In mid-March, news first broke about a ransomware attack at The Ottawa Hospital in Ottawa, Ontario.
The hospital released a statement soon after the attack confirming ransomware had infected four of its 9,800 computers. It is believed a staff member clicked on a suspicious link that in turn downloaded the ransomware onto the hospital’s computers.
Fortunately, the attack had very little impact on the hospital’s day-to-day operations.
“No patient information was affected. The malware locked down the files and the hospital responded by wiping the drives,” said Kate Eggins, a spokeswoman for the hospital. “We are confident we have appropriate safeguards in place to protect patient information and continue to look for ways to increase security. We would like to reiterate that no patient information was obtained through the attempt.”
The hospital ultimately restored access to its systems via the use of data backups.
Although the story of The Ottawa Hospital had a happy ending, it is important to note that malware continues to threaten healthcare organizations on a daily basis. If anything, ransomware authors have used the first few months of 2016 to ramp up their attacks against hospitals and medical centers, a reality of which the United States Computer Emergency Readiness Team (US-CERT) and the Canadian Cyber Incident Response Centre (CCIRC) have warned, though perhaps too late.
To better understand this ongoing spate of ransomware attacks, we must examine how a hospital could become infected by ransomware and identify the risks of infection for a healthcare organization.
WHAT ARE THE MEANS OF ATTACK?
One of the most common methods by which bad actors deliver ransomware to hospitals is phishing attacks. All an attacker needs to do is send out an email that includes a link to an infected website, sometimes even a hospital’s website, or a Word attachment containing malicious macros. Clicking on the link or downloading the attachment activates a malware executable that downloads the ransomware onto the victim’s computer.
However, that’s not to say attackers can’t get a little creative with their phishing, especially if bad actors lack the technical expertise and/or money to develop or purchase malware.
“There’s another type of social engineering attack, which is pretty costly for some organizations,” explains Tom Andre, VP of Information Services at Cooperative of American Physicians (CAP). “It has nothing to do with malware, but it’s called the CEO fraud. That also comes in through a social engineering technique, where someone is sending an email that looks like it’s coming from the CEO of the organization. They’ll send it to the accounting/finance folks and say, ‘Can you approve a wire transfer?’ There’s no links in it, but if they don’t have good internal controls, they may actually process the wire transfer. And there was a company in San Jose that got taken for about $46 million in that way. So, there’s some big money in that.”
As Andre reveals, bad actors can leverage phishing emails to disseminate ransomware and steal money via wire fraud and other illegal means. That realization provides some insight into the risks behind a ransomware infection for a healthcare facility.
WHAT ARE THE RISKS OF INFECTION?
Ransomware poses a significant financial risk to healthcare organizations. Let’s take the case of Hollywood Presbyterian Medical Center as an example. Back in February, the hospital declared an “internal state of emergency” and temporarily shut down its computer systems after computer forensics experts found ransomware on the hospital’s network.
Shortly following the infection, a local computer consultant said that the ransom fee was 9,000 BTC. At US $3.6 million, this would have been the largest malware-related ransom demand ever recorded. But the claim was incorrect. Spokespeople for the hospital clarified that the real ransom fee was only 40 BTC, or US$17,000. Ultimately, the hospital decided to pay the fee.
$17,000 is not too much for a hospital to lose. At the end of the day, however, the hospital probably lost a lot more.
“I would look at how much productivity was lost,” Andre says. “I believe, from the CEO’s statement on the hospital’s website, they first noticed the infection on Friday, the 5th of February, and their electronic health records systems were back up on the 15th. So that’s nine to ten days of not being able to access that information. They were relying on paper, they were relying on faxes and phone calls. That would be a productivity hit to the hospital, because all that information that was collected on paper would then have to be back-filled into the hospital system. That’s some of the major risk.”
But that’s not all. By also factoring in the price of recovery, which includes money needed to investigate the hospital’s IT systems, to pay off HIPAA fines for compromised personal health information (PHI) and associated lawsuits, and to overhaul its IT security and communication infrastructure to prevent future incidents, the total cost of the attack could very well have grown to become several orders of magnitude larger than the original ransom fee.
Last but not least, let’s not forget high-profile ransomware infections can have a reputational effect. In this instance, Hollywood Presbyterian Medical Center decided to transfer people to other local hospitals because it could not access patients’ medical records on its computer system. The medical center lost customers as a result of the ransomware infection. Unfortunately, it could take the hospital months or even years to rebuild that customer loyalty and trust.
Given the risks ransomware poses to healthcare organizations, it is important that IT departments at hospitals and medical centers focus on preventing an infection from occurring in the first place. That should include implementing user awareness among all employees and proactively monitoring endpoints for suspicious behavior.
For more helpful ransomware prevention tips, please click here.