Hacking hospitals and holding data hostage
by Heather Zeiger | April 22, 2016
A string of hospitals in the United States have been subjected to ransomware attacks. Hackers encrypt network files and hold them hostage until the hospital pays the ransom. Because those files include patient records, the hospital has to shut down services until it either restores backup files or pays the ransom. It is an old-fashioned type of crime with a tech twist.
Ransomware dates back to the 1980s, but it has become particularly prevalent in the past two years. McAfee reports that by the first half of 2015, there were over two million new ransomware samples. While ransomware can attack at-home networks, hospitals have been a prime target. The hospital’s daily operations depend upon accessing patient data. Shut down the ability to access data, and shut down the hospital. When this happens patients may not get the care that they need, putting their lives at risk.
Since the beginning of 2015, there have been several high-profile cases of hospital hacking. Some paid the ransom; some did not. In February Hollywood Presbyterian Medical Center reportedly paid the ransom after being offline for a week. Methodist Hospital in Henderson, Kentucky, which was attacked last March, did not pay, and instead restored their data from backups. At the end of March MedStar Health had ten hospitals and 250 out-patient clinics hit with a ransomware virus.
Typically crooks demand a ransom from people who they think can pay it and who would have motives to pay it rather than report it. The health sector is lucrative. The Centers for Medicare & Medicaid Services report that health care spending in the US reached $3.0 trillion and accounts for about 18 percent of GDP. Shutting down a hospital’s network endangers lives and results in loss of funds. Furthermore, smart hackers will ask for a ransom that is substantial enough to make the hack worth it, but low enough that hospital executives will consider it easier to pay the ransom than shut down for several days risking lives and lawsuits.
To make matters worse, according to a recent article in Wired, hospitals tend to not prioritize cybersecurity, in general. Last year, after the Charlie Sheen medical blackmail scandal came out, I talked to a friend who had worked in IT at a hospital. He said that one of the problems is that doctors make decisions about how the network is set up, and often these networks are no different from the kind of network you set up at home.
Wired said that the recent string of attacks is bad because the ransomware has become more sophisticated and can quickly spread throughout the network:
“And ransomware attackers have upped the ante in recent months with attacks that encrypt not just files on an individual computer but on core servers, to prevent an entire organization from accessing shared files and databases. The really malevolent attacks also go after backup repositories that victims might ordinarily use to restore data.”
According to Health Care IT News, 50 percent of the people they interviewed said that there was an attempted cyberattack on their hospital in the last twelve months. Another 25 percent said that they did not know if their hospital was attacked or not. This is not necessarily a bad sign. It means that the majority of hospitals have faced some kind of attack but those attacks are usually thwarted. The ones that end up making the news somehow circumvented the hospital’s security systems. The standard procedure is that, once a security breach is detected and dealt with, hospitals do not reveal how the breach happened or the details of how they solved the problem. While they understandably do not want to advertise their vulnerabilities, this means that other hospitals cannot learn from their mistakes.
As a note, the Federal Aviation Agency takes an opposite approach to breaches in security, reporting exactly what went wrong and how it was handled so that it does not happen again.
Personal data held hostage
Personal data can be held hostage. MIT Technology Review reports that Cryptolocker, which debuted in 2013, was the first of a more sophisticated kind of ransomware. It worked by infecting Windows computers, encrypting all of the computer’s data files as well as any external drives so the user could not access any of their data. It would then display a 72-hour countdown timer asking the user to pay a fee in exchange for their data. It was eventually taken down by a collaborative effort between the FBI and the law enforcement agencies in the UK and the EU. It is estimated that Cryptolocker made $3 million, and because it made so much money, there have been several copycats.
Not only have these attacks increased in frequency, but experts believe smartphones and tablets will become potent targets for ransomware. And lest Apple users think they are protected from these infections, CNET reported that a new ransomware called KeRanger has recently targeted Mac users.
Hospitals are in a moral bind. If they pay the criminals, they put more hospitals at risk. If they do not pay, then patients may not receive the care that they need. Individuals are also in a bind. While lives are not at stake, their data is. Even if they report the attack, the ransomware encryption is too difficult to crack, so they often just pay the ransom. Money is usually demanded in the form of Bitcoin, an untraceable digital currency, and communication is through untraceable servers, such as Tor.
An article in PC Magazine says that while experts in cybersecurity do not suggest paying the hackers, the FBI’s Cyber and counterintelligence program has now advised most people to pay the ransom. Experts say that this only makes the problem worse because funding cybercrimes just leads to an increase in cybercrime and provides resources for criminals to make more sophisticated ransomware programs.
For now, the best way out of this moral quandary is for people to protect their data by making external backups, and to be careful when opening email attachments. Ransomware can infect a computer through disreputable websites, downloads, attachments, and USB drives. It can also come from ads that have been infected. This past March the New York Times, BBC, About.com, AOL, and several other sites had seemingly innocuous ads that were actually vehicles for ransomware. The user did not have to click on the ad for his or her computer to become infected. According to CNET:
The cyberattackers inserted ads that contained malicious software into legitimate online ad networks…The ad networks then distributed the compromised advertising, known as malvertising, to websites, which served them to visitors.
While technology may change, human nature remains the same. Bad people like making money off vulnerable people. In today’s society information is a valuable commodity, but often people and organizations do not know how to protect their data from cyberattacks.
Heather Zeiger is a freelance science writer with advanced degrees in chemistry and bioethics. She writes on the intersection of science, culture, and technology.