A growing number of hospitals have not been having a good start to spring. Kentucky’s Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital, both in California, and now San Diego’s Alvarado Hospital Medical Center and King’s Daughters Health in Indiana are just a few of the institutions that have been hit by ransomware — software that freezes computer systems until money is paid to infiltrators.
All of the hospitals experienced some form of temporary network disruption. Some, like Hollywood Presbyterian Medical Center, even paid the ransom.
The malware intrusions will keep mounting until hospitals — the target du jour for crime circles — re-evaluate how they build their cyberdefenses, said Chris Ensey, COO of Dunbar Security Solutions.
“I do believe that we are on the cusp of a larger spread of this type of activity,” Ensey said.
Financial health for hackers
But why hospitals? And why now? Simple, Ensey said. It’s a quest for more revenue.
“What we’re seeing is the macroevolution of ransomware and the tactics that are being used by organized crime to continue to expand the revenue generated from ransomware,” Ensey said. “The most productive way to do that is by targeted campaigns.”
Hackers started, he said, by sending the malicious software to “a big list of email addresses” in an effort to hook as many people as possible. The hope was they’d get into a few computers, hijack the data on them and make money off each catch.
That evolved into spear phishing — similar phony-email schemes but customized for specific organizations. Hospitals use technologies that help them meet requirements set by the healthcare privacy law HIPAA and other mandates, and those are usually fine, Ensey said. Antivirus software and packet filtering as part of firewall protection “catch the common stuff.” But cybercriminals have gotten good at finding ways to burrow into systems. Hospitals in turn, have to get better at keeping them out, he said.
Guarding against malware intrusions
You may recognize the name Dunbar from the armored cars that banks and other businesses hire to transport large sums of cash. It also sells managed security services, so of course, Ensey stands by those. His pitch: Hospitals can focus on their healthcare infrastructure while Dunbar constantly monitors for attacks. His general-purpose advice for hospitals is to keep pace with the technologies used to hack them.
A “very, very comprehensive backup strategy for their data” is a good start. Using automated backups is a solid strategy; so is the more expensive measure of highly secured colocation facilities to which hospitals can send their data over encrypted channels and replicate it.
Hospitals should also take another look at how they set up employee work stations with access to the Internet, since those can serve as portals for ransomware that can hold healthcare data hostage, Ensey said. Email can be a conduit for malware intrusions, and so can malvertisements — online ads that proliferate malicious software.
And healthcare institutions not only need a CISO in charge of cybersecurity, Ensey said — that executive needs to have “a seat at the table” — the business strategy table, that is. The CISO should have close ties to the CIO, the chief medical officer and the risk management team.
“Being part of those conversations is absolutely paramount to every decision that they make,” he said.