The Cost of Ransomware Attacks Can Reach Far Beyond the Ransom Payment Itself | Healthcare Informatics Magazine | Health IT | Information Technology

The Cost of Ransomware Attacks Can Reach Far Beyond the Ransom Payment Itself

December 22, 2016
by Ryan Bergsieker and Allison Chapin, Gibson, Dunn & Crutcher

The ransomware epidemic continues to spread. According to the Federal Bureau of Investigation, ransomware victims in the United States reported a total of more than $209 million in losses in the first three months of 2016 alone. The U.S. Department of Justice has reported that an average of 4,000 ransomware attacks occur in the United States each day.

Given the amount of sensitive data maintained by healthcare providers, and the reality that certain providers’ cyber defenses are less robust than those in place in other industries such as financial services, the healthcare industry is an attractive target for cybercriminals. As the proliferation of ransomware continues, an increasing number of healthcare providers have fallen prey to these attacks. In a blog post, Jocelyn Samuels, director of the U.S. Department of Health and Human Services Office for Civil Rights (OCR), described the possibility of cyberattacks conducted using ransomware and other means as “[o]ne of the biggest current threats to health information privacy.” Indeed, many recent ransomware attacks have targeted major healthcare institutions. For example, in February 2016, ransomware at Hollywood Presbyterian Medical Center in California compromised access to the hospital’s computer systems for several days. Hollywood Presbyterian announced that it paid a ransom to unfreeze its files, but the cost of a ransomware attack can reach far beyond the ransom payment itself.

Paying the Ransom: Just the Beginning?

In the prototypical ransomware attack, a hacker installs malware on a company’s computer systems that prevents users from accessing critical data, often by encrypting that data. As the moniker “ransomware” would suggest, perpetrators then demand payment from the victim company in exchange for unlocking or returning the data.

Hackers can gain access to company computer systems through a variety of means, ranging from “planting” a seemingly misplaced thumb-drive carrying malware in a company parking lot (where it can be discovered by a well-meaning employee and inserted into a company computer), to spear phishing or other social engineering ploys to gain login credentials. Thanks to the availability of digital currency transactions, hackers can enjoy fast, remote, relatively anonymous access to cash paid by their sometimes desperate victims.

The healthcare industry is a particularly attractive target for ransomware attacks given the amount of data providers maintain, the importance of the data, and the gravity of denying access to that information. Blocking critical patient data can have crippling effects on the operations of a healthcare provider. When faced with potentially deadly consequences, some healthcare providers may feel pressure to pay the ransom, but succumbing to a hacker’s ransom demands may mark only the beginning of the company’s problems.

First, paying the ransom does not guarantee that the hackers will unlock the company’s data, and there is no way to ensure that the hackers will not corrupt or otherwise alter the data before returning the information to the victim healthcare provider. Paying a ransom also may embolden the attacker, encouraging further attacks on the institution itself or on other similarly-situated organizations within the industry.

Moreover, paying a ransom does not resolve the issue of any protected health information (PHI) affected by the attack. Ransomware attacks resulting in unauthorized “acquisitions” of PHI barred by the Health Insurance Portability and Accountability Act (HIPAA) may trigger a provider’s notice obligations unless the covered entity can demonstrate a “low probability that the [PHI] has been compromised,” according to federal regulations. Otherwise, victim healthcare providers may need to provide notice to HIPAA’s primary enforcement agency, HHS OCR, and affected patients, among others. Companies then may face exposure to broad and often burdensome investigations, the scope of which may extend far beyond the parameters of the initial breach into a company-wide security program review.

Substantial payments can be required to resolve government investigations initiated by instances of unauthorized acquisitions of PHI. For example, earlier this year, HHS OCR announced that Advocate Health Care Network agreed to adopt a corrective action plan and pay $5.55 million to resolve potential HIPAA violations following breaches that affected the electronic PHI of approximately four million individuals. Similarly, in 2014, New York Presbyterian Hospital agreed to a corrective action plan and a $3.3 million payment to settle potential HIPAA violations.

