As Washington-area MedStar Health continued to restore its systems this week, Internet security experts and hospital officials said the cyberattack on the massive health care provider is a foreboding sign that an industry racing to digitize patient records and services faces a new kind of security threat that it is ill-prepared to handle.
For years, hospitals and the health care industry broadly have been focused on protecting patient data from falling into the hands of bad guys. But the recent attacks at MedStar and other hospitals across the country highlight an even more frightening downside of data breaches: As hospitals have become dependent on electronic systems to coordinate care, communicate critical health data and avoid medication errors, patients’ well-being may also be at stake when hackers strike.
Electronic systems are in place to help avoid errors, and many of those safeguards go out the window when doctors are writing prescriptions with pen on pad. Without the computer systems, pharmacists can’t easily review a patient’s lab results, look up what other medications the patient is on or what allergies they might have. Nurses administering drugs can’t scan the medicine and the patient’s wristband as a last check that they’re giving the correct treatment. When lab results exist only on a piece of paper in a patient’s file, it’s possible they could be accidentally removed by a busy doctor or nurse, and critical information could simply disappear.
“One thing I think is becoming clear, especially over the last few weeks or months, is that health care is rapidly becoming a target for this,” said Daniel Nigrin, chief information officer of Boston Children’s Hospital, whose network came under attack by the hacker collective Anonymous in April 2014. “What struck us at that point was, you know what: these attacks can do a lot more than get your data; they can really disrupt the day-to-day operations of your facilities.”
The attack on MedStar shows the attackers’ boldness and sophistication: the chain is one of the biggest employers in the Baltimore-Washington region and runs ten hospitals as well as 250 clinics and other sites. MedStar spokeswoman Ann Nickels declined to elaborate on what sort of software attack the hospital suffered, but several employees have said they saw a pop-up message suggesting it was “ransomware,” malware that encrypts a victim’s files and withholds the decryption key until a payment, typically in bitcoin, is made. According to a photo of that message provided by a MedStar Southern Maryland Hospital Center employee, the hackers were demanding 45 bitcoins, equivalent to about $19,000 at the time, to regain access to MedStar’s system.
“You just have 10 days to send us the Bitcoin,” the note read. “After 10 days we will remove your private key and it’s impossible to recover your files.”
Nickels said MedStar was unable to access some data due to the malware, but that there is “no indication that data has left our system.” Shutting down all the computer systems on Monday, she said, was a precaution to prevent further corruption. Computers and systems have slowly been coming back online as the system is restored, but she did not know when it would be back to normal.
“We’re making progress by the hour and getting better every day,” Nickels said.
Ransomware is not new, but cyber security experts and FBI data say it is on the rise. Hospitals, of course, are not the only institutions facing such attacks. In a nine-month period in 2014, the FBI received 1,838 complaints about ransomware, and it estimates that victims lost more than $23.7 million. The next year, the bureau received 2,453 complaints, and victims lost $24.1 million. The FBI advises against paying ransoms, but its agents acknowledge that businesses are often left with a tough choice.
Justin Harvey, the chief security officer of Fidelis Cybersecurity, said the hackers’ success will likely embolden them, and he worries about critical infrastructure in the U.S.
“I can’t comment on whether the FAA and all the power grids are up to snuff,” he said. “If they’re not, it can create a big problem.”
Craig Williams, security outreach manager at Talos, the cybersecurity research group of Cisco, said that the use of ransomware has exploded because it has good profit margins. He estimated it as a $100 million a year business.
“The malware industry is making giant steps toward ransomware, and really the reason behind this is ransomware’s profit margin simply exceeds that of other types of criminal activity,” Williams said.
And hospitals, in particular, are vulnerable. In the weeks before MedStar, hackers hit Hollywood Presbyterian Medical Center in Los Angeles, extorting $17,000 in bitcoin out of the leadership, and Kentucky-based Methodist Hospital, which declared a state of emergency after an attack. Two southern California hospitals, part of Prime Healthcare Services, were attacked this month.
“This is commercial grade ransomware, and if you look at all of the targets that these criminals could choose from, they’re choosing one of the best ones they can,” said Harvey.
Medical institutions are prime targets, Harvey and others said, for both technical and financial reasons. Doctors and nurses perform time-sensitive, life-saving work, giving them a “high sense of urgency to get back online,” Harvey said. Hospitals also generally have less sophisticated and less well-funded computer security operations than, say, financial institutions, both because their budgets are tighter and because their employees are resistant to complicated login methods that might slow them down, he said.
For example, John Halamka, the chief information officer of Beth Israel Deaconess Medical Center in Boston, said that a financial services firm might spend a third of its budget on information technology; hospitals spend only about 2 to 3 percent.
“If you’re a hacker … would you go to Fidelity or an underfunded hospital? You’re going to go where the money is, and the safe is easiest to open,” Halamka said.
Although the attack at Boston Children’s Hospital was not ransomware and never penetrated the hospital’s internal medical record systems, it demonstrated to executives there how such breaches could go beyond patient privacy concerns to threaten the basic functioning of the hospital and the delivery of patient care. During that attack, the hospital proactively shut down many of its websites as a precaution, including Internet portals that were used by referring physicians and patients. Even though the hackers never got into medical records systems, it took about a week to bring everything online again, partly because they had to do it slowly, making sure each website, even the philanthropic one where they accept donations, was secure before restoring it.
“We took down everything, basically, we iteratively went through every one of those sites, to make sure there was no opportunity for an attacker to compromise those sites, there were no back doors placed within those websites where an attacker could get in. We did penetration testing on each and everything,” Nigrin said.
Chris Ensey, the chief operating officer of Dunbar Security Solutions, said there is only a limited number of back-office health care management applications, and hackers seem to have found a way to effectively bring them down. They are also producing ransomware variants whose signatures have not been seen before, so signature-based anti-virus software and other preventive mechanisms cannot catch them.
“It’s not just your normal run-of-the-mill ransomware. It’s a much more custom, boutique that’s leveraging exploitable vulnerabilities that are found in the healthcare industry,” Ensey said.
The way hackers get into a system is generally through a phishing attack, convincing an unsuspecting employee to click on a link or open an attachment in an email, or by exploiting an unpatched vulnerability in a system reachable from the network.
That leaves hospitals with two problems: designing systems that can resist attack and training employees.
On the network side, Williams said that health care companies, or any companies, that do not have full-time security specialists may not be keeping up to date on the latest problems and patches. He noted that one strain of ransomware exploits a well-known vulnerability in Internet-facing systems, and when his team scanned the Internet this week, they found 2.1 million servers that would be susceptible to such an attack.
The cultural problem may be even harder to solve.
“You’re as vulnerable as your most gullible employee,” Halamka said.
At Beth Israel, the hospital has printed up stickers that appear on salads and cookies in the cafeteria, so that people are reminded, even when eating lunch, not to click on links in emails they didn’t expect to receive. The hospital has also conducted its own internal phishing campaigns — fake emails that they send to their employees to see whether they need to do extra training and assess where the risks exist.
Experts said the current attacks seem to be based in eastern Europe, though it is hard to tell whether one group is responsible. The hacks have similarities, to be sure, but hackers trade tools and information. They might have started as a single group, but now many loosely connected hackers are working to make a buck with ransomware, experts said. One concern is that as the attacks gain more press coverage, they will spark copycats who use the same technique to target other vulnerable networks.
“This thing is an industry, the black market that does this type of activity,” Ensey said.
The details of MedStar’s particular case, including which ransomware family was used and how it got into the system, remain murky. An FBI spokesman on Thursday refused to provide any details, including the type of ransomware, other than to say the bureau was “aware of the incident and is looking into the nature and scope of the matter.”
Cybersecurity experts, basing their assessment on the publicly available information about the case, said the hospital is likely dealing with a sophisticated strain, perhaps MSIL/Samas or Locky. They said that because of the hackers’ sophistication, hospitals would be well served to spend their resources on detecting ransomware once it is running, rather than only on preventing infections in the first place, and on configuring systems so that ransomware cannot easily spread from one machine or file share to the next.
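The experts above recommend detecting ransomware rather than relying only on keeping it out. One behavioural signal that does not depend on a known signature is what ransomware does to files: it rewrites many files in a short time with high-entropy (encrypted) content, often renaming them to a new extension, and it does not know which files it must not touch, so a planted "canary" file that no legitimate application opens is a cheap tripwire. The following is an added example written for this page, not code from MedStar, the FBI or any vendor quoted here. It assumes a file-activity feed (from an endpoint agent or file-server audit log, hypothetical here) delivering one event per write or rename, and all thresholds, process names, paths and sample data are constructed for the demonstration.

```python
"""
Behavioural ransomware detector over file-activity events (added example).

Assumed input (hypothetical, not from the article): one dict per event with
keys ts (seconds), process, op ("write" or "rename"), path, and either
data (bytes written) or new_path (rename target). Thresholds are illustrative.
"""
import hashlib
import math
from collections import defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted or compressed data, roughly 4-5 for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareDetector:
    """Alerts once per process when, inside `window` seconds, it writes
    high-entropy data to at least `min_files` distinct files, or when it
    touches a canary file that legitimate software never opens."""

    def __init__(self, window=10.0, min_files=20, entropy_threshold=7.0, canaries=()):
        self.window, self.min_files = window, min_files
        self.entropy_threshold = entropy_threshold
        self.canaries = set(canaries)
        self.recent = defaultdict(deque)   # process -> (ts, path) of high-entropy writes
        self.new_exts = defaultdict(set)   # process -> extensions it renamed files to
        self.alerted = set()               # processes already reported

    def observe(self, ev: dict):
        """Feed one event; return an alert string or None."""
        proc, ts, path = ev["process"], ev["ts"], ev["path"]
        if proc in self.alerted:
            return None
        if path in self.canaries or ev.get("new_path") in self.canaries:
            self.alerted.add(proc)
            return f"ALERT {proc}: touched canary file {path}"
        if ev["op"] == "write":
            if shannon_entropy(ev["data"]) < self.entropy_threshold:
                return None
            dq = self.recent[proc]
            dq.append((ts, path))
            while ts - dq[0][0] > self.window:   # drop writes older than the window
                dq.popleft()
            distinct = {p for _, p in dq}
            if len(distinct) >= self.min_files:
                self.alerted.add(proc)
                exts = ",".join(sorted(self.new_exts[proc])) or "none"
                return (f"ALERT {proc}: {len(distinct)} high-entropy file writes "
                        f"within {self.window:g}s (renamed to: {exts})")
        elif ev["op"] == "rename":
            old_ext, new_ext = path.rsplit(".", 1)[-1], ev["new_path"].rsplit(".", 1)[-1]
            if old_ext != new_ext:
                self.new_exts[proc].add(new_ext)
        return None


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output
    (constructed sample data via SHA-256 chaining; not a real cipher)."""
    out, block = bytearray(), seed
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:length])


def sample_events():
    """Constructed activity log: a word processor saving notes, then an unknown
    process encrypting and renaming lab results, then another hitting the canary."""
    text = b"Patient: J. Doe  DOB 1970-01-01  allergies: penicillin\n" * 40
    events = [{"ts": 0.5 * i, "process": "winword.exe", "op": "write",
               "path": f"C:/share/notes{i}.docx", "data": text} for i in range(2)]
    for i in range(25):
        p = f"C:/share/labs/result{i}.pdf"
        events.append({"ts": 5 + 0.1 * i, "process": "update.exe", "op": "write",
                       "path": p, "data": pseudo_ciphertext(p.encode(), 2048)})
        events.append({"ts": 5 + 0.1 * i + 0.01, "process": "update.exe", "op": "rename",
                       "path": p, "new_path": p + ".locked"})
    events.append({"ts": 9.0, "process": "cleanup.exe", "op": "rename",
                   "path": "C:/share/~canary_do_not_touch.docx",
                   "new_path": "C:/share/~canary_do_not_touch.docx.locked"})
    return events


def run_demo():
    """Run the detector over the constructed log and return the alerts raised."""
    det = RansomwareDetector(canaries={"C:/share/~canary_do_not_touch.docx"})
    alerts = [a for a in map(det.observe, sample_events()) if a]
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Two caveats a practitioner would want: backup, archiving and disk-encryption tools also produce bursts of high-entropy writes, so a real deployment allowlists those processes rather than lowering the threshold; and the alert is only useful if something acts on it, for example revoking the offending account’s write access to the share. That second point is the "cannot easily spread" half of the advice above: if each workstation account can write only to the shares it needs, an infected machine can encrypt far fewer files before the detector fires.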