Hospitals are accustomed to fending off viruses and infections in patients, but now, sophisticated computer-based bugs are plaguing healthcare targets across the globe – and in many cases winning the fight. Considered a key part of a country's national critical infrastructure, hospitals have the unfortunate mix of sensitive data and legacy storage systems that make them a prime target for hackers and cybercriminals – and the problem appears to be getting worse.
On 17 February, the Hollywood Presbyterian Medical Centre, located in the heart of Los Angeles, paid a hefty $17,000 bitcoin ransom to hackers who had infected its systems with a highly evolved form of malware, which effectively locked down its computer networks that held patient data, x-ray scans and crucial lab work. It was a quick fix, but now the precedent has been set – paying works.
The tool used in the attack – called ransomware – is frequently deployed by criminals to extort money from internet users by remotely encrypting sensitive data or computer files with the aim of getting a quick paycheck. In many cases, against the advice of security experts, people hand over the cash. Most recently, a new form of this tool emerged called 'Locky' that, despite being new, is already becoming notorious for its effectiveness.
Locky is responsible for the latest hospital attack, which hit the Whanganui District Health Board (WDHB) in New Zealand. This is the first example of this malware strain being used in a large-scale attack. Barry Morris, the spokesperson for the health board, confirmed the attack on 23 February and said the hospital had not yet paid a ransom. "The WDHB runs up-to-date operating systems with antivirus and malware protection," he stressed. "We are reviewing security procedures to strengthen existing controls."
According to Palo Alto Networks, the security firm that first outlined the Locky malware, the ransomware takes hold via phishing campaigns and comes attached to Microsoft Word documents – the perfect trap for an unsuspecting and busy doctor or nurse.
In a separate incident, a hospital in Maine, US, was targeted by cybercriminals on 22 February. They were able to infiltrate the computer network and steal sensitive personal information about a number of employees.
Jody Merrill, director of marketing for the hospital, said that employee names, addresses, social security numbers and wage information for the past 12 months were compromised, but no bank information. Following the attack, York Hospital said it will work with the Boston office of the FBI to learn the identity of those responsible for the crime "so that they can be prosecuted to the fullest extent of the law".
Hospital president Jud Knox added: "I am very sorry that we have been victimised by these predatory thieves. My deepest apologies to all for the anxiety, disruption, and inconvenience this crime creates for everyone."
"Always been this way"
However, this raises the question: are cyberattacks becoming more prevalent in a post-Hollywood ransomware world – or has it always been this way?
According to Sean Sullivan, malware expert with Helsinki-based security firm F-Secure, hospitals have always been a lucrative target yet are now facing increased scrutiny because of the media attention after the LA cyberattack. "Hospitals are considered to be critical infrastructure but don't have the same reporting requirements as power plants, for example," he told IBTimes UK. "Now that some hospitals have made the news, others are being more transparent in order to avoid future trouble regarding failure to disclose.
"That said, many hospitals are easy targets. I used to work for a university hospital with more than 20 thousand nodes on its network. There was a profit side, and an academic side. For tax reasons, the back-end systems needed to be separate. For doctor/patient reasons, all the data needed to be available client-side regardless of the clinic's back-end. The hospital had merged and acquired lots of other medical groups over the years. In short, it was an extremely complex network. And as such, even as well run as it was, there were plenty of gaps."
According to Mark James, security specialist at ESET, the healthcare industry will always be a viable target because of the sheer amount of data it stores. "Sadly any private data is valuable and even more so if it can be used for financial leverage or to grab the target at their most vulnerable, after all that's the most likely time they will pay if money is involved," he told IBTimes UK.
"Because of the systems used in healthcare it's also a good chance their architecture will be outdated, or at the very least not up-to-date. Targeting older systems is one of the easier ways to get malware onto a network, tie that in with lots of possibly insecure terminals with so many people needing fast easy access in a hectic environment and you have the perfect scenario for cybercriminals to harvest."
James added that he believes the Hollywood hospital ransomware precedent has been a leading factor in the apparent rise in healthcare attacks of late. "I fully appreciate it represents a danger for hospital patients but where do we stop? If correct backups were in place and good IT procedures adhered to there would have been an alternative," he said. "Paying the cybercriminals only encourages them to do it bigger and better next time and it will only get worse."
So, are these attacks likely to continue? The answer, according to the experts, is a resounding yes. "It's a very solid and often successful means for malware to make money [and] it continues to grow due to its continuing success," he warned.