AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Life Imitating Art? A Hospital Held to Ransom

by

A couple of weeks ago, I blogged about a recent CSI:Cyber episode in which a hospital is attacked by a hacker via a vulnerable Smart TV connected to the hospital’s Wi-Fi.  It’s now been reported that the Hollywood Presbyterian Medical Center is being held to ransom for $3.6 million following a ransomware attack, with systems critical to CT scans, laboratory, and pharmacy work forced offline and patients having to drive for up to an hour just to collect lab tests.

Life, it seems, is imitating art.

At the time of writing, the hospital’s network had been offline for over a week while law enforcers attempt to identify the attackers.  Staff are grappling with the loss of email, and are having to revert to pen and paper for handling patient records.

The incident highlights the vulnerability of organizations of all types to ransomware attacks, which can bring day-to-day operations to a standstill.

As my colleague Erik Barnett recently blogged, ransomware attacks are on the rise. They are carried out when a piece of malware gets into a network and encrypts all the files, leaving behind only an HTML message demanding payment in return for decryption of the information. In many cases, there is little that can be done other than pay the ransom and hope the criminals will fulfill their end of the deal.

However, there are some straightforward principles that all organizations, large or small, public or private sector, can put in place to help mitigate the risk of a damaging ransomware attack:

  • Network segmentation, which can contain the ransomware and prevent it from proliferating across the network and accessing networks which handle sensitive data.
  • Access management, which ensures that only essential personnel have access to different areas of the network, and works with segmentation to silo off and protect different areas.
  • Awareness of insider threats – whether intentionally as part of a malicious strategy or accidentally as the result of a spear phishing attack, employees are often responsible for allowing ransomware into a network. Mitigating this involves training staff to recognize social engineering tactics, and keeping a close eye out for dissatisfied staff.
  • Take data offline when not constantly used, to reduce the targets available.
  • Install security applications such as anti-malware/virus tools and host intrusion prevention. Such applications are not watertight – antivirus software, for example, can only protect against a bank of known malware – but they can protect against many of the most likely attackers. Whitelisting is also an option.

A successful ransomware attack can be hugely disruptive, costly and time-consuming to respond to, not to mention enormously damaging to reputation and the business bottom line. Getting these basic principles in place could be a life-saving move.

–> Update 2/18. Last night hospital officials paid the $17,000 ransom in order to get back control of their network. While clearly nowhere near the $3.4M asking price, I guess this proves that crime pays. Let's hope the attackers get caught soon.
