Ransomware attacks on Healthcare

The 2017 Ransomware attacks on Healthcare or: How I Learned to Stop Worrying and Love Ivanti.

The American healthcare industry was attacked for the first time by a multi-headed ransomware monster. Ivanti’s Patch for Windows can help hospitals, clinics, and health systems mitigate these attacks.
wannacry screenshot
By establishing and maintaining agile, effective patch management Ivanti has a solid solution for hospitals in the age of ransomware. How did hospitals and clinic come to rely upon Ivanti? First a look back on the tumultuous year in healthcare:

Overview

US Healthcare reached a tipping point in 2017. Ransomware attacks forever changed the medical data security landscape. Cyber attacks on hospitals are not new. Yet in 2017 ransomware created a four-headed monster never seen before across healthcare systems. Work outside healthcare? Let’s take the red pill.

The US Department of Health and Human Services (HHS) protects the health of all Americans. The National Institutes of Health (NIH) is a subsidiary of HHS. The US Federal Drug Administration (FDA) provides oversight for medical device cybersecurity.
Your Personal Health Information (PHI) is stored in medical records across multiple healthcare facilities. From large metropolitan hospitals and health systems to rural clinics and small doctor’s offices, your PHI data is governed by the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Healthcare facilities were literally on the front lines of global cyber attacks. As the year progressed, new attacks would only grow worse. Hospitals have dedicated Clinical Engineering (CE) teams. CE is a specialty within biomedical engineering and is primarily responsible for managing medical device technologies to optimize healthcare delivery.
The Emergency Care Research Institute (ECRI)  is a nonprofit organization dedicated to the discipline of applied scientific research. ECRI provides critical resources to global healthcare facilities including medical device best practices and PHI data alert vulnerabilities.

A ransomware primer in three parts:

1. Ransomware is not new
Long before ‘ransomware’ was a television storyline, malware that encrypted files was known as CryptoLocker in September 2013. In October Infosecurity Magazine published CryptoLocker: The Ransomware There’s No Coming Back From. A year later it was TorrentLocker and BitCrypt. BitCrypt is a type of ransomware that steals funds from Bitcoin wallets. Cybercriminals begin using the cloud service model to introduce Ransomware as a Service (RaaS) that would push strains over 752% in 2016.

2. PHI remains highly valuable on the dark web
Cybercriminals sell, buy and barter stolen data on the dark web. Now place the Target credit card breach into context: Banks can quickly issue new cards to consumers and invalidate the stolen Primary Account Numbers (PAN). The stolen cards are worthless on the dark web. Most regrettably, you cannot edit your stolen PHI data. Your PHI can be sold and then re-sold on the dark web for many years. In light of the 2017 massive Equifax breach, it may hard to overlook Anthem’s 37.5 million data breach of PHI in February 2015. It has been suggested Anthem’s stolen PHI data could sit idle for 20 years before criminals begin reselling your data.

3. The Shadow Brokers, Wikileaks, and the CIA
The wildcard that changed everything. The Shadow Brokers published very powerful hacking tools from the National Security Agency (NSA). Nation states, cybercriminals and even teenagers could download, modify and create new attacks based upon very sophisticated hacking tools written by the CIA.

2016 – Setting the stage

On February 5th The Hollywood Presbyterian Medical Center. The tipping point for ransomware attacks across Healthcare. California’s Hollywood Presbyterian, 434-bed short-term acute care hospital was bitten by Locky ransomware. This attack made national headlines and started a year-long conversation with the healthcare industry.

The Medical Center paid $17,000 in bitcoin to decrypt their medical files and restart operations. Their payment gave the green light to cybercriminals to target hospitals without impunity. However, ransomware attacks upon hospitals were well documented:

January 20th – TripWire
22 Ransomware Prevention Tips
February 16th – CNBC
The hospital held hostage by hackers
February 17th – Ars Technica
Patients diverted to other hospitals after ransomware locks down key software
February 17th – The Atlantic
A Hospital Paralyzed by Hackers
February 21st – TrendLabs
Cybercrime and Other Threats Faced by the Healthcare Industry
March 16th – Wired Magazine
Why Hospitals are the perfect target for ransomware
March 17th – Forbes
Ransomware-As-A-Service: The Next Great Cyber Threat?

