Ransomware attacks on Hospitals and Clinics have just begun
For the first time the healthcare industry was attacked by a multi-headed ransomware monster. This is only the beginning of a new attack model for hospitals and clinics to confront moving forward.
Since the first ransomware attack in early 2016 I have observed how this became a credible threat to hospitals. In 2017 an seemingly overwhelming series of attacks forced hospitals and clinics around the country to adjust long-held views and policies of information security. Due to the amount of news coverage I have added a timeline to this post to indicate how ransomware became part of the social mainstream.
Overview
A ransomware primer in three parts:
Ransomware is not new
PHI data remains highly valuable on the dark web
The Shadow Brokers, Wikileaks, and the CIA
2016 – Setting the stage
February 5th – Hollywood Presbyterian
July 12: HHS issues new guidance
2017 – The attacks begin
May 12: WannaCry IT infrastructure attacks
May 15: WannaCry medical device attacks
June 13: WannaCry building control attacks
June 15: US Congress: Lessons learned from WannaCry
June 29: NotPetya attacks
July 25: Nuance confirms NotPetya attack
October 24: Bad Rabbit attack
December 13: Nuance shuts down medical transcription service
Read more about it
Did hospitals ignore the March Microsoft Security Bulletin?
Ransomware in popular culture
Top 2017 Healthcare Ransomware Attacks
Healthcare, Cyber Insurance, & Ransomware
US Senate Bill S.2179-Data Security & Breach Notification Act
Overview
US Healthcare reached a cyberattack tipping point in 2017. Ransomware has forever changed the medical data security landscape. While cyberattacks on hospitals are certainly not new, ransomware created a four-headed monster never seen before across healthcare systems.
The US Department of Health and Human Services (HHS) protects the health of all Americans. The National Institutes of Health (NIH) is a subsidiary of HHS. The US Federal Drug Administration (FDA) provides oversight for medical device cybersecurity.
Your Personal Health Information (PHI) is stored in medical records across multiple healthcare facilities. From large metropolitan hospitals and health systems to rural clinics and small doctor’s offices, PHI data is governed by the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Healthcare facilities were literally on the front lines of global cyber attacks. As the year progressed, new attacks would only grow worse. Hospitals have dedicated Clinical Engineering (CE) teams. CE is a specialty within biomedical engineering and is primarily responsible for managing medical device technologies to optimize healthcare delivery.
The Emergency Care Research Institute (ECRI) is a nonprofit organization dedicated to the discipline of applied scientific research. ECRI provides critical resources to global healthcare facilities including medical device best practices and PHI data alert vulnerabilities.
A healthcare ransomware primer in three parts:
1. Ransomware is not new
Long before ‘ransomware’ was the national storyline computer malware that encrypted files was known as CryptoLocker. In October Infosecurity Magazine published CryptoLocker: The Ransomware There’s No Coming Back From. One year later this malware was better known as TorrentLocker and BitCrypt. BitCrypt is a type of ransomware that steals funds from Bitcoin wallets. Cybercriminals begin using the cloud service model to introduce Ransomware as a Service (RaaS) and would push new ransomware strains over 752% in 2016.
2. PHI data remains highly valuable on the dark web
Cybercriminals buy, sell and barter stolen data on the dark web. Here the Target credit card breach comes into context: Banks can quickly issue new credit cards to consumers and invalidate stolen cards. The cards are worthless to criminals on the dark web. However you cannot ‘edit’ your stolen PHI data. Your PHI can be sold and then re-sold on the dark web for many years. In light of the 2017 massive Equifax breach, it may hard to overlook Anthem’s 37.5 million data breach of PHI in February 2015. It has been suggested Anthem’s stolen PHI data could sit idle for 20 years before criminals begin reselling your data.
3. The Shadow Brokers, Wikileaks, and the CIA
The wildcard that changed everything. The Shadow Brokers published very powerful hacking tools from the National Security Agency (NSA). Nation states, cybercriminals and even teenagers could download, modify and create new attacks based upon very sophisticated hacking tools written by the CIA.
