A cyber-attack that left computer screens at Hancock Regional Hospital in Greenfield, Indiana, USA, displaying a ransom message demanding bitcoin has caused the hospital's entire network to be taken offline to prevent damage to patient data.
Staff knew something was wrong when the hospital's computers started to slow down on the night of Thursday 11 January, senior vice president Rob Matt confirmed to The Republic. A short time later, a message flashed on the screens, telling staff that the hacker was holding them to ransom for bitcoin, a virtual currency used for anonymous transactions that is nearly impossible to trace.
On Friday afternoon, CEO Steve Long confirmed the ransomware attack was started by a hacker who “attempted to shut down (Hancock Health’s) operations.”
The hospital leaders don’t believe that any personal information has been compromised. Long declined to share the details of the attack, including how much the attacker wanted as a ransom from the hospital in total. According to Long, “this was not a 15-year-old kid sitting in his mother’s basement”; it was described as a sophisticated attack that the FBI are familiar with.
Until the network can be brought back up, all staff at the hospital are using pen and paper to update medical records. No surgeries have been cancelled because of the network that Long knows of; the only cancellations have been due to weather.
Gary Cox, technology director for Western Europe at Infoblox, commented by email to SC Media UK: “The healthcare industry has become a prime target for cyber-criminals. Not only is the sensitive information held by healthcare organisations immensely valuable on the dark web, fuelling healthcare fraud in the US, but cyber-criminals are increasingly seeing the value of the ransom over resale e-crime model, due to the immense pressure that hospitals are under to avoid any disruption.
“As ransomware attacks on hospitals become more common, it is unsurprising that 85 percent of UK healthcare IT professionals and 68 percent of US healthcare IT professionals have a plan in place for this situation. However, as all good healthcare professionals know, prevention is better than treatment. All organisations must ensure that their security measures are up to scratch: from having all software patched and up to date and making sure users observe best practice, to deploying DNS effectively as an enforcement point to block ransomware.”
Raj Samani, chief scientist and Fellow at McAfee, commented to SC Media UK: “Cyber-criminals are increasingly looking to cause as much public disruption as possible, and as part of this the global health industry has become a prime target. As the healthcare industry races to become more efficient and digitise processes where possible, the industry has become extremely vulnerable to attack.
“To combat this trend, and reduce the growing numbers of attacks on public services, the cyber-security industry needs to make threat intelligence sharing an absolute priority. Traditionally many companies see their intelligence as a way of gaining a competitive advantage; however, as the amount of disruption continues to increase, 2018 needs to be the year where intelligence sharing after a successful attack becomes the norm.”
Joseph Carson, chief security scientist at Thycotic, adds in an email to SC Media UK: “Sometimes a simple click on a harmless-looking email could bring critical systems to a standstill and leave doctors staring at blank screens.
“Hospitals are exposed to ransomware and need to seriously consider the consequences of not prioritising cyber-security effectively. Hospitals face the challenge of deciding whether to upgrade systems to the latest version of the patched software or more doctors and nurses; this is the crucial decision that the leaders must decide. When ransomware hits the hospital, it could mean that the doctors and nurses become restricted in what they can actually do as a result of their access to sensitive information not being available.
“Hospitals now face the challenge again with recent vulnerabilities like Spectre and Meltdown on whether to patch and expose systems to poor performance or keep the systems operational though exposed to cyber-threats.
“Ransom is typically demanded in bitcoin with a 72-hour window to pay before the key is deleted and data is irreversibly lost. The impact this can have on an organisation is: temporary loss of systems and access to sensitive information; downtime of operations; financial impact or loss, and incalculable reputation damage. The most recent variants of ransomware have gone into stealth mode. This means they avoid detection by hiding under the radar from traditional anti-malware software that scans the hard drive for malicious software.
“The destructive nature of ransomware and the impact it’s had on individuals and organisations globally has prompted the US Department of Homeland Security, US-CERT and the FBI to release alerts encouraging organisations to take this threat seriously before it’s too late.”