How to Be Prepared

The time to start thinking about containment and mitigation is before an attack occurs. Responding to a ransomware attack can be daunting, but healthcare providers should consider the following key data management and information governance strategies when assessing the security of their systems:

  • Conduct periodic cyber-risk audits to identify any areas of weakness, ranging from potential external penetration to insider actions.
  • Develop, codify, and train personnel on a comprehensive data breach response plan with clearly assigned responsibilities.
  • Maintain proper computer system hygiene, including implementing regular system and application updates to avoid exposure to malware through outdated, unsupported, or improperly patched software.
  • Implement robust data back-up systems, segregated from other company systems. 
  • Enable mechanisms for quick system restoration from these back-ups when required.
  • Evaluate sources of ransomware risk, educate personnel on common strategies employed by hackers, and implement basic supporting mechanisms (e.g., train personnel to avoid phishing techniques and alert personnel when email has been sent from outside the company).
  • Regularly update policies and procedures to incorporate lessons learned and to stay abreast of current trends.

If an incident does occur, providers should be prepared to activate their data breach response plan.  A key component of such plans is engaging with law enforcement and regulators. Given the sensitive nature of these communications and the potential impacts on future regulatory investigations and litigation, it is often helpful to engage in such communications through experienced outside counsel.

Healthcare providers must take deliberate steps to prevent and mitigate the impact of ransomware attacks. While not exhaustive, the steps enumerated above can help better position companies for successful navigation through these high-pressure and often high-stakes situations. 

Guidance on how to protect against ransomware is available from the U.S. Department of Homeland Security, the U.S. Department of Health & Human Services Office for Civil Rights and the U.S. Federal Trade Commission.

Ryan Bergsieker is of counsel in Gibson, Dunn & Crutcher's Denver office and a faculty member of CGOC, an information governance and compliance think tank. He is a former federal prosecutor and a courtroom advocate. His practice is focused on government investigations, complex civil litigation, and information security/data privacy counseling and litigation. Allison Chapin is an associate in Gibson, Dunn & Crutcher’s Denver office.



GUEST BLOG: The Cybersecurity Shortage: Closing the Gap

October 17, 2018
by Mac McMillan, Industry Voice
The gap between the level of cybersecurity preparation that should exist in the current environment, and the reality, is both troubling and in need of closer examination

We are by all estimates well over a million cybersecurity professionals short of what we need and racing towards an even bigger shortage in the decade to come.  Current approaches are not likely to produce the number of cyber warriors we are going to need to close this gap.  Not for want of good intention, but I believe we won’t achieve our intended goal, because the environment has changed and if we don’t recognize this change we may never catch up.  There are multiple factors affecting this paradigm shift, but the biggest of them all is the rapidly evolving nature of technology that is moving at lightning speeds and the associated exponential growth in threat produced as a byproduct. 

Closely related is what this means for the rapidly expanding competency that cybersecurity professionals will have to possess just to be effective in the future.  We have known for decades that cybersecurity is a dynamically changing field affected by changes in the physical environment, changes in technology, the evolving nature of threat and the operational impacts of users.  The enterprise is never static, and every change presents new opportunities and new risks.  If we take healthcare as one example of this, just the past two decades have witnessed amazing changes in technology adoption, the rise of hyperconnectivity, the increase in the sophistication and frequency of attacks and the endless application of technology to operations, simple and complex.  This will move even faster in the future as technologists are already talking about faster processing speeds, quantum computing, artificial intelligence, etc.  Making it harder and harder for those who have to secure the enterprise to do that.

In fact, today’s cybersecurity professionals have to be as diverse as the thing they are trying to secure, meaning many different cyberwarriors with very different specializations.  Analysts, administrators, engineers, program experts, threat hunters, monitors, architects, etc.  Making it all the more impossible for current approaches to succeed.  The supply is not going to catch up with the demand one cyberwarrior at a time.  That ship has sailed.  All the college programs in the land, although important, are not going to get us there.  You cannot create a cyberwarrior army large enough, fast enough to solve this problem.  We need a different approach.

