Cybersecurity, Hospitals and Ransomware
Sturdy Memorial Hospital - Not so much
by Charles Parker
Hospitals have continued to be targeted at a disproportionate rate over the last five years. Other industries hold data just as valuable as the medical field's; however, hospitals are in the news at a higher rate. One factor driving the attacks is the criticality of the services. Hospitals require access to the data (e.g., patient charts) and networks to perform operations and procedures, both planned and emergency, and simply to see patients. The high-level data flow for this is quite simple. Alternatively, the system may be breached and patient data exfiltrated. The ransom may then be demanded in exchange for a promise not to distribute or sell this data to other unauthorized parties.
This is why ransomware is so potent in this circumstance. The patient data is also very important to both parties, the hospital and the patient. The hospital must report the breach in most instances. The patient, depending on the data itself, may have the pleasure of monitoring their accounts and credit report for decades.
With the exfiltrated data, the hospital generally has two options: pay the ransom to keep the data from being sold to other unauthorized parties, or not pay. Paying the ransom usually is not recommended. The concern is that, after the money is received, the attackers would release the data anyway. While this has occurred a limited number of times over the last few years, it is a detriment to the business model and the malware industry. If the organization is reasonably certain the data will be published anyway, there is absolutely no reason to pay a penny. In this instance, Sturdy Memorial Hospital did pay the ransom or fee. The amount was not disclosed. As a result of the breach, the hospital mailed letters to the affected parties. As part of the response, the incident was reported to the FBI.
While the attack vector was not noted, the incident is representative of the reach ransomware has. Depending on the malware strain, all it can take is one person clicking the wrong link. We still need additional training to limit the potential for this to happen elsewhere.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.