2016: Setting the Stage
California’s Hollywood Presbyterian Medical Center is a 434-bed short-term acute care hospital. The Locky ransomware strain attacked this hospital in February. This attack made international headlines and began a year-long conversation within the healthcare industry. This incident served as the tipping point for ransomware attacks upon Hospitals.
The Medical Center paid $17,000 in bitcoin to decrypt their files and restart operations. This payment gave cybercriminals the green light to target hospitals without impunity. While the attack caught the public by surprise, hospital ransomware attacks were already well documented.
ATTACK TIMELINE: January – July 2016:
January 20th – TripWire
22 Ransomware Prevention Tips
February 16th – CNBC
The hospital held hostage by hackers
February 17th – Ars Technica
Patients diverted to other hospitals after ransomware locks down key software
February 17th – The Atlantic
A Hospital Paralyzed by Hackers
February 21st – TrendLabs
Cybercrime and Other Threats Faced by the Healthcare Industry
March 16th – Wired Magazine
Why Hospitals are the perfect target for ransomware
March 17th – Forbes
Ransomware-As-A-Service: The Next Great Cyber Threat?
March 31st – US Homeland Security
Alert (TA16-091A) Ransomware and Recent Variants
April 7th – healthcare IT security
More Hospitals Affected by Healthcare Ransomware Attacks
April 7th – healthcare IT security
MedStar Ransomware Attack Caused by Known Security Flaw
May 4th – Health IT Security
FBI Ransomware Warning Crucial for Healthcare Cybersecurity
July 12th: HHS issues new guidance
To address a growing ransomware threat, The US Department of Health and Human Services (HHS) issued Factsheet: Ransomware and HIPAA (PDF link). Two key aspects for hospitals:
#3: Can HIPAA compliance help covered entities and business associates recover from infections of malware, including ransomware?
Yes. The HIPAA Security Rule requires covered entities and business associates to implement policies and procedures that can assist an entity in responding to and recovering from a ransomware attack. Because ransomware denies access to data, maintaining frequent backups and ensuring the ability to recover data from backups is crucial to recovering from a ransomware attack. Test restorations should be periodically conducted to verify the integrity of backed up data and provide confidence in an organization’s data restoration capabilities. Because some ransomware variants have been known to remove or otherwise disrupt online backups, entities should consider maintaining backups offline and unavailable from their networks.
Page 2
#6: Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?
When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule. Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements.
Pages 5-6
HHS regularly provides healthcare entities with additional Cybersecurity Guidance Materials. This eight-point guidance was crafted to help healthcare organizations understand how to confront ransomware attacks.
ATTACK TIMELINE: July to October 2016:
July 24th – Wired
A CLEVER NEW TOOL SHUTS DOWN RANSOMWARE BEFORE IT’S TOO LATE
July 26th – TrendMicro
Economics Behind Ransomware as a Service
August 9th – TrendMicro
Outsourcing crime: How Ransomware-as-a-Service works
September 2nd – TrendMicro
RaaS: Ransomware Operators Find Ways to Bring in Business
September 4th – IBM
Cybercrime-as-a-Service Poses a Growing Challenge
September 14th – Apress
Cybersecurity for Hospitals and Healthcare Facilities
September 29th – TrendMicro
The Rise and Fall of Encryptor RaaS
2017: The attacks begin
Ransomware strains were in place and easy to script. The wildcard no hospital could have predicted: leaked CIA and NSA cybersecurity tools.
ATTACK TIMELINE: January to May 2017:
January 1st – Ars Technica
LA Community College paid $28,000 to free itself from ransomware
March 17th – Wikileaks
Publishes Vault7, the CIA’s cyber warfare tools
March 17th – Barkly
RAAS is Booming: Here is what you need to know
April 11th – Accenture’s Digital Trust Survey
Are you 1 breach away from losing a healthcare consumer?
April 14th – Bleeping computer
Shadow Brokers Publish the Password for the Rest the Stolen NSA Hacking Tools
April 14th – Ars Technica
NSA-leaking Shadow Brokers just dumped its most damaging release yet
April 15th – Ars Technica
Mysterious Microsoft patch killed 0-days released by NSA-leaking Shadow Brokers
May 5th – Wired
HOW AN ACCIDENTAL ‘KILL SWITCH’ SLOWED FRIDAY’S MASSIVE RANSOMWARE ATTACK
For cybercriminals and nation states, Wikileaks provided CIA tools to create new, more powerful ransomware. EternalRomance and EternalBlue would prove to be the tools of choice targeting Microsoft’s Windows OS vulnerabilities. Microsoft quickly issued a Security Bulletin on March 14 to patch these vulnerabilities.