July 12th: HHS issues new guidance

To address a growing threat, HHS issues Factsheet: Ransomware and HIPAA (PDF link). Two key aspects for hospitals:

#3: Can HIPAA compliance help covered entities and business associates recover from infections of malware, including ransomware?
Yes. The HIPAA Security Rule requires covered entities and business associates to implement policies and procedures that can assist an entity in responding to and recovering from a ransomware attack. Because ransomware denies access to data, maintaining frequent backups and ensuring the ability to recover data from backups is crucial to recovering from a ransomware attack. Test restorations should be periodically conducted to verify the integrity of backed up data and provide confidence in an organization’s data restoration capabilities. Because some ransomware variants have been known to remove or otherwise disrupt online backups, entities should consider maintaining backups offline and unavailable from their networks.
Page 2
#6: Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?
When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule. Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements.
Pages 5-6

This new eight-point guidance was crafted to help healthcare facilities understand how to confront ransomware attacks. HHS provides healthcare entities additional Cyber Security Guidance Materials.

July 24th – Wired
A CLEVER NEW TOOL SHUTS DOWN RANSOMWARE BEFORE IT’S TOO LATE
July 26th – TrendMicro
Economics Behind Ransomware as a Service
August 9th – TrendMicro
Outsourcing crime: How Ransomware-as-a-Service works
September 2nd – TrendMicro
RaaS: Ransomware Operators Find Ways to Bring in Business
September 4th – IBM
Cybercrime-as-a-Service Poses a Growing Challenge
September 14th – Apress
Cybersecurity for Hospitals and Healthcare Facilities
September 29th – TrendMicro
The Rise and Fall of Encryptor RaaS

2017 – The year of attacks

After years of growth, new ransomware strains were in place and easy to script. The wildcard no hospital could have projected: leaked CIA and NSA cyber tools.

January 1st – Ars Technica
LA Community College paid $28,000 to free itself from ransomware
March 17th – Wikileaks
Publishes Vault7, the CIA’s cyber warfare tools
March 17th – Barkly
RAAS is Booming: Here is what you need to know
April 11th – Accenture’s Digital Trust Survey
Are you 1 breach away from losing a healthcare consumer?

April 14th – Bleeping computer
Shadow Brokers Publish the Password for the Rest the Stolen NSA Hacking Tools
April 14th – Ars Technica
NSA-leaking Shadow Brokers just dumped its most damaging release yet
April 15th – Ars Technica
Mysterious Microsoft patch killed 0-days released by NSA-leaking Shadow Brokers
May 5th – Wired
HOW AN ACCIDENTAL ‘KILL SWITCH’ SLOWED FRIDAY’S MASSIVE RANSOMWARE ATTACK

For cybercriminals and nation states, Wikileaks provides CIA tools to create new, more powerful ransomware attacks. EternalRomance and EternalBlue would prove to be the tools of choice targeting Microsoft’s Windows vulnerabilities. Microsoft quickly issued a Security Bulletin on March 14 to patch these vulnerabilities.

May 12: WannaCry ransomware attack

American healthcare organizations awoke to morning news of a new widespread, global ransomware attack across England’s National Health Service. Initially, reports seemed to indicate the ransomware attack was a larger version of the Hollywood Presbyterian Locky attack. By Sunday WannaCry proved to be a global monster for healthcare.

The most severe impact was upon Emergency Departments (ED) across the UK forcing first responders to be redirected to hospitals not (yet) impacted by WannaCry. Some UK healthcare facilities were forced to shut down. Many scheduled procedures were postponed.

The Health Information Trust Alliance HITRUST, a privately held not-for-profit organization that collaborates with healthcare, law enforcement, technology and information security leaders. HITRUST issued early WannaCrypt alerts via their Cyber Threat XChange (Healthcare only access).

May 12th – Ars Technica
Massive ransomware attack hits UK hospitals, Spanish banks
May 12th – Wired
An NSA-derived ransomware worm is shutting down computers worldwide
May 13th – Wired
4 WAYS TO PROTECT AGAINST THE VERY REAL THREAT OF RANSOMWARE
May 14th – Wired
WHAT IS RANSOMWARE? A GUIDE TO THE GLOBAL CYBERATTACK’S SCARY METHOD
May 13th – Ars Technica
WCry is so mean Microsoft issues patch for 3 unsupported Windows versions

May 15th: WannaCry medical device attacks

The US Department of Homeland Security (DHS), ECRI, & HITRUST issue WannaCry vulnerabilities for medical devices. This marked the first time a global malware attack was able to encrypt medical devices deployed across healthcare facilities. WannaCry was now a two-headed monster.

