Four North American hospitals — The Ottawa Hospital, Kentucky Methodist Hospital, Chino Valley Medical Center and Desert Valley Hospital — were recently infected with ransomware, though none of them paid the ransom demanded, according to reports.
During the infection, Kentucky Methodist Hospital placed a streaming banner at the top of its home page stating, “Methodist Hospital is currently working in an internal state of emergency due to a computer virus that has limited our use of electronic Web-based services. We are currently working to resolve this issue, until then we will have limited access to Web-based services and electronic communications.”
“It did cause significant disruptions of our IT systems,” Fred Ortega, spokesman for Prime Healthcare Services, which operates Chino Valley Medical Center and Desert Valley hospital, told BBC News. “However, most of the systems and the critical infrastructure has been brought back online.”
Jamie Reid, Kentucky Methodist’s information systems director, told Krebs on Security that the malware used was the Locky ransomware, which was delivered by email and spread from the initial infected computer to others on the network, prompting the hospital to shut down all desktops until each one could be scanned for malware.
“We have a pretty robust emergency response system that we developed quite a few years ago, and it struck us that as everyone’s talking about the computer problem at the hospital maybe we ought to just treat this like a tornado hit, because we essentially shut our system down and reopened on a computer-by-computer basis,” David Park, an attorney for Kentucky Methodist, told Krebs.
Park told Krebs that the attackers demanded four bitcoins (approximately $1,600) to decrypt the files. Following a similar attack last month, Hollywood Presbyterian Medical Center paid 40 bitcoins (approximately $17,000) to regain access to their files.
Canada’s Ottawa Hospital said four of its 9,800 computers were infected with ransomware. “The malware locked down the files and the hospital responded by wiping the drives,” hospital spokeswoman Kate Eggins told the National Post. “We are confident we have appropriate safeguards in place to protect patient information and continue to look for ways to increase security.”
Proficio president Tim McElwee told eSecurity Planet by email that it’s safe to assume ransomware will continue to present a threat in the coming years. “There are steps any organization can take to harden their network against it,” he said. “Backing up data and systems enables IT to wipe machines clean, and user training is key — a well-trained user is the best protection against phishing attacks.”
“Constant monitoring for indicators of ransomware is equally crucial, and can be internally done or through a managed security services provider for the industrial strength security that healthcare demands,” McElwee added.
And Protegrity CEO Suni Munshani said by email that the threats faced by hospitals and other medical facilities are growing exponentially. “We’re in a situation now where it’s not just about the value of the data itself, but rather the value of holding it hostage that’s the most lucrative payoff for criminals,” he said. “The job of adequately protecting patient information, medical records, and other sensitive healthcare data is difficult and highly complex at best.”
“These latest threats should be a major wake-up call for medical facilities to take a hard look at the systems, equipment and processes used to protect sensitive information, and modernize if there are any doubts about their effectiveness in today’s digital age,” Munshani added.
According to the results of a recent Tripwire survey of 200 security professionals attending the 2016 RSA Conference, only 38 percent of respondents said they feel confident they could recover from a ransomware infection without losing critical data.
Fifty-eight percent of respondents said their company has seen an increase in spear phishing over the past year, and 52 percent said they aren’t confident their executives could spot a phishing scam.
“Since most ransomware samples we have seen have a time limit to pay, it’s important to have confidence you can restore data the majority of data on short notice,” Tripwire senior security researcher Travis Smith said in a statement. “Organizations should focus on improving backup and restoration procedures to reduce the cost of restoring data and services after a potential breach.”