A 77-bed hospital in Indiana fell victim to a ransomware attack on April 4 via an ordinary-looking email sent to a clinical worker’s Outlook inbox. The worker opened the email and inadvertently released the malware. Recognizing something was wrong, the worker notified the IT department, which immediately shut down all of the hospital’s computer systems, including its electronic health record system.
The EHR system was not affected by the malware even though it was open on the infected computer. But the attack forced the hospital to go without e-mail and use paper to document patient encounters until the system’s corrupted files could be deleted and replaced. (“Ransomware scare: Will hospitals pay for protection?” Modern Healthcare, April 9, 2016)
The recent ransomware attacks have hospitals trying to decide whether to pay now to fortify IT systems or risk paying criminals to unfreeze their data. In the case of the Indiana hospital, a spokesperson said the organization had a backup and had added some security software to monitor its systems. It paid no ransom.
The email, one of several that made it past the hospital’s firewall, unleashed a virus that encrypted files on the worker’s computer hard drive and connected to a server. A window then popped up giving instructions and links to retrieve a key to unlock the files.
Something similar has happened in several hospitals in recent weeks, including six in the last month. MedStar, a much larger and more sophisticated organization than the hospital in Indiana, had its computer systems disabled.
Hospitals are seeking protection from a variety of sources, including legal services, security consultants, training, systems testing, cyber insurance, security software that runs on and defends computer systems, and remote-hosted software and services. The latter can include fully staffed security operations centers that provide computerized and human watchdogs on the lookout for cyber threats 24/7. (“Ransomware scare: Will hospitals pay for protection?” Modern Healthcare, April 9, 2016)
Locky and Samas—Newest Ransomware
Locky and Samas, the newest in ransomware, have been used this year against healthcare organizations, according to a March 30 threat alert by the U.S. Department of Homeland Security and the Canadian Cyber Incident Response Centre.
Locky uses e-mail as a vector. It deploys a virus hidden in a document that, when opened by an unwitting e-mail recipient, launches other software that moves through an infected computer system, scrambling computer files with near-bulletproof encryption, then posts a demand that the victim pay a ransom to the hackers.
Its signature, the .Locky extension, attaches to the data files it encrypts. It was Locky that struck the hospital in Indiana.
Samas uses vulnerabilities in an organization’s Web servers. According to the federal alert, the server of an unnamed healthcare organization was compromised this year by Samas, which uploaded ransomware that infected its network.
According to the Associated Press, Samas was likely the virus that attacked MedStar Health in late March. MedStar’s Georgetown University Hospital in Washington and other facilities were affected, forcing clinicians to return to paper record-keeping and knocking out at least some of its computer systems for more than a week. (MedStar has not commented about the nature of its attack.) (“Ransomware scare: Will hospitals pay for protection?” Modern Healthcare, April 9, 2016)
Cyber security experts cannot yet identify who is behind the latest ransomware attacks. However, they warn that these are not amateurs, but well-trained professionals. One security software developer estimated that ransomware was yielding $33,000 a day, and that amount is probably climbing significantly each day.