Encryption & Key Management , Governance & Risk Management , Next-Generation Technologies & Secure Development
Hollywood Hospital Pays Ransom to Unlock Data9 Steps to Take to Avoid Being the Next Extortion Victim
Hollywood Presbyterian Medical Center acknowledges paying a $17,000 ransom to unlock data seized earlier this month by cyberattackers.
And while experts generally caution against paying ransom to de-encrypt compromised data - saying it's much preferred to take other preventative steps to avoid becoming a victim of attackers - some organizations do fold under the pressure to get their critical data back quickly.
In a Feb. 17 statement, Allen Stefanek, president and CEO of the Hollywood, Calif. hospital explains why his organization decided to pay the ransom.
"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this." Stefanek adds that "reports of the hospital paying 9,000 Bitcoins or $3.4 million are false. The amount of ransom requested was 40 Bitcoins, equivalent to approximately $17,000."
While experts generally advise against paying extortionists, sometimes entities - especially hospitals - feel they have little choice in order to get their operations back to normal as soon as possible.
"As a matter of principle, you don't want to see the ransom paid, therefore reinforcing the behavior, and as a practical matter paying doesn't always guarantee relief," says Mac McMillan, CEO of security consulting firm CynergisTek. "But the hospital had to make the decision that was in the best interests of the public and the business. It's easy to stand on principle when you are not the one looking down the barrel of the ransom demand."
In the statement, Stefanek says the incident did not affect the hospital's delivery and quality of patient care. "Further, we have no evidence at this time that any patient or employee information was subject to unauthorized access."
Attorney Brian Finch, a partner at law firm Pillsbury Winthrop Shaw Pittman LLP, says the hospital's choice "was the only decision they could make. If you don't catch ransomware in time, the victim is in a terrible position. Even the NSA would have a hard time cracking the encryption."
Ransomware attacks on the healthcare sector are an increasingly common occurrence, as was highlighted most recently by this case, as well as others involving hospitals elsewhere, including Germany (see: Ransomware Hits Hospitals).
"The attackers know how critical patient information is to healthcare delivery and how little the industry focuses on its protection," McMillan says. "It's an attractive target."
"This threat is very profitable for the actors, and we're seeing many organized threat actor groups coming into play due to this fact," says Daniel Nutkis, executive director of the Healthcare Information Trust Alliance.
HITRUST is best known for its Common Security Framework, but also offers an indicator of compromise feed that identifies ransomware domains during "deep-web monitoring." HITRUST says the feed shows active ransomware payment domains, as well as the most common gateways used by extortionist to permit payments by victims.
Ransomware attackers "are organized and sophisticated and will continue until the threat becomes unprofitable, which we don't see happening in the near future," Nutkis says.
But it's not just healthcare entities that are at risk. "We have seen an increase in ransomware attacks targeting healthcare organizations, but not disproportionate to other sectors across the globe due to the success of this threat to the actors behind them," Nutkis says.
Hollywood Presbyterian's Stefanek says that on Feb. 5, "staff noticed issues accessing the hospital's computer network. Our IT department began an immediate investigation and determined we had been subject to a malware attack. The malware locked access to certain computer systems and prevented us from sharing communications electronically."
As recommended by experts, the hospital quickly notified law enforcement. p>
The hospital restored its electronic medical records system on Feb, 15, Stefanek says. "All systems currently in use were cleared of the malware and thoroughly tested. We continue to work with our team of experts to understand more about this event."
Steps to Take
Experts say there are key steps that organizations can take to prevent falling victim to these attacks, as well as measures to take if they do get hit with a ransomware attempt.
The Department of Health and Human Services recently issued new guidance aimed at building cyber-awareness, especially around how to avoid falling victim to ransomware. Those steps include measures such as backing up data onto segmented networks or external devices and making sure backups are current (see OCR Cyber Awareness Effort: Will it Have an Impact?).
To defend against ransomware attacks, it's important to take a multi-pronged approach, says Mark Dill, principle consultant of consulting firm tw-Security and former long-time CISO at the Cleveland Clinic. "You can only attack this problem in a layered way - no one single fix will both reduce the likelihood and lower the harm."
Dill says he recommends a combination of the following steps:
- Back up data: "For workstations, the My Documents folders should be redirected to a network drive and backed up regularly - so that an org has data to restore," he says. For mobile workers with a laptop, "I recommend a well-vetted cloud service that has reasonable controls...that will sign a [HIPAA] business associate agreement." It's also important to change the retention period for data backups to one month, he says. li>
- Improve workforce awareness: Consider tools that phish users, and when they open the email or click on the attachment, they are tutored on how they should've been alerted that this was a phishing attack.
- Consider using AppLocker to create a blacklist/whitelist: you especially want to disallow Cyrptolocker variants from launching on Windows devices. Also, consider stripping away all email attachments. However, "while it works... it doesn't seem practical in many settings. Also, be aware that many email filters will just quarantine the files - if a user requests a copy and then clicks, this control is defeated," he says.
- Review the rights on shared drives: "If the infected user only needed to read files but was given 'write' access - trim back rights where possible; this malware needs to write in order to encrypt," Dill says.
- Ban all personal web-mail and surfing on corporate devices: However, "depending upon an organization's culture, be prepared for worker backlash," he notes. Also, require employees to use their personally-owned mobile device through a "guest" wireless network for accessing their personal webmail accounts.
- Consider next generation anti-malware tools that use advanced math to predict malware: "Traditional antivirus suites are having difficulties blocking ransomware variants, especially the zero-day versions," Dill notes.
- Evaluate advanced persistent threat tools: "Some variants of Crypto provide an initial/silent infection first; then the infected device reaches out to command and control servers to get the encryption key. FireEye and tools like this can block or alert on the activity," he says. "An organization will still have an infected devices, but the malware can't achieve its objective/payload."
- Implement intrusion prevention systems: "They block some of the command and control traffic - check with your provider to confirm if this is an additional feature that you are not yet licensed for," Dill says.
- Refine web filtering to block bad traffic: This includes blocking traffic to and from foreign countries that your organization is not actively doing business with; and quarantining or blocking inbound email traffic that comes from a newly created domain.
If an entity becomes the target of a ransomware attack, it's usually not too difficult to spot, says Joey Johnson, CISO of Premise Health, a provider of on-site wellness programs for employers. "You'll get a desktop wallpaper change with an image and/or text file telling you that your data has been encrypted. Once that happens, your trouble has arrived."
If an organization does become victim of a ransomware attack, restoring data is the top priority, especially if a shared department folder has also been encrypted, Dill says, adding that using a combinations of the above security controls "creates a defense-in-depth strategy that works and avoids [a negative] outcome."
Nutkis says it's important to quickly locate and isolate the system from the environment. "Recover from backup if possible, and [contact] law enforcement to aid in prosecuting the threat actors behind the attack."
Nonetheless, if entities still fall victim to ransomware attacks, despite their best efforts to avoid those scenarios or mitigate the situation, some may end up opting to pay the ransom.
"Depending on the hospital's readiness to recover and ability to do that, paying - despite how distasteful or risky - may still be the prudent decision," McMillan says.