Corban Technology Solutions Journal
New Ransomware Threats
It's back. Your clinic needs to be ready.
Posted on July 15th 2019
By Stan Shaw, Founder, CTS
Stan was the Regional Lead for Vancouver at the Physician Information Technology Office (PITO), established through Doctors of BC. PITO assisted physicians in private practice by providing funding for family doctors and specialists, and deploying teams across British Columbia to help clinics successfully adopt and improve the use of electronic medical records (EMRs) .Note: This is a long article for a blog, but there is a considerable amount of important information presented here. If you find it helpful, please forward this along to others who need to be aware.
There was a time last year when people were asking whether Ransomware is really as much of a problem as it was a few years ago.
No longer.
Consider the following.
April 14th: the city of Stratford, Ontario was hit was ransomware, joining two other Ontario municipalities that had been victims of a similar attack the previous year. Stratford's municipal email systems and on-line forms were shut down, phone systems were temporarily disrupted, and a number of municipal employees were locked out.
May 7th: The entire city of Baltimore, a municipality with 10,000 employees, lost access to most of their city government systems. The attack that cost the city over $18 million US in lost or delayed revenue and direct costs to restore systems. It took over a month for the city to recover.
May 29th: The city of Riviera Beach, a resort town in Florida, paid $600,000 US after ransomware extortionists paralyzed city government systems.
June 19th: Five US healthcare providers in Colorado, Boston, New Orleans, New York and California reported ransomware attacks over a period of seven days. The previous week, a healthcare provider in Ohio, NEW Urology paid $75,000 US to recover from a ransomware attack that infected all of their systems.
June 21st: Marin Community Clinics, located in California were hit by ransomware extortionists, shutting down clinic systems for over three days. The clinics recovered only after they paid extortionists an undisclosed amount.
June 26th: A second city in Florida, Lake City paid $500,000 US to recover from a ransomware attack, after being crippled for two weeks. The same week, Key Biscayne, a third Florida city was attacked and eventually paid extortionists $460,000 US.
June 30th: The Nation Municipality, Ontario, a small town located about 70 km east of Ottawa, was hit by ransomware that shut down the city's email and other systems. As of July 8th, their computer systems are still not fully restored.
July 15th: La Porte, a county in Indiana, paid $130,000 US to ransomware extortionists in order to regain access to the county government's email systems and website.
These are not isolated cases. A report published in May 2019 by a worldwide insurance firm reported that the number of ransomware attacks reported by its clients have increased 105% in Q1 2019, compared to the same period last year.
Another report published in June cites that ransomware infections have increased from 9% to 24% from Q4 2018 to Q1 2019 compared with other malware. That's a whopping increase of 167%, in one quarter.
The current state of ransomware in healthcare
Ransomware is a type of maliciously designed software, called malware, which effectively holds a user's computer hostage by locking it down until a "ransom" fee is paid. It often infects a PC or server in a manner that takes advantage of open security vulnerabilities. In recent years, many types of ransomware have been designed to act as worms, spreading rapidly from computer to computer across an entire connected network. The impact, described in the cases cited above, can be extremely widespread and potentially catastrophic.
In March, the insurance firm mentioned above reported that the healthcare industry was the most heavily targeted industry in 2018. With respect to ransomware, healthcare organizations were the victim of over double the number attacks last year, 34%, compared with the next most frequent sectors, financial institutions and professional services, each at 12%. Given that entire city governments have recently been held for ransom, the picture may be changing this year. But it is clear that healthcare is still a major target. While ransomware is the subject we are focusing on in this journal post, another targeted attack in healthcare is the theft of employee credentials, giving hackers access to healthcare personal information. In one US-based healthcare organization, employees were hacked three times within a matter of months, the latest resulting in a privacy breach that involved over 14,000 patients.
In April, a two-doctor clinic in Michigan became the first health care provider in the country to permanently close its business due to a ransomware attack. In this case, the physicians decided not to pay the extortionist's ransom, indicating that there was no guarantee the decryption password would work, or that it would not strike again. The report also cited four other health care provider attacks in Minnesota during the first quarter of 2019, including a ransomware attack affecting 40,000 patients.
Many of the above attacks were launched through email containing dangerous links or email attachments. The nature of these phishing attacks are becoming increasingly sophisticated. Carefully crafted messages are being sent to potential victims, which, as we observed recently, are extremely difficult to detect. In June, at least four hospitals in Romania were hit by cyber-attacks using infected email attachments disguised as invoices and plane tickets.