In today’s and tomorrow’s information technology environment, everyone who uses a computer will need basic cybersecurity skills, and everyone who works in IT will need specific job-related cybersecurity knowledge and we need both general and specialized cybersecurity professionals.  Individuals who write code should know how to do so with security in mind.  Database developers and administrators should understand the threats associated with what they are doing and how to avoid them.  System engineers should understand network security principles and how to apply them to what they do.  And on and on.  Information system designers, developers, manufacturers, consumers and users need to accept and embrace this basic requirement.  Curriculums from the earliest stage where information technology is introduced should include cybersecurity training.  Curriculums in career fields where information technology will be critical to accomplishing that skill should include cybersecurity training.  No information technology degree should be achievable without cybersecurity as part of the curriculum.  We should promote greater professionalization of the cybersecurity field to define specific career paths from the very specialized to the general practitioner to the strategist to ensure not only the expertise needed at the tactical level, but the professionals with the breadth and scope of knowledge and experience needed at the higher levels of responsibility to lead and develop effective cybersecurity strategies and programs. 

The gap between the good guys and the bad guys is growing, because we are still trying to solve the problem in the same antiquated way, one cyberwarrior at a time.  There is zero unemployment in the field right now, and many of the people filling cybersecurity roles today are only marginally competent.  Because not only does it take education in multiple disciplines to become knowledgeable in the field, it takes experience, which can only be attained in time.  We are never going to be successful following the path we’re on today.  We need to recognize the paradigm shift that has occurred and embrace the new reality.  Everyone who deals with information technology has to be part cyberwarrior.  Everyone has the responsibility to understand basic computer security skills and the cyber threats that can keep them from accomplishing their mission.  In the military we call this awareness of risk operational security and every soldier, sailor, airman and Marine from top to bottom is charged with understanding operational risks so they can mitigate them regardless of their job specialty.

Some organizations are beginning to realize this new reality and are taking steps to change how they approach educating the workforce of the future.  One such organization is the University of Texas, which I had the pleasure of supporting recently, which is building a new graduate certificate program within their healthcare curriculum to train members of the workforce to move into healthcare, particularly former veterans.  What is unique about this curriculum is that they have integrated cybersecurity knowledge so that graduates of this program not only prepare themselves for a career in healthcare by learning practical skills, but they learn about where cybersecurity is important and why they need to understand it to be successful.  Their lab environment is unique in that it replicates the hospital experience, admissions, ER, the smart patient room, OR, radiology, pharmacy, etc. and in each lab cybersecurity will be taught along with the information technology associated with those environments as well as the cyber threats that affect both privacy and security there.  A curriculum that teaches not only practical skills needed to work in healthcare, but how to protect patient data and operations.  The program has included several experienced healthcare CISOs as contributing staff lending real world expertise to what they are building.  These are the type of visionary programs we need more of if we are going to close this gap in cybersecurity skills.

Mac McMillan is president and CEO of the Austin, Texas-based CynergisTek consulting firm.

 


Six Lessons From Boston Children’s ‘Hacktivist’ Attack

October 17, 2018
by David Raths, Contributing Editor
CIO Daniel Nigrin, M.D., says hospitals must prepare for DDoS and ransomware

Most health system CIOs have heard about the 2014 attack on Boston Children’s Hospital by a member or members of the activist hacker group Anonymous. The hospital was forced to deal with a distributed denial of service (DDoS) attack as well as a spear phishing campaign. Yesterday, as part of the Harvard Medical School Clinical Informatics Lecture Series, the hospital’s senior vice president and CIO Daniel Nigrin, M.D., discussed six lessons learned from the attack.

Although the cyber-attack took place four years ago, there have been some recent developments. The attack was undertaken to protest the treatment of a teenager, Justina Pelletier, in a dispute over her diagnosis and custody between her parents and the hospital. In August 2018 Martin Gottesfeld, 32, was convicted of one count of conspiracy to damage protected computers and one count of damaging protected computers. U.S. District Court Judge Nathaniel Gorton scheduled sentencing for Nov. 14, 2018. Gottesfeld was charged in February 2016. 

