in to attackers’ demands.
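Because Locky renames every file it encrypts to the .locky suffix and reaches onto network shares, a burst of such renames from one host in a file-server audit log is an early sign of an infection spreading laterally. The following detection script is an added example, not code from the original article; the log format it parses is constructed for illustration and real file-server audit logs would need a different parser.

```python
"""Flag hosts that rename many files to .locky within a short window (added example)."""
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs): "<ISO time> <host> <action> <new path>"
SAMPLE_LOG = """\
2016-03-20T09:00:01 WS-RAD-07 RENAME /shares/radiology/scan001.locky
2016-03-20T09:00:02 WS-RAD-07 RENAME /shares/radiology/scan002.locky
2016-03-20T09:00:02 WS-RAD-07 RENAME /shares/radiology/scan003.locky
2016-03-20T09:00:03 WS-RAD-07 RENAME /shares/radiology/scan004.locky
2016-03-20T09:00:04 WS-RAD-07 RENAME /shares/radiology/scan005.locky
2016-03-20T09:00:05 WS-RAD-07 RENAME /shares/radiology/scan006.locky
2016-03-20T09:05:00 WS-ADM-02 RENAME /shares/admin/notes_old.txt
2016-03-20T09:06:00 WS-ADM-02 RENAME /shares/admin/report.locky
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")
THRESHOLD = 5                  # .locky renames inside one window that trigger an alert
WINDOW = timedelta(seconds=60)  # sliding window length


def parse_events(text):
    """Yield (time, host, action, path) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, action, path = m.groups()
            yield datetime.fromisoformat(ts), host, action, path


def locky_bursts(text, threshold=THRESHOLD, window=WINDOW):
    """Return {host: peak count} for hosts with >= threshold .locky renames in any window."""
    stamps_by_host = defaultdict(list)
    for ts, host, action, path in parse_events(text):
        if action == "RENAME" and path.lower().endswith(".locky"):
            stamps_by_host[host].append(ts)
    alerts = {}
    for host, stamps in stamps_by_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):      # two-pointer sliding window
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[host] = max(alerts.get(host, 0), count)
    return alerts


def affected_shares(text, host):
    """Directories on which `host` wrote .locky files, to guide isolation and restore."""
    return {os.path.dirname(p) for _, h, a, p in parse_events(text)
            if h == host and a == "RENAME" and p.lower().endswith(".locky")}
```

A single stray rename to .locky stays below the threshold, so the alert fires only on the mass-rename pattern of an active encryption run rather than on one odd file.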
Individual infections usually see a ransom demand for a payment of 0.5 to 1.0 Bitcoin (between $200 and $400). However, ransomware attacks on hospitals have seen much higher demands made. The attack on Hollywood Presbyterian Medical Center in February was accompanied by a ransom demand of 40 Bitcoin, approximately $17,000. Hollywood Presbyterian Medical Center felt that paying the ransom was the best option. Other hospitals have not disclosed how much the attackers have asked to unlock files.
How to Protect Against Ransomware
There are two aspects of protection that hospitals must consider. The first is to prevent ransomware from being installed on computers; the second is to make sure that if an infection does occur, data can be recovered. The first requires education of the entire workforce along with security solutions such as anti-virus and anti-malware software, spam filters, and web filters.
Ransomware is commonly spread via spam email. The ransomware can arrive as an email attachment, but recent attacks have also resulted from other malware and malicious macros. Attackers may also gain access to privileged accounts via phishing campaigns and then use those accounts to install the malicious software.
Education must therefore encompass a wide range of security elements, such as phishing avoidance, email best practices, and safe Internet use. It is also essential that staff members are instructed what to do if they believe they may have inadvertently installed malware or ransomware, or if they have received a suspicious email. Fast action by IT departments can help to contain an attack and limit the damage caused.
Should ransomware attacks on hospitals occur, recovery will depend on backup systems. Ransomware may delete backup files, so it is essential that backups are stored offline. This is vital because attackers can’t be relied upon to supply functioning keys. In some cases, attackers have tweaked ransomware, making it impossible to decrypt files. The lack of a viable data backup in such cases could be catastrophic, leaving hospitals with no alternative but to pay the ransom.