Healthcare, long the fax machine’s great patron, is finally going digital
Screenshot of TheDarkOverlord’s ransom request via deepdotweb.com
Over on the dark net, a hacker named TheDarkOverlord is in for a big payday. This week, the hacker announced that he’d breached at least four healthcare databases in a reputation-making move, and he’s putting the stolen data up for sale: roughly 10 million patient records, many with social security, phone, insurance, and credit card numbers in addition to full medical histories. The asking price adds up to over a million dollars for exclusive rights to the files from all four datasets, and there isn’t even a question of if TheDarkOverlord will get paid. It’s how fast.
Nearly 100 million health records were stolen in 2015, and yours may have already been hijacked. According to a survey by KPMG, an astonishing 80 percent of executives at healthcare providers and payers admitted their information had been compromised, and they’re shelling out around $6 billion annually in ransom payments to get their systems and data back. They need those records to return to work and would rather pay up than have their databases frozen or erased, not to mention their patients’ information sold on black markets. (Yes, there’s more than one.)
When it comes to medical records, identity theft and hospital ransoms are byproducts of progress. Healthcare, long the fax machine industry’s great patron, is still adapting to digital systems—and security breaches are its version of growing pains. John D. Halamka, chief information officer and dean for technology at Harvard Medical School, told me we’re still in the “biplane” era of online records. “The jet engine hasn’t been invented yet,” he said. “But a paper record can only be read by one person at a time in a single location. Digital records can be shared, secured, audited, easily read, and viewed anywhere by those with a need to know.”
Simply put: medical information is worth more than financial data like credit card numbers, which have a finite lifespan and are so plentiful on black markets they often sell for close to nothing. But a single updated medical record often goes for $10 a pop. Criminals use stolen information to obtain prescriptions, make insurance claims, or—in extreme cases—enroll for new coverage with no intention of paying the resulting bills.
Victims of medical fraud are usually in for a prolonged headache. If someone uses your identity to get treatment, who pays the bill? For one man in Colorado, a fraudulent surgery ended with a $44,000 hit. If someone maxes out a prescription you need, it can take months to clear your record. And a false diagnosis to get controlled substances could surface in a job interview. In a 2015 study by the Ponemon Institute, 65 percent of the medical fraud victims they interviewed had to pay to resolve fraud cases or settle outstanding bills. The average amount? $13,500.
The overwhelming majority of healthcare breaches come from ransomware, malicious software that blocks access to a computer system until a bounty is paid, usually in Bitcoin (because the attackers stay anonymous and the data is encrypted, the payment is demanded in cryptocurrency). I asked Engin Kirda, a professor at the College of Computer and Information Science at Northeastern University, how these attacks take place. “If there is a vulnerability on the system, malware may exploit it and install itself,” he told me. “In a lot of the cases, though, there is a social engineering aspect to the attack. The victim is tricked to click on a link that she shouldn't click on or download something she shouldn't download.”
So the security of our personal data, as well as the accessibility of health records, is routinely compromised because employees click the wrong links. The bright side for patients is that hospitals and doctors value their information even more than a random buyer on the dark web. “Data, personal information, passwords to accounts, these are assets of value,” said Lee Tien, senior staff attorney and Adams Chair of Internet Rights at the Electronic Frontier Foundation. “In the exfiltration context, you might just sell them, but in the ransomware context, you extract value from someone who values them a lot more than a buyer on the black market. A hospital might not be able to treat its patients or operate at all without access to its systems.”
If a malware attack doesn’t result in a total organizational shutdown, it often means taking systems offline and temporarily moving back to paper records. That’s what happened at Hollywood Presbyterian Hospital this past February when, for ten days, it mulled over whether to pay hackers their demand of 40 bitcoin, equivalent to roughly $17,000. They eventually ponied up, and the widely reported figure has served as an inspiration to online criminals. The FBI, while warning organizations about the rise in ransomware attacks, doesn’t recommend paying off hackers. But most organizations are left with no choice.
Rob Bathurst, managing director for healthcare and embedded systems at the leading cybersecurity firm Cylance, told me the only way to stop ransomware attacks is to be proactive about security rather than reacting to a crisis. “If you don’t have the technology to prevent these types of occurrences, the only recourse in most cases is to pay,” he said. “In the vast majority of cases, what we see is the institution pays the ransom and then tries to address the problem of preventing it from occurring again in the future.”
Prevention, though, is largely out of the patient’s hands. Make a doctor’s appointment or visit a hospital, and you have to provide data. You have no control over who exactly has access to your record or what happens if it gets held hostage. The medical field has lagged behind finance and government (two industries with their fair share of security breaches) when it comes to adopting online networks and providing the proper security to protect them. According to a recent survey by HIMSS Analytics and Symantec, more than 80 percent of healthcare organizations spend less than 6 percent of their IT budgets on security.
“What we have here is a classic example of an industry sector that is trying to modernize and use IT effectively, but is not paying enough attention to the problems of data security,” Tien told me. “A big part of why is that security is hard and often gets in the way of making the data available to those you want to share it with. People have been talking about electronic health records for years, but EFF and Patient Privacy Rights and other groups have been saying ‘slow down’ and make sure crypto [technology] is being used. If you build a nice house with lots of valuable stuff in it, but don’t have locks on the doors, you’re asking for trouble.”
The good news? There’s plenty of room to catch up—though things will likely get worse before they get better. Experts like Bathurst recommend a three-pronged approach: Investing more in technologies to prevent ransomware from happening in the first place, improving worker awareness so there’s an easy path to notify IT people of security concerns, and, finally, training these employees to get better at spotting malicious emails. As a patient, the best move you can make is to be proactive about tracking fraud on your financial and other accounts, along with paying attention if your pharmacist says you’re maxed out on your prescription when you know you aren’t.