Ransomware: Healthcare Fights Back
Regulator, Lawmakers Mull New Steps to Protect Targeted Entities
A surge in ransomware attacks on hospitals is driving healthcare organizations large and small - as well as lawmakers and law enforcement agencies - to consider new and improved approaches to dealing with this evolving threat.
For healthcare providers, that includes the now-common advice to reassess breach prevention and disaster recovery plans. But on the legislative front, that includes potential new criminal laws related to ransomware attacks. And on the regulatory front, that includes new guidance currently in the works by the Department of Health and Human Services' Office for Civil Rights.
"This is a real issue for every CIO," says Leslie Krigstein, vice president of Congressional affairs at the College of Healthcare Information Management Executives, an association of CIOs and CISOs. "We've heard from one of the large east coast health systems that they turned away over 1 million ransomware emails in the month of March alone."
Krigstein says she recently spoke to a CIO at a rural, 130-bed community hospital, and it had nearly 3,500 attempted penetrations on its network on Mother's Day alone.
"If this is happening to a small hospital in a very rural area, then it's happening to everyone," she says (see Hacker Attacks in Healthcare: What's Changed in 2016 So Far?).
In the latest high-profile ransomware attack, Kansas Heart Hospital, a small Wichita-based, 54-bed acute care facility, reportedly fell victim on May 18. Hospital leaders made the difficult choice to pay an undisclosed ransom. But then extortionists reportedly demanded an even bigger ransom in order to provide complete access to files (see Ransomware: Is It Ever OK to Pay?).
It was at that point that the hospital decided to pay no more, Dr. Greg Duick, the hospital's president, reportedly told local CBS-affiliated television station KWCH.
Kansas Heart Hospital did not immediately respond to an Information Security Media Group request for comment.
Law enforcement agencies generally advise against ransomware-infected organizations paying a ransom to unlock their data, warning that the payments encourage more attacks, and that there is no guarantee that data will be unlocked.
Is the Kansas Heart Hospital incident a sign that some cyber-attackers are changing their tactics against healthcare entities? Some expert observers have doubts.
"It is out of character for criminals behind ransomware to operate in this manner, based on what we've all seen since ransomware started," says Keith Fricke, a principal consultant at consultancy tw-Security.
"Criminals invest time and money in their ransomware and want a return on their investment," Fricke says. "They make good on their end of the bargain when paid by a victim, regardless of it being an individual or a company. I feel this is anomalous behavior," he says.
The hard lesson, Fricke says, comes back to ensuring that data can be recovered from backups, so that entities avoid being held for ransom in the first place.
Supply and Demand
Since 2015, massive assaults on the healthcare sector have affected over 100 million individuals - including nearly 79 million people impacted by the Anthem Inc. breach that was disclosed in February 2015.
The surge in stolen healthcare data is a likely factor prompting attackers to turn to ransomware for a quick buck, some experts say.
"[Cybercriminals] have hacked so many records that the value is starting to decrease on the black market," Krigstein says. Attackers recognize that they can get a lot more money for shutting down a hospital system or blocking access to a network than for posting identities from the data ... out of the electronic health records of a hospital network, she says.
As a result, ransomware and other cyber attacks are surging for healthcare entities large and small.
Taking Proactive Measures
All organizations should be prepared to deal with potential ransomware attacks by restoring data from current backups, Fricke says. "The HIPAA Security Rule requires disaster planning capability," he adds. And those plans need to be reviewed and enhanced in light of these latest attacks.
John Nye, a senior penetration tester at security consulting firm CynergisTek, says there is no magic bullet in dealing with ransomware and other attacks. However, he suggests organizations take action to address "two critical points of weakness" that leave organizations open to these attacks.
That includes providing staff and clinicians with a training platform that actively engages users to adhere to security and privacy policies, he says.
Another key factor promoting the success of ransomware attacks is the number of systems that have not been properly patched, Nye says. "Keeping all systems up to date is critical to the security of an organization, [but] the crucial point is that the current crop of ransomware is targeting very specific vulnerabilities. These should be patched as soon as possible."
Lawmakers and regulators are also examining what they can do to help address the growing ransomware problem.
The California state legislature is considering a bill that would "make it a crime for a person to knowingly introduce ransomware into any computer ... or computer network." The bill would make a violation punishable by imprisonment for two to four years and a fine not exceeding $10,000. The bill also specifies that prosecution under that provision does not prohibit or limit prosecution under any other law.
Ratcheting up the prosecution of extortionists could help in the bigger picture, Krigstein says. "Showing we can fight them and bring them to justice - [that] will go a long way."
But not everyone is convinced that tougher ransomware-related criminal laws would help.
"Because many of the ransomware attacks come from overseas - many from Romania - I think legislation sounds good, but it will likely be a waste of time and taxpayer money," says Tom Walsh, founder of consultancy tw-Security. "Even if they did catch someone, then there are extradition rules/treaties" to complicate matters, he says.
The new OCR guidance, which will supplement other ransomware-related cyber-awareness material OCR released in February, is expected to address requirements for reporting breaches involving ransomware attacks to OCR and to affected individuals. Many healthcare organizations have reportedly been confused about what reporting requirements they face in the wake of such attacks.
Still, ransomware attacks aren't the only concern for healthcare entities. "CIOs and CISOs will tell you that ransomware is just the threat of the day, it's another malware strain," Krigstein says. "But the threats are going to mature, and we'll probably see something new in the very near future."