Ransomware still evolving, but paying hackers is still the wrong idea

The week-long Allscripts outage and hospitals shut down by ransomware provide valuable lessons for organizations hoping to avoid a similar fate.
By Jessica Davis
11:03 AM
Share
ransomware attacks in healthcare

Ransomware is already pummeling the healthcare industry just one month into 2018, growing in sophistication and aiming for vulnerable targets. EHR-giant Allscripts was just the latest to fall victim this month, joining a few hospitals and other businesses to see service disruptions.

[Also: Allscripts clients back online, but issues plague some cloud-based providers]

But the disruptive malware, file-less attacks and other methods will remain a problem this year. And as providers have already sued Allscripts for service outages and Hancock Health announced it paid the ransom to hackers, it’s time for a reminder on how to keep patient data safe and operations up when a likely attack occurs.

Don’t pay the hackers

The U.S. Department of Health and Human Services, FBI and a vast majority of security leaders all say the same thing: Don’t pay ransoms. And there are many reasons why that makes a lot of sense.

First, there’s no guarantee the hackers will return the files.

While Hancock officials said hackers returned access shortly after they paid, Kansas Heart Hospital wasn’t so lucky. The Wichita provider paid the hackers shortly after it was hit by ransomware in May 2016, but the hackers kept the organization out after they paid -- and then demanded another payment.

[Also: Hancock Health pays $47,000 ransom to unlock patient data]

“Ransomware is a classic technique for attackers to get a persistent hold on a system: Why would they just simply allow you to go Scott-free?” said HIMSS North America Director of Privacy and Security Lee Kim. “You’ve given them what they wanted. And they think… maybe I can come back to you later to attack you guys again.”

And even if the hackers do return access, organizations that pay are added to dark web lists of businesses that pay-up and will likely face another attack down the line. CynergisTek CEO Mac McMillan reminded organizations that criminals talk to each other and will spread the word about paid ransoms.

Lastly, organizations that pay are fueling the criminal system. Organizations keep getting hit because they keep paying to release files.

Burden of proof

Prior to the summer of 2016, HHS Office of Civil Rights was tasked with determining whether a provider’s data was breached during a ransomware attack. However, after the onslaught of attacks early in 2016, the agency adopted those rules to put the full burden of proof onto the provider.

This means that providers struck by ransomware can’t just assume its data wasn’t seen or exfiltrated by a hacker. In fact, ransomware victims should go in with the presumption the hackers breached data.

“OCR guidance is very clear on what the HIPAA Breach Notification Rule requires in the event of a ransomware attack,” said Steven Gravely, a partner with Troutman Sanders. “I don’t think that there is any ambiguity in the OCR guidance.”

“By definition, the ransomware attacker has obtained unauthorized access to the PHI by the act of encrypting it,” he added. “In many instances, the attacker retains the data and sells it on the black market even if the ransom is paid and access to the target system is restored. These are the reasons why OCR guidance advises that any ransomware attack is presumed to be a reportable breach.”

Organizations must prove with all certainty through a thorough investigation that data was segmented from the hackers in an attack -- and that’s an incredibly difficult task.

Incident response and downtime procedures

While the providers impacted by the massive Allscripts’ incident this month haven’t shared explicit details into how well they prepared for such an attack, that the outage crippled those smaller organizations demonstrates the need for a solid incident response and downtime procedure plans.

“Organizations are failing to have incident responses,” said CynergisTek Executive Vice President of Strategic Innovation David Finn. “We rehearse chemical spills, terrorist attacks… But ransomware is the most likely attack vector.”

Finn said that when he was a CIO, he couldn’t “get the organization to address cyberattacks, and it’s more likely to happen than other things.”

And as demonstrated with the Allscripts outage, ransomware impacts patient care, said Finn.

“It’s not just IT or security issue. The whole organization has to be on board,” he said.

A prime example of the benefits of preparing for an outage was seen when West Virginia’s Princeton Community Hospital went down with the global Petya attack last summer.

Shortly after officials discovered ransomware notices on its network and that everything was encrypted, the organization implemented its incident response and disaster management model and staff was assigned to specific roles and responsibilities for the crisis.

During the entire event, the Princeton Community was able to stay open by leaning on those procedures and the cloud. The hospital uses Cloudwave, which backs-up data every six hours.

And those procedures must be tested regularly so that security professionals can focus on the threat itself after the breach -- not be bogged down with administrative issues.

Julia Hesse, a partner at law firm Choate, Hall and Stewart explained that breaches are nearly inevitable at this point, and security teams should drill staff and test emergency procedures -- down to the phone tree of who to call when a breach is detected.

Future-proofing security

Why cybersecurity is top of mind for forward-looking healthcare orgs.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com