Think Like a Cyber Attacker
Put yourself in the mindset of a cybercriminal for a moment. Up to now you’ve been targeting personal computers and phones with ransomware, making some fast bucks here and there, but you want to go after a bigger target on a grander scale. You want a quick but sizable payoff before moving on to the next victim. What type of organization would you target? Ideally it would be:
- An organization that deals with high-value, mission-critical data on a regular basis in an exceedingly time-sensitive manner
- An organization that demands data availability and network uptime of 100%
- An organization that doesn’t have experienced cybersecurity specialists on staff
- An organization that uses a large number and variety of unmanaged computing devices
Hospitals represent a quick but sizable payoff for hackers
So what type of organization comes to mind? How about a hospital? Hospitals deal in data of the highest value possible, the value of life or death. Sometimes this data is only relevant for a brief window of time and must be utilized within minutes of its generation. Although hospital staff are often highly educated and experienced in meeting HIPAA compliance, they are relatively new to the concept of cyber security. They also deal with a plethora of medical computing devices, many of which have no centralized management capabilities to ensure proper patching procedures.
Hospitals Under Attack from continuous phishing attempts
And these are the very reasons why hospitals have been victimized by cyberattacks with greater frequency recently.
- On February 16, 2016, an employee of the Hollywood Presbyterian Medical Center clicked a link in a phishing email. What happened next is the type of scenario that keeps IT managers up at night. The link downloaded and installed a ransomware application that infiltrated their network, forcing the IT staff to shut it down. Hospital staff members were limited to the use of pen and paper for basic medical record keeping. The hospital was forced to divert hundreds of patients to nearby hospitals and cancelled most treatments. On top of that, the radiation and oncology departments were shut down completely.
Unsure of what to do, the hospital initially contacted the LA police department. Eventually the FBI was brought in and shortly afterwards the hospital paid the attackers a ransom of $17,000 in bitcoin currency. Hospital Chief Executive, Allen Stefanek, told the LA Times, "The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key." For a hospital, paying a ransom can often be a lot cheaper than the risk of substantial payouts in possible lawsuits from patients.
Not an isolated incident
Unfortunately, Hollywood Presbyterian Medical Center wasn’t an isolated incident.
- Five days before the attack on Hollywood Presbyterian Medical Center, Lukas Hospital, based in Neuss, Germany, reported a similar infection on Feb. 11.
- Earlier in the month, a Methodist Hospital in Henderson, Kentucky was shut down for the weekend after malware invaded its systems on a Friday. In each of these attacks the hospital was able to restore its systems rather than pay the ransom.
The real reason hospitals find themselves battling malware
To say that ransomware is a growing threat would be an understatement. According to the FBI, agents investigated 2,453 attacks in 2015 that cost targets $24.1 million. But the reason why hospitals find themselves battling malware isn’t always apparent.
1) Patching.
According to the Cisco Talos Security Intelligence and Research Group, hospitals are a rich environment for malware because so many of their applications and devices go unpatched.
2) Outsourcing & mismanagement.
In addition, large IT projects are often outsourced and then forgotten about. As a result, malware finds its way into hospital networks even though they may not have been directly targeted. In one example, the heart monitors at one hospital kept rebooting after being infected with the Zotob worm. These vulnerable devices became inoperative.
3) No penetration tests or risk assessment.
Although many of the typical medical devices found in a hospital run Windows, many of them are delivered in a locked-down state, preventing the hospital from upgrading or updating them. Many devices come with only default admin accounts that can’t be modified. What’s more, many medical device manufacturers don’t perform penetration testing or risk assessments of their systems.
Fortunately, new FDA guidelines are pushing medical device manufacturers to patch long-neglected software. Many additional steps are needed, however, because, like so many organizations, hospitals are embracing technology more and more and must learn how to deal with the inherent threats of being a technology-driven organization.