Missouri Medicine. 2020 Mar-Apr;117(2):102–104.

Physician Practice Cybersecurity Threats: Ransomware

Christopher A. Budke, Peter J. Enko
PMCID: PMC7144701  PMID: 32308225

The exponential growth in the use of computer networks and remote access devices has created cybersecurity risk for every service sector, including healthcare. As more of the healthcare delivery system depends on information technology, one particular cyber threat, ransomware, has evolved into a highly sophisticated, extremely damaging and costly crime that can cause days or weeks of downtime for critical networks. Unfortunately, healthcare providers appear especially vulnerable to it: cyber criminals are keenly aware of the industry’s reliance on IT and of the crisis created by any inability to access necessary information. Accordingly, this article offers strategies to help healthcare professionals identify, avoid and respond to ransomware dangers.

What is Ransomware?

Ransomware is malicious software that exploits weaknesses in both people and technology to render IT systems inaccessible. It is typically delivered through phishing emails or through exposed and weakly secured Remote Desktop Protocol (RDP) services. Once it runs, the malware may encrypt files on local drives, attached drives, backup drives, and any other computer it can reach on the same network. Users are often unaware of the infection until they can no longer open their data, or a message appears demanding a ransom payment in exchange for a decryption key. Payment is generally demanded in a cryptocurrency such as Bitcoin because such payments are difficult to trace. If the demand is not met, the system or data remains locked or, in extreme cases, may be wiped out.
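As an added illustration, not code from the original article, the Python script below shows how the behaviour just described can be recognised on an endpoint: a single process rewriting many files with near-random (encrypted) content in a short window, typically renaming them with a new extension as it goes. The event log, process names and file paths are constructed for the example; a real deployment would feed the same logic from an EDR agent's file-write telemetry or a file-system audit log.

```python
"""Added example: spot a ransomware encryption run in file-write events.

One process rewriting many files in a short time with near-random content,
usually renaming them as it goes, is the on-disk signature of the behaviour
described above.  All events, process names and paths here are constructed.
"""
import math
import random
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


@dataclass
class FileEvent:
    ts: float        # seconds since epoch
    process: str     # process that performed the write
    path: str        # path after the write (ransomware usually renames)
    content: bytes   # bytes written; a real sensor would sample the file head


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for encrypted or random data,
    roughly 4-5 for office documents and plain text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_encryption_bursts(events, window=60.0, min_files=20,
                             entropy_floor=7.0,
                             ransom_suffixes=(".locked", ".encrypted", ".crypt")):
    """Return {process: details} for each process that, within `window`
    seconds, rewrote at least `min_files` files with entropy >= `entropy_floor`.

    Entropy alone is not enough: archives, images and encrypted PDFs are
    legitimately random-looking.  The burst count separates an encryption
    run from a user zipping a few folders; a ransom-style suffix on the
    renamed files raises confidence further.
    """
    recent = defaultdict(deque)   # process -> high-entropy writes inside window
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.content) < entropy_floor:
            continue
        q = recent[ev.process]
        q.append(ev)
        while ev.ts - q[0].ts > window:
            q.popleft()
        if len(q) >= min_files:
            renamed = sum(e.path.lower().endswith(ransom_suffixes) for e in q)
            alerts[ev.process] = {"files": len(q), "renamed": renamed,
                                  "last_path": ev.path}
    return alerts


def build_sample_events():
    """Constructed event log: one encryption run, one clinician typing notes,
    and a few genuine archives that are high-entropy but not a burst."""
    rng = random.Random(7)

    def random_blob(n=2048):
        return bytes(rng.getrandbits(8) for _ in range(n))

    t0 = 1_700_000_000.0
    events = []
    for i in range(25):           # ransomware: 25 files in under 30 seconds
        events.append(FileEvent(t0 + i * 1.2, "ransom.exe",
                                f"C:\\Users\\dr\\Documents\\patient{i}.docx.locked",
                                random_blob()))
    for i in range(30):           # normal work: low-entropy text
        events.append(FileEvent(t0 + i * 1.0, "winword.exe",
                                f"C:\\Users\\dr\\Documents\\note{i}.docx",
                                (f"Patient {i}: follow-up in two weeks. " * 40).encode()))
    for i in range(4):            # backups being zipped: high entropy, no burst
        events.append(FileEvent(t0 + i * 5.0, "7z.exe",
                                f"D:\\backup\\images{i}.zip", random_blob()))
    return events


if __name__ == "__main__":
    for proc, info in detect_encryption_bursts(build_sample_events()).items():
        print(f"ALERT {proc}: {info['files']} high-entropy writes, "
              f"{info['renamed']} with a ransom suffix, last {info['last_path']}")
```

Only `ransom.exe` is reported: the clinician's documents never clear the entropy floor, and the archiver writes random-looking data but only four files. Tune `window` and `min_files` to the volume of legitimate high-entropy writes on the host; a threshold low enough to fire on the first few files is what makes automated isolation of the machine worthwhile.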

Remarkably, the first recorded ransomware incident occurred in 1989, before the advent of the World Wide Web. Joseph L. Popp, a Harvard-trained biologist, carried out the attack by mailing some 20,000 infected floppy disks to a mailing list that included attendees of the World Health Organization’s international AIDS conference. After a set number of reboots, the malware hid the user’s directories and scrambled file names, then demanded a payment of $189 to regain access. Recovery tools were quickly written and the perpetrator was arrested (he was ultimately found unfit to stand trial), but a new business model had been born. In the intervening years it has been improved upon greatly, and ransomware variants are now broadly and indiscriminately deployed through unsolicited emails and disreputable websites.

By the end of 2016 the threat had grown to such an extent that Kaspersky Lab estimated a ransomware attack on a business occurred every 40 seconds. Cybersecurity Ventures predicts that this interval will shrink to one attack every 11 seconds by 2021, by which time global ransomware costs will likely reach $20 billion, nearly fifty-seven times the figure for 2015.[1] Note that the ransom itself is rarely the largest cost of an incident: lost productivity, forensic examination, regulatory compliance, reputational harm, and the work of restoring data quickly push the total far higher.

Underscoring the gravity of the situation, the FBI’s Internet Crime Complaint Center (IC3) notes that ransomware attacks are becoming more targeted and sophisticated. Rather than spraying email at random, criminals now send spear phishing emails that lure key individuals in sensitive positions, or exploit unpatched software on end-user computers.[2] There is also little doubt that ransomware developers adapt rapidly to IT security enhancements and keep improving their malware in order to penetrate systems. The McAfee Labs Threats Report for August 2019 recorded a 118% increase in new ransomware samples in the first quarter of 2019, alongside new code innovations.

Who Does This Stuff?

Are ransomware attackers individual hackers, organized criminal gangs, or state-sponsored entities? The answer to that question is yes, yes and yes. And, interestingly, the nature of a ransomware attack offers insight into its source.

Amplifying this point, the malicious code that makes ransomware work is readily available for purchase by individual hackers and small hacker groups, who often distribute their attacks indiscriminately. Financial gain is one motivation, but another is as simple as the bragging rights and community recognition that accompany a successful launch.

Organized criminal groups, on the other hand, continually create new code to maximize network destruction and target specific industries that are most likely to pay quickly to regain access to their data. Such groups may deploy the malware themselves via a spear phishing email from an apparently trustworthy source, or lease the ransomware to other criminal groups in exchange for a cut of the illicit profits (the ransomware-as-a-service model). Either way, money is the motivating factor. These organizations tend to operate out of Eastern Europe and have sophisticated infrastructures that include research and development departments, automated collection services, and customer (aka victim) support. The money they collect (which can run into the millions of dollars) is often reinvested in human capital in the form of highly skilled programmers and software engineers. Examples of their handiwork are the Dharma, Ryuk, and WYSIWYE (What You See Is What You Encrypt) ransomware families.

State-sponsored attacks typically originate in countries such as Iran, North Korea, and Russia (not Nigeria). Revenue generation can be a driving force, but the desire to cause mayhem is equally attractive. One of the most high-profile state-sponsored (or at least state-sanctioned) cyberattacks was WannaCry, which was linked to North Korea and is renowned for the speed with which it spread: it propagated on its own, without any user action, by exploiting a vulnerability in Windows file sharing (SMB) on unpatched machines. Just four days after it was discovered in 2017, more than 250,000 infections had been reported in 116 countries. Not to be outdone, Russia weighed in with NotPetya, which is believed to have been launched by the GRU, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation. Because NotPetya had no working payment mechanism and offered victims no practical way to recover their data, it is speculated that it was launched purely for its disruptive effect.[3]

How Can I Lessen My Ransomware Risk?

While cyber criminals use a variety of techniques to penetrate systems, and refine them continuously, most ransomware attacks arrive by one of three routes:

  1. Email phishing campaigns are by far the most prevalent source of ransomware infections; email is the delivery channel for roughly 94% of all malware.[4] In such a campaign the attacker sends emails with a malicious file attached or linked. When the file is opened or the link clicked, the malware is downloaded, and it may spread further through messages sent from the victim’s own email account.

  2. Drive-by downloads occur when a user visits a website, often a legitimate one that has been compromised or a look-alike of a legitimate one, on which the attacker has planted code that exploits the visitor’s browser or its plug-ins to install the malware without any further action by the user.

  3. Exploitation of security weaknesses in widely used software, especially unpatched or exposed services reachable from the internet (Remote Desktop Protocol being the classic example), is another favorite tactic. It requires no user interaction at all and lets the attacker push ransomware directly onto the network.

To minimize threats, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) suggests:

  • Training users to review and verify emails from trusted sources before clicking on links or opening attachments. When an email is unexpected or an aspect of it appears unusual, the recipient should reach out by phone to confirm its authenticity.

  • Updating software and operating systems with the latest patches and security upgrades.

  • Following safe internet browsing practices.

  • Restricting the ability of a user to install software applications on a computer or device.

  • Allowing only approved programs to run on the network’s computers (application allowlisting).

  • Enabling strong spam filters to prevent phishing emails from reaching end users, and authenticating inbound email (SPF, DKIM and DMARC) to prevent email spoofing.

  • Scanning all incoming and outgoing emails to detect threats and filter executable files from reaching end users.

  • Configuring firewalls to block access to known malicious IP addresses.

  • Immediately and regularly backing up all critical systems and data to separate devices and systems that are kept offline or otherwise unreachable from the production network (ransomware encrypts any backup it can reach), and periodically testing that the backups can actually be restored.

  • Developing and refining cyber incident response plans and making sure that they cover cyber insurance, business continuity, and risk analyses.

  • Conducting annual penetration testing and vulnerability assessments.[5]
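The following Python script is an added example, not part of the CISA guidance or the original article, that puts two of the bullets above into practice at a mail gateway: it reads the SPF, DKIM and DMARC results the receiving server recorded in the Authentication-Results header, and it refuses executable attachments, including a program disguised with a double extension and a script packed inside a zip. Both sample messages, the example-hospital.test domain and the attachment contents are constructed for the example.

```python
"""Added example: gateway-style triage of one inbound message.

Reads the upstream Authentication-Results header (SPF/DKIM/DMARC) to catch
spoofing, and flags executable attachments even when renamed or zipped.
Messages, domains and attachments below are constructed for illustration.
"""
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Extensions Windows executes (or hands to a script host) on double-click.
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".dll", ".msi", ".js", ".jse", ".vbs",
                 ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".lnk")
PE_MAGIC = b"MZ"   # DOS/PE header; true of .exe/.dll/.scr whatever the name says


def is_executable(name: str, head: bytes) -> bool:
    """Judge by extension and by content, so renaming a PE to .pdf does not help."""
    return name.lower().endswith(EXEC_SUFFIXES) or head[:2] == PE_MAGIC


def auth_results(msg) -> dict:
    """Pull spf=/dkim=/dmarc= results from the Authentication-Results header
    stamped by the receiving gateway (RFC 8601).  Absent => 'none'."""
    hdr = msg.get("Authentication-Results", "")
    found = {k.lower(): v.lower()
             for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, flags=re.I)}
    return {k: found.get(k, "none") for k in ("spf", "dkim", "dmarc")}


def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if is_executable(name, data):
            findings.append(f"executable attachment: {name}")
        elif name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        if info.flag_bits & 0x1:   # password-protected: cannot be scanned
                            findings.append(f"encrypted archive member: {name}/{info.filename}")
                        elif is_executable(info.filename, zf.read(info)[:2]):
                            findings.append(f"executable inside archive: {name}/{info.filename}")
            except zipfile.BadZipFile:
                findings.append(f"unreadable archive: {name}")
    auth = auth_results(msg)
    if findings or auth["dmarc"] == "fail":
        verdict = "quarantine"
    elif auth["dmarc"] == "none" and auth["spf"] != "pass":
        verdict = "review"      # unauthenticated sender, nothing overtly hostile
    else:
        verdict = "deliver"
    return {"auth": auth, "findings": findings, "verdict": verdict}


def build_sample_phish() -> bytes:
    """Constructed lure: spoofed From, failed SPF/DMARC, PE stub behind a
    double extension, and a zip carrying a script."""
    msg = EmailMessage()
    msg["From"] = "billing@example-hospital.test"      # hypothetical domains
    msg["To"] = "dr.jones@example-hospital.test"
    msg["Subject"] = "Overdue invoice - action required"
    msg["Authentication-Results"] = ("mx.example-hospital.test; spf=fail "
                                     "smtp.mailfrom=attacker.test; dkim=none; "
                                     "dmarc=fail header.from=example-hospital.test")
    msg.set_content("Please review the attached invoice today.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.js", "// script stub standing in for a downloader\n")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


def build_sample_benign() -> bytes:
    """Constructed legitimate message: authenticated sender, real PDF header."""
    msg = EmailMessage()
    msg["From"] = "lab@example-hospital.test"
    msg["To"] = "dr.jones@example-hospital.test"
    msg["Subject"] = "Lab results"
    msg["Authentication-Results"] = ("mx.example-hospital.test; spf=pass "
                                     "smtp.mailfrom=example-hospital.test; "
                                     "dkim=pass; dmarc=pass")
    msg.set_content("Results attached.")
    msg.add_attachment(b"%PDF-1.4\n%stub\n", maintype="application",
                       subtype="pdf", filename="results.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample_phish(), build_sample_benign()):
        print(triage(raw))
```

Run it directly to see the verdict for both messages. The check on the PE magic bytes matters because the Windows shell decides what to launch by extension while attackers routinely rename payloads; the password-protected-zip branch exists because a gateway cannot scan what it cannot open, which is precisely why lures use them. The Authentication-Results header is only trustworthy when it was written by your own receiving server, so a production filter should strip any copy of that header arriving from outside before stamping its own.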

What Should I Do If I Am the Victim of an Attack?

When a ransomware attack occurs, legal counsel should be consulted to help coordinate business continuity, forensic investigation, law enforcement, liability and reputational issues. Additionally, for healthcare providers and their business associates, ransomware triggers significant HIPAA compliance concerns as its presence on computer systems is considered a security incident which must be resolved by:

  • Analyzing the malicious software

  • Containing the impact and propagation of the ransomware

  • Eradicating the malware and remediating the vulnerabilities that enabled the attack

  • Recovering or restoring impacted data

  • Conducting post-incident reviews to determine whether any regulatory or contractual obligations result from the incident, including reporting a data breach.[6]

Moreover, unless it can be demonstrated that there is a low probability that protected health information was compromised, a breach is presumed to have occurred and the entity must comply with the applicable HIPAA breach notification requirements.[7]

Should I Pay the Ransom?

Law enforcement agencies, including the FBI, do not recommend paying the ransom, as payment does not guarantee that access to systems or data will be regained. There have been numerous cases in which the victim never received a decryption key, or a flaw in the attacker’s decryption tool prevented recovery of some or all of the affected data. Paying also strengthens the profit motive and encourages bad actors to target others. That said, a ransom payment does not in itself violate federal or state law (although a payment that reaches a sanctioned person or entity can run afoul of U.S. sanctions regulations, so the recipient should be checked before any funds move), and the decision may ultimately come down to an assessment of the attack’s impact on the organization’s clinical and business operations. Organizations that do pay should also recognize that they are markedly more likely to be attacked again.

What Are My Takeaways?

As information technology plays an ever-increasing role in healthcare delivery, ransomware attacks on providers are becoming more frequent and sophisticated, precisely because the life-and-death pressure created by downtime makes victims more likely to pay. Accordingly, it is vitally important for healthcare providers to be proactive in implementing best practices in data security so that cyber criminals are unable to profit from system vulnerabilities.

Footnotes

Christopher Budke is a special investigator and former FBI agent and Peter Enko, JD, is a partner in the Kansas City office of Husch Blackwell. Mr. Budke leads a team of investigators as part of the firm’s legal support team. Mr. Enko represents a full spectrum of health care providers on HIPAA compliance and other regulatory matters. The information contained in this article should not be construed as legal advice or a legal opinion on any specific facts or circumstances. The contents are intended for general information purposes only, and readers are encouraged to consult their own attorney concerning their specific situation and specific legal questions.

Contact: peter.enko@huschblackwell.com
