Hospitals remain key targets as ransomware attacks expected to increase
The British National Health Service was attacked with "WannaCry" ransomware.
— -- The massive cyberattack this weekend that used “Wannacry” ransomware to infiltrate hundreds of thousands of computers has left organizations around the world – including medical care providers – on high alert.
The attack on the British National Health Service that affected 16 hospitals became the most visible and frightening symbol of the attack, after several patients were sent to other hospitals and surgeries were canceled. While the scale of this weekend’s attack has been massive, authorities say it is just part of what will be a continuing pattern of ransomware attacks.
Last year, multiple medical facilities in the U.S. were targeted in different attacks, with some paying thousands of dollars to recover their files. The hackers used ransomware to encrypt data, lock computers and hold the information for ransom payments.
In April 2016, the FBI published a ransomware explainer that mentioned recent attacks on U.S. hospitals, along with school districts, state and local governments, and law enforcement agencies.
"During 2015, law enforcement saw an increase in these types of cyber attacks, particularly against organizations because the payoffs are higher," FBI officials wrote.
Hospitals can be especially vulnerable, since their networks are rarely offline, according to Mark Burnette, a cyber-security expert and shareholder at the LBMC Information Security, which specializes in healthcare security.
"For hospitals to maintain their systems, they need to have a planned down time," Burnette explained. "You have to reboot a system ... It's difficult for hospitals to justify a lot of planned down time."
As a result of being unable to easily update and reboot their systems, hospitals may put off updating vulnerable software. The most recent attack, using a form of ransomware called "WannaCry" that was discovered by the National Security Agency, targeted a specific vulnerability in Microsoft Windows.
Microsoft released a patch for this vulnerability in March, but networks that had neglected to upgrade their systems were still vulnerable to attack.
Burnette said that hospitals are valued targets since they are seen as "treasure trove of information."
"You have Personal ID info, like social security numbers or home addresses or bank acct info, then you have protected health info, which is HIPAA data, and then you've got cardholder data," he said.
Hospitals are increasingly attempting to "harden" their systems by discarding unneeded software that would make systems more vulnerable, Burnette said. Hardening systems and creating more separation between systems can create additional levels of security, so that if the network is compromised, it doesn’t affect every computer or device on that network.
"Hardening a system can be described as turning off unnecessary services and capability so they are not available to be targeted," Burnette said. He explained that if a system is supposed to work as a file server, the IT department can remove other software like email and web browsers that would make it more vulnerable to be hacked.
But, Burnette said hospitals are particularly vulnerable because many haven’t yet completed those steps. They also typically have open networks where "everything is accessible to everything else on the network."
"You take systems that are similar and put them in certain segments of network and put in security rules," so only stuff that needs to get in, gets in, Burnette said.
He said an increasing number of healthcare providers are becoming aware of the risks and trying to take action.
The FBI has advised a multi-pronged approach to battling hackers including implementing software restriction policies, backing up data regularly, patching operating systems and restricting access to certain key files or directories.
“There’s no one method or tool that will completely protect you or your organization from a ransomware attack,” said FBI Cyber Division Assistant Director James Trainor in the statement. “But contingency and remediation planning is crucial to business recovery and continuity — and these plans should be tested regularly.”