An Ounce of Prevention: Protecting Vulnerable Healthcare Data
Like pathogens and cancer cells, the danger of malware lies in persistence and spread.
Computer malware is called a virus for a reason. Like pathogens and cancer cells, the danger of malware lies in persistence and spread. Shut it down, as the WannaCry ransomware program infecting Great Britain's National Health Services (NHS) was in May 2017, and that particular disease is eradicated.
But cancer cells in the body may develop resistance to treatments, and pathogens often develop resistance to antibiotics and antivirals, or learn, in other ways, to overcome immunity. Infections and cancers may be thought of as an arms race between agents or rogue cells and the host. The race against malware is much the same: it's a battle between hackers and security experts — though it's not at all clear who is winning.
The health care sector, considered low-hanging fruit by hackers, is particularly vulnerable to attack.
In May 2017, WannaCry, which seems to have originated in North Korea but used software developed at the United States National Security Agency (NSA) and was sold on the dark web by a group called the Shadow Brokers, had a nearly catastrophic effect on the NHS.1 The ransomware locked computer systems and threatened to delete files unless ransom was paid in bitcoin. The ransomware exploited some older Windows systems that were either no longer supported by Microsoft or never had their security weaknesses patched.
But fixing the technology alone will not address the most basic problem. As Niam Yaraghi, PhD, a fellow at the Brookings Institution Center for Technology Innovation, puts it, “you can fix the technology part, you can encrypt [your data], but how are you going to fix the stupidity? If you use the most advanced technology in the world, if people click on phishing links, [hackers] will still have access to user names and passwords.” Physicians and nurses under stress, says Dr Yaraghi, can easily make such mistakes.
Much of the discussion of health care systems' vulnerability focuses on the potential theft of patient data. But according to Dr Yaraghi, medical information “really isn't all that valuable. I think [the risk of hacking] is very serious but at the same time not very serious. If you're a patient, it's likely you're being hacked, but unlikely you're being affected by the hacking.” It is, relatively speaking, easy for a hacker to steal the identity of one person. But to steal the identity of thousands would require a conspiracy.
Furthermore, says Dr Yaraghi, foreign attackers probably wouldn't be able to make much use of the data, implying that an identity theft conspiracy would have to be based in the United States, where cybercriminals can more easily be caught. This has not yet happened, and it is unlikely to occur in the future. The massive cyberattack launched against the Anthem health insurance company in 2015, in which hackers stole the protected personal information — including names, addresses, birth dates, and Social Security numbers — of 78.8 million members and employees, does not appear to have caused any personal damage. The reason for the breach remains unclear.2
The theft of personal data is not, therefore, the major threat in this age of cyber insecurity. More dangerous are ransomware attacks like WannaCry, which can shut down hospital services and destroy patient records. According to Dr Yaraghi, some hospitals are laying in stocks of bitcoin to pay off attackers in the case of a ransomware attack, implying that encrypting and backing up patient data are understood within the health care community to be insufficient.
Elliott Frantz, founder of the cybersecurity firm, Virtue Security, agrees that ransomware is easier to monetize than the theft of medical records. The WannaCry hackers demanded bitcoin for ransom — but sometimes extortion is not the attack's objective. The so-called Petya or Goldeneye attack, which may have originated in Russia and attacked many nations, including the Ukraine, could have been designed and executed out of malice: the sites designed to receive the ransom payments were not functional.
What was interesting about the Petya attack was the sophisticated way it infected and spread, says Mr Frantz. “The people who were attacked were not necessarily at fault. [Petya] could spread to systems that are fully patched,” unlike the NHS WannaCry breach last May.
Petya “digs very deep into the Windows system internals to extract passwords and uses those passwords to log into other computers,” explains Mr Frantz. “It targets institutions. It's designed to spread laterally. That's one of the key things about this that makes Petya new and interesting. The WannaCry ransomware was primitive by comparison.”
