Criminals use e-mails and social engineering to infiltrate random employee computers but also release more-targeted attacks known as business e-mail compromise scams.


May 9—If there is a silver lining in the increase in ransomware attacks on healthcare organizations, it’s that the rising threat has led leadership to do something about it, according to a new Internet Security Threat Report from Symantec Corp., a Mountain View, Calif.-based computer security firm.

This “ironic turn,” according to the report, stems from the realization that ransomware affects not only IT systems but also patient care, clinical operations, and billing.

“This in turn drove awareness of the issue to executive management and even boards of directors,” the report concluded. “The more dependent healthcare becomes on electronic and internet-connected systems, the less the industry can afford to be shut down for any reason. Security has become a patient care issue, due in no small part to ransomware.”

One of the highest-profile incidents occurred in February 2016, when hackers took control of computers at 434-bed Hollywood Presbyterian Medical Center in Los Angeles and demanded 40 bitcoins, equivalent to roughly $17,000 at the time, to unlock the system. The hospital gave in to the demands, with President and CEO Allen Stefanek saying it was done “in the best interest of restoring normal operations.”

More recently, criminals hit Greenway Health last month. The Carrollton, Ga.-based health IT company reported May 3 that functionality had been restored to all affected electronic health records and practice management systems.

‘Easy Money’

Online criminals have found “there was easy money to be made in healthcare,” according to the Symantec report, which was developed with data from insurance claims and the U.S. Department of Health and Human Services (HHS).

“Healthcare tends to have a lower security posture and with patient health at stake, pressure to restore data and services is high,” the report stated. “This is understood by hackers and has resulted in a number of high-profile ransom incidents in the US and abroad.”

E-mails are a common “attack vector” for cybercrimes, with 1 in 204 healthcare-services e-mails containing some type of malware, Symantec reports, up from 1 in 396 in 2015. There are clues to watch out for. The word “invoice,” for example, appeared on the subject line of 26 percent of malware spam in 2016.

While some of these scams cast a wide net and seek to infiltrate via the computer of a random unknowing or careless employee, business e-mail compromise scams seek bigger targets and have come to be known as “whaling.” In these scams, criminals study an organization and its finance work flow. They then send malware-containing e-mails to finance department employees while posing as the CFO or CEO.
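The whaling pattern described above can be checked for at the mail-header level. The following is an added example, not code from the article or from Symantec's report; the internal domain, executive names and the sample message are constructed for illustration.

```python
# Added example, not from the article or Symantec's report: header heuristics
# for the "whaling" pattern (a message posing as the CFO/CEO to finance staff,
# often with "invoice" in the subject). Names, domains and sample are constructed.
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-hospital.test"   # assumed internal mail domain
EXECUTIVES = {"jane doe", "john roe"}  # assumed executive directory (lower-case)
FINANCE_WORDS = ("invoice", "payment", "wire transfer")


def whaling_indicators(raw_message: str) -> list[str]:
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    hits = []
    # An executive's name in the display field, but sent from outside the org.
    if display.strip().lower() in EXECUTIVES and not addr.lower().endswith("@" + ORG_DOMAIN):
        hits.append("executive name from external domain")
    # Replies quietly redirected to a mailbox the sender controls.
    if reply_to and reply_to.lower() != addr.lower():
        hits.append("reply-to differs from sender")
    if any(w in msg.get("Subject", "").lower() for w in FINANCE_WORDS):
        hits.append("finance keyword in subject")
    # The attachment is the malware delivery point described in the article.
    if any(part.get_filename() for part in msg.walk()):
        hits.append("attachment present")
    return hits


def is_probable_whaling(raw_message: str) -> bool:
    # Impersonation plus at least one supporting indicator.
    hits = whaling_indicators(raw_message)
    return "executive name from external domain" in hits and len(hits) >= 2


# Constructed sample: external sender borrowing the CFO's name, invoice lure, PDF.
SAMPLE = """\
From: Jane Doe <jane.doe@webmail-example.test>
Reply-To: jane.doe.cfo@other-example.test
To: accounts.payable@example-hospital.test
Subject: Urgent invoice for approval
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

JVBERi0x
--b1--
"""
```

Run as a mail-gateway or SIEM enrichment step, the indicator list gives the finance team's reviewers the reason a message was held rather than a bare score.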

Report co-author David Finn describes these techniques as “social engineering.”

“E-mail is a huge delivery tool,” Finn said in an interview, and the e-mails are designed to look like they could be expected from someone the recipient may know.

Rod Piechowski, senior director of health information systems for the Healthcare Information and Management Systems Society, agreed.

“As in other sectors, a healthcare organization can have excellent network perimeter defenses, but if someone inside falls for a phishing attack, it opens the door to ransomware,” Piechowski said in an e-mail. He added that ransomware attacks on healthcare organizations grab people’s attention “because it’s hard to believe someone would deliberately attack an organization” responsible for people’s lives.

Foreign criminals hit the United States because U.S. organizations are more likely to pay, Finn said. Globally, about 34 percent of victims pay the ransom, but that share rises to 64 percent in the United States, he said. Average ransom demands have shot up to $1,077 in 2016 from $294 in 2015.

“We have more money, we don’t like to be delayed, and we don’t do security well,” Finn said.

More Threats Detected

The report did note that security is improving, with the number of ransomware detections increasing to 463,000 in 2016 from 340,000 in 2015. By the end of 2016, average daily detections of ransomware increased to 1,539, from 846 at the beginning of the year.

“We’ve seen a decline in sophisticated attacks, and the bad guys now use everyday tools,” Finn said. “They’re using stuff that wouldn’t catch a security person’s eyes.”

Cyberattack via medical devices is a growing concern, the report stated.

“We have no evidence that medical devices have been targeted with the goal to harm a patient,” Finn and his co-author, Axel Wirth, wrote in the report. “But they are recognized as the weak spot in a hospital’s defenses and an easy entry point for an attack.”

Staffing for cybersecurity has increased, according to the Symantec report, but “unfortunately, head count is only half the problem; skills and experience are vital as well.”

Michael Ebert, cyber leader for healthcare life sciences at KPMG, agreed.

KPMG is preparing its own cybersecurity report, which will be released in a few months, and Ebert said more than 50 percent of healthcare organizations are understaffed and have no plans to hire additional cybersecurity staff.

Issues plaguing healthcare organizations include a reluctance to trust third-party security partners and a reliance on technology instead of staff.

“Clients have bought technology, but they haven’t implemented it or hired staff to run it,” Ebert said in an interview. “But they tell their board, ‘We bought X.’”

Sometimes the main operator of a security system leaves an organization, and no one left on staff knows how to run it, Ebert said.

“There is an emphasis on technology and processes, but not people,” Ebert said. “You need all three.”

A Holistic Approach

Rapid consolidation has led to uneven security coverage. Ebert recalled a client consisting of four entities that had merged in the past eight years. A criminal attempted to infiltrate two of their systems with a ransomware “bot” embedded in a PDF file. It was instantly blocked by one system but got in through another.

An HHS report on cybersecurity, mandated by the Cybersecurity Act of 2015, is set to be released soon. An advance copy was leaked to Politico, which reported that recommendations will include a phase-out of old IT systems, similar to how 2009’s “Cash for Clunkers” program was aimed at stimulating the economy while putting more fuel-efficient cars on the road.

While not commenting specifically on the report, Ebert stressed that action is needed.

“I don’t have a client who hasn’t been hit,” Ebert said, but he noted that health care’s small margins don’t leave much room for hiring cybersecurity staff. “Health care is dramatically behind everyone else.”

Ebert said the industry could still do a better job by implementing more-restrictive access privileges and better monitoring who is logging into the system. He added that “you can’t stop stupid,” but awareness training is key.

This approach was echoed by Piechowski, who called on healthcare organizations to embrace the “holistic security” concept wherein everyone on staff plays a part, receives training, and participates in mock exercises that reveal an organization’s security soft spots.

“Everyone is involved and responsible, regardless of their role in an organization,” he said. “While ransomware is still in a growth phase, we should not forget that it is just one type of threat and others are growing as well. A solid security program, supported by the entire organization from the top down, is key.”


Andis Robeznieks is a freelance writer based in Chicago. Follow Andis on Twitter at @AndisRobeznieks.

Publication Date: Wednesday, May 10, 2017