Modern field guide to security and privacy

Why hospitals have become prime targets for ransomware attacks

Since hospitals store sensitive patient information, and often rely on outdated software and legacy computer systems, experts say they are especially susceptible to a wave of cyberattacks that encrypt data until victims pay ransoms.

REUTERS/Mario Anzuoni
The Hollywood Presbyterian Medical Center in Los Angeles, California In February, a cyber attack that has crippled the electronic database at Hollywood Presbyterian Medical Center for days, forcing doctors at the Los Angeles hospital to rely on telephones and fax machines to relay patient information.

Last fall, employees at UMass Memorial Medical Center clicked on an e-mail that looked just like any one of the hundreds of messages that flood their inboxes daily.

But this particular e-mail contained a hidden danger. When employees opened the message, they provided a gateway for malicious code to find its way onto several computers at the Worcester, Mass., facility – locking up dozens of files.

Soon thereafter, hospital workers saw a warning message flash across their screens telling them to pay what hospital officials characterized as a "hefty" bounty if they wanted to see their data again.

Criminal hackers hit the UMass Medical Center with malware that has targeted a string of US and Canadian hospitals over the past year. So-called "ransomware" locks users out of their files with an encryption algorithm, giving bad guys the chance to take entire computer systems hostage and demand bounties to unlock their data.

Reported ransomware attacks recently struck Methodist Hospital in Henderson, Ky., Ottawa Hospital, King’s Daughters Health in Indiana, and Hollywood Presbyterian Medical Center, Chino Valley and Desert Valley Hospitals in Southern California. Last year, the FBI said 2,453 ransomware thefts resulted in $24 million in losses.

The spate of ransomware is certainly raising alarms about the threat of cybercrime at hospitals as well as many other types of organizations. And, experts say, these incidents offer stark warnings when it comes to computer security basics: Businesses that don't adhere to simple cybersecurity precautions – such as backing up files or updating vulnerable or dated software – can give criminals an opening to hijack their most valuable information.

"It's truly become an epidemic," said Dmitri Alperovitch, cofounder and chief technology officer at the cybersecurity firm Crowdstrike. "[Businesses] all feel like this is the No. 1 threat they're facing right now."

In light of the recent wave of attacks, many cybersecurity firms and independent security researchers have increased their focus on how to stop ransomware from crippling businesses.

In April, for instance, a security researcher known as "Leo Stone" released a tool that helps users infected with "Petya" ransomware – that encrypts files and hard drives – discover a decryption key by putting the infected drive on another computer and extracting the data.

Hospitals, in particular, are also increasing security measures to prevent ransomware attacks. Bruce Forman, the security chief at UMass Memorial Medical Center, plans on implementing "advanced persistent threat" software that can act as a virtual firewall or identify malware based on how it behaves and controls that evaluate file integrity.

UMass is also training its employees not to open suspicious e-mails, and often sends them phony messages that are similar to ones that typically deliver the ransomware payload.

"We’ve all opened a link and clicked on an attachment that we shouldn’t have opened. There’s no silver bullet" to stop it, Mr. Forman said.

The 2015 attack didn't do any lasting damage to UMass's computer systems. Forman and his team successfully removed the encrypted files and restored lost information from backups – ignoring ransom demands.

Security experts first spotted ransomware attacks coming from Russia more than a decade ago. But attacks boomed by 48.3 percent in 2015, according to security firm Kaspersky Labs, since strains that encrypt files are tougher for investigators to root out.

But even if their systems are up to date, network defenders also have to contend with new strains of ransomware code that hide in peer-to-peer file sharing tools, YouTube ads, and JavaScript applications. Hackers deploying ransomware have also gotten more sophisticated. In the second quarter of 2015 alone, McAfee Labs found more than 1.2 million new ransomware samples.

Law enforcement agencies have also had some success combating ransomware.

In June 2014, FBI agents managed to capture command-and-control servers for CryptoLocker – one of the first ransomware viruses to encrypt files – after the malicious software had infected 500,000 machines in just six months. That allowed security firm FireEye to create software to help unlock computers that the virus had taken over.

But the FBI's success in that case might be the exception to the norm.

The easiest way to deal with the problem in the short term, experts say, might be more straightforward: Educating the workforce. "You're still as vulnerable as your most gullible employee," John Halamka, Chief Information Officer and Dean for Technology at Harvard Medical School told Passcode in an e-mail.

Still, don't expect hackers to stop attacking hospitals – which possess valuable personal information.

"A full record of somebody’s personal history is something that they can leverage for multiple attacks," said Ed Cabrera, an executive at the cybersecurity firm Trend Micro. "As soon as you start paying, it becomes a great return on investment for [hackers]."


You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Why hospitals have become prime targets for ransomware attacks
Read this article in
QR Code to Subscription page
Start your subscription today