[BreachExchange] Hospital computer hacks, like at ARH, becoming more common

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 30 19:49:08 EDT 2016


http://www.wvgazettemail.com/news-health/20160830/hospital-computer-hacks-like-at-arh-becoming-more-common

A regional health care system that operates hospitals in West Virginia and
Kentucky is in the midst of a cyberattack that has crippled its electronic
systems, but officials aren’t yet saying how or why the system was targeted.

Appalachian Regional Healthcare, which operates two hospitals in West
Virginia and nine in Kentucky, reported over the weekend that its hospital
system had been the target of a cyberattack that has left employees unable
to access electronic patient records, email and other automated systems.

“ARH continues to work with authorities and computer experts to address the
problems and restore our systems to operational capacity as quickly as
possible,” ARH spokeswoman Melissa Cornett said.

She emphasized that ARH doesn’t have any reason to believe that patient
information, medical or financial, has been stolen, and said ARH would
“take prompt action” to notify patients and employees if that did happen.

Since Saturday, ARH employees had been tracking patients and performing
their jobs without access to any of the hospitals’ computerized systems,
Cornett said Tuesday afternoon.

The ARH attack bears similarities to other cyberattacks perpetrated against
hospitals in recent months — at Hollywood Presbyterian Medical Center in
California in February, Kansas Heart Hospital in May, and more than a dozen
others, as hospitals become increasingly targeted in a hack that is growing
in popularity — “ransomware.”

Ransomware is a type of software installed covertly on a computer that
spreads through internet and intranet systems, encrypting information so
that it no longer is accessible to users. The people behind the ransomware
then demand to be paid before they restore access.

According to James Foley, manager of training and curriculum development at
the National White Collar Crime Center, ransomware attacks have become
increasingly sophisticated, and many hospitals, unable to break the
malware’s encryption, have been forced to pay up.

Hollywood Presbyterian paid $17,000 in the digital currency bitcoin to have
its system unlocked, and Kansas Heart paid an initial ransom, only to have
hackers demand a second ransom to break the encryption.

“The way most ransomware works is that it encrypts all of the files with an
extremely difficult encryption to crack, and what you’re really paying for
is the key to that encryption, and if you don’t pay, you don’t get your
files back,” Foley said. “With the degree of encryptions some ransomware is
able to do, there’s really not a lot of chance of getting them back. There
are a few versions that people have figured out how to overcome, but those
are not spreading as fast as new versions that are coming out.”

Asked if the hack at ARH was a ransomware attack, Cornett said the hospital
system is “not at liberty to provide further information,” citing the
investigation with federal authorities.

Ransomware attacks have quadrupled in the past year, averaging nearly 4,000
attacks per day, according to the U.S. Justice Department. Many hacks
target individuals, but businesses, universities and hospitals have
increasingly become targets.

Jeremy Taylor, director of information technology at Saint Francis
Hospital, in Charleston, said one common method hackers use to infect
computers with ransomware is to infect the “payload” of a website and
provide a link to the website in an email. When the link is opened, the
malware infects the computer.

“I don’t believe anyone is immune to the cyberattacks, just as I don’t
believe anyone’s home is immune to a break-in,” Taylor said. “What you have
to do is your due diligence, as far as security goes, and, hopefully,
they’ll move on to an easier target.”

Foley said one of the best ways to safeguard against a ransomware attack is
to back up entire information systems on a server that is unconnected to the
entity’s main system. For Taylor, education is key to ensuring that
doctors, nurses and support staff within the hospital know how to recognize
and avoid malware in emails and online — a task that grows more difficult
as cyberattacks become more sophisticated.

“Our weakest link is the employee that opens an email or an attachment they
shouldn’t have, or goes to a website and clicks on a link they shouldn’t,”
he said. “The No. 1 thing we have to educate our users on is email use,
strong passwords, and cybersecurity in general.”