
Post on 20-Jul-2020



Ransomware: The Secret is Out, Healthcare is Vulnerable

Rod Piechowski, MA

Senior Director, HIS, HIMSS

Speaker has no real or apparent conflicts of interest

Learning Objectives • Identify the types and sources of ransomware • Discuss the challenges presented to healthcare organizations • Review ways to address the risks of ransomware

Why is Healthcare Vulnerable? • Adoption of digital records • Antiquated systems • Ease of exchanging ePHI • Heterogeneous networks • Rapidly evolving threat landscape

Source: KPMG 2015 Cyber Healthcare Survey

Greatest Vulnerabilities • 65% - External attacks • 48% - Sharing data with third parties • 35% - Employee breaches and theft • 35% - Wireless computing • 27% - Inadequate firewalls

Source: KPMG 2015 Cyber Healthcare Survey

Top Information Security Concerns • 67% - Malware infections • 57% - HIPAA violations / compromised data • 40% - Internal vulnerabilities • 32% - Medical device security • 31% - Aging hardware

Source: KPMG 2015 Cyber Healthcare Survey

Prepared to Defend

66% Payers

53% Providers

Source: KPMG 2015 Cyber Healthcare Survey

Security a Board-Level Topic?

89% Payers

85% Providers

Source: KPMG 2015 Cyber Healthcare Survey

Attack Frequency • 81% have been attacked in the last year

– The remaining 19% are either secure, not willing to admit an attack, or don't know they've been compromised

Source: KPMG 2015 Cyber Healthcare Survey

Malware Threats • Viruses • Worms • Spyware • Adware • Rootkits • Trojan Horse • Keyloggers • Scareware • Ransomware

Ransomware • Relatively new • Blocks ability to use the computer (locker variants) • Encrypts data (crypto variants) • Demands ransom to decrypt data • Payment in bitcoin • Increasing sophistication

– Cryptolocker – Cryptowall (improved version of CryptoDefense) – Locky – CTB Locker

Subtle Signs of Infection (ransom screens shown on the slides) • Cryptolocker • FBI Ransomware (credit: Corero Network Security) • Hydracrypt (credit: Cyberwarzone) • PRISM (credit: Thrive Networks)

Noteworthy Incidents (past month) • Hollywood Presbyterian Medical Center

– Ransomware attack – Paid $17,000 in bitcoin to decrypt files

• Lukas Hospital, Neuss, Germany – Computers, servers, email affected

• Klinikum Arnsberg, Germany – Only one server affected – Caught and restored in time

• Los Angeles County Health Department – Five computers, no damage to patient data

How does it get into systems?

Primary Entry Points Include: • Fake virus detectors (scareware) • Fake updates of real software • Drive-by exploits against browser plug-ins (Flash, Silverlight) • Word documents with macros • Spoofed emails • Malicious attachments

Primary Enablers: • Employees • Habit • Play on emotions:

– Greed – Humor – Social interaction – Sense of community

• Lack of security focus throughout enterprise
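The macro-bearing "invoice" attachment is the one entry point above that a mail gateway can check mechanically. The following added Python example (not part of the talk, standard library only) parses a constructed e-mail, classifies each Office attachment by whether its OOXML container carries a `vbaProject.bin` VBA project, and flags the common lure of a `.doc` file name on what is really a zip-based document. The sender, recipient and file names are constructed for the demo; legacy OLE (`.doc`/`.xls`) files are only identified, not parsed, because macro extraction from OLE needs a proper parser such as oletools.

```python
"""Flag e-mail attachments that carry Office macros (added example; sample e-mail is constructed)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Member names Office uses for the VBA project inside zip-based (OOXML) documents.
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls/.ppt header


def office_macro_verdict(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole' (legacy format, needs an OLE parser) or 'other'."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data[:4] != b"PK\x03\x04":
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "other"
    if "[Content_Types].xml" not in names:      # a zip, but not an Office package
        return "other"
    return "ooxml-macro" if any(m in names for m in MACRO_MEMBERS) else "ooxml-clean"


def build_docm(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for the demo (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


def build_sample_email() -> bytes:
    """Constructed lure: an 'invoice' with a macro, plus a clean attachment for contrast."""
    msg = EmailMessage()
    msg["From"] = "Accounts Payable <ap@example-vendor.test>"
    msg["To"] = "billing@hospital.test"
    msg["Subject"] = "ATTN: unpaid invoice"
    msg.set_content("Please see the attached invoice and remit payment.")
    # A zip-based document wearing a legacy .doc name: the extension lies about the format.
    msg.add_attachment(build_docm(True), maintype="application",
                       subtype="msword", filename="invoice.doc")
    msg.add_attachment(build_docm(False), maintype="application",
                       subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                       filename="terms.docx")
    return msg.as_bytes()


def scan_email(raw: bytes) -> list:
    """Return one finding per attachment; 'block' is the gateway decision."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "<unnamed>"
        verdict = office_macro_verdict(data)
        ext_mismatch = name.lower().endswith((".doc", ".xls")) and verdict.startswith("ooxml")
        findings.append({"filename": name, "verdict": verdict, "ext_mismatch": ext_mismatch,
                         "block": verdict == "ooxml-macro" or ext_mismatch})
    return findings


if __name__ == "__main__":
    for finding in scan_email(build_sample_email()):
        print(finding)
```

In a real gateway the `ole` verdict should be handed to an OLE-aware parser rather than passed through, and the policy decision (block, quarantine, strip macros) belongs to the organisation; the point here is that the container itself reveals the macro, regardless of what the file name claims.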

Obstacles • Source difficult to trace • Will they actually unlock the data? • Even after decryption, the ransomware may remain (and come back for more) • Backups may be infected or encrypted too • Attackers are becoming well-funded • Cost of entry low, reward high • Paying encourages more activity • Easy access to ransomware "kits" • Most attacks are launched remotely

New Variants: Locky • Email appears to be a company invoice • Word document whose macro fetches and runs the payload • In mid-February 2016 it was spreading at about 4,000 infections per hour

Source: The Hacker News

BleepingComputer tracked 17,000 infections in one hour

New Variants: Locky • Encrypts almost all file formats • Seeks out network and mapped drives to encrypt • Seeks out network BACKUP files to encrypt • Affected files are renamed with a .locky extension • Demands between $200 and $800 in bitcoin

Source: The Hacker News
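The Locky behaviour listed above (mass renames to a `.locky` extension, reaching across mapped drives into backup files) is visible in file-share audit logs long before a user reports a ransom note. The following added Python example (not from the talk) runs a sliding-window detector over constructed audit records: it counts renames to a ransom extension per user within 60 seconds, raises an alert when the count crosses a threshold, and calls out any backup files swept up in the burst. The audit-line format is a constructed one; map a real source (Windows file-system auditing, NAS audit logs, EDR file events) onto it, and tune the threshold to the share's normal churn.

```python
"""Detect Locky-style mass renames on a file share (added example; audit records are constructed)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_EXTS = {".locky", ".encrypted", ".crypt"}          # extend with current indicators
BACKUP_EXTS = {".bak", ".bkf", ".vhd", ".vhdx", ".vbk"}   # backup formats that deserve a louder alarm
WINDOW = timedelta(seconds=60)
THRESHOLD = 20   # ransom-extension renames per user per window; tune to normal activity


def file_ext(path: str) -> str:
    """Lower-cased extension of a UNC or local path, '' if none."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return "." + name.rsplit(".", 1)[1].lower() if "." in name else ""


def parse(line: str):
    """Constructed format: '<ISO time> <user> <ACTION> <path>[ -> <new path>]'."""
    ts, user, action, rest = line.split(" ", 3)
    old, new = rest.split(" -> ", 1) if action == "RENAME" else (rest, None)
    return datetime.fromisoformat(ts), user, action, old, new


def detect(lines) -> list:
    """Return one alert per user whose ransom-extension renames exceed THRESHOLD in WINDOW."""
    recent = defaultdict(deque)   # user -> deque of (time, original path)
    alerts = {}
    for line in lines:
        t, user, action, old, new = parse(line)
        if action != "RENAME" or file_ext(new) not in RANSOM_EXTS:
            continue
        q = recent[user]
        q.append((t, old))
        while q and t - q[0][0] > WINDOW:     # drop events that fell out of the window
            q.popleft()
        if len(q) < THRESHOLD:
            continue
        a = alerts.setdefault(user, {"user": user, "first": q[0][0], "backup_files": set()})
        a["count"] = len(q)                   # keep updating while the burst continues
        a["last"] = t
        a["backup_files"] |= {p for _, p in q if file_ext(p) in BACKUP_EXTS}
    return list(alerts.values())


def make_sample_log() -> list:
    """Constructed records: a nurse's normal activity plus one infected workstation's burst."""
    base = datetime(2016, 2, 17, 9, 0, 0)
    lines = [f"{(base + timedelta(seconds=i * 5)).isoformat()} hospital\\nurse1 WRITE "
             f"\\\\fs01\\radiology\\chart{i}.docx" for i in range(10)]
    lines.append(f"{(base + timedelta(seconds=3)).isoformat()} hospital\\nurse1 RENAME "
                 "\\\\fs01\\radiology\\draft.docx -> \\\\fs01\\radiology\\final.docx")
    # Infected workstation: 24 renames in 24 seconds, the last one a network backup file.
    for i in range(24):
        t = (base + timedelta(seconds=20 + i)).isoformat()
        src = f"\\\\fs01\\radiology\\report{i}.docx"
        if i == 23:
            src = "\\\\fs01\\backups\\pacs_weekly.bak"
        lines.append(f"{t} hospital\\jdoe RENAME {src} -> \\\\fs01\\radiology\\{i:016X}.locky")
    return sorted(lines)   # ISO timestamps sort chronologically as strings


if __name__ == "__main__":
    for alert in detect(make_sample_log()):
        print(alert["user"], alert["count"], sorted(alert["backup_files"]))
```

The response to such an alert is to disable the offending account and disconnect its workstation from the share, since every additional second of the burst is more files to restore; a rename-rate detector is deliberately extension-agnostic at its core, so a second rule on "many renames where the new name has a single unfamiliar extension" catches variants before their extension is on any list.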

New Variants: CTB Locker • One version is designed for web servers • Attacks websites, replacing the site's index.php or index.html with the ransom page

Source: The Hacker News
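A web-server variant that swaps out `index.php` or `index.html` is exactly what a file-integrity baseline catches, and the same baseline also shows the extra files such a package drops. The following added Python example (not from the talk, standard library only) hashes a web root, stores the result as the baseline, and reports modified, added and removed files after a constructed takeover, with changes to landing-page files promoted to "critical". The web root, its contents and the dropped file name are constructed in a temporary directory for the demo.

```python
"""File-integrity baseline for a web root (added example; the web root below is constructed)."""
import hashlib
import tempfile
from pathlib import Path

# Files whose replacement usually means the site, not just a page, has been taken over.
CRITICAL = {"index.php", "index.html", ".htaccess"}


def sha256_file(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Map of relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(base: dict, current: dict) -> dict:
    """Diff two baselines; 'critical' lists landing-page files that were changed or added."""
    modified = sorted(k for k in base if k in current and base[k] != current[k])
    added = sorted(k for k in current if k not in base)
    removed = sorted(k for k in base if k not in current)
    critical = sorted(k for k in modified + added if Path(k).name in CRITICAL)
    return {"modified": modified, "added": added, "removed": removed, "critical": critical}


def demo() -> dict:
    """Build a constructed web root, baseline it, simulate the takeover, and diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php echo 'clinic portal'; ?>")
        (root / "css").mkdir()
        (root / "css" / "site.css").write_text("body { margin: 0 }")
        base = baseline(root)

        # Constructed takeover: landing page replaced, a note dropped, a stylesheet gone.
        (root / "index.php").write_text("<html>Your files are encrypted</html>")
        (root / "note.html").write_text("<html>Contact us to decrypt</html>")
        (root / "css" / "site.css").unlink()
        return compare(base, baseline(root))


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

The baseline only has value if the attacker cannot rewrite it: keep it (or a signed copy of it) off the web server, recompute from a read-only deployment artifact where possible, and treat a non-empty `critical` list as an incident rather than a ticket.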

New Variants: CTB Locker • Offers free decryption of two files

– 'Congratulations! TEST FILES WAS DECRYPTED!!' • Chat with the criminals about your files • The files dropped as part of the package are known to researchers • The three servers used are known • Payment in bitcoin

Source: The Hacker News

New Variants: CTB Locker • Another version for Windows • Uses stolen authentication certificates • Easier to recover from with good backups

Source: The Hacker News

What to do? • Backups • Consider third party backups • Dedicated security team/department • Security is enterprise initiative • Educate employees • The Internet of Things opens many doors to attacks

– Medical devices – Specific attacks customized for healthcare

• Address any software/hardware vulnerabilities • Contact law enforcement / FBI

“The healthcare sector is the most targeted yet underprepared genre within our Nation’s critical infrastructures.” – ICIT “Hacking Healthcare IT in 2016”

Thank you!

Rod Piechowski, MA Senior Director, HIS, HIMSS

rpiechowski@himss.org