Colorado Allergy Clinic Hit by Ransomware

An undisclosed ransomware strain has reportedly hit a Colorado-based allergy clinic Tuesday last week. Allergy, Asthma & Immunology of the Rockies, P.C. (AAIR) divulged details of what appears to be a ransomware infection that may have directly affected systems containing electronic protected health information (ePHI) of almost 7,000 patients, including patients’ names, medical test results and Social Security numbers.

Following reports of difficulty in accessing computer files and documents, the establishment’s IT department shut down servers fearing a virus attack on their network—which led to the discovery of evidence of ransomware on its systems on May 16, 2016.

AAIR representative Kari Hershey notes that while no further details of the infection have been uncovered by the clinic’s IT staff and the third-party cybersecurity partner tapped to conduct a forensic analysis of the clinic’s network, what was seen was a draft of the ransom note. As such, Hershey shares in a statement, “The way it was explained to me is that it essentially looked like the hackers were still testing out the ransomware.”

While analysts are still uncertain of the specific ransomware family involved, it was stated that the infection does not involve Locky or SAMSAM, which were among the ransomware strains that have targeted healthcare organizations of late. How the malware entered their system also remains unknown. Hershey notes that what is clear is that the infection managed to “pass through a password protected firewall”. According to analysts, this could be a drive-by download that took place after an employee was lured into visiting a poisoned website.

Typical ransomware infections begin with a victim unwittingly visiting malicious or compromised websites. It can also arrive as a payload that is dropped or downloaded by other malware. There are numerous cases of ransomware infections that come from the download of malicious attachments delivered to a target via spammed emails. In other cases, ransomware can be downloaded from malicious pages through malvertisements, or dropped by exploit kits onto vulnerable systems.

[Related: Dissecting ransomware arrival tactics, old and new]

Further, since the ransomware was described to be “in its early stages” of development, it was said that there was no indication that the attackers were able to mine and use any of the stored ePHI for nefarious activities. Hershey notes that at this point in the investigation, signs of harvested data would already have been detected. But this does not preclude the idea of setting up precautions aimed at safeguarding patient records.

“Having said that, there was a breach of the system. Just out of an abundance of caution, we do want people to sign up for an identity theft protection program. That way if they do have a problem they can get help,” Hershey added. That said, as of this writing, AAIR has offered year-long identity protection services to its client base, including credit monitoring, insurance, medical data theft protection, and customer support via a dedicated service team. Patients have also been urged to be vigilant about their financial records and to closely monitor account activity so that irregularities can be spotted immediately.

The Glenwood Springs Police Department and the Office for Civil Rights in the U.S. Department of Health and Human Services have already enlisted the aid of the FBI in conducting additional investigations, considering that initial investigations have unearthed an attacker’s IP address that seemingly led to Russia, which is beyond the department’s jurisdiction. AAIR has since heeded the advice of IT professionals to replace its hard drives. It was also noted that the AAIR systems have already been rebuilt and duly backed up, even before the infection was discovered. Password credentials have all been replaced and the firewall was said to have been modified.

Attackers zeroing in on healthcare data

AAIR joins the list of healthcare institutions that have been attacked by ransomware. In 2016, a number of cases have been disclosed to the public involving hospitals whose operations have been derailed by file-encrypting malware.

In February, the Hollywood Presbyterian Medical Center (HPMC) suffered from a crippling ransomware infection that rendered network and computer-related functions, including CT scans, lab work, pharmaceutical, and documentation needs of the 430-bed Los Angeles hospital, inaccessible. A few days after the incident was reported, Allen Stefanek, President and CEO of HPMC, divulged paying the demanded ransom of 40 bitcoins, amounting to approximately US$17,000. Paying the ransom was deemed by the administrators to be the “quickest and the most efficient way” to restore essential hospital functions.

Barely a month after, before the end of March, a widely distributed ransomware strain, Locky, caused the Kentucky-based Methodist Hospital to operate under an “internal state of emergency” after a ransom pegged at $1,600 was demanded by the attackers. Not long after, two new cases of ransomware infection surfaced in separate incidents of data-kidnapping, involving the ten hospitals and 250 outpatient centers run by Maryland-based healthcare giant MedStar Health, and the two hospitals operated by Prime Healthcare, Inc.

In May, Kansas Heart Hospital shared details of a ransomware attack that attempted to extort the institution twice. Following the payment of a relatively small ransom, President Greg Duick reported that the attackers did not give full access to the encrypted files and instead demanded a second ransom, which the hospital did not pay.

In the past, it was a hotly debated topic whether ransomware attacks and infections involving the healthcare industry should be reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) as data breaches under the Health Insurance Portability and Accountability Act (HIPAA). Incidents like the ones mentioned were not usually reported, but in the case of AAIR, clinic officials decided to divulge this information to the OCR as a data breach given the amount of patient data that was “potentially compromised”, illustrating the institution’s high regard for the risk that exposed data poses once in the hands of an unauthorized party.

The recent attack on AAIR demonstrates the continuing interest of cybercriminals in healthcare data as a viable target to rake in profit, and this is not limited to the ransomware epidemic that has surfaced of late.

[Read more: Healthcare as a prime cybercriminal target]

In the past, security researchers have determined that the healthcare industry is “behind other industries when it comes to security.” This prompted the FBI to issue a warning about the industry’s “lax cybersecurity systems,” painting healthcare information as a prime target for attack given the kind of information stored in the systems of healthcare facilities.

Cybercriminals consider healthcare facilities as goldmines for personally identifiable information (PII) that could easily translate to profit. Such information could be traded in underground marketplaces or used to stage further attacks, from fraud, identity theft and intellectual property theft to espionage and even extortion.

Now, healthcare organizations put a premium on online platforms not just as a repository of collected data, but also as a crucial component used to provide services and perform mission-critical functions. This knowledge gives cybercriminals the motivation to find and exploit gaps in security to steal and profit from, which can adversely impact the organization’s business operations and ultimately lead to degraded health services.

While attacks on healthcare institutions have evolved from theft or loss of unencrypted devices to the rise of more sophisticated schemes like carefully-planned data breaches to the spread of ransomware, one thing remains constant: the healthcare sector is vulnerable to attacks, and it can easily be exploited.

Healthcare providers and facilities should be responsive to minimize damages caused by such attacks. Setting up integrated, preventive measures is essential for preserving the safety of data and maintaining business operations. This involves covering all bases of cybersecurity: guarding patient portals, gearing up against potential data loss, detecting breaches, auditing for compliance, safeguarding medical devices, securing legacy systems, and watching out for all possible endpoints that may be attacked. With sophisticated schemes now in play, organizations need to invest in measures and solutions built to keep up with the threats coming their way.

Trend Micro’s suite of products for healthcare organizations can help improve security while meeting compliance needs. Trend Micro’s Network Defense and Deep Discovery solutions help uncover targeted and socially engineered attacks, prevent exploits on medical devices and legacy platforms, as well as identify advanced malware and suspicious network activity. Trend Micro’s Integrated Data Loss Prevention (DLP) can quickly and easily manage sensitive information and prevent data loss via endpoints, SaaS applications, messaging, cloud storage and web gateways. Trend Micro also provides security solutions for Office 365, hybrid cloud environments, mobile devices and other data endpoints.
