An internet television program that explores the intersection of medicine and the law.

What You Need to Know: Hospital Ransomware Attacks

By Tom Andre, VP of Information Services at Cooperative of American Physicians (CAP) to Risk Management


What You Need to Know: Hospital Ransomware Attacks Our guest on Healthcare Matters is Tom Andre, VP of Information Services at Cooperative of American Physicians (CAP). In this very important and informational series we ask Mr. Andre numerous questions about the recent ransomware attacks against hospitals, how they can be avoided, risk management tips that hospitals can put in place immediately, how they can protect patient data, and much much more. This is the full interview and we have created videos (links below) for every question we asked Mr. Andre, for easier viewing. This information is important in the wake of the numerous hospital attacks occurring all around the country, including the one against Hollywood Presbyterian Medical Center in California. This is only one of the many questions we asked Mr. Andre about cyber security and how healthcare facilities can protect themselves. Check out all of them here:
  1. Explaining the Recent Ransomware Attacks on Hospitals
  2. Top Two Risks a Hospital Faces in a Malware Attack
  3. How Common are Ransomware Attacks on Hospitals?
  4. The Surprising Ways a Hospital can be Infected with Ransomware
  5. Risk Management Tips for Hospitals to Avoid Ransomware Attacks
  6. Should Hospitals Negotiate with Hackers if Hit with Ransomware?
  7. Protecting Patient Data During Hospital Ransomware Attacks
  8. Full Interview with Tom Andre: What You Need to Know: Hospital Ransomware Attacks


Mike Matray: On today’s episode, we’re going to discuss the recent malware attack on Hollywood Presbyterian Hospital’s computer network. Could you give us a brief synopsis of what happened in this instance?

Tom Andre: Sure. Now, I should say that I do not have an insider’s knowledge of what happened there, but this was a Ransomware attack, which is very, very common these days. And I can talk about that, generally, the types of things we should all be worried about with Ransomware and what may have happened with them. Ransomware is a type of computer infection, typically comes into an organization through a social engineering attack, either a phishing attack, email, or clicking on an infected website.

Once a computer is infected with the malware, it begins to encrypt files that are on that computer and also will go out to any network resources that it can find and encrypt those documents as well. Once it’s done its dirty work, then a message will pop up that will say, “Your files have been encrypted. If you want to get them back, here’s how to do it.” Generally, there’s a ransom that needs to be paid to do it, if you have no other way of getting your files back.

Mike Matray: It’s been well documented that stolen electronic medical records sell for ten to twenty times more, on the black market, than stolen credit card numbers.  But the Hollywood Presbyterian Hospital case is different. Rather than selling stolen medical records, the hackers injected malware that restricted the hospital’s access to its computer system, and would only share the decryption key if a ransom of $17,000 was paid. What are the different risks associated when a hospital is blocked from accessing its computer system?

Tom Andre: Well, there’s a handful of risks. One is certainly a reputational risk, which is having to go to the public and say, “Our system has somehow been compromised and we can’t get access to it.” That’s something, I think, any organization is afraid of and is the reason why a lot of times you don’t hear about some of these attacks. But this was something that I think lasted long enough that it got out to the public, and public statements had to be made.

Another is a financial risk. Now $17,000, in the grand scheme of things, may not be a lot to the hospital, but I would look at how much productivity was lost. I believe, from the CEO’s statement on the hospital’s website, they first noticed the infection on Friday, the 5th of February, and their electronic health records systems were back up on the 15th.

So that’s nine to ten days of not being able to access that information. They were relying on paper, they were relying on faxes and phone calls. That would be a productivity hit to the hospital, because all that information that was collected on paper would then have to be back-filled into the hospital system. That’s some of the major risk. And then I think this is kind of a wake up call, in a way, that even though the ransom wasn’t a lot, you have to think about the fact that this is a type of engineered attack that put itself inside the computer network.

Now, all they were after was a ransom for giving the files back, but the same type of mechanism could be used to plant something on to the network and then do what’s called a command and control situation where a remote computer is accessing the internal network with all the same privileges as someone inside, like someone that would have access to medical records. The thing to keep in mind with Ransomware attacks is it is technically a command and control attack, where the malware gets installed on the computer, then it phones home.

