The recent malware attack on MedStar Health both shows the scope of the threat the healthcare industry is facing and helps security professionals better understand key steps that are essential to protecting access to data.
The event at MedStar, the largest provider in Maryland and Washington, DC, was believed to involve ransomware. These attacks are not new, but they’re becoming more frequent and are seriously affecting healthcare delivery for organizations that are now dependent on clinical information systems, says Avi Rubin, director of the Health and Medical Security Lab at Johns Hopkins University.
“This is a big wake-up call for the healthcare industry,” Rubin says. “In the past, there was the danger of people stealing medical records and organizations getting a black eye as a result. But ransomware threatens their day-to-day operations as well as patient care.”
Rubin contends that close study of the recent MedStar incident provides some valuable lessons for security professionals. Part of his analysis suggests that MedStar was not fully protected against the attack, a point that is disputed by a MedStar spokesperson.
Rubin believes the MedStar attack involved a computer virus that scans the Internet searching for vulnerable JBoss application servers and then exploits them. He contends that JBoss vulnerabilities have been known for many years but 10-hospital MedStar did not take appropriate action to patch their systems.
However, much of the information that’s circulating on the MedStar incident is incorrect, says Ann Nickels, assistant vice president of public relations and communications at MedStar Health. Regarding the nature of the attack, she said the health system did not have any further comment on the malware incident beyond the statement that it’s posted on its website. “News reports circulating about the malware attack on MedStar Health’s IT system are incorrect,” the statement says. “Our partner Symantec, a global leader in cybersecurity, has been on the ground from the start of the situation and has been conducting a thorough forensic analysis. In reference to the attack at MedStar, Symantec said, ‘The 2007 and 2010 fixes referenced in the article were not contributing factors in this event.’ ”
However, Rubin lauds MedStar for its handling of the incident. “They did a pretty good job responding to it. I applaud them for not paying the ransom and also for shutting down their systems to limit the spread of the infection—that’s pretty much what saved them,” he adds.
He makes the case that ransomware is just another kind of cybersecurity attack, one of a growing arsenal of tools at the disposal of hackers. To get access to healthcare systems and hold their information hostage through encryption, they have to break in first.
Hospitals that don’t have up-to-date backup systems for patient information, and are then hit by an attack involving encryption, will find their options severely limited. To help address these vulnerabilities, Rubin recommends that IT staff at healthcare organizations keep their systems current with the latest software patches, intrusion detection and firewalls, and have secure backup files in place for their data. It’s critical, he emphasizes, to protect backups from any efforts to corrupt them, a tactic often employed by cybercriminals.
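As an added example (not code from the article, MedStar or Symantec), here is one way a defender can act on Rubin’s point about protecting backups from corruption: a Python script that records a SHA-256 digest of every backup file in an HMAC-signed manifest and later verifies the backup against it, so a file that has been encrypted in place, or a manifest rewritten to hide that, shows up as a failure rather than being discovered during a restore. The signing key, file names and contents below are constructed for the demonstration; in practice the key is held off the backup host so that an attacker who reaches the backup store cannot re-sign a tampered manifest.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Constructed key for the demo. In a real deployment it lives off the backup host
# (a vault or HSM), so reaching the backup store does not let anyone forge a manifest.
MANIFEST_KEY = b"example-key-do-not-use-in-production"


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backup archives fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_dir: str, key: bytes = MANIFEST_KEY) -> dict:
    """Record the digest of every file under backup_dir and sign the record with HMAC."""
    entries = {}
    for root, _, files in os.walk(backup_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries[os.path.relpath(path, backup_dir)] = sha256_file(path)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(backup_dir: str, manifest: dict, key: bytes = MANIFEST_KEY) -> dict:
    """Check the manifest signature first, then compare every file against it.

    Returns {"manifest_ok": bool, "modified": [...], "missing": [...], "unexpected": [...]}.
    """
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    report = {"manifest_ok": hmac.compare_digest(expected, manifest["hmac"]),
              "modified": [], "missing": [], "unexpected": []}
    if not report["manifest_ok"]:
        return report  # an altered or re-signed manifest proves nothing about the files
    present = set()
    for root, _, files in os.walk(backup_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, backup_dir)
            present.add(rel)
            if rel not in manifest["entries"]:
                report["unexpected"].append(rel)
            elif sha256_file(path) != manifest["entries"][rel]:
                report["modified"].append(rel)
    report["missing"] = sorted(set(manifest["entries"]) - present)
    return report


def demo() -> tuple:
    """Constructed scenario: a clean backup, then one file overwritten in place with
    random bytes (what a backup looks like after ransomware encrypts it), then a
    manifest rebuilt with the wrong key to cover the change."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "patients.db.bak"), "wb") as fh:
            fh.write(b"constructed sample backup contents\n" * 100)
        with open(os.path.join(d, "labs.csv.bak"), "wb") as fh:
            fh.write(b"id,result\n1,ok\n")
        manifest = build_manifest(d)
        clean = verify_backup(d, manifest)
        with open(os.path.join(d, "patients.db.bak"), "wb") as fh:
            fh.write(os.urandom(3500))  # simulated in-place encryption of one file
        tampered = verify_backup(d, manifest)
        covered = verify_backup(d, build_manifest(d, key=b"not-the-real-key"))
    return clean, tampered, covered


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered", "re-signed manifest"), demo()):
        print(label, report)
```

Run the verification from a host other than the one that writes the backups, on a schedule, and alert on any report where `manifest_ok` is false or `modified`/`missing` is non-empty; a backup that has quietly stopped verifying is worth knowing about before the day it is needed.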
“Overall, healthcare has been lagging behind other industries in addressing security. However, they’re not going to be able to do that anymore,” adds Rubin, who estimates that 3.5 million medical records have been compromised in just the first three months of 2016. “Hackers were getting their feet wet before, and now they’re more experienced and going after bigger targets.”
Rubin is firmly against the idea of paying ransoms to hackers, although he believes that millions of dollars have been paid quietly “under the table” through the Bitcoin online digital asset and payment system.
“It’s a big mistake to ever pay the ransom,” Rubin concludes. “The industry should unite and agree that no one’s ever going to pay ransom, because the minute people start paying ransom, they’re providing a huge incentive and creating a whole market for this activity. Unfortunately, people are weak and they will pay it.” Further, he warns that there’s no guarantee that healthcare organizations that pay ransoms will ever get their data back.