Why hospitals have become prime targets for ransomware attacks

Since hospitals store sensitive patient information, and often rely on outdated software and legacy computer systems, experts say they are especially susceptible to a wave of cyberattacks that encrypt data until victims pay ransoms.

Last fall, employees at UMass Memorial Medical Center clicked on an e-mail that looked just like any one of the hundreds of messages that flood their inboxes daily.

But this particular e-mail contained a hidden danger. When employees opened the message, they provided a gateway for malicious code to find its way onto several computers at the Worcester, Mass., facility – locking up dozens of files.

Soon thereafter, hospital workers saw a warning message flash across their screens telling them to pay what hospital officials characterized as a "hefty" bounty if they wanted to see their data again.

Criminal hackers hit the UMass Medical Center with malware that has targeted a string of US and Canadian hospitals over the past year. So-called "ransomware" locks users out of their files with an encryption algorithm, giving bad guys the chance to take entire computer systems hostage and demand bounties to unlock their data.

Reported ransomware attacks recently struck Methodist Hospital in Henderson, Ky., Ottawa Hospital, King’s Daughters Health in Indiana, and Hollywood Presbyterian Medical Center, Chino Valley and Desert Valley Hospitals in Southern California. Last year, the FBI said 2,453 ransomware thefts resulted in $24 million in losses.

The spate of ransomware is certainly raising alarms about the threat of cybercrime at hospitals as well as many other types of organizations. And, experts say, these incidents offer stark warnings when it comes to computer security basics: Businesses that don't adhere to simple cybersecurity precautions – such as backing up files or updating vulnerable or dated software – can give criminals an opening to hijack their most valuable information.

"It's truly become an epidemic," said Dmitri Alperovitch, cofounder and chief technology officer at the cybersecurity firm Crowdstrike. "[Businesses] all feel like this is the No. 1 threat they're facing right now."

In light of the recent wave of attacks, many cybersecurity firms and independent security researchers have increased their focus on how to stop ransomware from crippling businesses.

In April, for instance, a security researcher known as "Leo Stone" released a tool that helps users infected with "Petya" ransomware – that encrypts files and hard drives – discover a decryption key by putting the infected drive on another computer and extracting the data.

Hospitals, in particular, are also increasing security measures to prevent ransomware attacks. Bruce Forman, the security chief at UMass Memorial Medical Center, plans on implementing "advanced persistent threat" software that can act as a virtual firewall or identify malware based on how it behaves and controls that evaluate file integrity.

UMass is also training its employees not to open suspicious e-mails, and often sends them phony messages that are similar to ones that typically deliver the ransomware payload.

"We’ve all opened a link and clicked on an attachment that we shouldn’t have opened. There’s no silver bullet" to stop it, Mr. Forman said.

The 2015 attack didn't do any lasting damage to UMass's computer systems. Forman and his team successfully removed the encrypted files and restored lost information from backups – ignoring ransom demands.

Security experts first spotted ransomware attacks coming from Russia more than a decade ago. But attacks boomed by 48.3 percent in 2015, according to security firm Kaspersky Labs, since strains that encrypt files are tougher for investigators to root out.

But even if their systems are up to date, network defenders also have to contend with new strains of ransomware code that hide in peer-to-peer file sharing tools, YouTube ads, and JavaScript applications. Hackers deploying ransomware have also gotten more sophisticated. In the second quarter of 2015 alone, McAfee Labs found more than 1.2 million new ransomware samples.

Law enforcement agencies have also had some success combating ransomware.

In June 2014, FBI agents managed to capture command-and-control servers for CryptoLocker – one of the first ransomware viruses to encrypt files – after the malicious software had infected 500,000 machines in just six months. That allowed security firm FireEye to create software to help unlock computers that the virus had taken over.

But the FBI's success in that case might be the exception to the norm.

The easiest way to deal with the problem in the short term, experts say, might be more straightforward: Educating the workforce. "You're still as vulnerable as your most gullible employee," John Halamka, Chief Information Officer and Dean for Technology at Harvard Medical School told Passcode in an e-mail.

Still, don't expect hackers to stop attacking hospitals – which possess valuable personal information.

"A full record of somebody’s personal history is something that they can leverage for multiple attacks," said Ed Cabrera, an executive at the cybersecurity firm Trend Micro. "As soon as you start paying, it becomes a great return on investment for [hackers]."