A Strong Immune System Can Protect Hospitals from Hackers

 

There are almost 140 million visits to U.S. hospital emergency departments each year. When patients rush to an ER, they expect competent and timely care. This was not the case at the Hollywood Presbyterian Medical Center in February 2016.

Ransomware is malicious software that infects computers, encrypts their data, and renders the files inaccessible unless a ransom is paid for the decryption key.

A 434-bed hospital in Los Angeles' Los Feliz neighborhood, Hollywood Presbyterian fell victim to a sophisticated ransomware attack. First noticed Feb. 5, the ransomware affected everything from emails to patient records to test results. Nurses and doctors resorted to handwritten notes and faxes, while patients experienced delays and inconveniences in care.

With its computer systems down for almost a week, the hospital elected to pay a ransom of 40 bitcoins (roughly $17,000) to regain access to its own files. According to Hollywood Presbyterian CEO Allen Stefanek, patient care was not affected and no patient data was compromised.

"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," said Stefanek. "In the best interest of restoring normal operations, we did this."

Bitcoin is a decentralized digital currency that is largely unregulated. Its transactions are recorded on a public ledger, but they are pseudonymous, so tying a payment to a real-world identity is difficult. Ransomware operators prefer it for that reason.

The crippling nature of the hack and the real and potential costs it posed made paying the ransom a simple business decision for the hospital, according to Chris Williams, an enterprise cybersecurity architect at Leidos.

"Without functioning computer systems, the hospital’s operational costs, patient service, and risk of medical mistakes would be severely affected," Williams said. "When you add in the cost to rebuild systems and recover data, the cost to strengthen their cybersecurity to prevent a repeat, and the potential for fines, lawsuits, or penalties, the $17,000 ransom is a bargain."

In paying the ransom, Hollywood Presbyterian also likely considered the reputational impact of the breach and its effect on future business. The hospital's cybersecurity and legal teams have a long road ahead.

"Paying the ransom is not the end of the problem at all, but it is perhaps the beginning of the end of the immediate crisis," said Williams.

To understand how to move forward, the hospital must understand how the ransomware attacked its systems and how the attack could have been prevented. Conventional anti-virus software relies on recognizing patterns in known malicious software, called signatures, which analysts create only after a sample has been identified as malicious. This means that anti-virus software cannot recognize a new piece of malicious software until someone identifies it, writes a signature for it, and distributes that signature to the affected machines. Williams suspects that the strain of ransomware released on the hospital was new and previously unknown, so no signatures for it yet existed.

"Just as the body's immune system responds best to germs that it has seen before, anti-virus software needs signatures to be able to do its job," said Williams. "By the time signatures could be created for Hollywood Presbyterian, the damage was already done."

Chris Williams is an enterprise cybersecurity architect at Leidos.

The ransomware presumably entered the hospital's systems either through spam email containing links to malicious websites or attachments hiding malicious software, or through a vulnerability in one of the hospital's Internet-facing web or email servers. From there, it likely spread from machine to machine, either by exploiting operating system and application vulnerabilities or simply by encrypting every network share the infected user's account could write to, which is how much commodity ransomware of the time reached file servers. In an enterprise environment such as a hospital, ransomware can move quickly from computer to computer, rapidly bringing an entire operation to its knees.

"Skilled intervention is often still the best solution to the majority of cybersecurity risks that pop up," said Jon Scholl, president of the Health and Engineering Business Unit at Leidos. "Automated cyber defenses help spot vulnerabilities, but you need human intervention to confirm, mitigate, and solve the problems."

Scholl knows the importance of a strong cybersecurity staff. At Leidos, he leads almost 7,000 employees, many of whom are experts in areas such as healthcare IT, electronic health records, and advanced data analytics.

"In healthcare, people are safer and healthier because of what Leidos does — the capabilities and expertise we bring," Scholl said.

Cybersecurity in an Evolving Landscape

Chris Williams conducted a healthcare cybersecurity briefing at HIMSS16 in Las Vegas.

Chris Williams conducted a healthcare cybersecurity briefing at HIMSS16 in Las Vegas.

Given the circumstances Hollywood Presbyterian faced, could the hospital have done more to prevent or minimize the breach? The Managed Security Services (MSS) team at Leidos may have already answered that question. At the exact same time as the Hollywood Presbyterian breach, Leidos faced a similar ransomware attack on one of its customers. The Leidos Security Operations Center (SOC) helped identify the ransomware in the customer's network and allowed the customer to track and contain it in real time. The SOC also worked with the customer’s anti-virus vendor to rapidly create signatures to shield the customer's network from the malicious software.

While the attack did cause some damage to the customer's IT environment, the Leidos MSS team helped its customer limit the damage so a quick recovery was possible. Comparing this outcome to what happened at Hollywood Presbyterian, Williams identified seven practices that the hospital could have followed to help mitigate this attack:

  1. Use a boundary defense that can identify malware by its behavior, not only by signatures of known threats.
  2. Lock down workstations and other endpoints so they are less exposed to the exploits ransomware relies on.
  3. Lock down IT infrastructure so that ransomware cannot reach critical systems.
  4. Segment the hospital's network so that any attempt by ransomware to move between segments is both limited and detectable.
  5. Deploy sensors across the network that capture logs and network traffic, providing visibility inside the enterprise so that intrusions can be analyzed.
  6. Invest in robust recovery capabilities, including backups kept where ransomware cannot reach them and restores that are tested, so systems can be rebuilt despite ransomware.
  7. Focus resources on detecting and responding quickly when attacked, with an active defense that spots infections and contains them before the encryption completes.
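As an added illustration of the signature-versus-behavior point made above and of practices 1, 5 and 7 in the list, here is a small Python detector that reads file-server audit events and raises an alert when a single host rewrites many files to an extension the share has never produced, all within a short window. This is example code written for this page, not code from the article or from Leidos. The audit-log format, the hostnames, the share paths, the thresholds and the allowlist of "known" extensions are constructed assumptions; a real deployment would consume events from the file server's audit log or a SIEM and tune the thresholds to the site's normal activity. The sample log includes a benign bulk export of lab results so the ratio check, not just the file count, decides what is flagged.

```python
"""Behaviour-based detection of mass file encryption over file-server audit events.

Added example for this page; not code from the article or from Leidos.
It needs no malware signature: it alerts when one host rewrites many files
to an extension the share has never produced, inside a short time window.
Log format, hostnames, paths, thresholds and the extension allowlist are
constructed assumptions to be tuned per environment.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple
import os

# Assumption: extensions that normally appear on this share (tune per site).
KNOWN_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".hl7", ".dcm", ".txt", ".jpg"}
WINDOW = timedelta(seconds=60)  # sliding window per host
THRESHOLD = 20                  # distinct files altered in the window before alerting
SUSPICIOUS_RATIO = 0.8          # fraction of those files that gained an unknown extension


@dataclass
class Alert:
    host: str
    first_seen: datetime
    last_seen: datetime
    files_touched: int
    unknown_extensions: List[str]


def parse_event(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Parse one constructed audit line: '<iso-ts> <host> <ACTION> <path> [<new-path>]'.

    Returns (timestamp, host, action, resulting_path); None for malformed lines.
    """
    parts = line.split()
    if len(parts) < 4:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
    host, action, path = parts[1], parts[2], parts[3]
    if action == "RENAME" and len(parts) > 4:
        path = parts[4]  # the name the file ends up with is what matters
    return ts, host, action, path


def extension(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect(lines, window=WINDOW, threshold=THRESHOLD, ratio=SUSPICIOUS_RATIO) -> List[Alert]:
    """Scan time-ordered audit lines; return one Alert per host that trips the rule."""
    windows: Dict[str, Deque[Tuple[datetime, str, bool]]] = defaultdict(deque)
    alerts: List[Alert] = []
    alerted = set()
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, host, action, path = parsed
        if action not in ("WRITE", "RENAME"):
            continue  # reads do not change file contents
        w = windows[host]
        w.append((ts, path, extension(path) not in KNOWN_EXTENSIONS))
        while w and ts - w[0][0] > window:
            w.popleft()  # drop events that fell out of the window
        if host in alerted:
            continue
        files = {p for _, p, _ in w}
        unknown = {p for _, p, u in w if u}
        if len(files) >= threshold and len(unknown) / len(files) >= ratio:
            alerts.append(Alert(host, w[0][0], ts, len(files),
                                sorted({extension(p) for p in unknown})))
            alerted.add(host)
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sample: a benign bulk lab export, routine charting, one infected host."""
    base = datetime(2016, 2, 5, 8, 0, 0)

    def stamp(seconds: int) -> str:
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = [f"{stamp(i)} WS-LAB-01 WRITE /fs01/results/msg_{i:03d}.hl7" for i in range(30)]
    lines += [f"{stamp(10)} WS-NURSE-07 WRITE /fs01/charts/smith_j.pdf",
              f"{stamp(40)} WS-NURSE-07 WRITE /fs01/charts/doe_a.docx"]
    lines += [f"{stamp(20 + i)} WS-REG-03 RENAME /fs01/charts/pt_{i:03d}.pdf "
              f"/fs01/charts/pt_{i:03d}.pdf.locked" for i in range(25)]
    lines.append(f"{stamp(46)} WS-REG-03 WRITE /fs01/charts/HOW_TO_DECRYPT.txt")
    return sorted(lines)  # ISO timestamps sort chronologically


if __name__ == "__main__":
    for a in detect(build_sample_log()):
        print(f"ALERT {a.host}: {a.files_touched} files -> {a.unknown_extensions} "
              f"between {a.first_seen.time()} and {a.last_seen.time()}; isolate host from shares")
```

The rule fires on the registration-desk host after its twentieth rename, roughly twenty seconds into the encryption run and before the ransom note is even dropped, while the lab interface writing thirty result files in the same minute stays quiet because every file keeps a known extension. That is the "contain before completion" window practice 7 refers to; the response step (cutting the host off from file shares) is what a SOC would automate behind an alert like this.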

However, it is important to recognize that there is malicious software capable of defeating any one of these measures on its own, and each of them can be misused or misconfigured in ways that render it ineffective. It is no longer practical to rely on prevention alone and expect defenses to work perfectly all of the time.

"You can only achieve true security by employing combinations of multiple defenses, working together," said Williams. "But attacks like Hollywood Presbyterian mark the beginning of what we call 'fourth-generation' cyberattacks. Against advanced attacks, standard correlation of known events is great, but the ability to detect anomalous activity and behaviors is also needed. Leidos Managed Security Services can deliver all of these capabilities."

Williams describes "fourth-generation" cyberattacks as those using advanced malicious software designed to evade conventional defenses and spread faster than defenders can respond. Enterprises that rely on conventional cybersecurity alone are likely to be overwhelmed when such attacks occur. According to Seculert, a cyberattack detection firm, "leading" web gateways allowed more than 40 percent of attempted malicious communications to succeed. A 2014 report by anti-virus software maker Symantec found that the monthly number of ransomware attacks increased from 100,000 in January 2013 to 600,000 by December 2013. That number was expected to keep rising in 2016 as attackers continued developing more sophisticated malicious software.

Will you be Prepared?

"Pretty much every enterprise is already infected, by something, somewhere," Williams said. "There is no such thing as a 'secure' enterprise."

Faced with this harsh reality, the healthcare industry must be ever-vigilant in protecting patients and securing medical data. While it remains to be seen exactly how stolen medical information will be used, the possibilities range from wholesale medical fraud to blackmail and the hacking of medical devices. Unfortunately, healthcare organizations are playing catch-up against the current generation of cyberattacks.

"In healthcare, professional criminals are the ones who keep me up at night. They have the time to figure out what your organization is doing wrong and then exploit those vulnerabilities for profit," said Williams. "Unfortunately, I think it may get a little worse before it gets better. The challenge is to adapt knowledge from other industries — government, defense, financial — so that healthcare can reach those same levels of cyber defense."

Williams and his colleagues are meeting this challenge head-on for their healthcare customers. By combining Leidos' track record of cybersecurity in the defense sector with the company's rich history in serving healthcare, they're able to provide cost-effective, proven, and robust solutions.

"We are committed to helping healthcare organizations achieve their clinical and business goals while ensuring that patient care and data are protected," Williams said. "Leidos is focused on solutions, not just technology."