J003-Content-Holding-Healthcare-Hostage_SQOne of the biggest stories in the IT security world in February was that of the ransomware attack on a Los Angeles hospital that reportedly had doctors and other healthcare personnel locked out of patients’ records and unable to even communicate via email for over a week. This incident highlights a growing – and scary – trend in the escalation of cybercriminals’ money-motivated attacks that formerly targeted individual computer users but is now aiming higher, at businesses and institutions whose records are so vital they may be compelled to pay whatever the attackers demand for their release.

The practice of seizing someone or something and demanding that those who want the person or item back pay for it is an age-old type of extortion. The payment is known as ransom, which comes from the old French word rançon and means “buying back.”

Hostage-taking for ransom has a long and colorful history. Julius Caesar was said to have been kidnapped and held for ransom by pirates at the age of twenty-five. True to form, when he found out the pirates were asking for 20 talents of silver to release him, he declared himself worth more and had them up the ransom to 50 talents. John Paul Getty’s sixteen-year-old grandson was held for ransom by an Italian gang in 1973 and his ear cut off and mailed to the press. He was released after payment of $3 million. The 20-month-old baby of Charles Lindbergh was kidnapped in 1932. Despite 13 ransom notes and the payment of ransom, the baby’s body was found a few miles from the family’s home and a long-running FBI investigation resulted in the arrest, trial and execution of Bruno Richard Hauptmann.

Kidnapping humans is a difficult undertaking. In our digital age, there’s an easier way for criminals to extort money from individuals and companies: they can take our precious data hostage or hold our entire networks hostage. They do this by means of malicious software known as ransomware, and some very smart people are falling victim to it.

As the “computer experts” and unofficial tech support for almost everyone we know, my husband and I have had multiple friends and family members contact us with the frantic news that all their data has been rendered inaccessible and they’re getting messages telling them they have to pay to unlock it. Some of these are highly educated folks whom you wouldn’t expect to fall for a con job – yet they’ve paid the ransom, only to discover that as with the Lindbergh kidnapper, criminals often don’t keep their end of the bargain.

Ransomware has been around for at least a quarter of a century and started to proliferate around 2005-2006. Some of the first variants were simple “scareware” but the attackers haven’t gotten more serious, and today’s CryptoWall and CryptoLocker are a good deal more sophisticated – and harder to crack – than the early attempts. Modern ransomware comes in a variety of types but the common factor is that they all prevent you from doing what you want to do on your computer unless you do what the malware demands (which may be sending money – usually in the form of bitcoins – or can be as innocuous as filling out surveys).

One thing that makes ransomware so prevalent is that it can sneak up on a system in many different ways: some infestations are accomplished via botnets, and many utilize the good old tried-and-true methods of email links and attachments and social engineering tactics. Ransomware can be spread through messenger/chat programs or even via infected USB thumb drives and other removable media. An especially popular method for modern attackers is to distribute the payload through “drive-by” downloads and “malvertising” (malicious advertising). While safe surfing habits are always advised, even those who are diligent may still get caught in the ransomware net since any website that accepts user-uploaded content can be compromised and used to pass along the malware, including legitimate popular sites.  Think you’re safe because you use a Mac? Think again.

Some ransomware programs will just encrypt your data. If you have backups of the data (that haven’t been overwritten with encrypted copies), you might luck out. Other types of ransomware will lock up your computer and prevent you from accessing the operating system and/or your applications.  The more sophisticated ransomware can hide itself from anti-malware software to avoid detection.

It’s bad enough when Aunt Mary finds that all 8,250 photos of the grandkids she had stored on her hard drive are no longer accessible (and of course those were the only copies). It’s worse when your best friend calls you in desperation because all his tax files have been encrypted and when he restored his backup, that external drive got infected, too. But none of that compares to the havoc that ransomware can wreak when it attacks an organization that relies on its computer systems and data for life-and-death decision-making, such as those in the healthcare industry.

