Security Experts:

General Hack-spital, Episode: "Heart Attack"

Hunkered down in a hospital cafeteria booth, a hoodied ELVIRA, mid-20s, slim, but not athletic, hovers over a laptop, appears agitated as her fingers scurry like mice for cheddar crumbs across the keyboard. Not lifting her eyes from the screen, she reaches for her coffee, knocks it over, shrieks. NURSE NANCY, 55, clad in Elmo-print scrubs and a striking pair of cobalt Danskos rushes to her side.


Are you okay? Did you burn yourself? 

Elvira, who is giving her laptop a frantic once over, snaps it closed. 


No, no, I’m fine. I thought my laptop. It’s okay. I’m fine. I have to go.

Elvira runs out of the cafeteria.


An Italian classical crossover tenor croons from overhead speakers as we pan across the room to see a vital signs monitor, anesthesia equipment. An ANESTHESIOLOGIST monitors a PATIENT on the operating table. DR. CARVER, masked, enters, scans the monitors, and stands next to the table.


Vitals looking good.


Off to the races. Scalpel?

Nurse Nancy appears and hands Dr. Carver the knife. The monitors flicker and go black. The song cuts off mid-chorus, “Time to say good…” A second later, a message flashes.



Ransomware—Like Cream—Rises to the Top

Yikes! That’s some unrequited love gone cybersecurity sideways. And while, sure, that scenario might tend a tad toward the melodramatic, it’s not beyond the realm of possibility.

We read the news. We see that hospital hacks have become almost as frequent as a bad hair day for the Donald. According to the Ponemon Institute’s recently released Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data (PDF), 89 percent of surveyed hospitals said they had been breached in the past two years and cited cybercrime as the top cause. 

Thing is, it kind of makes sense. Hackers are humans, too, and most humans tend to veer toward the path of least resistance. So why wouldn’t they choose an easy—and lucrative—target like a hospital? On the black market, a single patient record can fetch $500. Hundreds of times more than a credit card or Social Security number. And of course there’s the now popular ransomware—still a sale, only a bit of a flip flop where hackers ask hospitals for lump-sum or per-system payoffs to unlock access to their own data. 

As outlined in the IT Threat Evolution in Q1 2016 report, Kaspersky cybersecurity experts found that 2,900 new ransomware malware modifications appeared between January and March 2016 (a 14 percent increase over last year). And you know what that means, don’t you? Move over, advanced persistent threats (APTs)! Ransomware has just replaced you as the most problematic cyber threat du jour.

Keep Bleeding. Keep, Keep Bleeding.

Ever watch Mr. Robot? The main character is a hacker named Elliot who, in one episode, voices an unsympathetic critique of healthcare IT. As he imagines hacking into a hospital, he describes the head of the IT department—who also happens to be the IT department—as a guy using useless virus scans, dated services, and security software running on Windows 98. Elliot’s sole compassionate remark:

The poor guy only gets a budget of about $7,000 a year. And he’s supposed to protect their network from people like me? He never stood a chance.

Is this so far from reality? What about all the real-world, short-staffed, underfinanced healthcare departments? Do they stand a chance?

Historically, healthcare organizations—even after hastening to digitize patient records—have not invested enough in IT, let alone cybersecurity. While all the news coverage of breaches may be helping increase awareness of the growing threat to patient data and care, it’s not enough. Unfortunately, far too many healthcare organizations still don’t have the people or budgetary resources in place to adequately detect, manage, and minimize breaches.

Many a ransomware attack has succeeded using a known security vulnerability. Take, for example, Maryland’s second-largest healthcare provider: MedStar Health. Hackers used the Samsam ransomware to compromise outdated JBoss application servers, encrypt data, and bring down the hospital’s system. And while MedStar may have marketed the disruption as an inconvenience that did not affect quality of care, I beg to differ. How does having to turn away patients and ask them come back another day not reflect negatively on care quality?

