Ransomware attacks against providers likely to soar

Taking data hostage offers the quickest financial return, says Anthony James.


Hospitals, skilled nursing facilities, ambulatory surgical centers, MRI/CT scan facilities, diagnostic laboratories, urology centers, physical therapists and physician practices all had one thing in common this past year. They were hit by cyberattacks.

Market forces won’t be changing any time soon, meaning they’ll continue to face a growing number of challenges, particularly ransomware attacks. No one is safe, according to TrapX, a vendor of software to disrupt cyberattacks, in a new report.

“Two key trends have emerged with absolute clarity in 2016; the continual discovery and evolution of medical device hijack (MEDJACK AND MEDJACK.2) and the escalation of ransomware across a broad mix of targets,” according to the firm.

Also See: California health center ransomware attack affects 65,000

Most providers at least install anti-virus software and a firewall, so the majority of their infrastructure is secured, says Anthony James, chief marketing officer at TrapX. But MEDJACK was created to attack medical devices, which often operate on old versions of Microsoft Windows, so applicable patches may not be available.

Consequently, medical devices have become a major open door to MEDJACK attacks, and vulnerable devices include infusion pumps, heart-lung machines, ventilators, extracorporeal membrane oxygenation machines, dialysis machines, blood gas analyzers, CT scanners, PACS, portable c-arm X-ray machines and other devices. When TrapX representatives visit a hospital, they almost always find MEDJACK or other malware on specialized medical equipment.

“Attackers target devices because they are a vulnerable target to use to launch data theft or ransomware,” James explains. “They are just using the device as a starting point.”

Most of the attacks can be stopped by a second-generation perimeter and second-generation endpoint defenses, but most hospitals don’t have this technology, he adds.

Throughout 2015, TrapX found MEDJACK almost everywhere. “Many hospitals do not appear to be able to detect MEDJACK or remediate it,” according to the report. “The great majority of cyber defense suites are not able to detect attackers moving laterally from these hidden locations. Even when they are detected, trying to remediate an attack in one medical device is often frustrating (and futile) as other attacks propagate again almost immediately and undetected through various medical devices within the hospital, which also go undetected.”

To date, healthcare cyber and ransomware attacks are up 63 percent in 2016, compared with last year, James says. There are so many health records being offered for sale that the price for stolen data has plummeted. A single comprehensive health record fetches about $10; TrapX was offered a set of 3,000 records for $2,000—80 percent of its content was medical data, while the rest of the data was Social Security, credit card and W-2 information.

So with prices no longer optimal, many hackers have moved to using ransomware, which enables them to get high returns much quicker. While law enforcement agencies and attorneys urge providers not to pay ransom, reasoning that a hacker will just demand payment of subsequent ransoms, high numbers of victims are paying up to get their data back, James explains.

The math is simple. If a hospital is attacked and does not pay ransom, the organization may have to divert patients while it regains its data. A hospital client told TrapX that the financial loss could be $1 million a day for each day down in immediate revenue and future business if patients have to go elsewhere for treatment.

“That’s why people are paying,” James says. The TrapX report is available here.

More for you

Loading data for hdm_tax_topic #care-team-experience...