May 12: WannaCry ransomware attack
American healthcare organizations awoke to morning news of a new widespread, global ransomware attack across England’s National Health Service. Initially, reports seemed to indicate the ransomware attack was a larger version of the Hollywood Presbyterian Locky attack. By Sunday WannaCry proved to be a global monster for healthcare.
The most severe impact fell across Hospital Emergency Departments across the UK. First responders were redirected to hospitals not (yet) impacted by WannaCry. UK healthcare facilities were even forced to turn off their computers and shut down business operations. Many non-emergency scheduled procedures were postponed.
The Health Information Trust Alliance HITRUST, a privately held not-for-profit organization that collaborates with healthcare, law enforcement, technology and information security leaders. HITRUST issued early WannaCrypt alerts via their Cyber Threat XChange (Healthcare only access).
May 15th: WannaCry medical device attacks
The US Department of Homeland Security (DHS), ECRI, & HITRUST issue WannaCry vulnerabilities for medical devices. This marked the first time a global malware attack was able to encrypt medical devices deployed across healthcare facilities. WannaCry was now a two-headed monster.
To the irritation of healthcare providers this proved to be a popular storyline for television (below). DHS issues communications across the US Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
ATTACK TIMELINE: May 2017:
May 12th – Ars Technica
Massive ransomware attack hits UK hospitals, Spanish banks
May 12th – Wired
An NSA-derived ransomware worm is shutting down computers worldwide
May 13th – F-Secure
WannaCry, the Biggest Ransomware Outbreak Ever
May 13th – Wired
4 WAYS TO PROTECT AGAINST THE VERY REAL THREAT OF RANSOMWARE
May 14th – Wired
WHAT IS RANSOMWARE? A GUIDE TO THE GLOBAL CYBERATTACK’S SCARY METHOD
May 13th – Ars Technica
WCry is so mean Microsoft issues patch for 3 unsupported Windows versions
May 15th – wired
THE RANSOMWARE MELTDOWN EXPERTS WARNED ABOUT IS HERE
May 15th – wired
THE WANNACRY RANSOMWARE HACKERS MADE SOME REAL AMATEUR MISTAKES
May 15th – wired
THE WANNACRY RANSOMWARE HAS A LINK TO SUSPECTED NORTH KOREAN HACKERS
May 15th – Forbes
Medical Devices Hit By Ransomware for the First Time in US Hospitals
May 15th – Health IT Security
Medical Devices Reportedly Infected in Ransomware Attack
May 15th – Ars Technica
Two days after WCry worm, Microsoft decries exploit stockpiling by governments
May 15th – Ars Technica
Virulent WCry ransomware worm may have North Korea’s fingerprints on it
May 15th – Ars Technica
Wanna Decryptor: A worm lurking in the corridors of a crisis-hit NHS
May 17th – Ars Technica
Fearing Shadow Brokers leak, NSA reported critical flaw to Microsoft
May 19th – Ars Technica
The NHS ransomware attack—how, why, and who’s to blame
May 20th – Ars Technica
Windows 7, not XP, was the reason last week’s WCry worm spread so widely
May 17th – Security week
Industry Reactions to WannaCry Ransomware Attacks
May 17th – ECRI
Lessons from the recent cyber attack that crippled computers across the Globe.
