Ransomware and Academic International Medicine

1. Introduction

Healthcare is among the leading industries targeted by cyber-criminals [1]. Malware, or malicious software, refers to programs designed to infiltrate computers without the users’ consent, and includes threats such as viruses and ransomware. Ransomware, a version of malware, exploits vulnerabilities to hijack target information technology (IT) infrastructures for monetary gain. Health information is an attractive target for cyber-criminals, as research suggests that an individual’s medical information is 20–50 times more valuable than personal financial information [1]. Access to medical information enables cyber-criminals to commit identity theft, medical fraud, and extortion, and illegally obtain controlled substances. The utility, versatility, and centralized storage of medical information, relatively weak IT security systems, and expanding use of healthcare IT (HIT) infrastructure all contribute to an increase in cyber-attacks on healthcare entities [1]. In fact, cyber-attacks targeting medical information are increasing ≥22% annually [1]. Depending on completeness, recency, and accuracy, a single patient’s file may fetch hundreds to thousands of dollars on the Dark Web [2, 3]. In Australia, it has been reported that the medical card number of every citizen is for sale on the Dark Web [3]. Moreover, attack-associated costs are reported to cost $1–3.7 million USD to clean up, with an average downtime cost per attack being $141,000 USD [1, 4, 5, 6]. A study by IBM and the Ponemon Institute reported that cyber breaches in the United States (U.S.) cost up to $6.2 billion per year and that almost 90% of hospitals have reported a data breach [7].

2. Search strategy

A literature search was performed of: China National Knowledge Infrastructure (CHKD-CNKI), Cochrane CENTRAL, CINAHL, Directory of Open Access Journals (DOAJ), Embase, Korean Journal Database (KCI), Latin American and Caribbean Health Sciences Literature (LILACS), IEEE-Xplorer, information/Chinese Scientific Journals database (CSJD-VIP), Google Scholar, Magiran, PsycInfo, PubMed, Scopus, Scientific Electronic Library Online (SciELO), Scientific Information Database (SID), TÜBİTAK ULAKBİM, Research Gate, Russian Science Citation Index (RSCI), and Web of Science (WoS). Relevant bibliographies were also searched. The search terms included the U.S. National Library of Medicine MeSH terms hospitals and computer security, as well as the terms ransomware, cyber security, web security, and healthcare.

3. What is ransomware?

Ransomware utilizes malicious software to infiltrate computer systems or connected devices to encrypt a user’s files in order to carry out an extortion attack [8, 9]. Most commonly, ransomware infects a system when its user opens a compromised e-mail or visits a compromised website (i.e., drive-by downloads) [8]. Once downloaded, servers (i.e., web and e-mail), databases, end-user computers and removable media may become involved, including personal cloud storage services [2, 9]. The intended purpose of encryption is privacy, where someone with access to the encrypted data (“ciphertext”) is unable to discern its contents in a readable form (“plaintext”) [9]. There are two types of encryption, or cryptography: symmetric key and public key. In symmetric key cryptography, the sender and receiver use the same secret key to encrypt and decrypt the data. Public key cryptography uses a pair of keys: a public key (shared between both parties) and a private key (sender and receiver have their own unique private key) [9].

Ransomware uses a hybrid encryption system that combines the two cryptographies to create an asymmetrical cryptosystem in which data are encrypted using a randomly generated symmetric key, which is subsequently encrypted using a public key where one party has the corresponding private key [9]. The cyber-criminal uses the private key to decrypt the symmetric key in order to decrypt the data back into “plaintext” and sends the key back to the victim, who can then use it to regain access to their system [9].

Once encrypted, information becomes indecipherable and inaccessible. The user receives a pop-up notification demanding payment of a ransom (usually in untraceable digital currency such as bitcoin) in exchange for the decryption key [10]. Ransomware often does not destroy data, but rather, locks-up the data until a ransom is paid [11]. Even if the ransomware infection is removed, the data may remain encrypted [11]. But it is important to note, the mere infection of a machine with ransomware is not enough. The ransomware must communicate with a server to get an encryption key and report its results [11]. This requires a server hosted by a company that will ignore the illegal activity and guarantee the attackers anonymity (called Bulletproof Hosting) [11]. These companies are often located in China or Russia [11]. Attackers also use a proxy or virtual private network (VPN) services to further disguise their own internet protocol (IP) addresses [11]. Attack numbers have grown in part because malware authors have adopted an easy-to-use modular design of ransomware distribution [12]. This Ransomware-as-a-Service (RaaS) approach has become increasingly available, assisting technically naive attackers through simplistic distribution with phishing and exploitation kits, while employing a trustworthy business model [12]. RaaS is most easily accessed on the Dark Web [13], where prospective cyber-criminals are provided access to an affiliate console allowing them to walk-through the process of receiving their ransomware exploit kit, configure settings, target selection, and selecting ransom rates [13]. Metrics on malware instillations and success rates are also available [13].

4. Ransomware and healthcare

The targeting of healthcare by ransomware dates to 1989, when the Harvard-trained evolutionary biologist Dr. Joseph L. Popp used malware to prey on scientists and organizations interested in early acquired immunodeficiency syndrome (AIDS) research [1, 11]. Dr. Joseph Popp, a World Health Organization (WHO) consultant and AIDS researcher himself, mailed 20,000 floppy disks containing ransomware to a group of attendees at the WHO’s International AIDS conference [1, 11]. When inserted into the target’s computer, the virus (known as AIDS Program, AIDS Trojan, or PC Cyborg) infected the computer with a virus that lay dormant until the 90th time the system was re-booted, at which point a note would appear on the screen asking for licensing fees to be paid while it encrypted and locked computer files [8, 12]. A $189 USD ransom to be mailed to a physical mailing address was demanded to “renew the software,” or users must forgo further use of their computer [1, 8]. Although authorities apprehended Dr. Popp, his creation resulted in many derivatives that serve as a framework for modern cyber-criminals [1].

