The recent ransomware case at Hollywood Presbyterian Medical Center in Los Angeles garnered widespread attention when the hospital paid roughly US $17,000 to cybercriminals for a decryption key to put its information systems back online.
But it was not simply that the facility was located in the movie capital of the United States, or that the hospital building is featured in the opening sequence of a long-running soap opera television program. What made this story so compelling was that a ransomware attack on a hospital put lives in danger. The other key point here: this ransomware extortion was actually made public. Most cases of ransomware go unreported because the criminals are paid quickly and quietly; the organization does not want the reputational damage that comes with the notoriety.
Once the facility received word of the ransomware attack, they locked their network down and had to figure out how to do their jobs without technology. It basically forced them to revert their processes back to the non-digital 1960s or ’70s. Everything had to be written on paper. Communications had to be faxed instead of emailed. No patient records were involved in the incident, they said, but it still caused a chaotic situation within the hospital. A similar event occurred at a hospital in Ohio several years ago, with similar results. Not long after the Hollywood case two German hospitals were also reportedly hit by ransomware attacks.
In most known ransomware cases the ransom has not been exorbitant because the bad guys or girls want quick and easy payment. As far as we know, they also have provided the decryption keys without fail, probably because they realize that if victims do not believe paying ransom will solve the problem then they might not pay. And in the vast majority of these cases, at least thus far, payment is the point of ransomware.
It is the life and death factor that puts the health care and other critical industries, particularly electricity/power generation, in very difficult positions. If, for example, the US power grid went down for six months in a cyber attack, some estimate the resulting death rate would be around 30 percent due to the total breakdown of society, as a lack of electricity, water and lights would bring violence and anarchy. Of course, that is a worst-case scenario. Still, with cybercriminals and terrorists seeking financial gain or to wreak havoc, the issue cannot be taken lightly.
So, what to do? The solution is very simple, as cybersecurity folks know, but vexingly difficult to address: Know what you are clicking on. I tell this to every group I speak to. In the case of the Hollywood hospital, the most likely threat vector was a poison attachment (PDF, et al) in an email. Someone clicked on it, and instantly the hospital was in trouble.
Workers in a hospital environment are particularly vulnerable because they are extremely busy, stressed, and trying to save lives and heal patients. Consequently, they are not necessarily thinking of cybersecurity. While the technical ability to scan email and strip attachments by type exists, those same attachments are critical for business, which makes that option unacceptable for many.
Ransomware is often hidden in the exploitation of trusted business relationships. Maybe it is an email that appears to be from FedEx or UPS, or a supervisor. Those sorts of email are easily forgeable and people are often expecting them. So it is simply a matter of the cybercriminal flooding an organization with phishing email and performing a little social engineering to spearphish a dedicated target.
What is clear is that if an organization does not have a good anti-phishing education policy, it could easily be just one click away from disaster. Everyone in an organization must learn to think before they click. Most of the time it is not an emergency situation. They need to learn that they should not fall into the trap of thinking that they must click on a link or an expected attachment. They should step back and know what they are doing before they do it. It is primarily an educational issue, not a technical one.
However, patch management is also critical in preventing ransomware attacks. Make sure all updates are done. Cybercriminals will exploit any vulnerability they can find, but they cannot exploit a hole that has been fixed.
(About the author: Daniel Libby is Director and Chief Examiner at Digital Forensics Inc. and a member of the ISACA. This post originally appeared on his ISACA blog, which can be viewed here).