Hospital Ransomware on the Loose? More Healthcare Providers Affected by Ransomware

hospital-ransomwareIt appears attackers are zeroing in on medical institutions—banking on the critical nature of data that could render facilities helpless when denied access to.  Recent reports show one healthcare network after another getting shut down by crypto-ransomware attacks.

On Monday, the ten hospitals and over 250 outpatient centers run by Maryland-based healthcare giant MedStar Health shut down their computers and email servers after malware paralyzed their online systems. In a statement, a MedStar spokesperson shared in a Facebook, “MedStar Health's IT system was affected by a virus that prevents certain users from logging in to our system. MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization. We are working with our IT and Cyber-security partners to fully assess and address the situation.”

Initially, officials of the $5 billion healthcare provider did not refer to the incident as a ransomware infection but an employee at the MedStar Southern Maryland Hospital Center divulged an image of a ransom note demanding 45 bitcoins (worth around $19,000) for a decrypt key for the encrypted files. Further, the note warned, “You just have 10 days to send us the Bitcoin, after 10 days we will remove your private key and it’s impossible to recover your files.”

[Read: How ransomware works]

On Tuesday evening, it was reported that the records found in MedStar’s central database could already be accessed and read but could not be updated or modified. A recent update on the cyber intrusion now confirmed that the attack involves SAMSAM--a server-side ransomware family that does not rely on malvertising or social engineering hooks to arrive into a target's system.

[Read: SAMSAM Hits Healthcare Industry]

Officials highlighted that given treatment delays and other operational challenges caused by the attack, they had “acted quickly” to address the situation, and no evidence was found to say that information was stolen of compromised. MedStar’s chief medical officer, Stephen R.T. Evans supports this, saying, “The quality and safety of our patients remains our highest priority, which has not waned throughout this experience.”

In California, the operations of two hospitals run by Prime Healthcare, Inc. were disrupted by a similar ransomware attack that caused them to shutdown shared systems. Prime Healthcare operates 42 acute care centers scattered in 14 states, and in mid-March, 126-bed community hospital Chino Valley Medical Center in Chino and 148-bed facility Desert Valley Hospital in Victorville were subjected to an attack that is now part of an ongoing probe of the FBI.

The infection was discovered on March 18th, involving malware belonging to the Locky crypto-ransomware strain. The ransomware is believed to have been delivered through a malicious email. This is similar to the ransomware family that took over the network of Kentucky-based Methodist Hospital, causing the hospital to operate in an “internal state of emergency.” At the tail-end of February, Locky was discovered being delivered through malicious macros in a Word document sent by email.

[Read: New crypto-ransomware Locky discovered]

Prime Healthcare spokesman Fred Ortega confirmed the said attack but stood firm that no ransom has been paid and that no employee or patient information was stolen or compromised. In a separate statement, he said, “Our expert, in-house IT team was able to immediately implement protocols and procedures to contain and mitigate the disruptions. The hospitals remained operational without impacting patient safety, and at no point was patient or employee data compromised. As of (Thursday, March 24) most systems have been brought online.”

Different methods, similar impact

The rise of malware-related incidents targeting medical data has been a cause for concern among authorities, given the kind of valuable information stored by hospitals and healthcare providers.  Data breaches and phishing attacks figured in recent years as common attack tactics used to access and steal valuable data off medical records. When stolen, these are the kinds of data that cannot be easily (or not at all) replaced, unlike banking and credit card credentials—making these databases a goldmine for cybercriminals.

In the Trend Micro 2015 security roundup, healthcare was found to be the most affected industry based on the year's recorded data breach incidents. In early 2016, cancer treatment center 21st Century Oncology Holdings was victimized by a breach that exposed over 2 million patient records. Research and treatment facility City of Hope was also targeted by a phishing attack that successfully disclosed protected health information to unauthorized parties. The number of incidents involving the theft of medical data shows that these types of data aren’t as secure, making it an even more ideal target.

[Read: Why medical data is a prime cybercriminal target]

While ransomware is not designed to steal data, attackers may have painted medical facilities as easy and lucrative targets. The networks of medical facilities may not be as well-defended, staff may not be aware of popular social engineering tactics, and the data and systems are so critical to operations that locking them down with ransomware results in victims that are more likely to pay the ransom.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.