With Hospital Ransomware Infections, the Patients Are at Risk
Ransomware that locks up patient data in hospitals is disrupting medical care, and the problem is set to get worse.
Police departments, government offices, corporations, and countless individuals have been victims of malicious software that encrypts data and demands payment for its return. But a spate of recent ransomware infections at hospitals has some experts worried that patient care could suffer.
“The big difference with health care is that the consequences are greater,” says Kevin Fu, an associate professor at the University of Michigan who studies computer security issues in hospitals. “You can lose your e-mail and that’s annoying, but patient records are needed in order to treat patients.”
After ransomware struck Hollywood Presbyterian Hospital in Los Angeles in February, the hospital's central medical records system was largely unusable for 10 days, and some patients had to be transported to other hospitals. A hospital in Germany that had medical records locked up by ransomware canceled some high-risk surgeries for safety reasons.
The FBI says that ransomware became significantly more common last year, and it expects the problem to keep growing.
Malware getting into hospitals isn’t anything new. Fu and other researchers have spent years showing that the way hospital networks are architected allows run-of-the-mill malware picked up from malicious e-mail attachments or infected websites to get onto machines holding patient records (see “Computer Viruses are ‘Rampant’ on Medical Devices in Hospitals”).
But ransomware is more concerning because, unlike other forms of malware—for example, the kind that sends spam or steals online credentials—it is designed to be actively destructive. “It wasn’t really until ransomware came around that we saw malware trying to cause direct harm and deliberately make these systems unavailable,” says Fu.
Medical staff should know how to get their jobs done without access to the usual systems, says Fu, but disrupting a hospital’s usual procedures inevitably creates some risks. Some are indirect. When patients get turned away, as they did by Hollywood Presbyterian in February, other facilities had to pick up the slack.
It is likely that researchers like Fu will soon have a lot of data on the effects of ransomware on health-care delivery. Ransomware is getting more sophisticated, and some criminals have started specifically targeting valuable data inside corporations, for example data from HR departments.
“The impressive amount of money cybercriminals are extorting has helped them invest more resources in the development of new strains of ransomware,” says Bogdan Botezatu, a senior analyst at security company BitDefender. Some 2,500 reports of ransomware were made to the FBI last year, with victims paying out $24.1 million in ransoms. When security companies investigated one successful malware variant last year, they found evidence it had raked in $425 million globally.
More sophisticated malware might be even more profitable. The FBI sent out an urgent memo in January warning corporations about a strain of ransomware called Samsam that targets the servers that keep businesses running. It is believed to be behind the IT problems crippling a system of Baltimore area hospitals this week. Several security companies recently reported that skilled hacking groups previously seen stealing company secrets have adopted the ransomware business model (see “Out-of-Work Chinese Hackers May Be Behind Sophisticated Ransomware Attacks”).
The easiest way to recover from a ransomware attack is often to just pay up, because the criminals behind the malware try to offer good customer service to keep their business model working. Hollywood Presbyterian spent $17,000 to get its data back, joining the many individuals, businesses, and even police departments that have opted to pay up to unlock data (see “Holding Data Hostage: The Perfect Internet Crime?”).
Paying off ransomware also raises ethical questions. “By paying a ransom you are giving criminals incentive to continue their campaigns,” says Travis Smith, senior security research engineer at Tripwire. The best option is for organizations to maintain good backups that are isolated from their main systems but can be quickly restored, he says.
Become an MIT Technology Review Insider for in-depth analysis and unparalleled perspective.Subscribe today