It says, “Okay, I’m inside. Now I wanna start encrypting files. Give me an encryption key so I can start doing that.” And they have to do that because they want to use unique encryption keys. Because if they use the same one over and over again for every organization they attack, it would soon be known what the decryption key was, and their “business model” would no longer work.

Mike Matray: How common is this ransom type of hack in the healthcare industry, and is it as common as the theft of electronic health records?

Tom Andre: Well, as I said, most people don’t disclose a lot about the types of attacks that they get. I can tell you that there’s a recently appearing version of Ransomware called Locky, which comes through an infected Word document. It has been reported that within the first few days, it was infecting computers at a rate of 90,000 per day.

Mike Matray: Wow.

Tom Andre: We’ve all gotten those emails from the attorney in Nigeria that has money, just ready to give to us. You think, “Who would fall for that?” But someone does. And they only need a small percentage to fall for it to keep doing business that way. And if you think if even 10,000 of those 90,000 computers that were infected resulted in a payoff, then the average ransom is about $500, is what I hear, that’s a half a million dollars in a day, if you’ve got 10,000 computers.

Mike Matray: What are the most common ways that these malware attacks get into a hospital system?

Tom Andre: This particular type of malware usually comes in through a phishing attack. Phishing is sending an email that looks like it’s from someone else, someone legitimate. Or even maybe doesn’t really appear to be legitimate, but people have a tendency to be trusting and they click on things.

So if you click on a link that goes to an infected website, it will cause an installation of some malware. If you open a Word document and you run macros in a Word document, that can infect your computer. In some cases, there have been websites that have had their own links infected.

There’s a common website production tool called WordPress that, a few weeks ago, it was noted that some of those WordPress sites were compromised and someone had injected bad links into them. Those are pretty common ways. There’s another type of social engineering attack, which is pretty costly for some organizations.

It has nothing to do with malware, but it’s called the CEO fraud. That also comes in through a social engineering technique, where someone is sending an email that looks like it’s coming from the CEO of the organization. They’ll send it to the accounting/finance folks and say, “Can you approve a wire transfer?”

There’s no links in it, but if they don’t have good internal controls, they may actually process the wire transfer. And there was a company in San Jose that got taken for about $46 million in that way. So, there’s some big money in that.

Another form of the CEO fraud is to send an email to the HR people. It looks like it’s from the CEO. They’ve done some reconnaissance to figure out who the HR people are and said, “Please send me a list of all of your W-2 information for all of our employees.” You know, salaries and social security number. And if you take a look at the LA Times this morning, the company that many of us who have teenagers know about, Snapchat, Snapchat got taken in the same way.

So, you really need to have your staff and employees really aware of the types of attacks that could come in in this way, and take a couple of seconds to evaluate everything before they respond or click.

Mike Matray: Okay. What are the risk management steps that a hospital or a large physician group should take to avoid this type of an attack, and how expensive is ongoing data security in the healthcare arena?

Tom Andre: Well, it’s not cheap for anybody. Some of the important things to do, you can’t really rely on cyber security on any one thing. The perpetrators, the criminals that are behind these attacks, for every piece of security software and equipment that you have, they probably have one that they’re working on and trying to defeat it.

So, it’s good to have what’s called a layered defense. In the case of phishing and social engineering, you should have a good email filtering product, span filtering product. That’s gonna catch some things. You want good anti-virus. That’s going to catch things, some things if people click on them.

There’s also a technology called endpoint protection which really controls what can be installed and will look for anomalous behavior on a computer. Most anti-virus software vendors have endpoint protection as an add-on product or some included with their products. That’s also good.

There’s also a technique called Application White Listing. Which, essentially, if you’re in an organization, you really know, for the most part, which computer applications people are supposed to be running. They should be running your EMR system, they should be running your reconing [SP] software. They don’t need to be running iTunes.