To the irritation of healthcare facilities, this proved to be a popular storyline for television (below). DHS issues communications across the US Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

May 15th – wired
THE RANSOMWARE MELTDOWN EXPERTS WARNED ABOUT IS HERE
May 15th – wired
THE WANNACRY RANSOMWARE HACKERS MADE SOME REAL AMATEUR MISTAKES
May 15th – wired
THE WANNACRY RANSOMWARE HAS A LINK TO SUSPECTED NORTH KOREAN HACKERS
May 15th – Forbes
Medical Devices Hit By Ransomware for the First Time in US Hospitals
May 15th – Health IT Security
Medical Devices Reportedly Infected in Ransomware Attack
May 15th – Ars Technica
Two days after WCry worm, Microsoft decries exploit stockpiling by governments
May 15th – Ars Technica
Virulent WCry ransomware worm may have North Korea’s fingerprints on it
May 15th – Ars Technica
Wanna Decryptor: A worm lurking in the corridors of a crisis-hit NHS
May 17th – Ars Technica
Fearing Shadow Brokers leak, NSA reported critical flaw to Microsoft
May 19th – Ars Technica
The NHS ransomware attack—how, why, and who’s to blame
May 20th – Ars Technica
Windows 7, not XP, was the reason last week’s WCry worm spread so widely
May 17th – Security week
Industry Reactions to WannaCry Ransomware Attacks
May 17th – ECRI
Lessons from the recent cyber attack that crippled computers across the Globe.
May 13th – FDA
issues cyber recall of medical devices
May 18th – wired
A WANNACRY FLAW COULD HELP SOME VICTIMS GET FILES BACK
May 19th – wired
HACKERS ARE TRYING TO REIGNITE WANNACRY WITH NONSTOP BOTNET ATTACKS
May 19th – wired
ANOTHER RANSOMWARE NIGHTMARE COULD BE BREWING IN UKRAINE
May 22nd – national law review
WannaCry cyberattack raises legal issues
May 23rd – FDA
Device Firms Issue Advisories Following Ransomware Attack
May 23rd – Erie County Medical Center (ECMC)
Acknowledged target of a ransomware attack
May 24th – Trend Labs
Victims Lost US$1B to Ransomware in 2016
May 25th – Carbon Black Ransomware Survey
Ransom-Aware: Finds 7 of 10 Consumers Would Consider Leaving a Business Hit By Ransomware
May 25th – Security Week
The Impact of WannaCry on the Ransomware Conversation

DHS, HITRUST, and ECRI today share medical device vulnerabilities more transparently. Despite all efforts that hospitals accomplished to combat WannaCry, June was going to also prove costly ransomware attacks were set to impact heathcare across new attack surfaces.

June 13th: WannaCry building control attacks

DHS issued Indicators Associated with WannaCry Ransomware for Industrial Controls (ICS-ALERT-17-135-01 Update-I) in mid-June. This update extended WannaCry encryption vulnerabilities across hospital building control systems. While not a PHI risk, Facility Operations at hospitals and clinics across the country were forced to engage their building control system vendors. In less than one month WannaCry proved to be a healthcare’s three-headed monster.

Healthcare IT, Information Security, Clinical Engineering and healthcare senior managers were confronted for the first time with cyber attacks impacting three medical attack surfaces: servers, medical devices, and building controls. Updates from medical device and building control vendors were methodically (and slowly) tested to mitigate vulnerabilities, resulting in long patch delays. In some instances, medical devices required clearance from the FDA device patching could begin. These delays and clearance requirements placed many hospitals in a nervous wait and see approach, with a full understanding that new attacks were underway.

WannaCry impacted over 300,000+ organizations globally. This made a seismic shift in healthcare data security. Consider adopting a glass-is-half-full approach. WannaCry triggered closer collaboration and communications between our Hospital IT, Information Security, and Clinical Engineering teams. We all share a clear goal: secure all infrastructure against future ransomware strains.

June 15th: US Congress-Lessons learned from WannaCry

Only two days following the building controls WannaCry vulnerability, the US Congress Joint Subcommittee on Oversight and Subcommittee on Research and Technology conducted a public hearing: Bolstering the Government’s Cybersecurity: Lessons Learned from WannaCry.

