Friday, February 19, 2016

So That's What Bitcoin Is For

The tech, law enforcement, and privacy worlds are abuzz with the recent decision by Apple to refuse to help the FBI crack the security on an iPhone, even though the iPhone in question belonged to an alleged terrorist/mass murderer.  As fascinating and important as that story is, I was even more interested in another cybersecurity story, about a hospital paying ransom to hackers in order to regain access to its own computer systems.

This was not the first such occurrence, and it won't be the last.

In early February, Hollywood Presbyterian Medical Center found itself locked out of its computer and electronic communication systems, along with a demand for ransom.  The hackers apparently didn't steal anything, but, rather, encrypted the hospital's files so that they couldn't be accessed.

In the end, the hospital not only paid the ransom, but also publicly admitted what had happened.  A hospital spokesperson stressed that patient care had not been compromised, and that paying the ransom was "the quickest and most efficient way" to restore its systems.  A cybersecurity expert told US News & World Report: "From an economics perspective it was probably the best – or only thing to do," while adding: "From a strategic perspective it is terrifying to me that most companies pay because the alternative is too painful."

This kind of blackmail is more common than we may realize.  Symantec's 2015 Internet Security Threat Report estimated that 317 million new pieces of malware were created in 2014, with ransomware attacks up 113%.  "Crypto-ransom" attacks, like the one HPMC suffered, went up 4,000%.

According to NBC News, health care record hacking rose 11,000 percent last year alone, with as many as one-in-three Americans having had their health data compromised -- usually without them being aware.  In most of these cases, actual patient information was taken, as it can then be used to perpetrate fraud.  We've all read about these breaches, since HIPAA requires disclosure when patient information is compromised...assuming the organization is even aware of the breach.

Locking down hospital systems rather than simply stealing the data -- and, of course, there is no guarantee that the HPMC hackers didn't also steal patient data -- is a tactic that is less often reported.  As another security expert told CBS News: "Unfortunately, a lot of companies don't tell anybody if they had fallen victim to ransomware and especially if they have paid the criminals."

As with kidnapping (or terrorists), experts are split about whether to give in to ransom demands or not.  There are often ways to recover the data or restore control of systems without giving in to the demands.  In the case of HPMC, one expert told CBS News, "If they decided to pay the ransom, it probably means that they didn't have very good backups, they weren't able to recover the data, and that the data would have been lost if they didn't pay the ransom."

Two things about the HPMC situation especially struck me.  For one thing, the hackers only got $17,000.  I mean, HPMC is not a huge hospital, but it is not a small one either, and one would expect that access to their systems would be worth more than $17,000.  They probably would have paid their IT staff more than that in overtime to fix the problem, if they could have.

Maybe the hackers just needed some quick cash to buy a Yaris.

The second interesting thing was that the hackers demanded payment in Bitcoin.  I hadn't realized it, but Bitcoin apparently has become the preferred currency of ransoms, especially crypto-ransoms.  Being both virtual and not issued by a government or financial institution, it is much harder to trace, and it can be easily transformed into "real" money.  As one expert told The New York Times, "The criminal underground very much likes Bitcoin.  It's enabled a greater sense of obfuscation."

It probably took longer for HPMC to figure out how to pay in Bitcoin than whether to pay at all.  Other healthcare organizations may want to be brushing up on their Bitcoin expertise, just in case.

It seems likely that there will be more such attacks, especially now that the HPMC ransom payment became public.  As one expert told Newsweek, "I think whenever a ransom demand is shown to work for the bad guys—meaning victims pay up—it is an incentive for criminals."  These kinds of hackers are anything but stupid, and they will keep attacking until it is shown that their efforts no longer work.

Moving more data and more operating systems to the cloud is one strategy that has been touted as a way to counter cyberattacks, since the cloud vendors claim to have more robust defenses, but it becomes a risk/reward proposition.  A cloud computing vendor might have bigger and tougher walls, but, once penetrated, there would be "a fruit-bearing jackpot" for hackers.

The really scary thing about health care hacking may not be being locked out of computer systems or even loss of patient data.  It may be that any medical device that is connected to the Internet or WiFi could be hacked, even taken over.  As proof, a security researcher recently hacked into a hospital's MRI.  He noted, "In this case it was easy. Medical devices are still insecure, I can see it. Some manufacturers really secure them but some [developers] are thinking about internet security in second or third place."

The researcher was doing it to make a point, but how much would someone pay to regain control of, say, their pacemaker?  How much business would an imaging center lose if it became known that hackers could digitally alter its scans?  Would you undergo a laser procedure or robotic surgery if you weren't 100% certain their software hadn't been hacked?  Would you trust a mobile app that might have been compromised?

The Internet of Things offers many exciting possibilities for "smart" devices and better tracking, but it also vastly expands the range of things that could be hacked.   This fear was a hot topic at this year's Consumer Electronics Show (CES), with no easy answers but with many pleas for developers to build in security as a foremost consideration as IoT is developed.

There aren't any easy answers.  Health care has never been known for its leading-edge systems or programming expertise, but when it comes to combating cyberattacks, it needs to be at the forefront.

1 comment:

  1. I showed this to someone in my IT department who has experience with Bitcoin: It's actually very simple to trace if you understand it. The hospital should post their wallet hash to the bitcoin community and it will get tracked within minutes. Everything is posted to a public ledger so anyone who knows the wallet id of the hospital would be able to follow the transactions all the way to the transaction where it's turned from bitcoin to cash. Then contact the company who converted the bitcoins and find out where the cash was sent. I really don't understand why this is so difficult for law enforcement aside from them not being able to understand the public ledger which doesn't take very long to understand. It's all public here: https://blockchain.info/