So, what you can do with Application White Listing is create lists of what is acceptable to run, and it doesn’t allow anything else to run. So that if somebody clicks on something and it tries to install a software, the malware, it can stop it right in its tracks.

Mike Matray: The United States government doesn’t pay ransoms to terrorists because they believe it will increase future hostage taking. Do you believe that since Hollywood Presbyterian paid to regain access to its computer system, we can expect an increase in this type of a ransom attack in the future?

Tom Andre: Well, it’s hard to get inside the criminal mind, but I think after 9-11 when the intelligence agencies were accused of having a failure of imagination, I think we all have to use our imagination of what could possibly happen. You know, they may be looking to up their game in some ways. They may see that, “Okay, Hollywood Presbyterian, here’s a hospital, they paid $17,000.

You know, maybe we can get more than the usual $500 if we do a focused attack on specific organizations.” But in this case, it has all the hallmarks of a random attack, that it doesn’t look like they were specifically targeted. The end result is they were still down for several days and they had to pay a ransom to get their information back.

From what I’ve been reading about the Ransomware attacks, they’re becoming more sophisticated. It used to be they would go after what’s called a mapped network drive, like a D Drive, an E Drive. And now some of the strains can penetrate even further into the network to other types of network shares. So, I’m sure they’re going to be upping their game as time goes on, looking for higher value targets. We just have to be prepared for that possibility and do what we can to stay aware of it and protect against them.

Mike Matray: Okay. What are the chances that these cyber criminals are going to be caught?

Tom Andre: I would say it’s probably unlikely. I think a lot of them are operating offshore. They mask themselves fairly well. The ransoms are paid in bitcoin, which is difficult to trace. When you contact them, it’s not like you go to their website and you put your credit card in and it’s a published website. They use a special type of browser called Tor, T-O-R, which one of its purposes is to maintain anonymity on the network.

So, chances are, they won’t be caught. At best, it’s possible, in some Ransomware cases, they’ve recognized which internet addresses some of these attacks were coming from and where the payments were getting made from. They’ve been able to shut those servers down. If it’s offshore, if it’s in a country that’s not necessarily one of our best friends, chances are, the best they can do is maybe shut down access.

Mike Matray:  In the healthcare arena, there’s HIPAA, which protects the patient’s personal medical records, and there’s quite a substantial fine if that is compromised. How does HIPAA come into play here? Did the malware that was injected into Hollywood Presbyterian actually compromise the patient data, or will they be able to just move along as if nothing had happened and we just paid this ransom and everything’s good now?

Tom Andre: There’s nothing that I’ve seen publicly that indicates that anything was compromised in terms of patient data. It doesn’t sound like it. Most Ransomware seems to be just opportunistic. They want to get a ransom and they’ll give you your files back. They don’t seem to be trying to ex-filtrate data at this time.

I think, if I were looking at this from the perspective on any hospital administrator, I would wonder about…and I don’t know what happened specifically at Hollywood Presbyterian, but a couple of things that the HIPAA HITECH requires is, first of all, that you have a disaster recovery plan. And I think it sounds like the disaster recovery plan at the hospital was invoked, and they went to paper and phone and fax.

The other thing is to have adequate backups, and you have to ask yourself, as an administrator, if this were to hit me, would I have sufficient backup so that I wouldn’t necessarily have to pay the ransom? Maybe I could just say, “I’m just going to go back to my last backup. I’m gonna isolate the computers that have been infected, and then I will restore from backup.”

What’s adequate backup? HIPAA HITECH is not really specific on that. I’m sure there’s a continuum where if your last backup was two months ago, no one would say that was adequate. But whether it’s 12 hours ago or 24 hours or four hours ago, I don’t know that that’s really been defined. I think that’s the one area where someone could possibly have CMS look at what they’re doing and didn’t think they were adequate backups. I don’t know that that would be the case. I don’t know if there’s even something that they concentrate on right now.

Mike Matray: Well, fantastic. It’s been a wonderful conversation with you. As more events come up in healthcare data security, I’d love to have you come back on the show.

Tom Andre: I’d be happy to do that.