On the heels of the WannaCry attack, the US Congress began conducting hearings (Full testimony via YouTube) to address this new ransomware attack. While news organizations initially focused on hospitals across England, leaders from cybersecurity firms testified to the impact of WannaCry.

Each presenter revealed the unique extent the WannaCry ransomware inflicted upon various markets. The testimony became very real for American healthcare facilities:

I will note that the largest attack we thwarted and measured to date from WannaCry was not on May 12 or 13th when the attack started, but began suddenly on June 8th and 9th on a well-funded hospital in the East coast of the United States.
–Mr. Salim Neino,
Chief Executive Officer, Kryptos Logic

An amazing and sober look at the impact of WannaCry upon the US. Yet before healthcare security teams could fully exhale from the impact of expert testimony, the next big ransomware attack was less than two weeks away.

June 19th – Trend Labs
Erebus Resurfaces as Linux Ransomware
June 27th – Ivanti with Chris Goettl
Global Ransomware Attack Based on a Petya Variant Threatens Repeat of WannaCry
June 27th – Wired
LATEST RANSOMWARE HACKERS DIDN’T MAKE WANNACRY’S MISTAKES
June 27th – Wired
A SCARY NEW RANSOMWARE OUTBREAK USES WANNACRY’S OLD TRICKS

June 29th: NotPetya attacks

Kaspersky Labs first reported this new ransomware attack across Europe, the UK, and the US. The main targets initially appeared to be Russia and Ukraine. It was determined that a popular Ukrainian tax preparation program M.E.Doc spread this ransomware. Kaspersky dubbed this variant “NotPetya,” which targeted energy and industrial supply chains.

Initially thought to be yet another global WannaCry attack, NotPetya was re-classified as a wiper, erasing every infected computer’s Master Boot Record — destroying hard-drive data without any opportunity to recover data. Early reports suggested the patches that stopped WannaCry would protect hospitals and clinics against this new ransomware. They were wrong.

NotPetya was a fast-moving worm exploiting IAM vulnerabilities which captured valid user credentials and propagated laterally across the network. For healthcare, these attacks were not easy to re-mediate on Windows 7 and Windows Server 2008. Many hospitals and clinics remained vulnerable. Yes, healthcare facilities continue to run legacy Windows OS solutions due to select clinical applications and medical devices.

While The Hospital Heritage Valley Health System northwest of Pittsburgh was directly hit by NotPetya, the larger healthcare threat was due to drive-by-malware.

Nuance Communications was crippled by NotPetya.Consumers know Nuance by their Dragon Systems brand. At the time of the attack, Nuance held almost 70% of the medical transcription market.

Nuance’s leading medical transcription service eScription, deployed across healthcare facilities was completely wiped due to NotPetya. Hundreds if not thousands of US healthcare organizations lost complete medical transcription services for almost two months.

Nuance’s other medical transcription services including Apex, Dragon Medical One, Powerscribe, and Powershare were not impacted by NotPetya. In the immediate aftermath, hundreds of health systems were offline, hampering medical records and billing workflow. NotPetya created healthcare’s four-headed monster.

Even outside of healthcare, global brands posted significant losses attributed to this attack. Supply-chain victims, Maersk, Merck, and FedEx’s European delivery subsidy TNT Express all acknowledged $300 million dollar losses in their current financial reporting quarters.

July 1st – wired
HOW SHIPPING GIANT MAERSK DEALT WITH A MALWARE MELTDOWN

July 25th: Nuance confirms NotPetya attack

Following a forensic examination Nuance publicly acknowledged (PDF Link) their eScription medical transcription service was completely wiped by NotPetya. While Nuance did patch their servers against WannaCry, their privileged account management (PAM) was vulnerable and exploited. A contractor with remote access to Nuance had an infected laptop. That device spread the worm across Nuance’s server infrastructure.

Nuance detailed this ransomware’s ability to strike quickly. NotPetya launched in Ukraine at 9:15 am with Nuance infrastructure infected before 11:00 am. A third party contractor with remote access into Nuance systems had an infected laptop. Nuance simply had no opportunity to recover. This also indicates Nuance lacked trusted backups, something hospitals and clinics needed to reinforce.

The loss of Nuance medical transcription services made an enormous impact for healthcare systems. NotPetya proved the vulnerability of contractors and vendors with remote access into healthcare infrastructures.

