February 29, 2016

SUMMARY

A healthcare organization recently fell prey to a new type of cyberattack, the installation of “ransomware” that locked up the organization’s computer systems until the hackers were paid a “ransom” equivalent to about $17,000 in return for an electronic key to unlock their data.  We are apt to see more and more of these attacks, and we need to implement solid cybersecurity measures more than ever.  The single most important and most effective strategy is to create regular data backups, in the form of either cloud storage or a physical hard drive that is not on the same network as the infected hardware.


“Ransomware” attacks are malicious intrusions into information systems that encrypt the victim’s sensitive data and demand payment in exchange for a key to unlock the data.  They have become increasingly common in the last few years.  Since January 2013, there have been at least 100,000 cases of recorded ransomware attacks.

The installation of such malware on third parties’ computer systems is usually paired with a demand for payment by a certain deadline or the computer data will be deleted.  This is a more direct means for criminals to realize profits from hacking into hospital systems than selling medical records.  It is also a more immediate, direct threat to patient welfare. 

On February 5, 2016, Hollywood Presbyterian Medical Center in Los Angeles became one of the latest and highest-profile victims, demonstrating that “ransomware should be a permanent concern for anyone or any business using the internet, and it’s going to get worse before it gets better.”  (Stone J. Ransomware Hackers A Bigger Threat Than Ever, Forcing Hospitals And Police To Pay Hostage Fees.  IBT, February 23, 201.)  Hollywood Presbyterian quickly paid the ransom of 40 bitcoins or about $17,000 (not $3.4 million as was initially reported) and finally, on February 15th, restored its electronic medical record (EMR) system.  (Public letter from Allen Stefanek, Hollywood Presbyterian Medical Center President and CEO, February 17, 2016.)

During the ten days that the hospital’s computer systems were down, the staff was forced to revert to manual documentation using pen and paper to take down patient information and to jammed fax lines and telephones to communicate from one department to another.  Patients were diverted to other facilities.  Some outpatients missed treatments and others resorted to driving around town to pick up test results and other medical documentation that would normally be delivered electronically.  It is unknown how many patients’ records or what types of information were affected, or if staff records and personal information were accessed.

Anesthesiologists and other hospital-based physicians who use the hospitals’ Information Management Systems (IMS) are just as vulnerable as the institutions themselves, and have considerable interest in encouraging the administration to make sure it is doing all it can to protect against ransomware attacks.  Anesthesia groups running their own AIMS should take their own preventive measures, and so should anesthesiologists who use smartphones: in 2014, four of the top five malware programs encountered by Android users in the United States were ransomware, posing as a legitimate app and then, after installation, locking the phone and demanding payment.  Some of these measures are described below.

Actions Hospitals and Anesthesia Practices Can Take to Prevent a Malware Attack

As Stone says, “The best way to avoid an infection is to plan on being infected anyway.  The only catch-all way to mitigate the damage is regular data backups, in the form of either cloud storage or a physical hard drive.”  When a criminal then wipes all the data in the computer system, another up-to-date copy can be restored quickly.  That is the single most important and most effective strategy to protect against a ransom demand.

Hospitals or practices that are doing backups on site should make sure they can recover an image of the data for months in the past and keep multiple copies.  Any backups made between the time of infection and when the attack is detected will be encrypted, and thus unrecoverable without paying the ransom.  For that reason, online backups with automatic incremental backups can be very useful.  At a minimum, providers should keep at least one set of backups offsite.

Mark Dill, a consultant at tw-Security and former Chief Information Security Officer at the Cleveland Clinic, encourages organizations to use a “People, Process and Technology” approach including the following steps, as described in 10 Steps to Reduce Your Ransomware Risks on the Health Data Management website:

  1. Educate the workforce to be suspicious of and to resist clicking on links embedded in email or on a website while surfing the internet.
  2. Ban all personal webmail and surfing on corporate devices.  Make staff who bring their own mobile devices to work use those devices connected through a “guest” wireless network, to protect the internal network.
  3. Implement a data backup plan with a longer retention schedule.  Retain at least two months’ worth of full disk backups.  Require staff to store all work-related data on a network drive rather than on a local or personal hard drive.
  4. Create incident response procedures.  Establish specific procedures and playbooks to address the most common types of attacks, and keep them updated.  The first 48 hours after an attack are critical.
  5. Filter internet traffic more closely.  Consider restricting inbound and outbound internet traffic by creating a blacklist and/or a whitelist.  Block inbound email traffic that comes from newly created domains, since hackers typically are using domains that are less than 72 hours old to launch their phishing attacks.
  6. Review access rights on network drives.  Only those employees who need to be able to write data to the hard drive should have access other than “read only.”  “Least privilege” is a venerable information security principle.
  7. Consider next-generation anti-malware tools that use advanced math to predict malware.  The older antivirus solutions rely on pattern file updates and they are struggling to keep up with recent threats such as ransomware.  You should also keep a pop-up blocker running in your web browser.
  8. Evaluate advanced persistent threat (APT) tools.  Many variants of the original and most successful ransomware start with an initial infection that requires them to access a Command and Control server on the internet to get the key that will encrypt the victim’s data.  APT tools can see and block this communication and prevent the encryption.
  9. Implement intrusion prevention systems (IPS).  These function like APT tools by blocking the communication to the Command and Control server. 
  10. Patch vulnerable versions of PDF viewers and Flash players.  Maintain software patches and make sure your operating system and all your applications are up to date so no vulnerability can be exploited in order to deliver malware to your computers.
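The backup advice above (backups taken between infection and detection are encrypted copies, retain at least two months, keep a copy offsite) can be turned into a simple restore-point check.  The following Python is an added example, not code from the original article; the backup catalog, the infection and detection times, and the "onsite"/"offsite" labels are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample backup catalog (not from the article): when each
# backup was taken and where the copy lives. An onsite copy on the same
# network as the infected hosts may itself be encrypted.
BACKUPS = [
    (datetime(2015, 12, 13, 2, 0), "offsite"),
    (datetime(2015, 12, 27, 2, 0), "onsite"),
    (datetime(2016, 1, 10, 2, 0), "offsite"),
    (datetime(2016, 1, 24, 2, 0), "onsite"),
    (datetime(2016, 2, 7, 2, 0), "offsite"),
    (datetime(2016, 2, 14, 2, 0), "onsite"),
]

def clean_backups(backups, infection_time, offsite_only=True):
    """Backups that cannot contain encrypted files: taken strictly
    before the infection started and, optionally, stored off-network."""
    return [
        b for b in backups
        if b[0] < infection_time and (not offsite_only or b[1] == "offsite")
    ]

def newest_clean_backup(backups, infection_time, offsite_only=True):
    """The restore point to use, or None if nothing predates the infection."""
    candidates = clean_backups(backups, infection_time, offsite_only)
    return max(candidates, key=lambda b: b[0]) if candidates else None

def retention_covers(backups, detection_time, days=60):
    """True if the oldest retained backup reaches back at least `days`
    (the article's two months) from the time the attack was detected."""
    if not backups:
        return False
    oldest = min(b[0] for b in backups)
    return detection_time - oldest >= timedelta(days=days)

def data_lost(backups, infection_time, detection_time):
    """Work that must be re-entered by hand: everything from the last clean
    backup up to detection. Backups inside this window are encrypted copies."""
    rp = newest_clean_backup(backups, infection_time)
    if rp is None:
        return None
    return detection_time - rp[0]

if __name__ == "__main__":
    infected = datetime(2016, 2, 5, 9, 0)    # infection believed to begin
    detected = datetime(2016, 2, 15, 12, 0)  # encryption noticed
    print("restore from:", newest_clean_backup(BACKUPS, infected))
    print("retention ok:", retention_covers(BACKUPS, detected))
    print("window to re-enter:", data_lost(BACKUPS, infected, detected))
```

Note that the Feb 7 offsite copy is rejected because it postdates the infection, which is why the usable restore point falls back almost a month and why retention must be measured against the infection date, not the detection date.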

The number of cyberattacks, unfortunately, continues to grow.  Last year in the U.S. more than 111 million individuals' data were breached due to a hack or IT incident, according to the Bitglass 2016 Healthcare Breach Report, cited by Becker’s Health IT & CIO Review in Large-scale cyberattacks account for 98% of breached health records (January 27, 2016).  The article quotes the CEO of Bitglass as saying “As the IoT [Internet of Things] revolution compounds the problem with real-time patient data, healthcare organizations must embrace innovative data security technologies to meet security and compliance requirements.”  Individual physicians and healthcare personnel, practice groups and healthcare systems must all make the necessary investments in cybersecurity.

With best wishes,

Tony Mira
President and CEO