New, Real, and Deadly Threat to Our Healthcare: Cyber Extortion

By: Drusti Gandhi

Cyber extortion, specifically attacks on healthcare organizations, has been on the rise, with no sign of stopping. Cyber extortion takes many forms, ranging from ransomware to denial-of-service and distributed denial-of-service attacks. A ransomware attack involves encrypting data, blocking the healthcare provider from accessing it, and threatening to publish it unless the attackers are paid. Meanwhile, a denial-of-service or distributed denial-of-service attack involves a continuous assault on the computer system with emails and other traffic, which results in the system shutting down. Attackers then demand money to stop the attack. With the new technological advances in healthcare, patients’ information is not the only vulnerable target. Wearable health technology and surgical robots in some areas can also become potential targets, which can lead to physical injury or even death.

Healthcare providers make an easy target for extortion attacks due to the amount of personal data they hold, their weak defenses, and the ease of attacking their systems. For some, if not most, paying the ransom is more cost-effective than recovering the data from backups. The hacking groups’ modus operandi has been to threaten to dump data online if the ransom is not paid. A hacking group named TheDarkOverlord has been behind various attacks on healthcare providers for the past 2 years.

A recent cyber extortion attack took place at Hancock Regional Hospital in Greenfield, Indiana. The ransomware attack first caused the network to run slowly, and eventually ransom notes started to appear on screens. The IT team responded by shutting down the network and calling in a third-party response firm. Although no files were stolen and patient services were unaffected, the attack’s purpose was to cause disruption. It forced hospital employees to record patients’ information on paper while the IT staff tried to block the attack and regain access to their files. The ransomware used in the attack was called SamSam, which was also used in various attacks on healthcare organizations in the U.S. over the past 12 months. Hancock Health eventually made a payment of 4 Bitcoin (about 55,000 USD at the time of the attack). Two hours after the attackers were paid, the key to unlock the encryption was supplied.

Healthcare providers are not as well equipped as major tech companies to defend their systems against these types of attacks. Most healthcare providers choose to pay the ransom rather than defend their systems or report to the authorities. One of the major failures of healthcare organizations is that they are not properly complying with HIPAA regulations. The 2017 HIPAA enforcement summary details the penalties that organizations paid to resolve violations. The report shows that organizations subject to HIPAA regulations have been failing to comply in major areas such as safeguarding Protected Health Information (“PHI”) on portable devices, conducting an organization-wide risk analysis, implementing a security risk management process, and entering into HIPAA-compliant business associate agreements with all vendors. Many of these failures open up vulnerabilities in the system, leaving them at risk.

While the threat may seem overwhelming and impossible to prevent, healthcare organizations must prepare and train to minimize the attacks. Healthcare organizations can adopt best practices provided by an Information Sharing and Analysis Organization and other providers that can discover threats to systems in time to implement defense strategies. Simple steps such as anti-malware and anti-virus software, other malware defenses, and regular backups can also provide additional security for the data. Risk analysis and risk management are the key defense strategies against cyber extortion. Training programs and regular drills to educate employees on the risk can strengthen the organization. Employees can be properly trained when it comes to opening or responding to malicious emails. The American Hospital Association (AHA) is pushing its members to enhance the cybersecurity plans in their facilities. Similarly, the Food and Drug Administration (FDA) is encouraging both manufacturers and users of medical devices to improve the use and protection of such devices. Cyber extortion threats are not stopping anytime soon and cannot be ignored anymore. New technology, and the dependence of healthcare facilities on that technology, add risks daily, putting patients’ health and information at risk. The first step of acknowledging the problem and vulnerabilities has begun. Now it is up to the authorities and organizations to implement plans to combat cyber extortion in healthcare.


Note: The views expressed above are solely those of the author(s) and do not reflect any official position taken by the Information Security and Privacy Law Student Group, the Washington College of Law, or American University at large.
