Ransomware: A New Crime for a New Century
The fourth part of RealClearPolitics’ series on security issues in the 2016 campaign focuses on digital vulnerabilities. Part 1 was a national overview, Part 2 addressed the economy, and Part 3 dealt with energy and the environment.
The kidnapping of Charles Lindbergh Jr., the payment of ransom, and the child’s subsequent murder so gripped the nation in 1932 that the episode was labeled the “crime of the century.” We’re well into a new century now, and criminals are once again demanding ransom from their victims. This time, though, it’s our computers, not our children, that are being targeted.
We know that our personal data is vulnerable to attacks by computer hackers. According to federal officials, the personnel records of 22 million federal employees and job applicants were stolen last year by hackers suspected to be working for the Chinese government. Health insurer Anthem’s systems were also breached last year, exposing the personal data of about 80 million current and former policyholders. Attacks on retailers’ computer systems have compromised millions of credit card numbers – 40 million were stolen from Target during the 2013 holiday shopping season alone. And the 2015 attack on the online “cheating” website AshleyMadison.com showed that even unfaithful spouses aren’t safe from cybercrime.
Cyberthieves aren't just stealing personal data anymore, though. They can now take your computer hostage and demand money from you. And it's not just your wallet that's at risk: Hospitals have proven particularly vulnerable to the attacks, and that could put your health in danger.
How Ransomware Works
This cyberthreat is called “ransomware,” and the computer pathogens that make it possible have been circulating for several years. Here’s what happens if you’re the victim of one of these attacks: Your computer becomes infected by a virus. But instead of using your email to send spam or attempting to steal your passwords, this virus encrypts the data on your computer, locking you out until you supply the key to decode the encryption. And you can only obtain that key by paying ransom to your attacker.
In a bit of irony, this crime is made possible by the same strong encryption that is used to protect personal information when we shop online or when we lock the screen on an iPhone. Data encryption is effective at keeping intruders out because the “key” needed to decode the data is such a large number that it would take years of guessing to stumble onto the right value. That’s why even the FBI needed help finding a work-around to get past the encryption on the iPhone of San Bernardino attacker Syed Farook.
Ransomware criminals take the benefits of strong encryption and turn them on their head. Instead of keeping your data safe from intruders, the encryption treats you as the intruder and keeps you out of your own computer. Once your computer is infected, you have two choices: Erase everything on it – including the virus – and lose all your data. Or pay the ransom, hoping that the criminals receiving it keep their word and that your computer’s data doesn’t meet the same fate as young Charles Lindbergh Jr.
On Feb. 5, that was the choice facing officials at Hollywood Presbyterian Medical Center in Los Angeles. After considering their options, they decided to pay their attackers $17,000 to restore their computer systems.
Since then, there has been a wave of similar ransomware attacks. Hospital computers have been infected in Chino, Victorville, and San Diego, Calif., in Madison, Ind., in Henderson, Ky., and in Ontario, Canada. In the largest attack so far, computers at all 10 hospitals in the MedStar Health system in Maryland and Washington, D.C., were infected by a virus in March. Officials there did not specify the type of malware that compromised their systems, but documents obtained by the Baltimore Sun indicate the hackers demanded a ransom.
So far, Hollywood Presbyterian is the only hospital that has publicly acknowledged paying ransom. The others seem to have chosen the slow, expensive alternative of erasing the data on their computers and restoring from backups.
Why Hospitals? Why Now?
There are two major factors that make the health care industry especially vulnerable to cybercrime in 2016.
First, health care has historically lagged behind other industries in adopting computerized records systems. It has been decades since banks kept account records on paper, but as recently as 2008, less than 10 percent of U.S. hospitals had even a basic electronic health records system.
The second factor is a strong push by the federal government in recent years to hasten the adoption of EHRs. The 2009 stimulus bill deployed a carrot-and-stick approach to speed the conversion to digital records. Funds were set aside to help finance the purchase of EHR systems, and in return, providers were required to meet minimum standards and to demonstrate “meaningful use” of these systems to improve the efficiency and quality of care.
The rush to adopt this technology caused serious growing pains, and the rollout of these systems is often an ordeal. For example, a New York City official last month compared the new system for the city’s hospitals to the 1986 Challenger disaster. A 2013 RAND Corp. study of U.S. physicians found that “the current state of EHR technology appeared to significantly worsen professional satisfaction in multiple ways,” and in many hospitals, the focus has been on just getting the systems functioning at the most basic level.
Some foresaw that rapid adoption of the new technology would cause problems. As early as two years ago, the FBI circulated a warning to the health care industry to expect a rash of cyberintrusions “due to mandatory transition from paper to electronic health records (EHR), lax cybersecurity standards, and a higher financial payout for medical records in the black market.”
Ultimately, hospitals lacking experience with electronic health records also are proving to lack experience protecting these systems from intrusion.
Lee Kim, the director of privacy and security at the health IT industry group HIMSS, says many health care systems "do not know where their valuable information is and what their own weaknesses are in terms of information security." This leaves their computer security systems untested until "hackers come knocking at the door."
To keep criminals out, it’s important to stay on top of software updates on all systems. It's not enough just to protect computers in the data center, since attacks often begin on an employee's desktop computer. Cybersecurity journalist Brian Krebs calls ransomware infections "largely opportunistic attacks" that often take advantage of outdated Web browsers and plug-ins.
Perhaps these attacks are the inevitable growing pains of an industry rushing to catch up to the digital age. The good news for hospital patients is that ransomware hackers don’t seem interested in personal data. For most patients at targeted hospitals, the attacks have meant some canceled appointments and medical care that is forced to revert to the pen-and-paper procedures that EHR systems were designed to make obsolete.
However, as health care providers inevitably become more dependent on digital technology, it will only be more important for hospitals to get cybersecurity right. HIMSS's Kim says she's not aware of any public reports of patients being harmed by a cyberattack. "There is, however, that risk," she warns.