Hackers Up the Ante



When Hollywood Presbyterian Medical Center revealed that it paid 40 bitcoins — roughly $17,000 — in ransom to hackers who essentially held the hospital’s computer system hostage, it marked a dangerous escalation in the high stakes surrounding ransomware.

Ransomware is exactly what it sounds like — malicious software used by hackers to block access to a computer system until a ransom is paid. It has become more common in recent years. The number of ransomware attacks increased from 100,000 in January 2013 to 600,000 by the end of that year, according to a 2014 report by antivirus software maker Symantec. While the threat of ransomware isn’t exactly new, high-profile cases like this suggest the severity of an attack’s impact can be crushing, especially as hackers move from targeting individuals to bigger fish such as companies and major institutions like the hospital. “It started out with just individuals, like it would go after your hard drive or family pictures, and the warning would be, ‘These will be lost forever unless you pay me,’” Peter Tran, GM and senior director at the network security company RSA, told CBS News. “However, now the hackers’ demand to use bitcoin, this virtual currency that is unregulated and relatively untraceable — well, you look at it and you think, ‘It’s about time they started doing this.’ We’ve moved beyond leaving a suitcase of money dropped onto a park bench and moving into more sophisticated means of taking people’s information hostage and asking for money.” One of the dangers that comes from hacking into a medical facility like Hollywood Presbyterian is that health data — everything from patient records to information that a surgeon may need in an operating room — is suddenly locked up, unable to be accessed until the money is transferred to the hacker, who then provides a digital key to decrypt it.

The personal danger to patients is obvious, and Tran stressed that this most recent attack specifically signifies that hackers have now “upped the ante” on ransomware’s magnitude. “Medical devices now use data that traverses over the private cloud. In health care, now it’s all about how my medical device is going to transmit data from my provider to me, telling me how I’m doing, monitoring my health. It can be used in early prevention to tell me how my body is doing. Now, imagine if that information was held or locked up in ransomware, think of the disruption to health care systems,” Tran said. Staff at Hollywood Presbyterian first noticed the disruption to their computer system on Feb. 5, the hospital’s CEO Allen Stefanek said. The problem was resolved and the computer system was fully functioning again 10 days later. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this,” Stefanek said in a statement. “If they decided to pay the ransom, it probably means that they didn’t have very good backups, they weren’t able to recover the data, and that the data would have been lost if they didn’t pay the ransom,” Dave Kennedy, CEO of the information security firm TrustedSec, told the press. According to a source familiar with the investigation, the hospital paid the ransom before contacting law enforcement, CBS News correspondent Carter Evans reported. What kind of precedent does this set?

“It’s kind of like the hackers were saying, ‘OK, you guys are on the alert, you felt the burn, now you won’t know when it really hits,’” Tran said. “Something like this could hit the transportation system or the border control system, just imagine.” Cyber security experts believe the first known ransomware incident dates back to 1989, and like this most recent hack, involved people’s health information. Online magazine Medium reports on the early case, in which 20,000 software disks labeled as AIDS education software were distributed to 90 countries in December 1989. The software — which would be given the moniker “AIDS Trojan” — asked respondents to fill out a survey to determine how at risk they were of contracting AIDS, and then once they rebooted their computers, they would find all of their files encrypted. Straight out of a spy movie, the ransom came in the form of a note — users were told to turn on their printer, which shot out a demand for $189 to be sent to a P.O. Box in Panama. Once the money was paid, the user would receive decryption software to retrieve their data. Though today’s hackers may demand bitcoins rather than money via snail mail, the basic method of this kind of hack has stayed the same. So, what can institutions do to safeguard against these kinds of attacks?

“Well, users will have to up the ante, as well, on the type of authentication systems they use to allow anyone to use their systems,” Tran stressed. “We are moving more towards risk-based profile authentication, layering authentication — not just multi-factor authentication.” Such systems may flag when someone unknown is trying to access data — more secure profile authentication is not going to allow someone to enter an area of the network that they wouldn’t normally be able to access.

“They’ll say, ‘Why is he accessing the network in the U.K. when he’s based in New York? Something doesn’t make sense,’” Tran explained. It can sometimes sound farcical to think of data — a series of numbers strung together — being held hostage. But the risk is real, and victims may feel like they have little option but to give in.
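The risk-based, layered authentication Tran describes above (flagging a U.K. login for a user who normally works from New York, and asking for more proof or refusing before the account can reach the network) can be illustrated with a small scoring routine. The Python below is an added example written for this page; it is not code from the article, from RSA or from any product. The login events, field names, weights and thresholds are all constructed assumptions, and the "impossible travel" rule is a simplification (country change within two hours) rather than a real distance calculation.

```python
"""Risk-based login scoring (illustrative example, constructed for this page).

Each login attempt is scored against the user's previously accepted logins:
a never-seen country, a never-seen device and an "impossible travel" jump
(different country within MAX_TRAVEL of the last accepted login) each add
risk.  Low risk is allowed, medium risk requires a step-up factor, high risk
is denied.  Denied attempts never become part of the trusted history.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Login:
    user: str
    ts: datetime
    country: str    # ISO country code the request appears to come from (assumed field)
    device_id: str  # identifier of the browser/device presenting itself (assumed field)


# Constructed sample stream, assumed to arrive in time order. Not real data.
SAMPLE_LOGINS: List[Login] = [
    Login("alice", datetime(2016, 2, 5, 9, 0), "US", "dev-A"),
    Login("alice", datetime(2016, 2, 5, 12, 0), "US", "dev-A"),
    Login("alice", datetime(2016, 2, 5, 12, 20), "GB", "dev-A"),  # U.K. 20 min after New York
    Login("alice", datetime(2016, 2, 6, 9, 0), "US", "dev-B"),    # known country, unknown device
    Login("bob", datetime(2016, 2, 5, 10, 0), "US", "dev-C"),
]

# Weights and thresholds are illustrative assumptions, not recommended values.
W_NEW_COUNTRY = 40
W_NEW_DEVICE = 30
W_IMPOSSIBLE_TRAVEL = 50
STEP_UP_AT = 30   # score at or above this: demand an additional factor
DENY_AT = 70      # score at or above this: refuse the attempt
MAX_TRAVEL = timedelta(hours=2)


def score_login(history: List[Login], login: Login) -> Tuple[int, List[str]]:
    """Score one attempt against the user's accepted history; returns (score, reasons)."""
    if not history:
        return 0, ["no history: establishing baseline"]
    score, reasons = 0, []
    if login.country not in {h.country for h in history}:
        score += W_NEW_COUNTRY
        reasons.append(f"first login from {login.country}")
    if login.device_id not in {h.device_id for h in history}:
        score += W_NEW_DEVICE
        reasons.append(f"unrecognised device {login.device_id}")
    last = history[-1]
    gap = login.ts - last.ts
    if last.country != login.country and gap < MAX_TRAVEL:
        score += W_IMPOSSIBLE_TRAVEL
        reasons.append(f"{last.country} -> {login.country} within {gap}")
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score to allow / step_up / deny."""
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"


def evaluate_stream(logins: List[Login]) -> List[Tuple[str, str, int, List[str]]]:
    """Process attempts in order. Only attempts that were not denied join the history."""
    history: Dict[str, List[Login]] = {}
    results = []
    for login in logins:
        user_history = history.setdefault(login.user, [])
        score, reasons = score_login(user_history, login)
        decision = decide(score)
        if decision != "deny":
            user_history.append(login)
        results.append((login.user, decision, score, reasons))
    return results


if __name__ == "__main__":
    for user, decision, score, reasons in evaluate_stream(SAMPLE_LOGINS):
        print(f"{user:6} {decision:8} score={score:3} {'; '.join(reasons)}")
```

Run as a script, the third event (alice appearing in the U.K. twenty minutes after a New York login) scores 90 and is denied, while the next day's login from a new device in a known country scores 30 and is routed to a step-up check. In production the country would come from a geolocation lookup on the source address, the device from a registered device or client certificate, and the weights would be tuned against the organisation's own login history.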

“With a person being held hostage, normally the negotiators are going to say ‘Don’t pay the ransom, don’t ever pay, wait for what they want and wear them down,'” Tran said. “With this kind of hack, you don’t have that kind of time. The complete footprint of your entire life is being held for ransom. All of your information.”

Cyber security experts worry that the $17,000 a Los Angeles hospital paid hackers to regain control of its computers could signal a troubling escalation of the growing “ransomware” threat.

Though patient care was not “compromised in any way,” Hollywood Presbyterian Medical Center paid the bounty “in the best interest of restoring normal operations,” President Allen Stefanek said in a written statement. A typical attack starts when a person opens an emailed link or attachment. Malicious code locks the computer — or, worse, an entire network. Victims pay hackers for a “key” to unlock their machines — and may be desperate to do so if they have not diligently backed up their data and networks. Many ransomware victims pay quietly, or abandon infected machines. It was unusual that Hollywood Presbyterian, which has more than 400 beds and is owned by CHA Medical Center of South Korea, both revealed the attack publicly and disclosed its cost. Computer security experts said hospitals are particularly vulnerable because some medical equipment runs on old operating systems that cannot easily be safeguarded. If an employee opens an infected file from a computer that also connects with a patient monitoring station or insulin pump, those devices also could be locked.

Hospitals have not been as diligent in combating cyber threats such as ransomware as other sectors, according to several experts, despite the life-and-death nature of their operations, their tight control over patient information and mandates that they move toward electronic record keeping. Hospitals are “about 10 to 15 years behind the banking industry” in combating cyber threats, said Lysa Myers, a researcher with the computer security firm ESET. The math behind whether to pay a ransom demand can be simple. Paying thousands of dollars to resolve a serious attack that has penetrated a multimillion-dollar business such as a large hospital would be “a no-brainer,” said James Carder, chief information security officer of LogRhythm, a security intelligence and analytics firm. Several companies have told Carder that the FBI suggested they pay ransom, he said. Jason Haddix, the director of technical operations at the information security firm Bugcrowd, said companies also have told him the same. “If you’re at a point where you can’t do anything,” said Haddix, “sometimes the only option is to pay.”

“Ransomware has been around for several years, but there’s been a definite uptick lately in its use by cyber criminals,” the FBI wrote in a 2015 post on its website. The agency said that it is “targeting these offenders and their scams.” Hollywood Presbyterian paid 40 bitcoins, a digital currency of floating value that on Thursday was worth about $420 each. The problem was first noticed Feb. 5, hospital president Stefanek said, and its system was fully functioning 10 days later. One reason hackers are attracted to ransomware is that it can be created with relative ease — do-it-yourself ransomware kits are available — and the return on investment can be strong. To launch a ransomware campaign that lasts one month might cost $5,900, and generate about $90,000 in revenue, according to projections by the cyber security firm Trustwave. A report from Intel Corp.’s McAfee Labs released in November said the number of ransomware attacks is expected to grow in 2016 because of increased sophistication in the software used to do it. The company estimates that on average, 3 percent of users with infected machines pay a ransom. While a hacker may get several hundred dollars to unlock many individual computers, getting $17,000 is a decent payday. Based on the public confirmation of that figure, hackers are “going to begin to test the price,” said Jack Danahy, chief technology officer at cyber security firm Barkly. The best defense against a ransomware attack is not to click on unknown links and attachments. Intrusion detection systems and firewalls can help if a person does click — but once the ransomware is entrenched, if the system does not have good system backup practices, the choices boil down to paying or never regaining control.