Defusing a hostage situation: The fight against ransomware in healthcare

When organization-wide chaos arrives, it does so with the quiet ping of an email notification. A hospital administrator opens the message on her lunch hour, giving it a quick once-over between bites of her sandwich. The email seems innocuous enough, just a newsletter with a neatly-embedded link at the bottom. She clicks it; the blue text takes her to a blank page. She closes out the page. The link must be broken.

Although the administrator isn't aware of it, her single, absent-minded click opens the door to disaster. Within minutes, doctors and nurses alike find themselves locked out of their records, fruitlessly tapping at their keyboards in the ever-diminishing hopes of regaining access. Someone calls IT; the struggling technicians pale when a ransom note appears on the screen.

Hackers have deployed a ransomware attack on the hospital and will only release their hold on its data if executives pay out thousands of dollars in bitcoin.


The afternoon passes in a flurry of panic as doctors and administrators resort to paper registrations and records. Communication slows; without access to critical medical information, doctors turn their emergency patients away in droves. Organization leaders sit in helpless panic. Is nonpayment even an option, given the circumstances — when lives quite literally hang in the balance?

Ransomware attacks have skyrocketed over the last few years. Research conducted by the cybersecurity firm Malwarebytes found that the number of detected malware attacks rose by an incredible 90 percent from 2016 to 2017. Specific ransomware families like WannaCry and Locky have leaped in popularity since hackers deployed them successfully in well-publicized cyber heists. Attacks on healthcare constituted over a third of all ransomware attacks in 2017 — and the danger hasn't diminished since.

When cybercriminals attack a consulting firm or small business, they threaten the organization's ability to function, its financial stability, and the security of its relationships with its clients. Unlike a typical office, however, a hospital can't shutter its doors for a few days while the techs and executives hammer out a solution; it needs to continue serving patients.

This imperative forces healthcare workers and leaders to revert to outdated and clunky communication methods such as faxes, handwritten memos, and paper patient files. Without the ability to consult medical records for an incoming patient's medical history, allergies, pre-existing conditions, and current medications, doctors and nurses cannot treat that patient safely.

As morally repulsive as it is, hackers see health centers as easy targets. If the situation is left unresolved, patients may get hurt — or at the very minimum, receive lower-quality care. Health leaders are aware of this and can see the fallout firsthand. It can be tempting to start pulling funds together and pay, if only to end the uncertainty.

There are no guarantees in hostage negotiations

Consider the case of the Hollywood Presbyterian Medical Center hack in 2016. In February of that year, hackers encrypted and held the center's data hostage, thus wreaking havoc on the hospital's operations and communications. The chaos lasted for ten days while organization executives negotiated with the criminals and paid over $17,000 in bitcoin. The data was restored; operations resumed.

As unbelievable as it seems, that smooth exchange was the best possible outcome the hospital could hope for once negotiations started. Despite the high price tag, some executives might take the HPMC case study as proof that payoffs do, indeed, pay off. However, extortion doesn't come with a warranty, and dealing with the hacker can be more dangerous than even the most pessimistic executives imagine.

If the software used in the attack had been data-destroying malware rather than genuine ransomware, the hospital might have paid the hackers in good faith and found its data irrevocably damaged anyway. Or, instead of holding the data hostage, the pirates could have sold the patient information they had accessed on the black market. According to TrendMicro, a full database of Electronic Health Records (EHR) goes for roughly $500,000 on illegal sites. The personal information and social security numbers contained in these files could potentially allow a cybercriminal to create false identities, obtain drugs under false pretenses, or even falsify medical insurance claims.

We need to stop feeding into abusive "businesses"

Think of ransomware hackers as morally bankrupt entrepreneurs, and extortion attacks as a business model. The majority of these criminals size their demand to appeal to their victimized "consumers'" desire to solve the problem quickly and move on; typically, the ransom is a matter of hundreds of dollars, not thousands.

However, by paying off their attackers, hospitals and practices effectively "buy into" the ransomware model and reassure the hackers that they can continue to make money by holding data hostage. Thus, while successful exchanges like the one at HPMC solve the problem in the short term, in the long run they only encourage more hackers with fewer morals to try their hands at extortion.

Healthcare leaders must create safer solutions

As tempting as it might be, a quick payoff can't be a healthcare organization's go-to option, regardless of whether the price tag is a few hundred or a few thousand dollars. By taking a reactive approach, leaders continue feeding into the ransomware machine, rather than genuinely subverting the power hackers hold over their organizations.


The best protection is preparation. According to a recent survey from Infoblox, only 68 percent of surveyed U.S. healthcare IT professionals have a plan in place for warding off a cyberattack, and a third do not know whether their organizations would be willing to pay a ransom to attackers. This lack of planning places organizations in an incredibly vulnerable position, leaving them flailing and unsure in the event of an attack.

Security in healthcare tech needs to be bolstered on two fronts: education and planning. IT technicians can build better security measures, but all the tinkering in the world won't stop an employee who doesn't recognize a malicious email from letting a hacker into the system. Leaders, for their part, cannot give in to their panic and pay off the offender for quick relief. Instead, they should follow a rehearsed incident-response protocol and check whether a decryption key for the offending ransomware is available online through resources such as the No More Ransom Project before they entertain the idea of paying.

Hospitals can't stop hackers from attacking. However, they can put a damper on the chaos by following a well-laid emergency plan and refusing to pay into an extortionate business model. Once cybercriminals realize that holding patients' data hostage is financially unprofitable, they will move on to their next get-rich-quick scheme — and leave patients safely behind.

Matthew Doyle is Chief Operating Officer at Chicago Pacific Founders, an investment advisor that manages private funds, focusing exclusively on healthcare services. He previously co-founded Van Buren Securities and was a senior portfolio manager for the Greenwich Options Fund.