When one considers fiction about hackers, it is easy to see a typical villain lurking in the basement, threatening people and companies, and generally acting menacing. The Dark Overlord (TDO), for instance, has a name and mode of operating that sounds like something straight out of modern-day cyber thriller. TDO as one example has been getting a lot of press lately, mostly because TDO is stealing information people want to keep hidden and then, unlike other hackers, being very vocal about it. Recently this mysterious figure (or figures) even took yet-to-be-released episodes of a favorite show on Netflix and released them on the dark web.
The previously mentioned antics had little to do with healthcare, except the patients and workers that wanted to watch “Orange is the New Black.” However, there is an impact from even this one incident that should have healthcare IT professionals paying attention. For one, this shows that TDO is not nearly as worried about making money as they are about calling out poor security practices and embarrassing their victims in the most public way they can.
The biggest and most obvious reason that healthcare IT professionals should pay attention are the most recent activities for which TDO is gaining recognition. Why? Because in mid-2016 TDO stole around 180,000 individual patient health records from several small healthcare providers. Almost immediately TDO contacted the hospitals and demanded a ransom if they wanted to protect their files. Because none of the affected organizations were willing to be extorted in this manner, TDO released these records to the public earlier this month.
Extortion for Data is the New Kidnapping
No surprise, attackers are using extortion for financial gain and notoriety, and, unfortunately, the tactics seem to be working. Ransomware, which is just automated extortion, is on the rise year over year. Just this last weekend there was a major ransomware outbreak called WannaCry, which you can read more about here, here and here. If you look at the latest Internet Security Threat Report (ISTR) from Symantec, you will see that ransomware attacks increased 36% in 2016 in addition to the average ransom increasing from $294 in 2015 to $1,077 in 2016.
We see from the above statistics that ransomware infections are increasing at the same time as demands to decrypt the data are rising too. TDO has just taken this to a new level and is using a slightly different approach. Both attacks have similar results: a breach, public awareness of the offense, and a significant loss to the victim. The loss an organization suffers can come in the form of a monetary fine from a regulatory body (such as the Office for Civil Rights) for having a breach, loss of time and operational abilities, and reputational damage after the breach is identified and publicized.
What Can Healthcare Do?
These attacks are only possible because of human mistakes and poor security controls. If an organization wants to better protect themselves from extortion-based attacks, they need to do several things. All of the actions that will help mitigate the threat of these types of attacks are in the Center for Internet Security (CIS) top 20 critical controls. When an organization maintains a strong information security program and implements controls uniformly, they can markedly reduce the attacker's ability to be successful.
But, what about the human factor? People are the vector that most of these attacks use to gain control of an organization's sensitive data. Typically, ransomware or attacks like those carried out by TDO are initiated through social engineering. Meaning that someone in your organization fell for a scam, clicked a link, downloaded a file, or carried out some other insecure action that allowed the malicious code or attacker to access the target data. These issues are just further evidence that the current models of user awareness training are not as effective as they need to be.
Implementing awareness training is a big job, bigger than any one organization. Fortunately, there are several consortiums out there working to improve the situation. SANS Institute has its Securing the Human program available, and it is widely regarded as the industry leading solution. The SANS program includes all the training, tools, and extensive guidance needed to support security awareness programs.
OWASP (the Open-Source Web Application Project) has started work on their user awareness training project as well as several projects for developers and security professionals. On the OWASP project portal there are several applicable projects such as the OWASP Security Shepard program for IT pros, and the OWASP Top 10 project that is key to awareness training for developers and web administrators.
Despite the seemingly farcical nature of the recent actions of TDO, the threat this entity and the rest of the criminal world poses to modern healthcare organizations is as real as it gets. Ensuring that users are aware of risks and know how to act in a secure manner will take your organization a long way toward being safer. Also, making sure the necessary controls (CIS Top 20) are assessed and implemented will take security to an even greater level. Finally, it’s crucial to have a plan in case of an extortion demand, and have offline backups and a recovery plan in place so these criminals can’t easily take advantage of you and your organization.
John Nye has spent nearly a decade in information security which includes time with the U.S. Army, CSG International, Peter Kiewit and Sons, First Data Corp, and KPMG LLP before joining CynergisTek. John has been working exclusively as a professional penetration tester for the last four years and has presented at numerous local conferences for developers and other IT professionals.