Over 15 years passed before the next instance of ransomware (GPCoder), which was delivered via e-mail [15]. Among the first major medical centers attacked was Hollywood Presbyterian Medical Center (2016), a 400-bed hospital in Los Angeles, California [1, 10, 11]. Rather than pay the initial $3.7 million USD ransom, the hospital reverted to paper records until they were able to negotiate the decryption key ransom payment down to 40 bitcoins (about $17,000 USD) [1, 10, 11]. However, this does not account for 10 days of lost revenue while the hospital’s systems were inaccessible, nor does it account for a damaged reputation in patient data security. Subsequent U.S. attacks have included academic, government, and private healthcare systems including: Alaska Department of Health Office of Children’s Services (Anchorage, Alaska); Appalachian Regional Hospitals (Lexington, Kentucky); Berkshire Health Systems (Pittsfield, Massachusetts); Emory Healthcare (Atlanta, Georgia); Hancock Regional Hospital (Greenfield, Indiana); Heritage Valley Health System (Pennsylvania); Medstar (Baltimore, Maryland); Kansas Heart Hospital (Wichita, Kansas); Keck Medicine of the University of Southern California (Los Angeles, California); Los Angeles Health Department (Los Angeles, California); Methodist Hospital (Henderson, Kentucky); National Capital Poison Center (Washington, D.C.); Princeton Community Hospital (Princeton, West Virginia); J.W. Ruby Memorial Hospital of West Virginia University (Morgantwown, West Virgina); University of Buffalo and State University of New York (Buffalo, New York); and Verity Medical Foundation (San Jose, California) [9, 10, 12, 20, 21]. Additionally, health insurance companies have also been targeted [7]. The Anthem Blue Cross insurance company (USA) had over 78 million medical records stolen in 2015 [7].

This problem, however, is far from constrained to U.S. entities; it is global. On May 12, 2017, a ransomware (WannaCry) that utilized a stolen National Security Agency (NSA) tool that highlighted a vulnerability of the Windows OS (MS17-010) infected more than 300,000 computers in at least 150 countries [12]. Sixty trusts within the United Kingdom’s National Health Service (NHS) experienced system-wide lockouts forcing at least 16 hospital closures, ambulance diversions, inability to access patient records, patient care delays (canceled appointments and elective surgeries), and function loss in connected devices such as MRI scanners and blood storage refrigerators [3, 21, 22, 23]. Five hospitals, including Barts Health (Royal London Hospital), one of the main trauma centers in London, had to close their emergency departments [7]. Similarly, the Singapore Health System experienced a breach of over 1 million patient records, including those of the Prime Minister [7].

5. Protecting your institution

As with most HIT issues, preventing a ransomware attack is a complex socio-technical problem. Richard Schaeffer (2009), the U.S. National Security Agency (NSA) Information Assurance Director, testified to the U.S. Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security that 80% of all ransomware attacks could be prevented by adhering to security measures already in place [36]. In addition to a sophisticated encryption algorithm, ransomware attacks often rely on some form of “social engineering,” or the psychological manipulation of people to gain their trust and lead them to divulge confidential information [15]. Solving these problems is a shared task between HIT users and those responsible for configuring, maintaining, and operating the HIT infrastructure. While preventing all ransomware attacks is not possible, there are several steps that healthcare organizations can take to reduce risk and mitigate harm (Table 2). Additionally, the U.S. Department Health and Human Services (HHS) offer guidelines on the best policies on how to properly secure electronic PHI. The need to maintain software updates and patches cannot be understated. For example, Microsoft Inc. had released a patch for the vulnerability exploited by WannaCry and NotPeyta 8 weeks before the attack [8]. If systems had remained up to date, the impact of both malwares would likely have been significantly diminished.

Another approach to recover from a ransomware attack without needing to pay a ransom is by copying a file when it is being modified, storing one copy in a protected area, and allowing any changes to be made to the other [14]. ShieldFS© (NECSTLab, Milan, Italy) approaches this by creating a protected (i.e., read-only) copy of files when a process requests to modify or delete it [14]. If ShieldFS© determines that a process is malicious, the offending process is suspended and the copies can be restored, replacing the modified (encrypted) versions [14]. Conversely, Redemption uses a similar approach, but its technique creates a copy of each of the files targeted by the ransomware and then uses the Windows Kernel Development framework to redirect (or “reflect”) the write requests or filesystem operations (invoked by the ransomware to encrypt the target files) from the target files to the dummy copies in a transparent data buffer, hence leaving the original files intact [14].

Lastly, any ransomware attack should immediately be reported to the appropriate authorities [37]. In the U.S., federal law dictates that any breach undergo a thorough and properly documented analysis to determine if any unsecured PHI was compromised [38, 39, 40]. For anything other than a low probability of PHI compromise, one must inform the U.S. Department of HHS as soon as possible, and no later than 60-days post-breach (when over 500 person’s PHI is affected) [10, 37, 41].

6. Conclusions

As HIT infrastructure struggles with new technology and security protocols, the industry is a prime target for medical information theft. Even worse, the healthcare industry is lagging behind other leading industries in securing vital data. Healthcare organizations must adapt to the ever-changing cyber-security trends and threats, such as ransomware, where critical infrastructure is exploited, and valuable patient data are extracted. It is imperative that time and funding are invested in maintaining and ensuring the protection of healthcare technology and the confidentially of patient information from unauthorized access.

Conflict of interest

The authors have no conflict of interests to disclose.