Hollywood Presbyterian Medical Center was the victim of such an attack last month, and the digital hostage-takers shut down access to the hospital’s computer systems and then wanted $3.6 million to let it go. The institution ended up paying, although reportedly much less than the original demand. There were also reports that some patients in the hospital’s emergency room were sent to other hospitals because HPMC was unable to register them or access their medical records.

This case ended up getting a great deal of publicity, but some experts speculate that it was by no means an isolated incident. Obviously no organization – whether a public entity, private company or non-profit – wants it splashed all over the Internet that they have been victimized in this way. It’s embarrassing, it can cause customers to lose confidence in them, and it could subject them to scrutiny regarding whether they did all they could have to prevent it, especially in a regulated industry such as those that fall under HIPAA laws. In the U.S., HIPAA violations are a very big deal that can result in both civil and criminal penalties.

Ransomware is just one of the many times of breaches that can impact hospitals, doctors’ offices, labs and other healthcare-related businesses. According to Travis Greene writing in SecurityWeek last summer, from 2014 to 2015 security breaches in the healthcare arena increased by 60 percent and the cost of a healthcare industry breach went up by a whopping 282 percent. The Ponemon Institute’s data showed that as of last October, criminal attacks in healthcare had become the leading cause of data breaches.

Technological innovations have been responsible for “medical miracles” and new cutting-edge tech such as artificial intelligence (AI) and 3D printing are revolutionizing healthcare. The computerization of medical records can cut costs for storing huge amounts of information and make it orders of magnitude easier for physicians to have patients’ medical histories, medication information and other relevant data at their fingertips in order to more quickly formulate a better treatment plan. However, when those records are stored on a networked computer or NAS or SAN, it also exposes this very personal information to the risk of unauthorized access or worse, tampering that could put lives in danger.

In addition to making medical records inaccessible and thus possibly delaying life-saving treatment, attackers could make changes to prescription dosages, erase or change patient histories to omit or add information that causes an incorrect diagnosis or prognosis, make a person’s illnesses public in order to cause embarrassment (such as in the case of sexually transmitted diseases) or affect the person’s career (such as a revelation of past psychiatric treatment of a person running for political office). Cybercriminals can also sell stolen medical records, which the FBI warned a couple of years ago are even more valuable than credit card information on the black market.

That’s why cybersecurity should be a top priority for all IT departments and data centers that serve the healthcare field. Strong encryption and multi-factor authentication, along with strict audit trails, should be standard in the healthcare IT world. But a convergence of technological trends and innovations makes securing healthcare data more complicated than that.

When we think of the Internet of Things (IoT) and the security issues it brings, many of us just think of household appliances and perhaps smart watches, IP cameras, Internet-enabled TVs and connected cars. However, there are a myriad of specialized medical devices that now connect to the Internet and thus are vulnerable to remote access and hack attacks, or, as the Washington Post put it, The Internet of Things that Can Kill You. These range from pacemakers inside heart patients’ chests to infusion pumps that deliver insulin or narcotics to robotic arms that can be used to perform surgery remotely.

Not only could these devices be hacked to directly harm the patients who are using them, but because they’re often connected to hospital networks, they could be used as a back door to gain access to the entire network if there are vulnerabilities in the software and/or they’re not configured properly – and as we’ve discussed before, many of the “things” that are becoming Internet-capable are made by vendors whose expertise lies in the primary purpose of the device and not in cybersecurity. Many embedded devices aren’t updated regularly so vulnerabilities don’t get patched, and the fierce competition (and big profits to be made) in this space may lead manufacturers to rush to get their devices on the market before they’ve been thoroughly secured.

No wonder some security experts declared that 2015 was the “year of the healthcare hack,” with studies showing that healthcare and pharmaceutical companies have the worst cybersecurity record among the S&P 500. But in 2015, healthcare hackers (and hostage-takers) were just getting started. If the industry doesn’t make a concerted effort to focus on security now, 2016 could be even worse.