Ransomware makes healthcare wannacry

What companies need to do next to protect patient data


Around 200,000 systems have been hit by the malware WannaCry, resulting in doctors being blocked from gaining access to patient files and forcing emergency rooms to send people away.

Despite Microsoft having released a patch for the vulnerability a few months earlier, unpatched Windows XP and Server 2003 systems were the culprits behind the mass spread of the ransomware worm around the world. It only took one click on a link in an email to send mass hysteria through many organizations.

“Healthcare organizations are particularly vulnerable to these attacks because awareness about email authentication is still quite low in the sector as a whole. In order to protect the nation’s healthcare infrastructure from future ransomware attacks, we encourage all security executives to ensure their organizations have proper email authentication at enforcement,” said ValiMail CEO Alexander Garcia-Tobar. “It only takes a click from one person to endanger an entire enterprise.”

He said hopefully this will be a wake-up call for organizations to redouble their efforts and at least "lock the front door."
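"Email authentication at enforcement" means a published DMARC policy that actually quarantines or rejects mail failing SPF/DKIM alignment, rather than one that only monitors. The following is an added example, not code from the article or from ValiMail: it parses DMARC TXT records and classifies each domain. The records and domain names are constructed samples, not live DNS lookups; in practice you would resolve the TXT record at `_dmarc.<domain>` first.

```python
"""Classify a domain's DMARC record as at enforcement, partial, monitoring or missing.

Added example (not from the article or ValiMail). SAMPLE_RECORDS holds
constructed TXT values for the name _dmarc.<domain>; replace with a real
DNS lookup in production.
"""

# Constructed sample TXT records, one per domain (None = nothing published).
SAMPLE_RECORDS = {
    "hospital-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hospital-a.example",
    "hospital-b.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@hospital-b.example",
    "hospital-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@hospital-c.example",
    "hospital-d.example": "v=DMARC1; p=reject; sp=none",
    "hospital-e.example": None,
}


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict of lower-cased tags.

    Returns None when the text is absent or is not a DMARC record
    (a DMARC record must carry v=DMARC1).
    """
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def enforcement_status(txt):
    """Return 'missing', 'monitoring', 'partial' or 'enforcement'.

    'enforcement': every failing message, from the domain and its subdomains,
    is quarantined or rejected. 'partial': a blocking policy exists but leaves
    a gap (pct below 100, or subdomains left at none).
    """
    tags = parse_dmarc(txt)
    if tags is None:
        return "missing"
    policy = tags.get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return "monitoring"
    # pct defaults to 100; a lower value applies the policy to only a sample of mail.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    # sp (subdomain policy) defaults to the value of p when absent.
    sub_policy = tags.get("sp", policy).lower()
    if pct < 100 or sub_policy not in ("quarantine", "reject"):
        return "partial"
    return "enforcement"


def audit(records):
    """Map each domain to its enforcement status."""
    return {domain: enforcement_status(txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, status in audit(SAMPLE_RECORDS).items():
        print(f"{domain:24s} {status}")
```

The "partial" bucket matters: a `pct=50` or `sp=none` record looks like enforcement at a glance but still lets spoofed mail through, which is the gap the quoted advice is about.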

Paul Zeiter, president of Zerto, said last week’s news demonstrated a fundamental flaw in IT security strategy for many enterprises that lack IT resilience to quickly neutralize these types of attacks and other business disruptions.

“This sinister, criminal activity shows no mercy with victims ranging from cancer-related nonprofits, to vital societal services such as healthcare, global transportation infrastructure, and global banking systems. The leading practice to protect organizations from this technological scourge – though surprisingly vastly underutilized – is integrating disaster recovery capabilities that simply ‘rewind’ to the seconds just before ransomware encryption hits, thereby nullifying the threat,” he said.

Dante Orsini, senior vice president of business development at iland, said that after the recent large-scale ransomware attack on the National Health Service (NHS), IT organizations should be reviewing their own policies and hoping they are protected, which further reinforces the need for organizations to have comprehensive backup and disaster recovery processes.

“The problem with malicious software is there is no single magic bullet. Organizations need to fundamentally change how they tackle this threat and approach it from multiple angles,” he said.

It starts with user education and training; then it is IT's job to deliver both preventative measures and protection policies to create a resilient IT environment, he said.

Last week was an example of how vulnerable some of our most important infrastructure is to attack. “This is an unfortunate example of the very real and potentially devastating effects cybercrime can have on society,” said Ebba Blitz, CEO of Alertsec. “Make sure all the software on your system is up to date. This includes the operating system, the browser and all of the plug-ins that you would normally find in a browser. In order to minimize the impact of ransomware attacks like this, IT departments should also be sure to install a scanning software that blocks or sandboxes suspected files.”

According to Rick Hanson, executive vice president of Skyport Systems, “We as an industry must share intelligence and start taking real action to segment our networks into trusted and un-trusted segments. Focus your security efforts on building secure enclaves around those applications and data that you care about most. Network-based security for the lowest common denominator is no longer a solution.”

Hanson added, “As the NHS is dealing with a disastrous attack, this is a wake-up call to other agencies that these threats are not only real, but entirely possible. We rely on compliance alone to give ourselves the feeling of being safe. This is a real-world example where a defense-in-depth strategy needs to be employed.”

Another week, another incident

Despite all the best practices and tips sent out by vendors, healthcare breaches continue to occur. Recently 7,000 patient records were compromised at the Bronx Lebanon Hospital Center in New York.

Robert Lord, CEO, Protenus, said after a relatively quiet start to the year, there has been an uptick in the number of health data breach incidents and a drastic increase in the number of breached patient records this month, with almost 700,000 patients breached in a single incident.

Protenus tracks healthcare breaches through its breach report. He said there is no way to predict when there will be a spike in the number of health data breach incidents. 

Some recent events according to the U.S. Department of Health and Human Services:

  • In March, Urology Austin, PLLC had 279,000 records breached during a hacking incident.
  • In April, Harrisburg Gastroenterology Ltd had a breach where 93,000 records were compromised because of a hacking incident on its network server.
  • In March, VisionQuest Eyecare in Indiana had 85,000 records stolen.

Latest healthcare breaches according to the Department of Health and Human Services.

Ponemon Institute estimates data breaches cost the healthcare industry $6.2 billion last year.

Joe Ferrara, president and CEO of Wombat Security, said that when the healthcare industry is hit with a data breach or ransomware attack, it presents a huge risk to the delivery of care and to patient data. The industry faces distinct challenges in its environment, so it is key for a training program to work in harmony with busy, irregular, unpredictable schedules. Training staff empowers them to be the first line of defense in cybersecurity. The best way to arm the healthcare industry is with the right training and tools that work with its schedules, to avoid these kinds of attacks in the future.

Varonis' Data Risk Report showed that, on average, 20 percent of folders per organization were open to every employee. Additional key findings from the report include:

  • 236.5 million folders containing 2.8 billion files, comprising 3.79 petabytes of data were analyzed.
  • Of that figure, 48,054,198 folders were open to “global access groups,” or groups that grant access to the entire organization.
  • 47 percent of organizations had at least 1,000 sensitive files open to every employee; 22 percent had 12,000 or more sensitive files exposed to every employee.
  • 71 percent of all folders contained stale data, accounting for almost 2 petabytes of data.
  • 24.4 million folders had unique permissions, increasing complexity and making it more difficult to enforce a least privilege model and comply with regulations like General Data Protection Regulation (GDPR).
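The report's figures come from the kind of folder-level audit any organization can run itself: walk the share, look at each folder's ACL for global access groups, count sensitive files behind those ACLs, and note stale data and uniquely permissioned folders. The following is an added example, not code from Varonis or the article, run over a constructed inventory rather than a live share; the folder paths, group names and counts are all made up, and on Windows the same per-folder fields could be collected with Get-Acl and Get-ChildItem.

```python
"""Audit folder ACLs on a file share for global access and stale data.

Added example, not code from Varonis or the article. FOLDERS is a
constructed inventory; collect the same fields from a real share before use.
"""
from datetime import date

# Principals that effectively grant access to everyone in the organisation.
GLOBAL_ACCESS_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

STALE_AFTER_DAYS = 365
TODAY = date(2017, 5, 15)  # fixed reference date so results are reproducible

# Constructed inventory: path, ACL (principal -> right), number of files a
# classifier tagged as sensitive, newest modification date, and whether the
# ACL is inherited from the parent or set uniquely on this folder.
FOLDERS = [
    {"path": r"\\fs1\share\Public", "acl": {"Everyone": "Read"},
     "sensitive_files": 0, "last_modified": date(2017, 5, 1), "inherits": True},
    {"path": r"\\fs1\share\Radiology\Reports", "acl": {"Domain Users": "Modify", "Radiology": "Modify"},
     "sensitive_files": 1200, "last_modified": date(2017, 4, 20), "inherits": False},
    {"path": r"\\fs1\share\HR\Archive2012", "acl": {"HR-Staff": "Read"},
     "sensitive_files": 800, "last_modified": date(2013, 1, 3), "inherits": False},
    {"path": r"\\fs1\share\Billing\Exports", "acl": {"Authenticated Users": "Read", "Billing": "Modify"},
     "sensitive_files": 40, "last_modified": date(2015, 9, 9), "inherits": False},
    {"path": r"\\fs1\share\IT\Scripts", "acl": {"IT-Admins": "FullControl"},
     "sensitive_files": 0, "last_modified": date(2017, 5, 10), "inherits": True},
]


def is_globally_open(folder):
    """True if any entry on the folder's ACL names a global access group."""
    return any(principal in GLOBAL_ACCESS_GROUPS for principal in folder["acl"])


def is_stale(folder, today=TODAY, stale_after_days=STALE_AFTER_DAYS):
    """True if nothing in the folder has changed within the stale window."""
    return (today - folder["last_modified"]).days > stale_after_days


def audit(folders, today=TODAY):
    """Summarise exposure the way a data-risk report does, plus a fix-first list."""
    open_folders = [f for f in folders if is_globally_open(f)]
    stale_folders = [f for f in folders if is_stale(f, today)]
    unique_perms = [f for f in folders if not f["inherits"]]
    return {
        "open_folder_pct": round(100 * len(open_folders) / len(folders), 1),
        "stale_folder_pct": round(100 * len(stale_folders) / len(folders), 1),
        "sensitive_files_exposed": sum(f["sensitive_files"] for f in open_folders),
        "unique_permission_folders": len(unique_perms),
        # Remediate these first: open to everyone and holding sensitive files.
        "fix_first": [f["path"] for f in open_folders if f["sensitive_files"] > 0],
    }


if __name__ == "__main__":
    for key, value in audit(FOLDERS).items():
        print(f"{key}: {value}")
```

The `fix_first` list is the practical output: folders that are both globally open and hold sensitive files are where a least-privilege clean-up pays off immediately, while uniquely permissioned folders are where that clean-up is hardest to keep consistent.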

When asked how hospital breaches have evolved over time, Brian NeSmith, co-founder and CEO of Arctic Wolf Networks, noted this transformation can be a life or death issue. “Medical devices, similar to many other IoT devices, were not designed with rigorous security in mind and are more vulnerable to being hacked. They also do not fall under normal security operations procedures since they are used as needed by the medical practitioners and not deployed and maintained by the IT department.”

He predicted we will see more of these, and some with fatal consequences. 

Hospitals are in a tough spot because the medical device vendors have not designed their equipment and devices to fit into industry standard security operations and processes, NeSmith said. Without this, the best they can do is to monitor everything in their environment and have a clear idea of what is and is not normal. Anything that does not look normal needs to be flagged and treated as a possible breach.   

“Prevention and detection need to be part of a broader security strategy that covers regular reviews and a robust remediation plan. When something happens, the speed of recovery will depend on how good the plan in place is,” he said.

NeSmith said phishing is increasing because of two factors: the proliferation of social media and the growing amount of usable information available to serve as bait in phishing messages.

Lord said healthcare organizations need a multi-layered approach when it comes to protecting their patient data.

  • Basic network protection like encryption and firewalls should be in place to protect the perimeter of an organization and ward off careless or malicious data leakage.
  • Employee training and education are also critical for protecting health data. Education also ensures the organization’s employees are aware of appropriate vs. inappropriate access to medical records. It’s important for employees to understand the ramifications for both the organization and the employee should a privacy violation occur. Healthcare organizations can often face penalties and fines when there has been a breach of patient privacy. If an employee is found responsible, they can face termination or even criminal charges, depending on what the investigation concludes.
  • Behavioral analytics, like proactive privacy monitoring, is a final layer to ensuring healthcare organizations are notified as soon as there is inappropriate activity occurring within the hospital’s EHR. Subtle differences in behavior that are identified through a deep understanding of how workforce members normally act can be the reason you identify a case of compromised credentials. Insiders or accounts with compromised credentials act differently when they are attempting to do harm. The sooner it is identified, investigated, and resolved, the lower the impact of that breach.

Breaches take several different forms, including malware and hacking. Device attacks do also occur, but Lord said the vast majority of these attacks are focused on gaining access to the data. “It seems that when trying to gain access to sensitive patient information, the most effective way in is by exploiting trusting human beings,” he said.

Insiders are among the biggest threats to sensitive patient data because bad actors often go unnoticed, since they have legitimate access to the electronic health records, he said. Healthcare organizations can begin to understand and oversee all employee behavior within the EHR with the use of artificial intelligence. Privacy and security teams can detect when something inappropriate is taking place and remediate the situation quickly, saving the healthcare organization and patients time and resources.
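NeSmith's advice to know what is normal and flag everything that is not, and Lord's behavioral-analytics layer for the EHR, both come down to running rules over the EHR access audit trail. The following is an added example, not code from Protenus, Arctic Wolf or the article: it applies two simple checks to a constructed access log. A per-access check flags chart opens by a unit that has no treatment relationship with the patient (and any access to a flagged VIP record), and a per-user baseline check flags a day whose chart-open count is far above that user's usual volume. The log lines, the treatment-relationship table and the VIP list are all constructed; a real EHR audit trail carries the same fields.

```python
"""Flag inappropriate EHR access from an access audit log.

Added example, not code from Protenus, Arctic Wolf or the article. The log,
the treatment-relationship table and the VIP list below are constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed audit log: day, user, user's unit, patient record opened.
ACCESS_LOG = """\
2017-05-08,nurse_amy,Oncology,P100
2017-05-08,nurse_amy,Oncology,P101
2017-05-09,nurse_amy,Oncology,P100
2017-05-09,nurse_amy,Oncology,P101
2017-05-10,nurse_amy,Oncology,P100
2017-05-10,nurse_amy,Oncology,P101
2017-05-11,nurse_amy,Oncology,P100
2017-05-11,nurse_amy,Oncology,P101
2017-05-11,nurse_amy,Oncology,P102
2017-05-11,nurse_amy,Oncology,P103
2017-05-11,nurse_amy,Oncology,P104
2017-05-11,nurse_amy,Oncology,P200
2017-05-11,nurse_amy,Oncology,P900
2017-05-08,dr_bob,Cardiology,P200
2017-05-08,dr_bob,Cardiology,P201
2017-05-09,dr_bob,Cardiology,P200
2017-05-09,dr_bob,Cardiology,P100
2017-05-10,dr_bob,Cardiology,P200
2017-05-10,dr_bob,Cardiology,P201
2017-05-10,clerk_cal,Billing,P900
"""

# Constructed table: units with a current treatment relationship to each
# patient (the context an EHR holds in its census and consult orders).
TREATING_UNITS = {
    "P100": {"Oncology", "Cardiology"},  # oncology inpatient with a cardiology consult
    "P101": {"Oncology"}, "P102": {"Oncology"}, "P103": {"Oncology"}, "P104": {"Oncology"},
    "P200": {"Cardiology"}, "P201": {"Cardiology"},
    "P900": {"Cardiology"},
}
VIP_PATIENTS = {"P900"}  # records whose every access gets a second look


def parse_log(text):
    """Turn the CSV-style log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        day, user, unit, patient = line.split(",")
        events.append({"day": day, "user": user, "unit": unit, "patient": patient})
    return events


def relationship_alerts(events):
    """Per-access checks: no treatment relationship, or a VIP record."""
    alerts = []
    for e in events:
        reasons = []
        if e["unit"] not in TREATING_UNITS.get(e["patient"], set()):
            reasons.append("no_treatment_relationship")
        if e["patient"] in VIP_PATIENTS:
            reasons.append("vip_patient")
        if reasons:
            alerts.append((e["day"], e["user"], e["patient"], tuple(reasons)))
    return alerts


def volume_alerts(events, min_count=5, ratio=3):
    """Per-user baseline: a day with far more chart opens than the user's norm."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_user_day[e["user"]][e["day"]] += 1
    alerts = []
    for user, days in per_user_day.items():
        baseline = median(days.values())  # median is robust to the spike day itself
        for day, count in sorted(days.items()):
            if count >= min_count and count >= ratio * baseline:
                alerts.append((day, user, count, baseline))
    return alerts


if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    for alert in relationship_alerts(events) + volume_alerts(events):
        print(alert)
```

Note what the relationship table buys you: dr_bob's access to the oncology patient P100 is not flagged because a consult relationship exists, while the billing clerk's single open of the VIP record P900 is flagged twice. A real deployment would add the other behaviors the article names (family or co-worker lookups, after-hours access) as further rules over the same event shape.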

According to Protenus’ report, insiders were responsible for 44 percent of March’s total breach incidents (17 incidents), affecting 179,381 patient records. The reasons insiders choose to access patient records inappropriately vary; common causes include family/friend snooping, VIP/celebrity snooping, criminal intent and fraud.

“Selling patient records on the Dark Web is more common than we’d all like it to be, and medical records are especially valuable - more than 10 times the value of financial information alone. This can create enough incentive for insiders to take patient information and sell it on the Dark Web,” Lord said.

Timing to report breach lags

Over the past few months, Protenus has reported that it has taken several months or years for a healthcare system to discover and report a health data breach to HHS.

Lord said in some cases it took several years for healthcare organizations to discover that patient data had been breached. “This is often the case because healthcare organizations spend only 10 percent of what other industries, like finance and retail, spend to secure their data. Privacy and security teams continue to be stretched thin and only the most obvious violations are detected through traditional methods,” he said.

“For healthcare organizations, it’s just like seeing the tip of the iceberg, knowing that 95 percent is still hidden below the surface. The good news is that advances in machine learning and artificial intelligence allow proactive patient privacy to be implemented in organizations across the country. Using these different methods, leading institutions are seeing the time to detect and resolve these cases drastically decrease,” he added.

Health and Human Services’ Office for Civil Rights (HHS OCR), which oversees this area of healthcare, requires healthcare organizations to report a health data breach of 500 records or more within 60 days of discovery.
