The CynergisTek Blog

There is consensus agreement that threats that exploit vulnerabilities in the health care cyberinfrastructure grow and evolve at a breakneck pace. Organizations that take a holistic view in developing a flexible approach to understand, manage and reduce its cybersecurity risk, will be in a better position to defend their enterprise from attack.

The first known instance of what we now know as ransomware was seen in 1989. This first attempt was a poorly executed endeavor to extort $189 from the victims, but it was quickly discovered that recovering the files did not require the "tool" offered. The world and concept of ransomware remained relatively quiet for many years until two researchers Adam L. Young and Moti Yung wrote an academic treatise on the subject in 1996. In their paper and research, they demonstrated the fatal flaw in the first ransomware. The issue was using symmetric encryption which meant the encryption key was in the code of the first Trojan, so extraction of the data with the proper key was possible.

The increase of ransomware attacks on healthcare entities and their business associates continues to be a significant concern. While covered entities (CE) have their own issues to deal with when the attack is directly against the organization, there are additional considerations if the attack is on a business associate (BA). This issue was recently raised when there was a reported attack against a BA used by several healthcare entities. The attack was made public, which means the CEs that used the business associate were on notice of the attack.

Petya, or NotPetya as some call it, has shown itself to either be very poorly thought out ransomware, or more likely a full on destructive malware attack thinly veiled as ransomware. In essence, a “traditional” ransomware threats will encrypt specific important file types and show the user a ransom note telling them to pay or lose their data. In the last week of June, we saw something stranger, on the surface it appeared to be a modified version of a known and fairly common ransomware variant called Petya, hence the NotPetya name. However, unlike standard ransomware, where the entire purpose of it is to make money, the ransom payment and recovery mechanisms built into this new Petya variant were very weak. It relied on a single email address (that was promptly shut down) and a single Bitcoin wallet meaning there was virtually no way for the criminals to know who had paid, or which key might be the right one to unlock the data.

Hospital administrators are reporting challenges in hiring and retaining cybersecurity professionals needed to mitigate the new cyber threats. The issue is getting broad attention outside of healthcare, including a National Public Radio’s All Things Considered aired a segment addressing the issue on July 26, 2017. This is due in part to reports that there are over one million open security positions that can’t be filled. The challenges are real, but they can be managed when properly framed.

IT and InfoSec professionals have been playing catch up with users since the beginning of time (as long as you consider the first computer the beginning of time like I do). This is at least partially caused by an all-encompassing misunderstanding that has been rarely noticed at best and certainly never been remediated.

WannaCry, Petya, NotPetya—recent news reports have been filled with coverage of massive ransomware attacks that swept across the globe, wreaking havoc on public utilities, companies, health systems and government offices. Ransomware is a type of malware that prevents or limits access to a system until a ransom is paid. In the face of these attacks and other emerging cybersecurity threats, what can healthcare organizations do to identify vulnerabilities and protect sensitive patient data?

There is no shortage of professionals and experts talking about security, but if you want to understand security, or even just IT in general, you have to understand human beings. The users and those that administer the systems are all people. If one strives to understand and impact security overall, they must fully understand the human condition.

Airway Oxygen reported the largest ransomware attack to date to OCR’s wall of shame on June 16th, 2017. It affected 500,000 individuals, making it the second largest breach so far in 2017. I believe there are several takeaways from this incident that the industry show know about.

In the United States, we got lucky, very lucky, that a malware researcher known only as @MalwareTechBlog on Twitter found the “kill switch” domain in the code of the WannaCry ransomware. Had he not found and purchased this domain, effectively neutering the ransomware, I believe that the incident could have been much worse. It was already quite bad around the world with estimates of over 200,000 systems infected including many healthcare providers in the United Kingdom.