Ransomware types and characteristics.
Healthcare is among the leading industries targeted by cyber-criminals. Ransomware exploits vulnerabilities to hijack target information technology (IT) infrastructures for monetary gain. Due to the nature and value of information, access to medical information enables cyber-criminals to commit identity theft, medical fraud, and extortion, and illegally obtain controlled substances. The utility and versatility of medical information, extensive centralized storage of medical information, relatively weak IT security systems, and the expanding use of healthcare IT infrastructure all contribute to an increase in cyber-attacks on healthcare entities. Research suggests that an individual’s medical information is 20–50 times more valuable to cyber-criminals than personal financial information. As such, cyber-attacks targeting medical information are increasing 22% per year. This chapter explores the history of ransomware attacks in healthcare, ransomware types, ransom payment, healthcare vulnerabilities, implications for international health security, and means of institutional protection.
Healthcare is among the leading industries targeted by cyber-criminals. Malware, or malicious software, refers to programs designed to infiltrate computers without the users’ consent, and includes threats such as viruses and ransomware. Ransomware, a version of malware, exploits vulnerabilities to hijack target information technology (IT) infrastructures for monetary gain. Health information is an attractive target for cyber-criminals, as research suggests that an individual’s medical information is 20–50 times more valuable than personal financial information. Access to medical information enables cyber-criminals to commit identity theft, medical fraud, and extortion, and illegally obtain controlled substances. The utility, versatility, and centralized storage of medical information, relatively weak IT security systems, and expanding use of healthcare IT (HIT) infrastructure all contribute to an increase in cyber-attacks on healthcare entities. In fact, cyber-attacks targeting medical information are increasing ≥22% annually. Depending on completeness, recency, and accuracy, a single patient’s file may fetch hundreds to thousands of dollars on the Dark Web [2, 3]. In Australia, it has been reported that the medical card number of every citizen is for sale on the Dark Web. Moreover, attack-associated clean-up costs are reported at $1–3.7 million USD, with an average downtime cost per attack of $141,000 USD [1, 4, 5, 6]. A study by IBM and the Ponemon Institute reported that cyber breaches in the United States (U.S.) cost up to $6.2 billion per year and that almost 90% of hospitals have reported a data breach.
2. Search strategy
A literature search was performed of: China National Knowledge Infrastructure (CHKD-CNKI), Cochrane CENTRAL, CINAHL, Directory of Open Access Journals (DOAJ), Embase, Korean Journal Database (KCI), Latin American and Caribbean Health Sciences Literature (LILACS), IEEE-Xplorer, information/Chinese Scientific Journals database (CSJD-VIP), Google Scholar, Magiran, PsycInfo, PubMed, Scopus, Scientific Electronic Library Online (SciELO), Scientific Information Database (SID), TÜBİTAK ULAKBİM, Research Gate, Russian Science Citation Index (RSCI), and Web of Science (WoS). Relevant bibliographies were also searched. The search terms included the U.S. National Library of Medicine MeSH terms
3. What is ransomware?
Ransomware utilizes malicious software to infiltrate computer systems or connected devices and encrypt a user’s files in order to carry out an extortion attack [8, 9]. Most commonly, ransomware infects a system when its user opens a compromised e-mail or visits a compromised website (i.e., drive-by downloads). Once downloaded, servers (i.e., web and e-mail), databases, end-user computers and removable media may become involved, including personal cloud storage services [2, 9]. The intended purpose of encryption is privacy, where someone with access to the encrypted data (“ciphertext”) is unable to discern its contents in a readable form (“plaintext”). There are two types of encryption, or cryptography: symmetric key and public key. In symmetric key cryptography, the sender and receiver use the same secret key to encrypt and decrypt the data. Public key cryptography uses a pair of keys: a public key, which can be shared openly between the parties, and a private key, which each party keeps to itself.
Ransomware uses a hybrid encryption system that combines the two to create an asymmetric cryptosystem: data are encrypted using a randomly generated symmetric key, which is subsequently encrypted using a public key for which only one party (the attacker) holds the corresponding private key. The cyber-criminal uses the private key to decrypt the symmetric key and sends that key back to the victim, who can then use it to decrypt the data back into “plaintext” and regain access to their system.
Once encrypted, information becomes indecipherable and inaccessible. The user receives a pop-up notification demanding payment of a ransom (usually in untraceable digital currency such as bitcoin) in exchange for the decryption key. Ransomware often does not destroy data, but rather locks up the data until a ransom is paid. Even if the ransomware infection is removed, the data may remain encrypted. It is important to note, however, that the mere infection of a machine with ransomware is not enough. The ransomware must communicate with a server to get an encryption key and report its results. This requires a server hosted by a company that will ignore the illegal activity and guarantee the attackers’ anonymity (called Bulletproof Hosting). These companies are often located in China or Russia. Attackers also use proxy or virtual private network (VPN) services to further disguise their own internet protocol (IP) addresses. Attack numbers have grown in part because malware authors have adopted an easy-to-use modular design for ransomware distribution. This Ransomware-as-a-Service (RaaS) approach has become increasingly available, assisting technically naive attackers through simplistic distribution with phishing and exploitation kits, while employing a trustworthy business model. RaaS is most easily accessed on the Dark Web, where prospective cyber-criminals are provided access to an affiliate console that walks them through receiving their ransomware exploit kit, configuring settings, selecting targets, and setting ransom rates. Metrics on malware installations and success rates are also available.
3.1 Ransomware types
Ransomware can be divided into three basic types: crypto-, locker-, and wipe-ransomware (Table 1). Although crypto- and locker-ransomware represent the two main categories, current variants often incorporate traits from both. Crypto-ransomware (most common) encrypts both files and data. Thus, infected files remain inaccessible if transferred to another device. Critical system files are typically spared, enabling the device to continue functioning, as it may be needed to pay the ransom. Additionally, crypto-ransomware prefers bitcoin due to the increased privacy of cryptocurrency. However, owing to worries over law enforcement, bitcoin anonymizers and laundering services have emerged.
|Ransomware Type||Examples||Characteristics||Data recoverable by moving files to another device?|
|Crypto-|| ||Encrypts files and data. Typically does not target critical system files, thereby allowing the device to function, as it may be needed to pay the ransom||No|
|Locker-||Reveton||Creates a digital locker around the computer system to block the user’s access. The data on the device are typically untouched||Possibly|
|Wipe-||PetrWrap||Encrypts files and data. Does not unlock files or device after ransom payment||No|
Conversely, locker-ransomware (a less effective extortion tool) locks the device by creating a digital “locker” around the computer system to block access [8, 11]. However, unlike crypto-ransomware, the data stored on the device are typically untouched and can often be recovered by moving them to another functioning computer for access. Moreover, users may be able to remove the locker-ransomware remotely and avoid paying the ransom. However, if remote malware removal is unsuccessful, ransom payments are typically made through payment voucher systems or cryptocurrency. For example, online betting services may accept the voucher codes as payment, subsequently transferring the money to prepaid debit cards. Money mules are then used to withdraw the cash.
Wipe-ransomware first appeared in 2017 with the PetrWrap attack, which encrypted the target’s master file table (MFT), forcing the operating system (OS) to reboot. Unlike crypto- and locker-ransomware, files encrypted by wipe-ransomware are not unlocked after payment, effectively resulting in data loss.
3.2 Ransom payment
Before 2005, online payment methods were less readily available. Victims were instructed to pay ransoms by sending checks to offshore accounts, SMS text messages, prepaid cards, or even premium rate telephone numbers that earned money for the attacker [11, 15]. However, these methods were risky since they were traceable. In 2008, the largely anonymous cryptocurrency bitcoin came into use, facilitating expansion of ransomware attacks. The use of third-party holding companies such as PayPal has provided additional payment avenues.
Since one’s ability to pay may vary greatly by geography and local economy, ransomware uses dynamic geographical pricing. Once a computer or system is infected, the ransomware establishes contact with its command-and-control (C&C) server, reports the infected device’s IP address, and the C&C server returns a price for the country associated with that IP address based on a pre-populated database. Additionally, criminals more frequently target businesses than individual users owing to greater potential for ransom extraction. It has been reported that about $10,000 USD may be the optimal business ransom as it is both low enough to pay, and low enough to generate reluctance on the part of law enforcement to investigate.
The decision whether to pay the ransom is critical. The U.S. Federal Bureau of Investigation (FBI) does not recommend paying ransoms, as only 50% of victims ultimately regain access to uncorrupted usable data. Further, ransom payment incentivizes attackers to continue exploiting healthcare targets. Even so, an estimated 40% of organizations choose to pay the ransom in hopes of recovering data accessibility and mitigating further losses. This may be more likely to occur if the hospital has a questionable backup and no business continuity plan.
Choosing not to pay, however, comes with the added costs of extended downtime and recovery, which may approach 23 times the ransom cost [6, 18]. Smaller organizations have been forced to close after not paying the ransom. The FBI estimated that in 2016 alone, ransomware-associated monetary losses exceeded $1 billion USD, with an average downtime cost per attack of $141,000 [4, 5, 6]. Ultimately, the decision of whether to pay the ransom is an individual one and depends on the unique circumstances and stakes of every incident.
4. Ransomware and healthcare
The targeting of healthcare by ransomware dates to 1989, when the Harvard-trained evolutionary biologist Dr. Joseph L. Popp used malware to prey on scientists and organizations interested in early acquired immunodeficiency syndrome (AIDS) research [1, 11]. Dr. Joseph Popp, a World Health Organization (WHO) consultant and AIDS researcher himself, mailed 20,000 floppy disks containing ransomware to a group of attendees at the WHO’s International AIDS conference [1, 11]. When inserted into the target’s computer, the virus (known as
Over 15 years passed before the next instance of ransomware (GPCoder), which was delivered via e-mail. Among the first major medical centers attacked was Hollywood Presbyterian Medical Center (2016), a 400-bed hospital in Los Angeles, California [1, 10, 11]. Rather than pay the initial $3.7 million USD ransom, the hospital reverted to paper records until it was able to negotiate the decryption key ransom payment down to 40 bitcoins (about $17,000 USD) [1, 10, 11]. However, this does not account for 10 days of lost revenue while the hospital’s systems were inaccessible, nor does it account for a damaged reputation in patient data security. Subsequent U.S. attacks have included academic, government, and private healthcare systems including: Alaska Department of Health Office of Children’s Services (Anchorage, Alaska); Appalachian Regional Hospitals (Lexington, Kentucky); Berkshire Health Systems (Pittsfield, Massachusetts); Emory Healthcare (Atlanta, Georgia); Hancock Regional Hospital (Greenfield, Indiana); Heritage Valley Health System (Pennsylvania); Medstar (Baltimore, Maryland); Kansas Heart Hospital (Wichita, Kansas); Keck Medicine of the University of Southern California (Los Angeles, California); Los Angeles Health Department (Los Angeles, California); Methodist Hospital (Henderson, Kentucky); National Capital Poison Center (Washington, D.C.); Princeton Community Hospital (Princeton, West Virginia); J.W. Ruby Memorial Hospital of West Virginia University (Morgantown, West Virginia); University of Buffalo and State University of New York (Buffalo, New York); and Verity Medical Foundation (San Jose, California) [9, 10, 12, 20, 21]. Additionally, health insurance companies have also been targeted. The Anthem Blue Cross insurance company (USA) had over 78 million medical records stolen in 2015.
This problem, however, is far from constrained to U.S. entities; it is global. On May 12, 2017, ransomware (WannaCry) that utilized a stolen National Security Agency (NSA) tool exploiting a vulnerability of the Windows OS (MS17-010) infected more than 300,000 computers in at least 150 countries. Sixty trusts within the United Kingdom’s National Health Service (NHS) experienced system-wide lockouts forcing at least 16 hospital closures, ambulance diversions, inability to access patient records, patient care delays (canceled appointments and elective surgeries), and function loss in connected devices such as MRI scanners and blood storage refrigerators [3, 21, 22, 23]. Five hospitals, including Barts Health (Royal London Hospital), one of the main trauma centers in London, had to close their emergency departments. Similarly, the Singapore Health System experienced a breach of over 1 million patient records, including those of the Prime Minister.
4.1 Why is healthcare vulnerable?
The rise in healthcare attacks in the U.S. may be linked to the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. This identified healthcare organizations as potential cash cows for cyber-criminals. Prior to 2008, only 9.4% of hospitals had adopted a basic electronic health records (EHR) system. By 2014, 75.5% of hospitals had adopted basic EHRs, and now approximately 95% use them. Additionally, HIT including glucose meters, infusion pumps, and implanted medical devices are also connected to, and dependent on, the hospital’s network. Moreover, healthcare systems are twice as likely to have Flash (Adobe Inc., San Jose, USA) installed and three times as likely to have Java (Sun Microsystems, Santa Clara, USA) installed, two plugins that can be exploited by hackers. Healthcare organizations have been focused on healthcare, not cyber security; thus, several issues have increased their vulnerability over time. While aiming to improve care efficiency, increasingly connected technology allowing multiple ways to connect to easily accessible medical devices increases the likelihood of a breach. Also, the interface between HIT systems and mobile general-purpose consumer devices (e.g., smart phones) increases the challenge of protecting protected health information (PHI). Moreover, no U.S. federal or state law requires encryption of PHI. Though encryption is encouraged, and often incentivized, nothing requires covered entities to utilize even a minimum standard of encryption. Lastly, cyber-security funding is lacking, contributing to time lags between breach occurrence and detection.
Importantly, not all ransomware- and malware-generated traffic patterns are distinguishable from the normal traffic patterns generated by medical devices and systems with networking capabilities. In this sense, both a malware encrypting a shared folder and an application compressing the same files have similar traffic patterns. Moreover, normal changes in the clinical environment may be misinterpreted as attacks if detection mechanisms adapt improperly. Furthermore, malware developers are increasingly using encrypted traffic to avoid payload inspection. Thus, achieving an acceptable balance between detection and false alarm rates remains challenging. A high false alarm rate may frustrate administrators and users, whereas a low detection rate may herald inefficacy.
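An added example (Go, written for this section, not from any cited product or the chapter itself) showing the tradeoff just described. A file-server audit feed is modelled as constructed write events; the detector flags any process that writes high-entropy content to several distinct files. Run on the sample log, it fires on both the encrypting process and a nightly compression job, because their write patterns look the same; exempting the known archive job removes the false alarm but opens a blind spot for anything running under that process name. Process names, paths, thresholds and the event format are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// WriteEvent is one file-modification record as a host agent or file-server
// audit log might report it (constructed format, not from any product).
type WriteEvent struct {
	Process string
	Path    string
	Data    []byte // sample of the bytes written
}

// Entropy returns the Shannon entropy of data in bits per byte (0..8).
// Compressed and encrypted output both sit near 8; plain records sit far lower.
func Entropy(data []byte) float64 {
	if len(data) == 0 {
		return 0
	}
	var counts [256]int
	for _, b := range data {
		counts[b]++
	}
	var h float64
	n := float64(len(data))
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Detector flags any process that writes high-entropy content to at least
// MinFiles distinct files. AllowedProcesses are trusted jobs (backup,
// compression) exempted to cut false alarms, at the price of a blind spot.
type Detector struct {
	EntropyThreshold float64
	MinFiles         int
	AllowedProcesses map[string]bool
}

// Flagged returns the processes that trip the rule, in first-seen order.
func (d Detector) Flagged(events []WriteEvent) []string {
	touched := map[string]map[string]bool{}
	var order []string
	for _, ev := range events {
		if d.AllowedProcesses[ev.Process] || Entropy(ev.Data) < d.EntropyThreshold {
			continue
		}
		if touched[ev.Process] == nil {
			touched[ev.Process] = map[string]bool{}
			order = append(order, ev.Process)
		}
		touched[ev.Process][ev.Path] = true
	}
	var flagged []string
	for _, p := range order {
		if len(touched[p]) >= d.MinFiles {
			flagged = append(flagged, p)
		}
	}
	return flagged
}

// SampleEvents builds a constructed log: a clinical application writing plain
// records, a nightly archive job writing compressed (high-entropy) output, and
// an unknown process rewriting the same share with random-looking bytes. The
// PRNG is seeded so the sample is reproducible.
func SampleEvents() []WriteEvent {
	rng := rand.New(rand.NewSource(1))
	noise := func(n int) []byte {
		b := make([]byte, n)
		for i := range b {
			b[i] = byte(rng.Intn(256))
		}
		return b
	}
	var events []WriteEvent
	for i := 0; i < 5; i++ {
		path := fmt.Sprintf("/share/records/patient%03d.txt", i)
		events = append(events,
			WriteEvent{"ehr_client", path, []byte("patient record: vitals stable, meds unchanged")},
			WriteEvent{"nightly_archive", path + ".gz", noise(4096)},
			WriteEvent{"unknown_proc", path, noise(4096)},
		)
	}
	return events
}

func main() {
	base := Detector{EntropyThreshold: 7.0, MinFiles: 3}
	fmt.Println("entropy rule only:", base.Flagged(SampleEvents()))
	tuned := base
	tuned.AllowedProcesses = map[string]bool{"nightly_archive": true}
	fmt.Println("with archive job allowlisted:", tuned.Flagged(SampleEvents()))
}
```

Raising the entropy threshold or MinFiles lowers the false-alarm rate the same way, and with the same cost: a slower or more selective encryptor slips under it. Entropy is one signal to combine with others (rename patterns, canary files, the process’s signer), not a detector on its own.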
Despite the growth of new technologies, many healthcare organizations persist in using legacy systems. For example, the use of Windows XP (not supported since 2014) by some facilities allowed WannaCry to avoid detection. Additionally, the proprietary nature of medical device software may prevent HIT teams from accessing internal device software, resulting in reliance on manufacturers to design and maintain effective device security. Facilities in low- and middle-income countries (LMIC) may be at added risk owing to their use of open-source EMRs whose security may not be rigorously maintained.
Lastly, outsourcing may play a role in healthcare organization vulnerability. Health insurance niche software and service vendors are offering outsourcing as a remedy for organizational cost controls. However, offshore outsourcing companies are mostly self-regulated. There is currently no standard as to how a healthcare provider may ensure that offshore business associates are adequately protecting the electronic PHI of their patients.
4.2 Implications of international health security
With the dominance of ransomware as a leading cyber-security threat, it is important to consider its impact on International Health Security (IHS). Many countries lack the legal infrastructure to prosecute such crimes. Globally, cyber-attacks may result in substantial loss of resources, money, and life. Although many security threats have emerged from LMIRs, many of these regions lag behind higher income regions in implementation of automated technologies and EMRs in the medical sector. That said, the IHS community is actively endeavoring to increase the availability and use of these technologies in LMIRs. Thus, with falling costs and rising availability and implementation, HIT security will have an increasingly important role in IHS in upcoming years.
Traditional charting and management methodologies are steadily being replaced with digital ones. Technologies including digital algorithms and artificial intelligence are increasingly being used to monitor and coordinate threat responses [28, 29]. The IHS community has come to increasingly rely upon digital global surveillance networks such as the ProMED-mail (PMM) Network and the World Health Organization’s (WHO) Global Outbreak Alert & Response Network (GOARN), systems that help organizations improve coordination speed and response time to temper the impact of international infectious disease outbreaks [30, 31, 32]. These systems are often used by IHS networks and volunteers in the field and, if compromised, could become a portal of entry for cyber-attack. The attacks on the United Kingdom’s NHS demonstrate that even large state-sponsored institutions are not immune to cyber-attack.
Laboratory security is another important aspect for IHS, as the use and storage of sensitive pathogens make laboratories attractive targets for attacks. For this reason, the Global Health Security Agenda (GHSA) was created to help increase investment in global health security. GHSA is a 67-nation effort that hopes to increase the availability of laboratory systems for IHS use [34, 35].
5. Protecting your institution
As with most HIT issues, preventing a ransomware attack is a complex socio-technical problem. Richard Schaeffer (2009), the U.S. National Security Agency (NSA) Information Assurance Director, testified to the U.S. Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security that 80% of all ransomware attacks could be prevented by adhering to security measures already in place. In addition to a sophisticated encryption algorithm, ransomware attacks often rely on some form of “social engineering,” or the psychological manipulation of people to gain their trust and lead them to divulge confidential information. Solving these problems is a shared task between HIT users and those responsible for configuring, maintaining, and operating the HIT infrastructure. While preventing all ransomware attacks is not possible, there are several steps that healthcare organizations can take to reduce risk and mitigate harm (Table 2). Additionally, the U.S. Department of Health and Human Services (HHS) offers guidelines on the best policies for properly securing electronic PHI. The need to maintain software updates and patches cannot be overstated. For example, Microsoft Inc. had released a patch for the vulnerability exploited by WannaCry and NotPetya 8 weeks before the attack. If systems had remained up to date, the impact of both would likely have been significantly diminished.
|Socio-technical dimension||Security measures|
|Physical safeguards||Prevention and preparation|
|Hardware and software||Prevention and preparation|
|Clinical content||Intrusion detection; prevention and preparation; identity and access management|
|Workflow and communication||Intrusion detection; identity and access|
|Internal policies, procedures and environment|| |
|External rules and regulations||Preparation|
|Measurement and monitoring|| |
Another approach to recovering from a ransomware attack without needing to pay a ransom is to copy a file when it is being modified, storing one copy in a protected area and allowing any changes to be made to the other. ShieldFS© (NECSTLab, Milan, Italy) approaches this by creating a protected (i.e., read-only) copy of files when a process requests to modify or delete them. If ShieldFS© determines that a process is malicious, the offending process is suspended and the copies can be restored, replacing the modified (encrypted) versions. Conversely, Redemption uses a similar approach, but its technique creates a copy of each of the files targeted by the ransomware and then uses the Windows Kernel Development framework to redirect (or “reflect”) the write requests or filesystem operations (invoked by the ransomware to encrypt the target files) from the target files to the dummy copies in a transparent data buffer, hence leaving the original files intact.
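As an added user-space sketch (Go, written for this chapter; it is neither ShieldFS nor Redemption code and installs no kernel driver), the following keeps a read-only copy of each file the first time a writer touches it, lets the writes proceed on the live file, and restores the originals if the writer is later judged malicious. The temporary directories, the record content and the hypothetical Guard type are constructed for the example; a real implementation intercepts writes below the application, as the text describes, rather than asking the writer to go through an API.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// Guard sketches the protected-copy idea: before a file is first modified,
// its original bytes are preserved read-only in a shadow directory, then the
// write proceeds on the live file. If the writer is later judged malicious,
// Restore puts the preserved originals back over the modified versions.
type Guard struct {
	Root     string            // directory being protected
	Shadow   string            // where protected copies are kept
	snapshot map[string]string // live path -> shadow path
}

func NewGuard(root, shadow string) *Guard {
	return &Guard{Root: root, Shadow: shadow, snapshot: map[string]string{}}
}

// Write replaces the contents of name (relative to Root), preserving the
// original content the first time that file is touched.
func (g *Guard) Write(name string, data []byte) error {
	live := filepath.Join(g.Root, name)
	if _, saved := g.snapshot[live]; !saved {
		orig, err := os.ReadFile(live)
		if err != nil {
			return err
		}
		shadow := filepath.Join(g.Shadow, name)
		if err := os.MkdirAll(filepath.Dir(shadow), 0o700); err != nil {
			return err
		}
		if err := os.WriteFile(shadow, orig, 0o400); err != nil { // read-only copy
			return err
		}
		g.snapshot[live] = shadow
	}
	return os.WriteFile(live, data, 0o600)
}

// Restore copies every preserved original back and reports how many files
// were recovered.
func (g *Guard) Restore() (int, error) {
	n := 0
	for live, shadow := range g.snapshot {
		orig, err := os.ReadFile(shadow)
		if err != nil {
			return n, err
		}
		if err := os.WriteFile(live, orig, 0o600); err != nil {
			return n, err
		}
		n++
	}
	return n, nil
}

// Demo creates a temporary protected directory holding one constructed
// record, overwrites it twice through the guard (as an encrypting process
// would), rolls back, and returns the content seen before and after Restore.
func Demo() (modified, restored string, err error) {
	root, err := os.MkdirTemp("", "protected")
	if err != nil {
		return "", "", err
	}
	defer os.RemoveAll(root)
	shadow, err := os.MkdirTemp("", "shadow")
	if err != nil {
		return "", "", err
	}
	defer os.RemoveAll(shadow)
	const original = "patient 0001: allergy list, medication history"
	live := filepath.Join(root, "p0001.txt")
	if err := os.WriteFile(live, []byte(original), 0o600); err != nil {
		return "", "", err
	}
	g := NewGuard(root, shadow)
	for _, junk := range []string{"\x8f\x1a\x42 first rewrite", "\x2b\x44\x07 second rewrite"} {
		if err := g.Write("p0001.txt", []byte(junk)); err != nil {
			return "", "", err
		}
	}
	m, _ := os.ReadFile(live)
	if _, err := g.Restore(); err != nil {
		return "", "", err
	}
	r, _ := os.ReadFile(live)
	return string(m), string(r), nil
}

func main() {
	m, r, err := Demo()
	fmt.Printf("modified: %q\nrestored: %q\nerr: %v\n", m, r, err)
}
```

Only the first write to a file costs a copy, so the shadow area holds exactly one pristine version per touched file regardless of how many times the encryptor rewrites it; the decision of when to call Restore (and suspend the writer) is where a detector such as the one discussed under section 4.1 plugs in.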
Lastly, any ransomware attack should immediately be reported to the appropriate authorities. In the U.S., federal law dictates that any breach undergo a thorough and properly documented analysis to determine if any unsecured PHI was compromised [38, 39, 40]. For anything other than a low probability of PHI compromise, one must inform the U.S. Department of HHS as soon as possible, and no later than 60 days post-breach (when over 500 persons’ PHI is affected) [10, 37, 41].
As HIT infrastructure struggles with new technology and security protocols, the industry is a prime target for medical information theft. Even worse, the healthcare industry is lagging behind other leading industries in securing vital data. Healthcare organizations must adapt to the ever-changing cyber-security trends and threats, such as ransomware, where critical infrastructure is exploited and valuable patient data are extracted. It is imperative that time and funding are invested in maintaining and ensuring the protection of healthcare technology and the confidentiality of patient information from unauthorized access.
Conflict of interest
The authors have no conflict of interests to disclose.