May 18th – wired
A WANNACRY FLAW COULD HELP SOME VICTIMS GET FILES BACK
May 19th – wired
HACKERS ARE TRYING TO REIGNITE WANNACRY WITH NONSTOP BOTNET ATTACKS
May 19th – wired
ANOTHER RANSOMWARE NIGHTMARE COULD BE BREWING IN UKRAINE
May 22nd – national law review
WannaCry cyberattack raises legal issues
May 23rd – FDA
Device Firms Issue Advisories Following Ransomware Attack
May 23rd – Erie County Medical Center (ECMC)
Acknowledged target of a ransomware attack
May 24th – Trend Labs
Victims Lost US$1B to Ransomware in 2016
May 25th – Carbon Black Ransomware Survey
Ransom-Aware: Finds 7 of 10 Consumers Would Consider Leaving a Business Hit By Ransomware
May 25th – Security Week
The Impact of WannaCry on the Ransomware Conversation
Following the initial ransomware attack on healthcare DHS, HITRUST, and ECRI today share medical device vulnerabilities more transparently. Despite all the efforts hospitals accomplished to combat WannaCry, June would prove very costly. New ransomware attacks were set to impact healthcare across new attack surfaces. This forced healthcare to look wider across their organization to implement solutions to protect their hospital infrastructure.
June 13th: WannaCry building control attacks
DHS issued Indicators Associated with WannaCry Ransomware for Industrial Controls (ICS-ALERT-17-135-01 Update-I) in mid-June. This update extended WannaCry encryption vulnerabilities across hospital building control systems. While not a PHI risk, Facility Operations at hospitals and clinics across the country were forced to engage their building control system vendors. In less than one month WannaCry proved to be a healthcare’s three-headed monster.
Healthcare IT, Information Security, Clinical Engineering and healthcare senior managers were confronted for the first time with cyber attacks impacting three medical attack surfaces: servers, medical devices, and building controls. Updates from medical device and building control vendors were methodically (and slowly) tested to mitigate vulnerabilities, resulting in long patch delays. In some instances, medical devices required clearance from the FDA device patching could begin. These delays and clearance requirements placed many hospitals in a nervous wait and see approach, with a full understanding that new attacks were underway.
WannaCry impacted over 300,000 organizations globally. This made a seismic shift in healthcare data security. Consider adopting a glass-is-half-full approach. WannaCry triggered closer collaboration and communications between our Hospital IT, Information Security, and Clinical Engineering teams. We all share a clear goal: secure all infrastructure against future ransomware strains.
June 15th: US Congress-Lessons learned from WannaCry
Only two days following the building controls WannaCry vulnerability, the US Congress Joint Subcommittee on Oversight and Subcommittee on Research and Technology conducted a public hearing: Bolstering the Government’s Cybersecurity: Lessons Learned from WannaCry.
On the heels of the WannaCry attack, the US Congress began conducting hearings (full testimony via YouTube) to address this new ransomware attack. While news organizations initially focused on hospitals across England, leaders from cybersecurity firms testified to the impact of WannaCry.
Each presenter revealed the unique extent the WannaCry ransomware inflicted upon various markets. The testimony became very real for American healthcare facilities:
I will note that the largest attack we thwarted and measured to date from WannaCry was not on May 12 or 13th when the attack started but began suddenly on June 8th and 9th on a well-funded hospital in the East coast of the United States.
–Mr. Salim Neino,
Chief Executive Officer, Kryptos Logic
An amazing and sober look at the impact of WannaCry upon the US. Yet before healthcare security teams could fully exhale from the impact of expert testimony, the next big ransomware attack was less than two weeks away.
ATTACK TIMELINE: June 2017:
June 19th – Trend Labs
Erebus Resurfaces as Linux Ransomware
June 27th – Ivanti with Chris Goettl
Global Ransomware Attack Based on a Petya Variant Threatens Repeat of WannaCry
June 27th – Wired
LATEST RANSOMWARE HACKERS DIDN’T MAKE WANNACRY’S MISTAKES
June 27th – Wired
A SCARY NEW RANSOMWARE OUTBREAK USES WANNACRY’S OLD TRICKS
June 29th – f-Secure
Petya: “I Want To Believe”
June 29th: NotPetya attacks
Kaspersky Labs first reported this new ransomware attack across Europe, the UK, and the US. The main targets initially appeared to be Russia and Ukraine. It was determined that a popular Ukrainian tax preparation program M.E.Doc spread this ransomware. Kaspersky dubbed this variant “NotPetya,” which targeted energy and industrial supply chains.