According to the U.S. Department of Justice, Gottesfeld launched a massive DDoS attack against the computer network of the Boston Children’s Hospital. He customized malicious software that he installed on 40,000 network routers that he was then able to control from his home computer. After spending more than a week preparing his methods, on April 19, 2014, he unleashed a DDoS attack that directed so much hostile traffic at the Children’s Hospital computer network that he temporarily knocked Boston Children’s Hospital off the Internet.

In his Oct. 17 talk, Nigrin said cyber criminals still see healthcare as a soft target compared to other industries. “The bottom line is that in healthcare, we have not paid attention to cybersecurity,” he said. “In the years since this attack, we have seen ransomware attacks that have brought hospital systems to their knees. We have to pay more attention and invest more in terms of dollars and technical people, but it really does extend to entire organizations — educating people about what a phishing attack is, what a social engineering attack is. These need to be made a priority.”

He offered six lessons learned from Boston Children’s experience:  

1. DDoS countermeasures are critical. No longer can healthcare organizations assume that DDoS attacks are things that only occur against corporate entities, he said. “Prior to this event, I had never thought about the need to protect our organization against a DDoS attack,” he said. “I will submit that the vast majority of my CIO colleagues were in the same boat. And that was wrong. I think now we have gotten this understanding.”

2. Know what depends on the internet. Having a really detailed understanding of what systems and processes in your organization depend on internet access is critical, Nigrin stressed. You also must have good mitigation strategies in place to know what to do if you lose internet access — whether it is because you have a network outage due to a technical issue or a malicious issue. “As healthcare has become more automated and dependent on technology, these things are crippling events. You have got to know how you are going to deal with it ahead of time. Figuring it out on the fly is not going to work.”

3. Recognize the importance of email. Email may be seen as old-school, Nigrin noted, but it is still the primary method to communicate, so you have to think about how you can communicate and get the word out in scenarios where you don’t have email or lose voice communication. “In our case, we were super-lucky because we had just deployed a secure texting platform, so we could do HIPAA-compliant texting, and when our email was down, that was how we communicated, and it was very effective,” he explained.

4. Push through security initiatives – no excuses anymore. Because he is a doctor himself, Nigrin feels OK picking on doctors about security. Historically they have always pushed back on security measures such as dual-factor authentication. He paraphrases them saying “Come on, Dan, that is an extra 10 seconds; I have to carry a secure ID, or you have to send me a text message on my phone. It is a pain. I don’t want to do it. I am the highest-paid employee in your organization and that is time better spent on something else.” But Nigrin argues that we can’t afford to think like that anymore. He used the Anonymous attack as an opportunity to push through four or five security initiatives within the next two to three months when he had everyone’s attention. “The platform was burning, and the board of trustees was willing to expend the money to pay for it all. They all of a sudden recognized the risk.”

5. Securing audio- and teleconference meetings. Nigrin said this topic wouldn’t have occurred to Boston Children’s until they were warned by the FBI. “The FBI told us about an attack that affected them when they were dealing with Anonymous. When Anonymous was attacking the FBI, the FBI convened internal conference calls on how to deal with it. Anonymous had already breached their messaging platform and intercepted the calendar invites that invited everyone to dial in. Anonymous basically was called into the meeting. Within 30 minutes of one of those meetings, the entire audio transcript of the conference call was posted to YouTube.” “So we took heed of that and made sure that when we had conference calls, we sent out PINs over our secure texting platform,” he said.

6. Separating signal from noise. During the attack, Boston Children’s set up a command center and told employees: if you see something, say something. “We didn’t know what attack was coming next. We were flying blind,” Nigrin said. “We started to get lots of calls into our command center with reports of things that seemed somewhat suspicious,” he remembers. People got calls on their cell phone with a recorded message saying your bank account has been compromised. Press 1 to talk to someone to deal with it. “Today we would recognize this as some type of phishing scam and hang up,” he said, “but at the time it was sort of new. People started calling us and we didn’t know if this was Anonymous trying to get into the bank accounts of our senior clinicians. Was it part of the attack? It was tough for us to detect signal from noise.”

In the Q&A after his presentation, listeners were curious about how much the incident cost the hospital. Nigrin said there were two big costs incurred: One was the technology it had to deploy in an emergent way to do DDoS protection and penetration testing. The other was revenue lost from philanthropic donations. Together they were close to $1 million.

