Should hospitals pay up when it comes to ransomware?

Has the recent wave of ransomware attacks aimed at hospitals been a wakeup call for the healthcare industry? Or is this latest security plague just part of the new normal?

hollywood presbyterian

The Hollywood Presbyterian Medical Center is pictured in Los Angeles, California February 16, 2016. The FBI is investigating a cyber attack that has crippled the electronic database at Hollywood Presbyterian Medical Center for days, forcing doctors at the Los Angeles hospital to rely on telephones and fax machines to relay patient information.

Credit: REUTERS/Mario Anzuoni

Ransomware has become a major threat to the U.S. healthcare industry this year. The high-profile attacks that involved Hollywood Presbyterian Hospital in Los Angeles, MedStar Health in Washington, D.C., and other healthcare systems are just the tip of the iceberg. Over half of hospitals surveyed recently by HIMSS Analytics and Healthcare IT News said they had been hit by ransomware attacks in the past year. Another 25 percent were unsure whether such attacks had occurred. 

It’s not clear how many hospitals have paid ransoms to cyber-criminals to unencrypt their data and/or unlock their systems. Hollywood Presbyterian announced it had paid $17,000 to get its data back after being unable to use its EHR for 10 days. Methodist Hospital in Henderson, Ky., also reportedly paid $17,000. MedStar’s systems were at least partly down for nearly a week, but the organization didn’t say whether it had paid a ransom. 

Asked whether they’d fork over the ransom payment if hackers had encrypted their hospital’s patient data, about half of the healthcare executives in the HIMSS Analytics survey said they wouldn’t. Forty-four percent said they were unsure, and just 5 percent said they would pay. 

But experts say that the exponential growth of ransomware attacks indicates that some victims are yielding to the hackers’ demands. “The increase is related to the fact that attacks are successful because organizations are willing to pay. They will continue to rise as long as that continues to be the case,” says Nathan Gibson, director of IT operations/privacy officer for WVMI Quality Insights, based in Charleston, West Virginia. 

Low-hanging fruit makes for easy pickings? 

Another reason for the jump in ransomware incidents this year is that publicity about the attacks and hospitals’ vulnerability to them “has emboldened the bad guys,” says Mac McMillan, CEO of CynergisTek, an Austin, Texas-based IT security firm. In addition, he says, “There’s a very low risk of these people getting caught,” and there’s a potentially big payoff. 

[Related: You’ve been hit with ransomware. Now what?] 

McMillan agrees that $17,000 isn’t a huge sum for a hospital or healthcare system to pay to regain access to its data and to protect its patients and its reputation. “But the more you pay, the more it incents the hackers to do it,” he notes. “And the last thing you want to do is incent their behavior.” Also, Gibson observes, there’s no guarantee organizations will get their data back if they pay the ransom. 

On the other hand, McMillan points out, “It’s easy to say, ‘We don’t pay criminals,’ if you’re not the one who’s locked out of your system or doesn’t have access to data. At the end of the day, you want to try hard not to pay that ransom. And the best way to do that is to be prepared to deal with the incident and to recover quickly.” 

There are two basic forms of ransomware. One type prevents users from logging into the system, and the other encrypts the data; some attacks involve both kinds of malware. 

McMillan says the crypto-ware version is the more dangerous of the two. “If a hospital is attacked by malware that locks the system up, it can survive that if it has good recovery procedures and an alternate site that IT people can use to reconstitute the environment. But once your data is encrypted and you no longer have access to your data, and if you don’t have the ability to recover quickly and reconstitute and provide your data from a backup, it’s very complicated to recover from that.” 

Data backups are the key to surviving ransomware attacks. But some hospitals and physician practices don’t back up their data at all. This lack of security awareness puzzles McMillan. “It’s possible is that security is still not seen as a critical business function” in those organizations, he suggests. 

Even if a hospital or a physician group does back up its data, it might do so only on a nightly basis. So, if a ransomware attack occurs and the organization uses its data backup to continue operations, the database will be missing everything that has been entered into the system since the previous evening, notes Gibson. That’s much better than nothing, but it will still send clinicians scrambling. 

Many hospitals do near-real-time backups of data on mirrored servers. In case one server goes down, the other can take up the slack. “But if you have near real time backups, those backups will be vulnerable to attacks, because they’re online and available [to malware] on the network,” Gibson points out. 

McMillan agrees that this poses a challenge. “You want to make sure you have good access controls and good separation between those two systems so that if malware breaks out in the first system, you can sever the connection between that and the backup very quickly,” he says. 

Both experts concur that adding a second backup system could help organizations recover in case of a ransomware attack. Gibson suggests using a backup system that is offline most of the time and backs up the main system “every so often.” He’d also segment the redundant server to allow security controls to ferret out “malicious activities that can affect the backup.”

McMillan observes, “Cloud backup can be advantageous, because often, cloud vendors will back up data in multiple locations. And as soon as you know that something has been infected, you can sever that and make sure not all your backups are infected at the same time. Also, cloud vendors have good malware detectors and filters, so even if it doesn’t get caught in your environment, they may catch it before it infects the backup.” 

[Related: 4 reasons not to pay up in a ransomware attack] 

However, Gibson counters, many healthcare organizations are still wary of placing sensitive patient data in the cloud. One alternative, he says, is to segment online backup in a separate non-cloud system that uses a protocol that the malware is not trying to utilize. 

“A lot of ransomware is looking for network shares and directly accessible systems,” he says. “If you have a backup that’s using a different protocol, the malware might not be able to reach that.” 

An ounce of prevention … 

Healthcare organizations can also protect themselves by using advanced malware detectors that quickly tip off security personnel when an intrusion occurs. Older antivirus software, McMillan notes, searches for malware with known signatures; but the newer forms of malware, including ransomware, lack those signatures. So the advanced detector searches for anomalies rather than just signatures. 

“It can segregate that attachment or email or other delivery mechanism and put it in a quarantined area where it can be inspected,” he notes. “Most advanced detectors will block the unknown piece of code at the perimeter and send it to the cloud for analysis. If it’s harmless, it’ll send it back and let it through.” 

Gibson agrees that every organization should have a “gateway server that filters email and Internet traffic.” The only problem with opening up attachments in a safe area to search for malware is that, in some cases, the ransomware is not executed until it contacts the server that sent it. So it might sit there and do nothing until an organization allows it into its network. 

To protect against ransomware and other kinds of malware, says Gibson, every healthcare organization should assess its security vulnerabilities. “It’s important to have a security risk assessment and instant response plan to combat these types of threats,” he says. “HIPAA requires a risk analysis, so many of these controls and defenses should already be in place. Then it’s just a matter of continuing your security risk assessments on a continuous basis to meet new threats and enhance your security controls.”

To comment on this article and other CIO content, visit us on Facebook, LinkedIn or Twitter.
Download the CIO October 2016 Digital Magazine
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.