Initially thought to be yet another global WannaCry attack, NotPetya was re-classified as a wiper, erasing every infected computer’s Master Boot Record — destroying hard-drive data without any opportunity to recover data. Early reports suggested the patches that stopped WannaCry would protect hospitals and clinics against this new ransomware. They were wrong.
NotPetya was a fast-moving worm exploiting IAM vulnerabilities which captured valid user credentials and propagated laterally across the network. For healthcare, these attacks were not easy to re-mediate on Windows 7 and Windows Server 2008. Many hospitals and clinics remained vulnerable. Yes, healthcare facilities continue to run legacy Windows OS solutions due to select clinical applications and medical devices.
While The Hospital Heritage Valley Health System northwest of Pittsburgh was directly hit by NotPetya, the larger healthcare threat was due to drive-by-malware. Nuance Communications was crippled by NotPetya.
Consumers know Nuance by their Dragon Systems brand. At the time of the attack, Nuance held almost 70% of the medical transcription market.Nuance’s leading medical transcription service eScription, deployed across healthcare facilities was completely wiped due to NotPetya. Hundreds if not thousands of US healthcare organizations lost complete medical transcription services for almost two months.
Nuance’s other medical transcription services including Apex, Dragon Medical One, Powerscribe, and Powershare were not impacted by NotPetya. In the immediate aftermath, hundreds of health systems were offline, hampering medical records and billing workflow. NotPetya created healthcare’s four-headed monster.Even outside of healthcare, global brands posted significant losses attributed to this attack. Supply-chain victims, Maersk, Merck, and FedEx’s European delivery subsidy TNT Express all acknowledged $300 million dollar losses in their current financial reporting quarters.
July 25th: Nuance confirms NotPetya attack
Following a forensic examination Nuance publicly acknowledged (PDF Link) their eScription medical transcription service was completely wiped by NotPetya. While Nuance did patch their servers against WannaCry, their privileged account management (PAM) was vulnerable and exploited. A contractor with remote access to Nuance had an infected laptop. That device spread the worm across Nuance’s server infrastructure.
Nuance detailed this ransomware’s ability to strike quickly. NotPetya launched in Ukraine at 9:15 am with Nuance infrastructure infected before 11:00 am. A third party contractor with remote access to Nuance systems had an infected laptop. Nuance simply had no opportunity to recover. This also indicates Nuance also lacked trusted backups, something hospitals and clinics need to reinforce as part of the HIPAA Ransomware Guidance.
The loss of Nuance medical transcription services made an enormous impact on healthcare systems. NotPetya proved the vulnerability of contractors and vendors with remote access into healthcare infrastructures.
While aimed at supply chains, NotPetya painfully proved organizations must bolster their internal security posture. This attack refocused the well-known and existing security principles of IAM: Least Privilege Principle, Identity Hygiene, and no lingering accounts via Just-In-Time provisioning.
ATTACK TIMELINE: July to November 2017:
July 1st – wired
HOW SHIPPING GIANT MAERSK DEALT WITH A MALWARE MELTDOWN
August 7th – McClatchy
Ransomware fallout in healthcare: cybercriminals’ next deadly target
August 8th – FierceHealthcare
Cybersecurity experts warn of ‘digital D-Day’ in healthcare
August 8th – DARKReading
New Targeted Ransomware Hits Healthcare, Manufacturing
August 11th – F-Secure
What We Learned from WannaCry and EternalPetya
August 29th – bleeping computer
Bit Paymer Ransomware Hits Scottish Hospitals
September 6th – health data management
Delaware ransomware attack affects 19,000
September 13th – ECRI Webinar
This is Not a Test – Operationalizing Medical Device CybersecuritY
September 13th – health data management
How providers can bolster their ransomware defenses
SEPTEMBER 13TH – HEALTH DATA MANAGEMENT
HOW PROVIDERS CAN BOLSTER THEIR RANSOMWARE DEFENSES
september 28th – Tripwire
Oral Surgery Center Notifies 128K Patients of Ransomware Attack
October 3rd – Heath data management
Ransomware attack affects data of 128,000 patients
October 9th – Dotmed
Is a cyber equivalent of ‘D-Day’ inevitable in the medical industry?