Another person asked if the hospital had cyber insurance. Nigrin said they did, but when they read the fine print it said they were covered only if they were breached and technically they were never breached, so the insurance company was reluctant to pay. Although they eventually got compensated for a good share of it, the hospital also made sure to update its policy.

Still another attendee asked Nigrin if ransomware attacks were still targeting hospitals. He said they definitely were. “Think about community hospitals just squeaking by on their budgets,” he said. “They don’t have millions to spend, yet their data is valuable on the black market. Attackers recognize we are dead in the water as entities if we don't have these systems. We have important data and will do anything to get our systems back up and running.”

Nigrin said even large health systems can be vulnerable because some technology they deploy is run by third-party vendors who haven’t upgraded their systems. An example, he said, might be technology to record videos in the operating room setting. Some vendors, he said, are not accustomed to thinking about security. They are unable to update their software so it works on more modern operating systems. That leaves CIOs with a tough choice. “We can shut off the functionality or take the risk of continuing to use outdated and unpatched operating systems. Those vendors now have woken up and realize they have to pay more attention.”

 

 


Anthem Agrees to Record Payment—$16M—for Largest U.S. Health Data Breach

October 16, 2018
by Heather Landi, Associate Editor

Anthem, Inc., the second largest health insurance company in the U.S., has agreed to pay $16 million to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) to settle potential Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules violations in the largest U.S. health data breach in history.

In early 2015, Anthem, based in Indianapolis, was hit with a series of cyberattacks that led to an unprecedented health data breach that exposed the electronic protected health information (PHI) of almost 79 million people.

The $16 million settlement is a record HIPAA settlement that eclipses the previous high of $5.55 million paid to OCR in 2016, according to a press release from OCR. As part of the settlement, Anthem also agreed to take substantial corrective action.

Anthem is an independent licensee of the Blue Cross and Blue Shield Association operating throughout the United States and is one of the nation’s largest health benefits companies, providing medical care coverage to one in eight Americans through its affiliated health plans.  This breach affected electronic protected health information (ePHI) that Anthem, Inc. maintained for its affiliated health plans and any other covered entity health plans.

As reported by Healthcare Informatics Feb. 5, 2015, the payer announced details of the breach late Wednesday (Feb. 4) in a letter from President and CEO, Joseph R. Swedish. He said that Anthem was the target of a “very sophisticated external cyber attack.” The hackers gained access to current and former members’ names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, and income data. Anthem says that credit card and medical information, such as claims, test codes, and diagnostic codes were not compromised.”

On March 13, 2015, Anthem filed a breach report with the HHS Office for Civil Rights detailing that, on January 29, 2015, they discovered cyber-attackers had gained access to their IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack.  After filing their breach report, Anthem discovered cyber-attackers had infiltrated their system through spear phishing emails sent to an Anthem subsidiary after at least one employee responded to the malicious email and opened the door to further attacks.

According to OCR, the agency’s investigation revealed that between December 2, 2014 and January 27, 2015, the cyber-attackers stole the ePHI of almost 79 million individuals, including names, social security numbers, medical identification numbers, addresses, dates of birth, email addresses, and employment information.

“In addition to the impermissible disclosure of ePHI, OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014,” according to the OCR press release.

In the Healthcare Informatics story at the time of the breach, reported by Gabriel Perna, Anthem faced criticism from industry observers for its lack of encryption. Trent Telford, CEO of Reston, Va.-based Covata and a member of Anthem, said, at the time, that the company was irresponsible for not protecting the data.

“We do not know what they were after and we do not know what they plan to do with the data—what we do know is that they were after the data itself and it was left exposed and unsecured. The data was not encrypted making it a valuable target for thieves,” he said in a statement that was quoted in the story. “It is irresponsible for businesses not to encrypt the data. We have to assume the thieves are either in the house or are going to break in—they will always build a taller ladder to climb over your perimeter security - we must protect the data itself.”

In addition to the $16 million settlement, Anthem will undertake a robust corrective action plan to comply with the HIPAA Rules.  The resolution agreement and corrective action plan can be accessed here.

 