According to Beth Israel Deaconess CIO John Halamko, his hospital is routinely attacked (i.e., every 7 seconds, 24 hours a day) and yet, cybersecurity has not been made a budgetary priority. Said Halamko, “In healthcare, we spent about 2 percent [of the budget] on IT, and security might be 10 percent of that.”

As PWC sees it, 2016 is the year that healthcare organizations should be considering supersizing their IT and cybersecurity budgets. Whether from ransomware, malware, or denial-of-service (DOS) attacks, healthcare organizations have got to stop the bleeding of sensitive and confidential information. They need a new strategy that not only involves implementing new security tools, but facilitates network traffic monitoring and triage that can improve the efficacy of those tools, too.

Think of it this way. Preventative security costs an average of $8 per patient record for risk assessment and management, security controls, monitoring and detection, and forensics. That’s a whole lot less than the post-breach alternative, which averages out to about $200 per patient record to cover HIPAA fines, legal fees, lost business from reputational damage, and customer restitution and credit monitoring services.

Clean up Your Act, Folks!

In the mid-19th century, a physician named Semmelweis attempted to persuade the medical community to adopt a radical practice: hand washing to help prevent infection. Sadly, he was shunned and committed to a psychiatric asylum where he died of sepsis. Oh, the cruel irony.

We’re no longer living in the Victorian era. We should know better about what can cause and prevent infections, shouldn’t we? Unfortunately, according to Verizon’s 2016 Data Breach Investigations Report (DBIR), 30 percent of phishing emails were opened and, of those, 12 percent had malicious attachments or nefarious links that folks clicked on. In the healthcare profession, this type of ignorance isn’t bliss; it’s a downright health hazard.

While hospitals might excel at patching up patients, they don’t seem as adept at doing the same for known system vulnerabilities. Nor are they taking necessary precautionary measures such as properly managing user-access privileges or educating employees about, for example, what ransomware is and what they can do to protect against a gushing loss of sensitive patient data or worse. Much worse. (Don’t forget Elvira, my heart’s on fire, Elvira. Oom Poppa Oom Poppa mow mow!)

Back It Up!

As ransomware threats evolve, cyber criminals might begin to leverage open source tools to encrypt data at rest on file systems and near line storage or use worm-like ransomware that infects removable drives.

In these cases, hospitals have a few ransomware antidote options. They could implement network monitoring capabilities that feed into security tools for faster detection and mitigation. They could institute a business continuity and disaster recovery plan that includes a mature incident response team and the ability to quickly replace desktop and laptop assets. They could also have a local backup of data, with the traditional offsite/off-network backups, or the ability to leverage backups and data storage in the cloud. Or, all of the above.

The key is to have the technology, process, and procedures in place for a speedy recovery that denies hackers gains and minimizes business (and health) impact.

I like a little drama in my life. I’ll admit that. It’s why I tune into shows like Mr. Robot. But when it comes to my own personal healthcare, the less drama the better. I want my records secure, my appointments on time, and for the lights to stay on should I ever wind up on Dr. Carver’s table.

view counter
Erin O’Malley is an incident response delivery support manager at Accenture Security, FusionX, Cyber Investigation and Forensics Response (CIFR), where she teams with incident responders and threat hunters to document and catalog incident report findings and highlight the value of taking an adversary-based approach to minimize the risk, exposure, and damage of cybersecurity incidents. Prior to joining Accenture, Erin was a security solutions marketing manager at Gigamon. Other past roles have included product marketing for virtualization and cloud security solutions at Juniper Networks and customer marketing at VMware. She has written and edited for GE Digital, WSGR, Business Objects, and the TDA Group, and holds a B.A. in French from Penn State University and an M.A. in French from Middlebury College. The opinions and statements in this column are solely those of the individual author, and do not constitute professional or legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. No representations or warranties are provided, and the reader is responsible for determining whether or not to follow any of the suggestions or recommendations, entirely at their own discretion.