One effective way to prevent such attacks, whether their aim is ransom or disruption, is to practice what security experts call “hygiene,” or safe and secure computer habits that prevent the virus from entering a system. Yet computer hygiene is only as strong as its weakest link: Mr Frantz points out that “there's always going to be someone who falls for the age-old trick of opening attachments.” Phishing emails are designed to appear as if they came from a known person. And if one person clicks on the link, the malware burns like pandemic influenza through an entire system. “Hackers go to significant lengths to learn about their victims,” he added.
What then? According to Jon Neiditz, a partner in the Atlanta-based law firm Kilpatrick, Townsend & Stockton and an expert in privacy and health security law, “you can't rule out needing bitcoin at some point,” though he acknowledges that the FBI in 2016 advised institutions never to pay ransom.3 He points out, however, that in 2015 an FBI expert admitted that sometimes bitcoin is the only recourse.4 In one instance, Mr Neiditz says, a company paid a ransom fee that the hackers promised would keep them safe for a year. Six months later, the hackers came back for more. The company objected that they had been promised a full year. The hackers agreed, apologized, and disappeared again for another 6 months. “Honor among thieves,” says Mr Neiditz. “In the information security world, no one would ever say ‘I'll never need bitcoin.'”
But relying on bitcoin — and acceding to blackmail — is hardly a long-term solution to the threat of ransomware. Willingness to pay perpetuates a corrupt and dangerous system. In Mr Frantz's opinion, the key to fending off ransomware is, instead, building in many layers of protection for each system. Hospitals must ensure adequate employee training, which starts with teaching the entire staff to recognize and avoid phishing attacks. But even a highly trained team is never going to be impenetrable.
So, of necessity, there are a number of second-line defenses every hospital or medical system should employ. Antimalware — some level of protection against ransomware using antivirus software — is important. So is the use of more complex passwords.
General security testing provides another level of protection. “Penetration testing — hiring people to try to break into the system — shows how ransomware can spread easily [through a particular system] and [identifies] where to close loopholes,” says Mr Frantz. Network monitoring represents yet another level of protection. This involves developing ways to block attacks from spreading laterally within a system. With network monitoring, hospitals can learn quickly if there is a systems breach. “You'll never be able to stop all attacks. But you need enough insight and enough capability to respond in a timely manner,” says Mr Frantz.
In the event of a ransomware attack on a medical institution or office, regularly scheduled back-up and remote storage of medical records can help to mitigate damage. Even if a hospital is temporarily shut down, records that document recent patient care and hospital scheduling can help quickly restart the system. Mr Neiditz warns that as back-up systems have to connect to a network, they also can be contaminated. Mr Frantz notes, however, that such a scenario is unlikely to occur if the back-ups are kept offline and stored in a safe remote location.
No strategies are perfect for completely protecting hospital systems from ransomware attacks, says Mr Frantz. “There's no magic solution against this line of attack. But if you do your due diligence, follow best practices, and don't be negligent, you'll be in a lot better shape.”
- Burgess M. Hacking the hackers: everything you need to know about Shadow Brokers' attack on the NSA. Wired website. http://www.wired.co.uk/article/nsa-hacking-tools-stolen-hackers. Published April 18, 2017. Accessed July 2017.
- Herman B. Details of Anthem's massive cyberattack remain in the dark a year later. Modern Healthcare website. http://www.modernhealthcare.com/article/20160330/NEWS/160339997. Published March 30, 2016. Accessed July 2017.
- Incidents of ransomware on the rise: protect yourself and your organization [news release]. Washington, DC: Federal Bureau of Investigation; April 29, 2016. https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise. Accessed July 2017.
- Paul. FBI's advice on ransomware? Just pay the ransom. The Security Ledger website. https://securityledger.com/2015/10/fbis-advice-on-cryptolocker-just-pay-the-ransom. Published October 22, 2015. Accessed July 2017.