While aimed at supply chains, NotPetya painfully proved organizations must bolster their internal security posture. This attack refocused the well-known and existing security principles of IAM: Least Privilege Principle, Identity Hygiene, and no lingering accounts via Just-In-Time provisioning.

Ransomware in popular culture

Clearly, ransomware made a dramatic impact upon our lives. This was even promoted by popular television shows Grey’s Anatomy, Chicago Med, and NCIS, who adopted ransomware episodes. Even The Big Bang Theory presented a bitcoin episode.

While the shows held a bit of artistic license….there is a  hint of possibility. TV Networks are driven by television ratings and advertisers. So on with the shock and horror:

Remember the last malware attack getting TV storylines? Remember Y2K. For clarity healthcare facilities have long established “downtime procedures” to address events impacting patient care. Electronic record systems or medical devices may go offline but care for patients continues via paper.

Healthcare, Cyber Insurance, and Ransomware

Many healthcare organizations carry cyber insurance policies to protect against internet-based risks. Organizations should consider a wide number of insurance types, including but are not limited to:

PCI Fines, Penalties, and Expenses
Business interruption
Cyber Extortion (ransomware)
Data Restoration
Forensic Services
Outside Legal Counsel
Public Relations/Brand reputation
Credit/ID monitoring
Call centers providing 24-hour hotline
Table Top Exercise

Today breach fines can surpass $5 million. This has a key impact on healthcare. Regardless if a healthcare organization has cyber insurance, to cover a ransomware bitcoin payment, declaring a breach is required to secure their insurance payment. Some healthcare organizations have paid a bitcoin ransom.

More damaging, however, a breach notification triggers on onsite HIPAA audit. Any healthcare’s leadership (CIO, CISO, Legal, Medical Records, Risk Management and the Office of Compliance) do not want to see auditors arriving.

August 7th – McClatchy
Ransomware fallout in healthcare: cybercriminals’ next deadly target
August 8th – FierceHealthcare
Cybersecurity experts warn of ‘digital D-Day’ in healthcare
August 8th – DARKReading
New Targeted Ransomware Hits Healthcare, Manufacturing
:
August 29th – bleeping computer
Bit Paymer Ransomware Hits Scottish Hospitals
September 6th – health data management
Delaware ransomware attack affects 19,000
September 13th – ECRI Webinar
This is Not a Test – Operationalizing Medical Device CybersecuritY
September 13th – health data management
How providers can bolster their ransomware defenses
SEPTEMBER 13TH – HEALTH DATA MANAGEMENT
HOW PROVIDERS CAN BOLSTER THEIR RANSOMWARE DEFENSES
september 28th – Tripwire
Oral Surgery Center Notifies 128K Patients of Ransomware Attack
October 3rd – Heath data management
Ransomware attack affects data of 128,000 patients
October 9th – Dotmed
Is a cyber equivalent of ‘D-Day’ inevitable in the medical industry?
October 16th – Carbon Black
The Ransomware Economy Intelligence Report
October 23rd – Healthcare InfoSecurity
US Congressional Committee Wants Nuance to Share NotPetya Details

October 24th Bad Rabbit attack

The next ransomware attack, Bad Rabbit held a clear focus: Russia, Ukraine, and Germany. This was triggered by email phishing that delivered fake Adobe Flash installers from infected websites. Bad Rabbit did not use EternalBlue, but rather EternalRomance via drive-by-malware that moved laterally across networks. There is little indication that healthcare facilities in the countries mentioned above were impacted….thankfully.

October 24th – Wired
NEW RANSOMWARE LINKED TO NOTPETYA SWEEPS RUSSIA AND UKRAINE
November 6th – ECRI
Ransomware and Other Cybersecurity Threats Top ECRI Institute’s Annual Health Technology Hazards List

On December 4th HIMSS presented Protecting Medical IoT Devices: Lessons Learned from WannaCry and NotPetya. For the first time, ransomware was the top US healthcare threat. This clearly indicates how far ransomware attacks advanced across the American healthcare industry.

HIMSS delivered a good panel discussion regarding the ransomware takedown of Nuance. A large Midwestern University health system acknowledged their medical records, hospital, clinic and billing workflow went offline for 45 days as a result of NotPetya wiping their Nuance eScription service.

