Ransomware: The Secret is Out, Healthcare is Vulnerable Rod Piechowski, MA Senior Director, HIS, HIMSS

Ransomware: The Secret is Out,

Healthcare is Vulnerable

Rod Piechowski, MA

Senior Director, HIS, HIMSS

Speaker has no real or apparent conflicts of interest

Learning Objectives
• Identify the types and sources of ransomware
• Discuss the challenges presented to healthcare organizations
• Review ways to address the risks of ransomware

Why is Healthcare Vulnerable?
• Adoption of digital records
• Antiquated systems
• Ease of exchanging ePHI
• Heterogeneous networks
• Rapidly evolving threat landscape

Source: KPMG 2015 Cyber Healthcare Survey

Greatest Vulnerabilities
• 65% - External attacks
• 48% - Sharing data with third parties
• 35% - Employee breaches and theft
• 35% - Wireless computing
• 27% - Inadequate firewalls

Source: KPMG 2015 Cyber Healthcare Survey

Top Information Security Concerns
• 67% - Malware infections
• 57% - HIPAA violations / compromised data
• 40% - Internal vulnerabilities
• 32% - Medical device security
• 31% - Aging hardware

Source: KPMG 2015 Cyber Healthcare Survey

Prepared to Defend

66% Payers

53% Providers

Source: KPMG 2015 Cyber Healthcare Survey

Security a Board-Level Topic?

89% Payers

85% Providers

Source: KPMG 2015 Cyber Healthcare Survey

Attack Frequency
• 81% have been attacked in last year
  – Others are either secure, or:
  – Not willing to admit attack, or:
  – Don’t know they’ve been compromised

Source: KPMG 2015 Cyber Healthcare Survey

Malware Threats
• Viruses
• Worms
• Spyware
• Adware
• Rootkits
• Trojan Horse
• Keyloggers
• Scareware
• Ransomware

Ransomware
• Relatively new
• Blocks ability to use computer
• Encrypts data
• Demands ransom to decrypt data
• Payment in bitcoin
• Increasing sophistication
  – Cryptolocker
  – Cryptowall (improved version of CryptoDefense)
  – Locky
  – CTB Locker

Subtle Signs of Infection

Cryptolocker

FBI Ransomware (Credit: Corero Network Security)

Hydracrypt (Credit: Cyberwarzone)

PRISM (credit: Thrive Networks)

Noteworthy Incidents (past month)
• Hollywood Presbyterian Medical Center
  – Ransomware attack
  – Paid $17,000 in bitcoin to decrypt files
• Lukas Hospital, Neuss, Germany
  – Computers, servers, email affected
• Klinikum Arnsberg, Germany
  – Only one server affected
  – Caught and restored in time
• Los Angeles County Health Department
  – Five computers, no damage to patient data

How does it get into systems?

Primary Entry Points Include:
• Fake virus detectors
• Fake updates of real software
• Flash
• Silverlight
• Word documents with macros
• Spoofed emails
• Attachments

Primary Enablers:
• Employees
• Habit
• Play on emotions:
  – Greed
  – Humor
  – Social interaction
  – Sense of community
• Lack of security focus throughout enterprise

Obstacles
• Source difficult to trace
• Will they actually unlock the data?
• Even after decrypt, ransomware may remain (back for more?)
• Backups may be infected
• Becoming well-funded
• Cost of entry low / reward high
• Paying encourages activity
• Easy access to “kits”
• Most attacks generated remotely

New Variants: Locky
• Email appears to be a company invoice
• Word Document with Macros
• Mid February was spreading at 4,000 infections / hour

The Hacker News
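
Added example (not part of the original slides): a mail-gateway style check for the delivery method above, a Word attachment carrying macros. It classifies an attachment by its content rather than its file name; the function names, the hold policy and the sample documents are constructed for illustration.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 container used by binary .doc/.xls/.ppt files.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

def classify_attachment(data: bytes) -> str:
    """Classify attachment bytes by content, ignoring the claimed file name."""
    if data.startswith(OLE_MAGIC):
        # Binary Office format: may carry macros; needs an OLE parser to be sure.
        return "legacy-ole"
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):
        return "other"
    try:
        with zipfile.ZipFile(stream) as zf:
            parts = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "other"  # damaged archive: not something Word would open as OOXML
    if "[content_types].xml" not in parts:
        return "other"  # a zip archive, but not an Office Open XML package
    # A VBA project is stored as a vbaProject.bin part inside the package.
    if any(p.rsplit("/", 1)[-1] == "vbaproject.bin" for p in parts):
        return "ooxml-with-vba"
    return "ooxml-no-vba"

def should_hold(data: bytes) -> bool:
    """Hypothetical gateway policy: hold anything that can carry macros."""
    return classify_attachment(data) in ("ooxml-with-vba", "legacy-ole")

def make_sample_ooxml(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML-shaped zip in memory (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    samples = {
        "invoice (macro-enabled)": make_sample_ooxml(True),
        "invoice (no macro)": make_sample_ooxml(False),
        "legacy .doc header": OLE_MAGIC + b"\x00" * 16,
    }
    for label, blob in samples.items():
        print(f"{label}: {classify_attachment(blob)} hold={should_hold(blob)}")
```
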

The Hacker News

BleepingComputer tracked 17K infections in one hour

New Variants: Locky
• Encrypts almost all file formats
• Seeks out network and mapped drives to encrypt
• Seeks out network BACKUP files to encrypt
• Affected files have .locky extension
• Seeks between $200 and $800 in bitcoins

The Hacker News
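
Added example (not part of the original slides): an incident-scoping sketch that walks a mounted share, counts files with the .locky extension per directory, and reports the earliest modification time among them as a rough indicator of when encryption began. It assumes file modification times were not altered; the function names, sample paths and timestamps are constructed.

```python
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone

def triage_marker_files(root, marker_ext=".locky"):
    """Summarise files under `root` whose names end in the ransomware extension."""
    per_dir, earliest, scanned = Counter(), None, 0
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            scanned += 1
            if not fname.lower().endswith(marker_ext):
                continue
            try:
                mtime = os.stat(os.path.join(dirpath, fname)).st_mtime
            except OSError:
                continue  # file vanished or became unreadable mid-scan
            per_dir[os.path.relpath(dirpath, root)] += 1
            earliest = mtime if earliest is None else min(earliest, mtime)
    first = None
    if earliest is not None:
        first = datetime.fromtimestamp(earliest, timezone.utc).isoformat()
    return {"scanned": scanned, "hits": sum(per_dir.values()),
            "by_directory": dict(per_dir), "first_hit_utc": first}

def build_sample_tree(base):
    """Create a constructed directory tree standing in for a mapped share."""
    layout = {  # relative path -> modification time (epoch seconds, constructed)
        "shared/report.docx.locky": 1455667200,  # 2016-02-17 00:00:00 UTC
        "shared/budget.xlsx.locky": 1455667260,
        "shared/notes.txt": 1455000000,
        "backups/db.bak.locky": 1455667500,
        "backups/old.bak": 1454000000,
    }
    for rel, mtime in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(path, (mtime, mtime))
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(triage_marker_files(build_sample_tree(tmp)))
```

Hits under a backup directory mean that backup set was reachable from the infected host; a restore point should predate `first_hit_utc`.
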

New Variants: CTB Locker
• One version is designed for servers
• Attacks websites
• Replaces the index.php or index.html page

The Hacker News

The Hacker News

New Variants: CTB Locker
• Offers free decryption of two files
  – 'Congratulations! TEST FILES WAS DECRYPTED!!'
• Chat with the criminals about your files
• Files added as part of the package known by researchers
• Three servers used are known
• Payment in bitcoin

The Hacker News

New Variants: CTB Locker
• Another version for Windows
• Uses stolen authentication certificates
• Easier to recover from with good backups

The Hacker News

What to do?
• Backups
• Consider third party backups
• Dedicated security team/department
• Security is enterprise initiative
• Educate employees
• The Internet of Things opens many doors to attacks
  – Medical devices
  – Specific attacks customized for healthcare
• Address any software/hardware vulnerabilities
• Contact law enforcement / FBI

“The healthcare sector is the most targeted yet underprepared genre within our Nation’s critical infrastructures.” – ICIT “Hacking Healthcare IT in 2016”

Thank you!

Rod Piechowski, MA Senior Director, HIS, HIMSS