October 16th – Carbon Black
The Ransomware Economy Intelligence Report
October 23rd – Healthcare InfoSecurity
US Congressional Committee Wants Nuance to Share NotPetya Details
October 24th Bad Rabbit attack
The next ransomware attack, Bad Rabbit held a clear focus: Russia, Ukraine, and Germany. This was triggered by email phishing that delivered fake Adobe Flash installers from infected websites. Bad Rabbit did not use EternalBlue, but rather EternalRomance via drive-by-malware that moved laterally across networks. There is little indication that healthcare facilities in the countries mentioned above were impacted….thankfully.
October 24th – Wired
NEW RANSOMWARE LINKED TO NOTPETYA SWEEPS RUSSIA AND UKRAINE
October 25th – helpnet security
NotPetya successor Bad Rabbit hits orgs in Russia, Ukraine
November 6th – ECRI
Ransomware and Other Cybersecurity Threats
On December 4th HIMSS presented Protecting Medical IoT Devices: Lessons Learned from WannaCry and NotPetya. For the first time, ransomware was the top US healthcare threat. This clearly indicates how far ransomware attacks advanced across the American healthcare industry.
HIMSS delivered a good panel discussion regarding the ransomware takedown of Nuance. A large Midwestern University health system acknowledged their medical records, hospital, clinic and billing workflow went offline for 45 days as a result of NotPetya wiping their Nuance eScription service.
On December 5th Trend Micro published Security Predictions for 2018: Paradigm Shifts indicating RaaS will become more targeted in the coming year including:
We also expect cases of biohacking, via wearables and medical devices, to materialize in 2018. Biometric activity trackers such as heart rate monitors and fitness bands can be intercepted to gather information about the users. Even life-sustaining pacemakers have been found with vulnerabilities that can be exploited for potentially fatal attacks.
Page 6
This re-enforced the Mirai-like botnets could have been healthcare’s 5th headed monster in 2017. While botnets and cryptocurrency attacks proved just as serious, they flew under the ransomware radar.
TripWire also published their Month in Ransomware resource. This resource is very valuable for US Healthcare due to the July 2016 ransomware guidance. This 90-day example reinforces that hospitals must maintain awareness of new strains tied to phishing:
September: 41 new strains + 55 modifications = 96 / 3.2 per day
October: 28 new strains + 18 modifications = 46 / 1.4 per day
November: 37 new strains + 18 modifications = 55 / 1.8 per day
This September to November timeframe is an example of the volume of strains that require close monitoring. The HIPAA guidance for US Healthcare places a demand for awareness of ransomware strains targeting hospitals and clinics.
ATTACK TIMELINE: November to December 2017:
november 14th – helpnet security
Rise and evolution of ransomware attacks
november 28th – helpnet security
A look at the top seven ransomware attacks in the past decade
december 4th – helpnet security
Five key trends to watch in 2018 as cybercriminals continue to innovate
December 7th – Eye Physicians, P.C.
Acknowledged target of a ransomware attack
December 7th – health data management
How providers can better protect IoT devices from ransomware
December 10th – TripWire
10 of the Most Significant Ransomware Attacks of 2017
December 12th – Stanislaus County BHRS
Acknowledged target of a ransomware attack
December 13th – Health IT Security:
NotPetya PAM for Healthcare
December 12th – helpnet security
Return of Necurs botnet brings new ransomware threat
December 13th – Health IT Security
SIEM Provides Security Through Event Data Monitoring
December 14th – SophosLabs
FIVE ransomware as a service (RaaS) kits
December 20th – Health IT Security
Healthcare Data Security Attacks Account for 40% of Q3 Incidents
december 20th – helpNet security
Why ransomware? Let’s ask the bad guys
December 20th – Health IT SecuritY
Healthcare Ransomware, Medical Device Security Key 2018 Trends
December 28th – HIT Think
Evolving ransomware looms as 2018’s biggest threat
December 28th – Health Data Management
Providers need to prepare for virulent ransomware in 2018
December 13th – Nuance shuts down Apex
To address an internal security event Nuance shut down ALL remaining Apex services without notice. This left ALL remaining US healthcare systems without medical transcription services. Nuance required those remaining Apex healthcare facilities to “forcefully” transition to their eScription platform. Remember Nuance’s eScription service was lost within the opening hours of NotPetya. This forced Nuance to rebuilt their eScription service from the ground up. As a result of the December 13th takedown of Apex, eScription is the only option for healthcare facilities who remained running Apex during NotPetya.
