
Ransomware Case Studies: Hollywood Presbyterian & The Ottawa Hospital

June 17, 2016 by Chris Sienko

Ransomware, which holds computers or data hostage in exchange for money, continues to be a major threat to hospitals and other medical facilities. To further educate administrators, let’s take a closer look at two notable recent incidents. The first, Hollywood Presbyterian Medical Center, made international headlines for being taken offline and eventually paying the $17,000 ransom. The second, The Ottawa Hospital, was able to recover from its incident relatively unscathed.

Case One: Hollywood Presbyterian Medical Center

[Figure 1. Photo: http://www.healthcareitnews.com]


Background: A general medical and surgical hospital that originally opened in 1924 as Hollywood Hospital. It became known as Queen of Angels-Hollywood Presbyterian when two hospitals merged in 1998. It was sold to the South Korean CHC Medical Group in 2004 and currently has 424 beds and more than 500 doctors, who saw 16,175 patients according to data from the latest year available.

How it Happened: According to Wired Magazine, the computer system was hit by a ransomware strain called Locky, which locks users out of their files and withholds the decryption key until a ransom is paid. President and CEO Allen Stefanek stated that the attack was random, and Symantec reports that Locky usually spreads via a malicious Word document disguised as an invoice, so it is very likely the attack began when an employee opened an email attachment that was actually part of a phishing scam.

Who sent the email, who opened it, and when it arrived were not reported, but on February 5, 2016, some members of the staff at Hollywood Presbyterian told their supervisors that they were unable to access the network. To restore the hospital’s access, the ransomware demanded 40 Bitcoin (approximately $17,000).

An internal emergency was declared immediately and the computer system was taken offline. Some departments, including Radiation Oncology, were told not to turn on their computers at all. Doctors told reporters they were unable to access patients’ medical histories and could not share x-rays, CT scans, and other medical tests. Some patients were diverted to nearby hospitals, and staff had to resort to doing patient admissions and other record-keeping with pen and paper.

[Figure 2: The Locky screen of death. Photo: Palo Alto Networks]

NBC4 first reported the breach on February 12, 2016, and stated that both the LAPD and FBI had begun an investigation. However, the LA Times stated in a later report that law enforcement wasn’t notified about the breach until after the hospital had already paid the ransom. According to Hollywood Presbyterian Medical Center’s official statement, all services were restored on February 15, ten days after the attack.

“All systems currently in use were cleared of the malware and thoroughly tested. We continue to work with our team of experts to understand more about this event,” Stefanek said in the statement.

Aftermath: No further breaches of Hollywood Presbyterian Medical Center have been reported and things appear to have returned to “normal.” IT experts have concluded that Hollywood Presbyterian Medical Center had no usable backup data available and, given how widely the infection spread through its systems, likely had a very weak security infrastructure. The hospital has kept mum about its plans for security and education.

Hollywood Presbyterian Medical Center has middling-to-negative reviews on Google and Yelp, although none seem to be related to the ransomware attack. Administrative decisions have gotten it into trouble before: in 2007, it paid a million-dollar fine after admitting to dumping patients on Skid Row.

The successful attack and lucrative payout has likely emboldened the criminals, who have not yet been identified or caught, to continue their terrorism of hospitals. Indeed, Palo Alto Networks observed nearly half a million unique Locky sessions shortly after the Hollywood Presbyterian attack, and Symantec stated that it had already blocked 5 million emails carrying the malware by February 17.

Case Two: The Ottawa Hospital

[Figure 3. Photo: wikimedia.org]

Background: A non-profit, public university teaching hospital comprising the former Grace Hospital, Riverside Hospital, Ottawa General Hospital, and Ottawa Civic Hospital. It has 1,117 beds and is one of two trauma centers in the region, serving 1.3 million people. It reports a staff of 11,638, 1,377 physicians, 1,025 volunteers, and a network of 9,800 computers.

How It Happened: The hospital told the press that over a three-week period beginning in March 2016, four people clicked on a phishing email that disabled/encrypted their devices. It did not disclose what information was on those machines but stated that no patient information was compromised. “The malware locked down the files and the hospital responded by wiping the drives,” The Ottawa Hospital spokeswoman Kate Eggans announced, adding that the culprit was the WinPlock virus, a variation on Cryptolocker, and that it was unable to breach the network and infect other computers. Ms. Eggans stressed that no ransom was paid.

The Ottawa Hospital also said that it was confident it had the appropriate safeguards in place and that it continues to look for ways to improve security. IT administrators within the hospital wiped the affected drives and reimaged them from recent backups that were available and ready to go.
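The difference between the two cases comes down to whether a clean, verified copy of the data existed when the infected machines were wiped. The following script is an added example, not code from the article or from either hospital, showing the kind of restore drill a defender runs to prove that: it records a SHA-256 manifest of a record set, keeps a separate copy as the "offline" backup, simulates the damage ransomware does to the live copy (contents overwritten, a new extension appended), and then checks both copies against the manifest. All file names and contents are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large scans do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_against(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a directory tree with a previously recorded manifest.

    'missing'    : files in the manifest that no longer exist under root
    'changed'    : files whose content digest differs from the manifest
    'unexpected' : files under root that the manifest never recorded (e.g. *.locky)
    """
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def restore_drill() -> dict[str, dict[str, list[str]]]:
    """Run the whole drill in a temporary directory and return both verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "records"
        backup = Path(tmp) / "backup"
        live.mkdir()
        (live / "radiology").mkdir()
        # Constructed sample records; nothing here is real patient data.
        (live / "admissions.csv").write_text("id,name\n1,constructed patient\n")
        (live / "radiology" / "scan-001.txt").write_text("constructed scan report\n")

        manifest = build_manifest(live)       # recorded at backup time
        shutil.copytree(live, backup)         # the copy kept off the network

        # Simulate what the live share looks like after an infection:
        # content replaced with junk and a ransomware extension appended.
        victim = live / "admissions.csv"
        victim.write_bytes(b"\x00" * 32)
        victim.rename(victim.parent / (victim.name + ".locky"))

        return {
            "live": verify_against(live, manifest),
            "backup": verify_against(backup, manifest),
        }


if __name__ == "__main__":
    for name, result in restore_drill().items():
        print(name, result)
```

The manifest is recorded when the backup is taken and stored with it; a restore drill that passes for the backup copy and fails for the live copy is exactly the evidence an administrator needs before choosing "wipe and reimage" over "pay".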

Aftermath: The Ottawa Hospital is one of the few reported successes in the war against ransomware. The hospital seems to have good morale among its employees, which may be a factor in its successful defeat of the ransomware, but it receives a C grade in care from the CBC and mixed reviews from patients.

Conclusions: Putting aside any comparisons of Canada vs. U.S. health care, it’s clear that hospitals and medical facilities of any size in any country are vulnerable to a ransomware scam. Both of these ransomware incidents are said to have occurred “randomly,” albeit within the healthcare industry, which is seeing a spike in attacks.

Clearly, Hollywood Presbyterian Medical Center was caught off guard by the ransomware event, and its payment is currently the largest reported sum paid by anyone to retrieve data (most ransoms are in the hundreds of dollars). The embarrassing publicity Hollywood Presbyterian received perhaps served as a wake-up call to many healthcare institutions and networks, The Ottawa Hospital included. (Another notable ransomware attack, on March 23 against Chino Valley Medical Hospital and Desert Valley Hospital, was thwarted, with no data compromised and no ransom paid.)

However, all of these attacks, whether successful or unsuccessful, highlight the urgent need for awareness, training, and vigilance when it comes to ransomware and phishing. While many details of these events have not been made public, it is clear that they all started with someone opening an email attachment that was part of a phishing scam.

Because the malware was relatively new, it slipped past the antivirus blacklists and filters installed on these machines: signature-based tools can only block what they have already seen. The user, believing the message in the inbox was a legitimate invoice, clicked the attachment and the infection began.
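Because a blacklist cannot stop an attachment it has never seen, a mail gateway also needs policy checks that do not depend on the sample being known. The script below is an added example written for this article, not code from the article or from any product it mentions. It triages constructed sample messages by three signals that apply to the invoice-lure pattern described above regardless of signature: executable or script extensions, double extensions such as `receipt.pdf.js`, and Office documents that carry a VBA project (OOXML files are zip containers, and the macro code lives in an entry named `vbaProject.bin`). An external sender, an Office attachment and an invoice-themed subject together raise a fourth finding. The internal domain `hospital.example`, the sender addresses and the minimal "documents" are all constructed for the example.

```python
import io
import zipfile
from dataclasses import dataclass

# Constructed internal mail domain for the example; mail from anywhere else is "external".
INTERNAL_DOMAIN = "hospital.example"

# Attachment types that have no business arriving from outside the organisation.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jse", ".wsf", ".bat", ".cmd", ".ps1"}
OFFICE_EXTENSIONS = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".rtf"}
LURE_WORDS = ("invoice", "payment", "remittance", "receipt")


@dataclass
class Message:
    sender: str
    subject: str
    attachment_name: str
    attachment_bytes: bytes


def extension(name: str) -> str:
    """Return the final extension in lower case, or '' if there is none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def has_ooxml_macro(data: bytes) -> bool:
    """True if the bytes are a zip (OOXML) container holding a VBA project."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(msg: Message) -> list[str]:
    """Policy checks that do not rely on having seen the specific sample before."""
    findings = []
    ext = extension(msg.attachment_name)
    external = not msg.sender.lower().endswith("@" + INTERNAL_DOMAIN)
    parts = msg.attachment_name.lower().split(".")

    if ext in BLOCKED_EXTENSIONS:
        findings.append(f"blocked-extension:{ext}")
    # e.g. invoice.pdf.js: a document-looking name hiding a script extension
    if len(parts) > 2 and "." + parts[-2] in OFFICE_EXTENSIONS | {".pdf"}:
        findings.append("double-extension")
    if has_ooxml_macro(msg.attachment_bytes):
        findings.append("office-macro")
    lure_text = (msg.subject + " " + msg.attachment_name).lower()
    if external and ext in OFFICE_EXTENSIONS and any(w in lure_text for w in LURE_WORDS):
        findings.append("external-invoice-lure")
    return findings


def build_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container; enough structure for the macro check, not a real Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed")
    return buf.getvalue()


# Constructed sample messages: an invoice lure with a macro, a benign internal document,
# and a script hiding behind a double extension.
SAMPLE_MESSAGES = [
    Message("billing@vendor-example.net", "Invoice J-98223", "invoice_J-98223.docm", build_docx(True)),
    Message("hr@hospital.example", "Updated shift schedule", "schedule.docx", build_docx(False)),
    Message("noreply@courier-example.org", "Your receipt", "receipt.pdf.js", b"alert(1)"),
]


def run_triage(messages=SAMPLE_MESSAGES) -> dict[str, list[str]]:
    """Attachment name -> list of findings, empty when the message passes every check."""
    return {m.attachment_name: triage(m) for m in messages}


if __name__ == "__main__":
    for name, findings in run_triage().items():
        print(f"{name}: {findings or 'clean'}")
```

Each finding is a reason to quarantine or at least strip the attachment before the user ever sees it, and because the checks are structural, a brand-new malware build gets caught by the same rules as last month's. A real gateway would extend this with sandbox detonation and sender reputation, but even these checks would have flagged the invoice-style lure described in both incidents.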

How SecurityIQ Can Help

While it is essential that your organization has the necessary safeguards, such as a backup system and robust IT security, the bottom line is that you and your staff need to be on heightened alert against phishing attacks at all times. But it is one thing to read a memo or watch a video; it is quite another to practice these same responsibilities in real life.

That is why SecurityIQ has developed AwareED and PhishSim, a pair of essential educational products that not only deliver this important message but make sure it is understood and heeded.

AwareED is a series of courses designed to teach about various aspects of network protection, including anti-phishing tips, password security, and safe browsing. Each learning module consists of videos, as well as exercises that reinforce the material.

Administrators who sign up with AwareED can create an awareness campaign, select learning modules and add employees (called “learners”). From there, AwareED takes over, sending out enrollment reminders and administering the course. You can remotely monitor their progress, and view the results, which are compiled in a report.

Hand-in-hand with education comes practice. That’s why we’ve also created PhishSIM, which is designed to mimic a phishing attack, minus the damage to your network. With PhishSIM, administrators “become” hackers, creating spam emails or using one of our many templates.

There are a variety of phishing attacks to choose from, some using subject matter related to healthcare, such as “Missing Patient Info,” while others offer “Free Pizza.” If a learner clicks the embedded link, instead of unleashing malware it directs them to the SecurityIQ website, where they watch a short video explaining that they have been “phished.”

[Figure 5: Sample template from PhishSIM. An email like this could bring down an entire network.]

PhishSIM can be used before AwareED or vice versa, but the idea is to catch those employees who are unaware of the threat or have let their guard down. Every click, and the user who made it, is recorded in the PhishSIM dashboard.

Because of the variety of phishing methods, administrators are encouraged to create a “battery” of email attacks by choosing different templates. From there, a campaign is created targeting the learners in the database. Once again, everything else is automated, with full reports available on the dashboard.

Another vulnerability besides email links and attachments is rogue websites that pose as banks or other official sites. Users redirected to them often inadvertently type in their username and password, resulting in the theft of their identity or worse. That is why PhishSIM also offers a set of data-entry sites, which can be paired with the various email campaigns.

[Figure 4: A Data Entry Website template in PhishSIM that convincingly mimics Outlook.]

Again, instead of having their information stolen and used to break into the system, the learner is shown a video and you are alerted.

Security experts agree that real-world training in the form of drills is essential to combating accidental breaches from ransomware and phishing attacks. With SecurityIQ’s suite of tools, the training and drilling is automatic, increasing security with every test run.


Registering with SecurityIQ is free, which gives you a chance to check out our system and includes 100 sends, 5 campaigns, and 30 learners.

As these case studies have tried to show, any and every hospital or medical facility is a target for a ransomware attack, and all it takes is one click to potentially compromise your system. You can be like Hollywood Presbyterian Medical Center, offline for over a week and paying a ransom in the end, or you can follow the path of The Ottawa Hospital and have a trained staff and a secure, backed-up infrastructure.

By choosing to work with SecurityIQ, all your employees will learn to always be on heightened alert and will avoid clicking on any malware.
