Experts say that the problem will only get worse, and exponentially so. Still, much can be learned from the recent WannaCry attack.
There are parasites in every ecosystem. In the increasingly technology-reliant healthcare ecosystem, they have evolved into multiple species. Some siphon silently, but ransomware can carry a paralyzing sting.
The most recent example was the widespread WannaCry attack, which crippled computers worldwide and briefly devastated the United Kingdom’s National Health Service. That one attack, experts say, brings into focus a continually growing threat that looms over the healthcare industry.
To date, millions in fines have been paid to the US Department of Health and Human Services’ Office for Civil Rights (OCR) related to data breaches, including a record $5.5 million settlement from a Florida health system earlier in 2017. As the number of breaches rises, so likely will the fines.
MORE BLATANT ATTACKS
Though such breaches often take place in silence, as was the case in 2015’s huge hack of Anthem, other actors will use blatant means like ransomware. May’s WannaCry attack raised international alarm bells on that front, as it ripped through unprotected computers, including hundreds in the United Kingdom’s National Health Service (NHS).
“Ransomware is really exploding—ransomware as a service. It has become an industry in and of itself. They develop it and then they sell it,” says Brian Balow, JD, Member, Dawda Mann PLC. “This is really an unintended byproduct of the Affordable Care Act, with its information technology and data requirements.”
Although the big attacks make headlines, “the prevalence of this is much higher than what we read in the press,” Balow noted in his speech at HIMSS17.
In January, the FBI announced that payments made to ransomware entities may have topped $1 billion in 2016, skyrocketing from less than $30 million paid out the year before. An NBC News story from the time quoted an IBM Security expert referring to it as “like some sort of gold rush.”
Cyberattackers are relying on healthcare providers’ overconfidence in or lack of knowledge of their IT network’s security, according to the federal Health Care Industry Cybersecurity Task Force’s long-awaited report on cybersecurity weaknesses that was released in June.
“Recent high-profile incidents, such as ransomware attacks and large-scale privacy breaches, have shown this vulnerability assumption to be false and provided an opportunity to increase education and awareness about the benefits of cybersecurity in the health care community,” according to the report.
Although massive data-mining attacks that compromise patient information are more insidious, officials tell providers to treat ransomware incidents as equally severe. In the wake of WannaCry, the US Department of Health and Human Services put out a notice that despite its differing nature, “OCR presumes a breach in the case of ransomware attack.” Whether or not patient data is stolen, any attack that displays technological deficiency may still incur a fine.
WHAT KEEPS THE EXPERTS AWAKE AT NIGHT
The different varieties of breaches have very different effects. A possible silver lining is that ransomware is a much more short-term threat than the subtler large-scale hacks in which thousands or millions of patient records are stolen. One is like holding up a single chain drug store and the other is like embezzling millions from the corporation itself.
The problem lies in the fact that health facilities such as hospitals can’t afford to be held up. When WannaCry jammed up hundreds of NHS computers in the United Kingdom, staff were forced to record information by manual means. The breadth of devices in a health setting and the importance of their tasks means even if valuable patient data isn’t breached, patients themselves might be at risk.
“Devices. That’s what keeps me up at night,” says Joe Riccie of WithumSmith+Brown. The firm audits companies in multiple industries, including healthcare, for potential security weaknesses and opportunities for impropriety. “Devices have a longer shelf life than a regular computer. A regular laptop maybe lasts 3 to 5 years. But a medical device can last 10 to 15 years. And how often do you think the firmware on that device is updated?” Not frequently enough, if at all, he says. Though such a case may not yet have emerged, the explosion of the internet of things creates the very real potential of life-saving medical procedures or diagnoses halted by a ransomware attack.
At the height of the WannaCry attack, Forbes reported on Bayer radiology equipment in a US hospital being rendered frozen by the attack. In a field where timeliness is essential, the threat of ransomware halting use of important diagnostic and treatment equipment is particularly pertinent. The Health Care Industry Cybersecurity Task Force document warns of sophisticated ransomware attacks “that hold IT systems and patient-critical devices hostage.”
A key hurdle is the operating system on healthcare devices. “The devices typically operate in kiosk mode, meaning that only the parts of the operating system related to the application are visible to the user, and you can’t go outside of that,” explains John Suit, the chief technology officer at Trivalent Corp. In mimicking the user, the malware is able to create its own service in the task scheduler and wreak havoc, with little forewarning for the user until the ransomware message appears.
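The scheduled-task behaviour Suit describes is something a defender can watch for on a kiosk-mode device, because a single-purpose imaging workstation should almost never create new tasks from an interactive account or launch binaries from a user profile. The following is an added example, not code from the article, Trivalent or any vendor: it reads a constructed JSON-lines export of Windows Security event 4698 (“A scheduled task was created”) and flags tasks that break those two assumptions. The field names mirror the real event’s data, but every value is invented, and the trusted-directory list and the service-account rule are assumptions a site would tune to its own fleet.

```python
"""Flag suspicious scheduled-task creation on a kiosk-mode medical device.

Added example (not the article's or any vendor's code). Input is a constructed
JSON-lines export of Windows Security event 4698; values are invented.
"""
import json
from dataclasses import dataclass

# Constructed sample export: three task-creation events and one unrelated logon
# event (4624) to show that non-4698 records are ignored.
SAMPLE_LOG = r"""
{"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan", "Command": "C:\\Windows\\System32\\usoclient.exe"}
{"EventID": 4698, "SubjectUserName": "kioskuser", "TaskName": "\\svchost", "Command": "C:\\Users\\kioskuser\\AppData\\Local\\Temp\\svchost.exe"}
{"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": "\\Vendor\\ImagingBackup", "Command": "C:\\Program Files\\Vendor\\backup.exe"}
{"EventID": 4624, "SubjectUserName": "kioskuser", "LogonType": 2}
""".strip()

# Assumption: legitimate tasks on this device only launch binaries from these
# directories (compared case-insensitively).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Assumption: only built-in service accounts create tasks on a kiosk; the
# locked-down interactive user never should.
SERVICE_ACCOUNTS = {"SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


@dataclass
class Finding:
    task_name: str
    user: str
    command: str
    reasons: list


def parse_task_events(log_text):
    """Return only the event-4698 records from a JSON-lines export."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        if record.get("EventID") == 4698:
            events.append(record)
    return events


def assess(record):
    """Return the list of reasons a task-creation record looks suspicious."""
    reasons = []
    command = record.get("Command", "").lower()
    if not command.startswith(TRUSTED_DIRS):
        reasons.append("task binary lives outside trusted directories")
    if record.get("SubjectUserName") not in SERVICE_ACCOUNTS:
        reasons.append("task created by an interactive account on a kiosk device")
    return reasons


def find_suspicious_tasks(log_text):
    """Parse the export and return a Finding for each record with any reason."""
    findings = []
    for record in parse_task_events(log_text):
        reasons = assess(record)
        if reasons:
            findings.append(
                Finding(record["TaskName"], record["SubjectUserName"],
                        record["Command"], reasons)
            )
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_tasks(SAMPLE_LOG):
        print(f"{finding.task_name} by {finding.user}: {finding.command}")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

Run against the constructed export, the Windows Update and vendor backup tasks pass both checks, while the task named to look like a system service but launched from a Temp folder by the kiosk user is reported with both reasons. In practice the two allow-lists are the tuning knobs: a vendor that installs under a non-standard path, or a maintenance account that legitimately schedules jobs, is added there rather than by loosening the rules.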
The loss of valuable data in a health breach does not usually have an impact on the healthcare network’s day-to-day operations, explains Riccie’s colleague, Anurag Sharma, a principal in Withum’s cybersecurity team. “There is a more long-term cost associated with those breaches,” he said. “Whereas if you look at a ransomware attack, that has a far greater impact in the short term. Even if you are not losing the data…your operation comes to a standstill, and depending on the size of your operation and the type of community you are serving, that can have a bigger impact, if not a bigger impact in dollar terms.”
The news of WannaCry had Suit and his colleagues at Trivalent “sort of freaking out a little bit, until we got to analyze what they were doing.” He says his company was able to breathe somewhat easier after doing some analysis of WannaCry, given how their technology works. Rather than simply encrypting files, it literally shreds them to bits and stashes the components across the system in which they are stored, putting a “tombstone” file in its place. Such methods protect against data theft and ransomware, since the malware protocol can’t find the files to lock the user out.
Still, Suit says, “We’re not arrogant enough to think no one could figure out what we’re doing. Who knows how good these guys can get, and they get better every day, right?”
HOW TO PROTECT AGAINST ATTACKS
A 2-fold ransomware attack, one that locks up operations in the front while exporting valuable data through the back door, has yet to be confirmed. Of course, that possibility exists, Suit says. While health systems have increasingly become targets for ransomware, many attacks (like WannaCry) wander blindly into medical machines. Early on, British Prime Minister Theresa May indicated that there was “no evidence” that NHS patient records were stolen during the attack.
Targeted or otherwise, the threat of ransomware will continue to evolve. If WannaCry was not originally intended to compromise health systems, as it appears, its prowess in doing so will likely encourage others seeking to cause harm in one of the world’s most lucrative industries. This was the case in February 2016, when the Hollywood Presbyterian Medical Center paid $16,664 (in the form of 40 bitcoins) to alleviate a ransomware stranglehold.
In the short term, systems small and large are left with a relatively simple protocol. Although the most recent headline-making ransomware attack used leaked National Security Agency information to find and exploit weaknesses and reproduce itself organically, most ransomware is straightforward. Phishing scams are the primary entry point for malevolent software, and the same diligence that medicine itself requires may be needed to protect the act of administering medicine.
Simple preventative knowledge and behaviors remain logical and critical. Training employees to recognize questionable requests is paramount, in addition to constantly reminding them of the seriousness of digital threats.
According to Riccie, mankind’s propensity to be duped is still the weakest link in a health system’s overall security. Unsurprisingly, he says, his firm’s audits find that workers are most likely to be tricked into giving up system access on Friday afternoons.
Otherwise come Monday, the health system may find itself at a huge loss and a standstill.