A Ransomware attack has caused a Methodist Hospital in Kentucky to declare an ‘internal state of emergency.’ The unknown cyber attackers are demanding 4 Bitcoins ($1600) for the restoration of the hospital’s computer systems. Significantly, this is the second attack of its kind to occur recently in a US hospital (the fourth if you take into account two in Germany last month).
Jamie Reid (information systems director at the hospital) has stated that the attack was orchestrated with ransomware called ‘Locky’. A type of malware that takes root inside a system – causing chaos – until a key is received to decrypt the system. The wicked ransomware is promulgated via a malicious Word document, which according to security analyst Brian Krebs infected the hospital via an email.
At the moment it remains unclear whether the hospital has regained full control of its systems, although it is claiming that the 5-day attack has now been neutralized. David Park, the hospital’s attorney, confirmed yesterday that it is working closely with the FBI in an attempt to resolve the issue. ‘I think it’s our position that we’re not going to pay it [the ransom] unless we absolutely have to,’ Mr. Park commented.
Last month, a hospital in Los Angeles was the victim of a similar stick-up at the hands of ransomware. On that occasion, attackers demanded the bloodcurdling equivalent of $17,000 (40 Bitcoins) from the Hollywood Presbyterian Medical Center. To the horror of onlookers everywhere, the Hollywood medical center decided to pay the heartless hackers (after being locked out of its systems for ten days).
Risk of Ransomware Escalating
Lyser Myers from cybersecurity firm ESET, went on the record after hearing about LA hospital hack, to issue the dire warning that poor cybersecurity in other health care institutions could open them up to similar attacks. In fact, Myers was quick to point out that despite the life and death risks involved, the health sector had fallen alarmingly behind on information security, with hospitals ‘about 10 to 15 years behind the banking industry.’
Initially ransomware attacks had focused on individuals and smaller organizations, with malware like CryptoLocker. last year; however, cyber criminals graduated to holding up corporate targets. Due to the shift, cybersecurity experts at IBM warned that larger sums may begin to be requested. Now, true to those warnings more and more corporations are being held up; for escalating amounts.
The nature of the life-saving work that hospitals carry out means that there is mounting concern throughout the sector. With security experts now terrified that should infusion pumps that deliver chemotherapy drugs (or other critical equipment) become infected – hospitals may need to rush to pay the bounty – or else face the crushing reality of a loss-of-life at the hand of hackers.
Bob Shaker of Symantec Corp has admitted that he knows of around 20 similar attacks that happened in the health sector last year. He says that those were kept from the public – to avoid the public relations fallout – and in an attempt not to foment copycat attacks. ‘Our number one fear is that this now pretty much opens the door for other people to pay,’ commented Shaker after last month’s attack.
In the UK, where NHS hospitals are vastly underfunded, experts are sounding the alarm. In 2014, whistleblowers informed the UK’s watchdog that 20 NHS trusts suffered serious data breaches. With such a troubling recent track record – it seems almost inevitable – that greedy cyber criminals may set their eyes on the poorly shored-up systems of the UK’s medical infrastructure.
To its credit, in January, the UK government launched a new service called careCERT (Care Computing Emergency Response Team). A utility aimed at enhancing ‘cyber resilience across the health and social care system.’ Sadly, despite the positive undertones of careCERT, the service’s goals appear to concentrate on incident response rather than staff education and prevention.
Unfortunately, these days cyber attacks often focus on social hacking techniques such as Phishing (as is the case in Kentucky). For that reason – like with Asthma – the threat of hacking is best controlled and prevented, rather than dealt with during an attack.
For now, it remains to be seen whether more European or UK hospitals are subjected to the same ill fate as those in the US. With recompenses huge, however, and Britain’s hospital’s such easy pickings: one imagines that it is only a matter of time before the NHS gets its first taste of this scary modern phenomenon.