However, phishing is not the only method now being used to deliver ransomware. Recently, an extortionist group breached three commercial managed service providers (MSPs), which use remote software tools to provide IT support for clients around the world. By using the MSP's own remote management software , extortionists delivered ransomware into the MSP's client internal networks. The potential for third party privacy and security breaches by external IT support and EMR service providers is a vulnerability that is frequently overlooked. But is something that medical clinics should be aware of.
Many factors contribute to healthcare being a major ransomware target.
Frequently cited are
- a chronic lack of funding for information security.
- the value of medical data and potential for a privacy breach. Some ransomware variants not only lock up files, but can also threaten to leak personal information to the Internet.
- the impact on quality of patient care if the problem is not rapidly resolved.
- an immediate, lucrative, and difficult to trace financial reward for extortionists if a ransom is paid.
The threat of ransomware in healthcare in Britain is now so serious that on July 2nd, the Institute of Global Health Innovation in London England issued an urgent warning in a white paper submitted to the House of Lords. The National Health Service (NHS), it indicated, is vulnerable to cyber-attack and must take steps "to defend against threats which could risk the safety of patients".
The report cited the impact the WannaCry ransomware attack had on the NHS , which occurred two years ago. In a matter of hours, it forced the cancellation of thousands of appointments, prevented access to patient data and critical services across Britain, and cost the NHS over $150M Cdn to recover. However, the British team observed WannaCry was relatively crude compared to ones that are taking place now. Recent cyber attacks, they indicated, are becoming more sophisticated and focused on the health sector. The authors also noted that these attacks are not specific to just the NHS. Healthcare organizations around the world may be vulnerable. The full text of the white paper can be found here.
British Columbia is not immune to these issues. In British Columbia, the Health Authorities and the Ministry of Health are taking the ransomware threat seriously. Significant efforts have been underway over the past several years to ensure appropriate IT safeguards are in place. This includes raising staff awareness to protect themselves from phishing and social engineering through training and periodic updates.
Ransomware is a serious risk not only in hospitals, but in private medical clinics as well.
Where can BC physicians in clinics turn to for help?
Every working day, over 5000 physicians, at least 3000 of whom are family doctors, use electronic medical records (EMRs) in medical clinics throughout British Columbia. This does not include clinic support staff and other health care professionals who are also accessing these systems. However, unlike Health Authorities, many GP and specialist private clinics lack IT security expertise and staff training needed to mitigate the risk of a ransomware attack. Ransomware is not a random event. It is an increasingly sophisticated, targeted attack, directed by extortionists at vulnerable organizations.
This presents both a challenge and an opportunity for healthcare IT leadership. Expert support and training is needed in order to reduce the risk of private clinics being breached and locked out of their data, the majority of which keep thousands of medical files on servers inside their clinics, or on remote systems they routinely access.
When the city of Stratford was hit by ransomware, the mayor called for a national strategy for municipalities to improve cyber-security. A similar, province-wide healthcare information strategy to improve-cyber security, would almost certainly be the most effective approach. Similar to thousands of small municipalities across the country, many medical clinics in British Columbia need expert resources to access risks, create effective safeguards, and provide cyber-awareness training to staff in order to defend themselves.
A provincial healthcare information security strategy designed to reduce the exposure that GP's, specialists and their patients currently have to the current ransomware threat and other cyber-attacks, would have important long-term benefits. Clinics maintaining healthcare information in a secure, trusted environment would make possible greater integration with BC repositories such as CareConnect and Pharmanet. And it would make it easier for physicians and healthcare professional staff to participate in innovative collaborations designed to enhance patient care through the patient medical home and the community-based primary care network. Adopting a provincial healthcare security strategy will, however, take time.
In the meantime, leadership begins with you. Ransomware will not wait to deliver a payload. The time to make sure that your staff are trained, and have basic security measures in place, is now.
Your efforts can make a difference. An example is how Maffi Clinics, a group of plastic surgery clinics in the US that was hit with ransomware in March. Unlike many similar cases, they recovered within hours, thanks to strong security response procedures that were already in place.
Here's some suggestions on how you can get started.
- Implement at least some of our 10 ways to help protect your clinic from ransomware. Doing so will dramatically reduce your risk of becoming a victim. Had the NHS simply done #4 on the list, the WannaCry ransomware attack would likely have been thwarted. And while you are at it, please make sure to read our article on Breach Notification. It's something that you should always consider doing in the event a ransomware attack does takes place.
- The RCMP has additional advice for personal and business owners.
- Take advantage of the resources at Doctors Technology Office, at Doctors of BC. They have some excellent on-line publications, and can provide additional support through their technical centre website, including:
- You may also want to read what the CMPA has to say about ransomware preparedness.
- The BC Government Information Security Awareness website has additional information about phishing and ransomware.
We can help review your current state of readiness, train your staff through virtual or in-person workshops, and provide additional privacy and security resources.