Continuing Hospital Ransomware Attacks: A Call to ActionExperts Offer Insights on Preventing, Mitigating Attacks
As MedStar Health completes its recovery from a recent malware attack that led to a temporary shutdown of most of its systems, other U.S. hospitals continue to struggle with similar attacks, many of them involving ransomware.
Among the latest victims of ransomware is Kings' Daughters' Health, which operates an 86-bed hospital and physicians' office in Madison, Ind.
So, what steps do healthcare organizations need to take in light of the surge in malware attacks? One critical step, security experts say, is diligent software patching and update practices. That's because the lack of prompt patching may have played a role in the MedStar attack, one news report, disputed by MedStar, alleges. Another key step involves educating staff about the risks of phishing emails, which often include malicious attachments. Plus, a key to being prepared to bounce back after an attack is implementing detailed offline and offsite system and data backup plans.
Although ransomware and other malware attacks on hospitals have recently spiked, it's likely that this is the work of many attackers, rather than related assaults, says Mac McMillan, CEO of the security consulting firm CynergisTek.
Lysa Myers, security researcher at security services firm ESET, also suspects that attacks on hospitals are being launched by several different groups. "The word is out in the criminal underground: Hospitals can be lucrative targets, and many are still poorly protected. My hope, with all the coverage about hospitals being hit, is that this serves as a wake-up call and motivates hospitals to start performing thorough risk assessments and moving quickly to mitigate those risks," she says.
Series of Incidents
In an April 4 statement concerning its recent security incident, Kings' Daughters' Health says, "most electronic systems ... are back online following a March 30 cyberattack in which a computer virus known as Locky was identified on a single user's computer. In response to the ransomware virus, KDH intentionally shut down its computer systems until it was safe to resume normal operations."
The Indiana provider did not immediately respond to an Information Security Media Group request for comment. Its statement, however, says no patient data had been compromised by the attack. "The Locky virus encrypts files and requests payment - a ransom - for the keys to unlock the encryption," the statement notes "Hospitals across the country have been under attack with various forms of ransomware."
Indeed, several hospitals across the U.S. - including MedStar on the East Coast, Methodist Hospital in Kentucky, and several California hospitals have fallen victim to malware attacks in recent weeks. Those attacks follow a ransomware assault in February on Hollywood Presbyterian Medical Center, which acknowledged it paid extortionists a $17,000 ransom in Bitcoin to unlock patient data.
Another recent malware victim is Alvarado Hospital Medical Center in San Diego, which is owned by Canada-based Prime Healthcare, reports the San Diego Union Tribune. Neither Alvarado Hospital nor Prime Healthcare immediately responded to an ISMG request for comment.
Two of Prime Healthcare's other hospitals in California - Chino Valley Medical Center and Desert Valley Hospital - reported "server disruptions" on March 18 that were linked to ransomware, a spokesman told ISMG on March 23 (see Hospital Ransomware Attacks Surge, So Now What?).
MedStar has acknowledged that it was a victim of a malware attack, but the organization has not yet confirmed that ransomware was involved, as has been alleged in several news reports. MedStar also did not respond to multiple ISMG requests for comment.
Meanwhile, the Associated Press reports that the MedStar hackers apparently exploited unpatched design flaws in a JBoss application server supported by Red Hat Inc.
"The U.S. government, Red Hat and others issued urgent warnings about the security problem and a related flaw in February 2007, March 2010 and again earlier this week. The government warned in 2007 the problem could disrupt operations and allow for unauthorized disclosures of confidential information," the AP reports.
MedStar on April 6 issued a statement apparently designed to discount the AP report. "Our partner Symantec, a global leader in cybersecurity, has been on the ground from the start of the situation and has been conducting a thorough forensic analysis. ... In reference to the attack at MedStar, Symantec said, 'the 2007 and 2010 fixes referenced in the article were not contributing factors in this event.'"
Myers of ESET, tells ISMG: "I cannot stress this enough: Updating your software is absolutely crucial. The JBoss flaw is almost a decade old."
When analyzing incidents, such as the malware attacks on MedStar and other hospitals, "we need to take a step back to look at the larger picture of the infrastructure and ask what were the specific controls for the server," says Ronnie Tokazowski, senior researcher at security vendor PhishMe.
If AP's MedStar report is accurate, Tokazowski says, "a JBoss application server was running out-of-date software, which led to the compromise of the system. This could have occurred from an external compromise of the web server, or the attackers could have started out with a foothold in the enterprise. In this case, it was more than likely an external system that was compromised, which could have let the attackers use this as a point of access for infection."
If the MedStar attack involved an external compromise, it serves as a reminder that other organizations "should keep their web servers patched and install proper security controls onto servers in the DMZ to not allow attackers to pivot further into the network," Tokazowski says. "If the attackers had a foothold within the network prior to the JBoss compromise, there is a high chance that this attack started with a phishing email, as we've seen with many APT breaches. By conditioning users to not click suspicious links in emails, this would have helped mitigate the attack, given that they had a foothold first."
Steps to Take
As ransomware and other malware attacks on hospitals escalate, organizations must take several critical steps.
"The lesson here is an old one," McMillan says. "Instill better discipline in the regular blocking and tackling chores - inventorying, hardening, configuration management, patch management, change control, vulnerability testing, system refresh, etc.," he says.
Threat analysis vendors report that "more than 90 percent of breaches involve vulnerabilities more than a year old," he notes.
To avoid falling victim to the kinds of ransomware attacks hitting the healthcare sector, McMillan says organizations must take three steps. "One - improve how we protect the enterprise; ... two - invest in the right technologies to enhance our ability to detect attacks; and three - review and update response and recovery processes and plans to include external support."
Myers says it's vital to apply software updates promptly, including for operating systems, browser software and plugins. "Use anti-malware software, and make sure it too is regularly updated and scanning your files," she adds. "Having a firewall or intrusion prevention software may also be helpful in preventing the ransomware from encrypting your files. Hospitals should also assess their exposure level. Performing an audit of platforms and systems could help to ensure your organization is aware of potentially vulnerable points."
Recovering from Ransomware
Offline and offsite backups are critical to prompt recovery from a malware attack, Myers stresses. "Ransomware will often try to encrypt online backups that are accessible from affected machines," she notes.
It's also important to test backups regularly to make sure that they work and are not also affected by ransomware, she adds. "If you have a viable backup, ransomware is really a non-issue - you just replace files from a known clean copy and you're good to go."