On December 5th Trend Micro published Security Predictions for 2018: Paradigm Shifts indicating RaaS will become more targeted in the coming year including:

We also expect cases of biohacking, via wearables and medical devices, to materialize in 2018. Biometric activity trackers such as heart rate monitors and fitness bands can be intercepted to gather information about the users. Even life-sustaining pacemakers have been found with vulnerabilities that can be exploited for potentially fatal attacks.
Page 6

This re-enforces the Mirai-like botnets could have been healthcare’s 5th headed monster in 2017. While botnets and cryptocurrency attacks proved just as serious, they flew under the ransomware radar.

December 7th – health data management
How providers can better protect IoT devices from ransomware
December 10th – TripWire
10 of the Most Significant Ransomware Attacks of 2017

TripWire also published their Month in Ransomware resource. This resource is very valuable for US Healthcare due to the July 2016 ransomware guidance. This 90-day example reinforces that hospitals must maintain awareness of new strains tied to phishing:

September:  41 new strains + 55 modifications = 96 / 3.2 per day
October
:   28 new strains + 18 modifications = 46 / 1.4 per day
November
:  37 new strains + 18 modifications = 55 / 1.8 per day

This September to November timeframe is an example of the volume of strains that require close monitoring. The HIPAA guidance for US Healthcare places a demand for awareness of ransomware strains targeting hospitals and clinics.

December 7th – Eye Physicians, P.C.
Acknowledged target of a ransomware attack
December 12th – Stanislaus County BHRS
Acknowledged target of a ransomware attack
December 13th – Health IT Security:
NotPetya PAM for Healthcare

December 13th – Nuance shuts down Apex

To address an internal security event Nuance shut down ALL remaining Apex services without notice. This left ALL remaining US healthcare systems without medical transcription services. Nuance required those remaining Apex healthcare facilities to “forcefully” transition to a their eScription platform. Remember Nuance’s eScription service was lost within the opening hours of NotPetya. This forced Nuance to rebuilt their eScription service from the ground up. As a result of the December 13th takedown of Apex, eScription is the only option for healthcare facilities who remained running Apex during NotPetya.

December 13th – Health IT Security
SIEM Provides Security Through Event Data Monitoring
December 14th – SophosLabs
FIVE ransomware as a service (RaaS) kits
December 20th – Health IT Security
Healthcare Data Security Attacks Account for 40% of Q3 Incidents
December 20th – Health IT SecuritY
Healthcare Ransomware, Medical Device Security Key 2018 Trends
December 28th – HIT Think
Evolving ransomware looms as 2018’s biggest threat
December 28th – Health Data Management
Providers need to prepare for virulent ransomware in 2018

US Senate Bill: Data Security/Breach Notification Act

Congress introduced a bill that requires companies 30 days to notify victims and authorities after the discovery of a data breach. The bill also would make it a crime, punishable by up to five years in prison to knowingly conceal a breach. Regardless if the bill is signed into law, hospital, clinic, and health system C-Suites including Trustees can no longer pay lip service to ransomware threats.

This should also shift how healthcare compliance officers view signing HIPAA Business Associates Agreement (BAA) without a valid Risk Assessment provided by a vendor. It should come as no surprise that any vendor without a valid risk assessment, the healthcare facility should immediately disqualify that vendor.

In the age of ransomware, it is simply not worth the risk to the organization. CIOs and CISOs must adhere to HIPAA’s ransomware guidance. Ransomware awareness is now at an all-time high while PHI remains highly profitable on dark web. This can be accomplished with a third party risk analysis, tabletop exercises and the NIST CSET 8.0 resource.

2018: Targeted ransomware attacks expected

In the new year, the view across the healthcare industry is that ransomware will continue to grow in more precise, targeted attacks including botnets and cryptocurrencies. Healthcare Information Security teams must show risk tolerance and carefully watch new trends in malware.

Ransomware will drive technical and business impacts along with shifts in governance and policy across US healthcare facilities. While ransomware clearly dominated 2017, botnets (more below) remain a very dangerous malware and received drastically less attention last year. Hospital IoT acquisitions must focus on device acquisition with strong security standards from HHS, FDA, and ECRI.