Read more about it:
Did Hospitals ignore the Microsoft Security Bulletin?
No, of course not. Hospitals run Windows-based clinical applications. Due to the highly sensitive nature of patient care at the bedside and Emergency Department, Healthcare IT, Information Security, and Clinical Engineering teams must apply extensive application testing.
Hospitals deploy hundreds of clinical applications. It is not uncommon for change management schedules to patch on a quarterly basis. Regrettably, there remain conflicts within clinical applications that require a ‘slow and steady wins the race’ approach. Another impact is unplanned outcomes. In November 2017, Microsoft applied two zero-day patches across their .NET framework. This resulted in sluggish performance across select clinical and administrative application servers. The December the framework did not address these concerns. So yes, hospitals have a complex set of applications that cannot be immediately patched.
Ransomware in popular culture
Clearly WannaCry made a dramatic impact on our lives. This was even promoted by popular television shows Grey’s Anatomy, Chicago Med, and NCIS, who adopted ransomware episodes. Even The Big Bang Theory presented a bitcoin episode. While the shows held a bit of artistic license….there is a hint of possibility. TV Networks are driven by television ratings and advertisers. So on with the shock and horror:
Remember the last malware attack getting TV storylines? Remember Y2K. For clarity healthcare facilities have long established “downtime procedures” to address events impacting patient care. Electronic record systems or medical devices may go offline but care for patients continues via paper.
US Senate Bill: Data Security/Breach Notification Act
Congress introduced a bill that requires companies 30 days to notify victims and authorities after the discovery of a data breach. The bill also would make it a crime, punishable by up to five years in prison to knowingly conceal a breach. Regardless if the bill is signed into law, hospital, clinic, and health system C-Suites including Trustees can no longer pay lip service to ransomware threats.
This action may shift how healthcare compliance officers view signing HIPAA Business Associates Agreement (BAA) without a valid Risk Assessment provided by a vendor. It should come as no surprise that any vendor without a valid risk assessment, the healthcare facility should immediately disqualify that vendor.
In the age of ransomware, it is simply not worth the risk to the organization. CIOs and CISOs must adhere to HIPAA’s ransomware guidance. Ransomware awareness is now at an all-time high while PHI remains highly profitable on dark web. This can be accomplished with a third party risk analysis, tabletop exercises and the NIST CSET 8.0 resource
Healthcare, Cyber Insurance, and Ransomware
Many healthcare organizations carry cyber insurance policies to protect against internet-based risks. Organizations should consider a wide number of insurance types, including but are not limited to:
PCI Fines, Penalties, and Expenses
Business interruption
Cyber Extortion (ransomware)
Data Restoration
Forensic Services
Outside Legal Counsel
Public Relations/Brand reputation
Credit/ID monitoring
Call centers providing 24-hour hotline
Table Top Exercise
Today breach fines can surpass $5 million. This has a key impact on healthcare. Regardless if a healthcare organization has cyber insurance, to cover a ransomware bitcoin payment, declaring a breach is required to secure their insurance payment. Some healthcare organizations have paid a bitcoin ransom.
More damaging, however, a breach notification triggers on onsite HIPAA audit. Any healthcare’s leadership (CIO, CISO, Legal, Medical Records, Risk Management and the Office of Compliance) do not want to see auditors arriving.
Follow me here:View my Healthcare IT Flipboard Magazine.View my Medical Device Cybersecurity Flipboard Magazine.View my Medical Ransomware Flipboard Magazine.TwitterJanuary 4, 2018
Ivanti Interchange Podcast:
https://www.ivanti.com/blog/mckays-man-crush-elon-musk-hospital-security-stories-insider/Ivanti Patch for Windows review
One reply on “2017 Ransomware attacks on Healthcare”
[…] hospitals in the age of ransomware. The healthcare industry was confronted for the first time by a multi-headed monster in ransomware cyber […]