Patients and Hospitals Threatened by Increasing Ransomware Attacks
Apr 11th, 2016 by aperio

U.S. hospitals have faced an alarming surge in ransomware attacks this year. In these attacks, hospitals find themselves without access to critical patient information. In addition to seriously threatening patient safety, the attacks harm the hospitals themselves. Necessary interruptions to services while recovering from the attacks damage organizations’ reputations, and financial costs can include ransoms along with costs associated with liability.

Ransomware attacks are a growing threat. Organizations need to focus on necessary steps to protect their data and to stay current on new security requirements arising to meet this threat.

In the first part of this two-part series, we’ll look at what ransomware is, and what makes hospitals and healthcare organizations particularly vulnerable to ransomware attacks. In the second part, we’ll take a look at solutions all organizations (not just hospitals) can employ to mitigate the risk from these attacks, and also discuss possible future changes to security requirements that may develop in response to the increase in ransomware-related cybercrime.

What is ransomware?

In its January 2016 brief, “Hacking Healthcare IT in 2016,” the Institute for Critical Infrastructure Technology refers to ransomware as “the primary threat to organizations in 2016.” Ransomware is a specific type of malware that works by preventing or limiting users from accessing their systems or data, often by encrypting the data. This kind of malware demands payment of a ransom in order to regain access to systems or data. Of course, even after a ransom is paid, there is no guarantee that access will actually be returned or that data will be undamaged. Some examples of ransomware include Locky, CryptoLocker, and CTB Locker.

Why are healthcare organizations so vulnerable to ransomware attacks?

Within just the past few months, hospitals that have reported attacks include Hollywood Presbyterian Medical Center in Los Angeles, Methodist Hospital in Kentucky, and MedStar Health’s ten hospitals and over 250 outpatient clinics in Maryland and Washington D.C. Officials suspect that additional attacks may have gone unreported by organizations choosing to deal with such matters internally rather than risking the damage to their reputations that publicly acknowledging vulnerabilities can bring.

What makes hospitals such tempting targets for cyber criminals? One reason is that hospitals rely on having fast access to accurate and up-to-date information in order to provide care for patients. This means they are more likely to pay a ransom than other organizations might be, as they are trying to avoid harm to their patients (up to and including death) and of course, lawsuits.

Another, less obvious reason is that hospitals have until now focused on educating their employees mainly in HIPAA compliance, and much less on cybersecurity. This leaves hospital employees especially likely to fall victim to social engineering attacks such as phishing, which can give ransomware attackers the entry they need.

The older software used by some hospitals can also provide a tempting point of entry for ransomware attackers. For example, a recent alert from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team warns that certain systems used to automate the tracking and dispensing of medical supplies contain numerous security vulnerabilities.

Additional Links:
TrendMicro – History of ransomware.
Wired.com – Why hospitals are the perfect target for ransomware.
DataBreachToday.com – Security flaws in legacy medical supply systems.

The Problem With Password
Apr 8th, 2016 by aperio

With data breaches on the rise for companies around the world, the goal of reliable cyber security remains a challenge. In just the past month, Verizon Enterprise Solutions faced an attack that reportedly compromised the basic contact information of 1.5 million customers, potentially exposing those users to additional risk from phishing attacks. Hospitals also struggled with ransomware attacks, including MedStar Health in Maryland and Washington, D.C., Methodist Hospital in Kentucky, and two California hospitals operated by Prime Healthcare, Inc. Several of these hospitals were forced to temporarily shut down their systems in order to keep malware from spreading. Disturbingly, at least one such hospital has admitted to paying a ransom to have its data unlocked.

Why Users Don’t Follow Security Requirements

Driven by the constantly increasing need to improve security, IT professionals often advise their clients to follow requirements that are seen as cumbersome. As a result, many otherwise well-intentioned users do not comply with these requirements. Even worse, some users are actually willing to sell password information for surprisingly low prices. In a study performed by SailPoint Technologies this year in which 1,000 office workers in various industries and from multiple countries were interviewed, an appalling number admitted to poor password practices such as:

  • Using a single password among several applications. (65%)
  • Sharing their passwords with co-workers. (30%)
  • Willingness to sell their passwords to outsiders for as little as $1,000. (20%)

Surprisingly, SailPoint’s study showed that even though employees expect other companies to make protecting their personal data a priority, they fail to do the same for their own clients. The study showed that 32% of the respondents had been impacted by security breaches at other companies. But in spite of this, many still continue to engage in poor security practices.

The Multi-Factor Authentication Solution

So if the worst users are actively dishonest and the best are still too likely to engage in risky security practices, what is the solution to the password problem?

One possible approach already in use by some companies is multi-factor authentication. With this approach a password is still used, but is combined with additional factors. For example, a company might not complete your online request to change your password until you provide a code they have sent to a phone number you previously designated. In another example, a user signing on to a company laptop might also be required to have their fingerprint or voice scanned. Here, employees are effectively discouraged from using unwise security practices – you can share a password, but it’s prohibitively difficult to share fingerprints. And hackers who may have acquired a password are much more likely to be blocked by the additional requirement.

Some biometric technologies to facilitate multi-factor authentication already exist and more are on the way. Most of us are familiar with the use of fingerprints and voice recognition. Along with these, additional technologies include keystroke recognition, which focuses on the unique typing rhythms of users; palm vein recognition, which identifies unique vein patterns in palms and/or fingers; heartbeat recognition, which relies on the unique electrocardiographic signals produced by an individual’s heart; and many more.

Not all of these technologies are sufficiently mature to provide reliable and cost-effective security at present. However, technology changes rapidly. What was expensive yesterday may well be affordable tomorrow. (For an example, see DIY Is Shaping Our Future – design student creates his own braces using 3D printing.)

Biometrics alone or multi-factor authentication are likely to be used in the future to meet security needs. In July, 2015, the Bloomberg BNA Privacy & Security Law Report published a report titled “Should the FTC Kill the Password? The Case for Better Authentication.” In this report, the authors argue that “…in certain circumstances the FTC should start requiring better methods of authentication than passwords alone.” Companies interested in preparing for the future will need to explore this approach.

Introducing our newest member to the Aperio IT team.
Apr 5th, 2016 by aperio

Hello everyone,

We would like to introduce you to our newest employee. Tracie has accepted our offer of employment as our Inside Sales Specialist. Her first week started today and she has already started out doing an amazing job. Tracie has multiple years of experience as a Life Insurance Agent and graduated with one of the highest IQs in her class.

As an Inside Sales Specialist, Tracie is responsible for assuring that our clients are ordering the right products and that all of their services are being renewed.

Here are some of Tracie’s responsibilities:

-Assist the sales team by preparing and then following up on any sales quotations made for clients

-Negotiating terms with distributors to find a cost best suited for our clients

-Liaise between other departments and the client to provide the service most suitable to the client’s needs, cost and time restraints

-Work closely with the sales team to assess the progress of the department and develop sales strategy accordingly

-Produce reports on progress within the department and outline any developed strategies to improve

We are really excited to add Tracie to the team and she is going to be a big help by being able to fully dedicate herself to her new role.

Thanks for Welcoming Tracie,

-Cary Warner CMO

 