January 3rd – Jones Memorial Hospital (JMH) New York
Acknowledged target of a ransomware attack
January 3rd – healthcare info security
How Cyberattacks Can Impact Patient Safety
January 8th – NH/ISAC Cybersecurity Warning
Shows Importance of Regular Updates
January 11th – Hancock Health (Indiana)
Acknowledged target of a ransomware attack
January 15th – Microsoft
A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017
January 15th – University of Michigan Archimedes Center
Medical Device Security Conference
January 17th – TrendMicro
SAMSAM Ransomware Hits US Hospital, Management Pays $55K Ransom
January 20th – TrendMicro
2017 Ransomware Recap
january 23rd – Microsoft
Overview of rapid cyberattacks
January 25th – data breach today
Allscripts Ransomware Attack a Reminder of Cloud Risks
January 25th – data breach today
Ransomware Outlook: 542 Crypto-Lockers and Counting
January 25th – data breach today
Ransomware was most popular cyber crime tool in 2017
January 25th – dark reading
Ransomware Detections Up 90% for Businesses in 2017
January 29th – Backup Assist
Microsoft’s 10S ‘Ransomware Proof’ Claim Debunked
January 30th – ITSecurity Guru
The Three Rs of Today’s Cybersecurity Landscape: Risk, Ransomware and Reputation
January 30th – sophos naked Security
Are organizations prepared for the ransomware threat?
January 30th – Info security magazine
Half of Orgs Hit with Ransomware in 2017
february 2nd – Health data management
Two cybersecurity organizations merge to broaden services
february 2nd – linkedin
Cybercriminals Focusing On Small Healthcare Providers in 2018
February 5th – The Guardian
Every NHS trust tested for cybersecurity has failed, officials admit
february 9th – Symantec
Ransom.Shurl0kr

February 13th – Tripwire
Ransomware – A Reminder for Healthcare Providers to Lock Down Their Environments

Read more about it:

The Devil’s Ivy botnet

The July 18th botnet attack on IP cameras focused on a security flaw used in a popular open source library, gSOAP. Initially, Devil’s Ivy appeared to be a 5th headed monster for healthcare. Fortunately this attack never fully materialized. However, at the time hundreds of thousands of IoT devices worldwide remained vulnerable. Axis Communications, a high-end security camera vendor patched a dangerous coding flaw in virtually all of its products. An attacker could use the botnet to seize control over or crash devices.

Marcus Hutchins

August 2nd: Hacker Marcus Hutchins who stopped the spread of WannaCry was arrested in Las Vegas after Black Hat and DEF CON. Surprisingly Hutchins made two court appearances here in Milwaukee.

August 8th – Wired
HACKER WHO STOPPED WANNACRY CHARGED WITH WRITING BANKING MALWARE

Equifax data breach

October 2nd: The Equifax breach announced. Over 143 million Americans were impacted by the largest data breach of PII. 

Did Hospitals ignore the Microsoft Security Bulletin?

Of course not. Many hospitals run Windows-based clinical applications. Due to the highly sensitive nature of clinical apps at the bedside and Emergency Department, Healthcare IT, Information Security and Clinical Engineering teams must apply extensive application testing to protect patient care.

Hospitals deploy hundreds of clinical applications. It is not uncommon for change management schedules to patch systems on a quarterly basis. Regrettably, there remain conflicts within clinical applications that require a ‘slow and steady wins the race’ approach.

Another impact of patching is the introduction of unplanned outcomes. In November 2017, Microsoft applied two zero-day patches across their .NET framework. This resulted in sluggish performance across select clinical and administrative application servers. The December the framework did not address these concerns. so yes hospitals have a complex set of applications.

Vendor White Papers:

Cisco
Ransomware Defense Validated Design Guide (PDF)
US Department of Justice
How to Protect Your Networks from Ransomware
ECRI
2018 Top 10 Tech hazards: Ransomware
ComputerWeekly
WannaCry a signal moment, says NCA
Which?
Ransomware: what it is and how to stop it
Trend Micro
Ransomware
Heimdal Security
What is Ransomware – 15 Easy Steps To Protect Your System
Microsoft
The Ransomware FAQ
HITRUST and Trend Micro
Collaborative Advanced Cyber Deception Program
June 30th – Varonis
The Complete Guide to Ransomware
MalwareHunter
ID Ransomware: decoding the type of ransomware encrypting your files
IBM Security
Ransomware Client Engagement Guide
trend micro
Ransomware All-in-One Solutions Guide
backblaze
How to Recover From Ransomware
kaspersky
The Rise of Ransomware – Most Glaring Examples from 2015-2016

barkly
The Ransomware Survival Handbook

 

Vendor solutions addressing ransomware:

While early in development many vendors are making strides to confront and mitigate ransomware strains:

ID Ransomware – Malwarehunter

Malwarebytes – Anti-Ransomware Beta

Bitdefender – Anti-Ransomware Tool  and overview

Kaspersky – Anti-Ransomware Tool

WinPatrol – Win Anti Ransome

RansomFree – CyberReason

No More Ransom –  resource clarifying most strains

BartBlaze – Ransomware Prevention

Trend Micro – Anti-Ransomware Tool

WinPatrolWar – WinAntiRansome

Abelssoft – AntiRansomware

CryptoPrevent – Malware Prevention

GridSoft – GS Anti-Ransomware

Sophos – HitmanPro

NOguard – MoneroPay Decryptor

McAfee – Ransomware Interceptor (Pilot) 

Carbon Black’s The Ransomware Economy: Projections

1 – Based on the direction ransomware is trending, we believe ransomware will increasingly target Linux systems in an effort to further extort more money per infection. For example, attackers will increasingly look to conduct SQL injections to infect servers and charge a higher ransom price. We have already observed attacks hitting MongoDB earlier this year which provide excellent foreshadowing.
2 – Ransomware will become more targeted by looking for certain file types and targeting specific companies such as legal, healthcare, and tax preparers rather than “spray-and-pray” attacks we largely see now. There is already ransomware that targets databases, preying on businesses, and small tweaks to their code can target critical, proprietary files such as AutoCAD designs. A focused targeting of extensions can allow many ransomware samples to hide under the radar of many defenders.
3 – While most ransomware samples we analyzed in recent research simply encrypt files in place and transmit encryption keys for the purpose of decryption, there will be ransomware samples that will take the extra step of exfiltrating data prior to encryption. Not only would such an evolution put stress on companies to restore their data but also incorporate the loss of proprietary data that could be sold on the black market.
4 – Ransomware will increasingly be used as a smokescreen. For example, in the past, Zeus botnet operators hit victims with DDoS attacks after an infection to take investigators off the trail. A similar trend is emerging with ransomware attacks where the encryption of files could take place after more damning actions are taken by adversaries. Using already existing techniques of deleting Volume Shadow Copies, which deletes potential file backups, and the deletion of Windows event logs, adversaries can thwart many incident response efforts by forcing responders to focus on decrypting files instead of investigating data and credentials exfiltrated.
5 – Ransomware will emerge as a secondary method when initial forms of attack fail. Adversaries that rely upon more crafted and targeted attacks may use ransomware as an attack of last resort. Failing to entrench in an environment with a Remote Access Tool (RAT) or exfiltrate data, adversaries can push a ransomware across the environment to ensure at least a minimum return for their effort invested.
6 – Ransomware will be used more commonly as a false flag, as seen with NotPetya. Solely from dynamic analysis, it was perceived to be Petya, when more detailed analysis showed it wasn’t. Such quick analysis also insinuated it to be obvious ransomware, but a greater depth of disassembly showed that data was not held at ransom; it was simply destroyed.
7 – Ransomware will increasingly leverage social media to spread either intentionally or unintentionally. Similar to malware such as Koobface, maliciously shared content on sites such as Facebook could lead victims to click enticing links. Intentionally shared ransomware, seen in prior concepts, such as Popcorn Time where victims could share to reduce or eliminate their ransom, could see larger-scale use.
8 – Ransomware will start to morph to gain persistence on systems to re-encrypt them for more money some period of time later.

The 2017 Top 10 Healthcare Ransomware Attacks:

01. COMMONWEALTH HEALTH CORPORATION
02. AIRWAY OXYGEN, INC.
03. WOMEN’S HEALTHCARE GROUP OF PENNSYLVANIA
04. UROLOGY AUSTIN, PLLC
05. PACIFIC ALLIANCE MEDICAL CENTER
06. PEACHTREE NEUROLOGICAL CLINIC, P.C.
07. ARKANSAS ORAL AND FACIAL SURGERY CENTER
08. MCLAREN MEDICAL, MID-MICHIGAN PHYSICIANS CENTER
09. HARRISBURG GASTROENTEROLOGY LTD
10. VISIONQUEST EYECARE

 

January 4, 2018
Ivanti Interchange Podcast:

McKay’s Man-Crush on Elon Musk, and Hospital IT Security Stories from an Insider

Follow me here:
Twitter
Flipboard Healthy InfoSec

Ivanti Patch for Windows review

One Reply to “Ransomware attacks on Healthcare”

What say you?