Hackermania runs wild…all the way to the bank! Ransomware strikes Crozer-Keystone, UCSF med school, others

News to make you livid. After surviving (to date) the COVID pandemic, health systems and medical schools are being attacked by ransomware criminals. Both the small Crozer-Keystone Health System and the globally known University of California San Francisco School of Medicine have been attacked by the ever-so cutely named Netwalker (a/k/a MailTo). Yes, this criminal hacker gang isn’t outside banging pots for first responders or donating money, or even sticking to a brief truce (Emsisoft), but figuring ways to spread malware into healthcare organizations for fun and profit. 

And profitable it’s been. UCSF paid Netwalker the princely sum of $1.14 million (£910,000) in 116.4 bitcoins after an attack starting 1 June that was also (to add insult to injury) published on Netwalker’s public blog. In the timeline presented by BBC News, it was negotiated down (professionally) from $3 million; BBC also obtained some key parts of the negotiation via an anonymous tipoff, and it’s fascinating reading. Netwalker leads the victim to a dark web ‘customer service’ site where there’s a countdown to double payment or deletion of your now-encrypted data. They are also able to live chat with the victim.

UCSF was able to limit the malware encryption damage to servers within the School of Medicine (according to the BBC, literally unplugging computers; according to UCSF, isolating servers) but decided to pay the ransom to unlock the encrypted data and return data they obtained, stating in its public release “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good”. They will work with the FBI on the incident and have brought on board outside expert help.

According to FierceHealthcare, Netwalker was also behind the attack on the Champaign-Urbana Public Health District (Illinois) website in March and Michigan State University’s network in May.

Paying ransom is contrary to the advice of the major world security services such as the FBI, Europol, and the UK’s National Cyber Security Centre, on the simple basis that it encourages them. It’s a true damned-if-you-do, damned-if-you-don’t situation, as Brett Callow, a threat analyst at cyber-security company Emsisoft, said to the BBC: “But why would a ruthless criminal enterprise delete data that it may be able to further monetise at a later date?” 

Crozer-Keystone to date has refused to pay ransom. On 19 June, bitcoin publication Cointelegraph published a screenshot of Netwalker’s dark web auction page of the data. Apparently it is all financial and not medical records or PHI. Crozer also isolated the intrusion and took systems offline. Crozer is a small system of four hospitals in suburban Philadelphia (Delaware County) and serves parts of the state of Delaware and western New Jersey.

Neither Crozer nor UCSF have gone public with the source of the breach, but it is known that the main lure during the pandemic has been phishing emails with COVID-19 results or news, loaded with malware downloads.

As this Editor wrote back in May 2018 on the anniversary of WannaCry, it’s not a matter of if, but when, at highly vulnerable organizations like healthcare and academia with high-value information records. Right now, the Hakbit spear-phishing ransomware connected to an Excel spreadsheet macro is targeting mid-level individuals at pharma, healthcare, and other sectors in Austria, Germany, and Switzerland, according to tech research firm Proofpoint. TechGenix

More: Becker’s 22 June on Crozer-Keystone, 29 June on UCSF, 12 largest healthcare breaches to date, 10 healthcare system incidents for June, Kroger hacking incident exposing 11,000 health records. DataBreaches.net news page.

Hospitals should ‘wash their hands’ of older medical devices, OS: expert

Our Readers are likely well aware that older medical devices may present a Hacker’s Holiday, but putting a very fine point on it was Kevin Fu, associate professor of electrical engineering and computer science at University of Michigan, speaking at a Healthcare IT News healthcare cybersecurity forum this week in Boston. Mr Fu pointed out that many hospitals are actively using old devices and old PC systems; one local hospital had 600 supposedly unpatched Windows XP (!) boxes deployed. Older medical devices were not designed with security in mind, which he likens to basic sanitation:

“If you’re using this old software, these old operating systems, you’re vulnerable to all that malware – that garden-variety malware – that has been out in the wild for more than 10 years.” and “This is not rocket science; this is basic hygiene. This is forgetting to wash your hands before going into the operating room. Here we have medical devices where, if malware gets through the perimeter, there is very little defense.”

The press has been concentrating on the big breaches and external hacking (they do make good copy–Ed.), and we’ve expended a lot of air on things like the EHR Wars, but the real threats are more mundane, as Ponemon and others in the field have warned for years. Software updates and infected USB flash drives can spread malware. A vendor can be a regular Typhoid Mary unintentionally corrupting systems and devices down the line.  (more…)

The pileup of Federal ‘titanic serial IT disasters’ (US)

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2015/06/keep-calm-and-secure-your-data-4.png” thumb_width=”150″ /]Don’t feel bad, HIT execs–the Feds are even worse. Complementary to our coverage of the increased danger of hacked health IT systems and data breaches (the trail of tears is here and here) is the oddly muted press clamor around the 4 June hacking report of the Federal Office of Personnel Management (OPM). Chinese hackers roamed around two OPM databases–personnel and security clearances–for nearly a year, according to CNN’s Senate briefing coverage. The breach likely exceeded 18 million records, though the real number may never be known. Privacy Rights Clearinghouse summarizes it and provides an interesting link to a timeline by Brian Krebs, whose independent reporting beat is IT security. Megan McArdle, a reformed IT consultant writing for Bloomberg News and independently, points at the Federal lack of urgency around having adequate IT that doesn’t fail. Example–the much chronicled failure around Healthcare.gov and the so-called health exchanges, which appear to be functioning better, but reports say they are nearly porous and hackable as they were in 2013. She notes that it’s all about ‘scorched-earth determination’ and that the direction has to come from the top, meaning the President. And ‘voters have never held Obama responsible for his administration’s appalling IT record’. A thought that should give those in telehealth and telemedicine who are working with CMS value-based program ACOs a great deal of pause. NY Post editorial via Press Reader.

Hackermania running wild, 2015 edition

[grow_thumb image=”http://telecareaware.com/wp-content/uploads/2015/02/Hackermania.jpg” thumb_width=”300″ /]

Do we need the Hulkster Running Wild against Hacking? It’s so heartwarming to see the mainstream press catch up to what your Editors have been whinging on for the past few years: that healthcare data is the Emperor With No Clothes. Here we have Reuters and the New York Times with a case of the vapors, seeking a fainting couch. Reuters dubs 2015 ‘The year of the healthcare hack’. The FBI is investigating the AnthemHealth breach, while their counterparts UnitedHealth, Cigna and Aetna are in full, breathless damage control mode. The Times at least delves into the possibility that it was at least partially instigated by China and the People’s Liberation Army (PLA) unit that trolls for intellectual property.

Our Readers, savvy to your Editors’ warnings since at least 2010, were aware that the drumbeat accelerated this past summer. (more…)

Dr Topol’s prescription for The Future of Medicine, analyzed

The Future of Medicine Is in Your Smartphone sounds like a preface to his latest book, ‘The Patient Will See You Now’, but it is quite consistent with Dr Topol’s talks of late [TTA 5 Dec]. The article is at once optimistic–yes, we love the picture–yet somewhat unreal. When we walk around and kick the tires…

First, it flies in the face of the increasing control of healthcare providers by government as to outcomes and the shift for good or ill to ‘outcomes-based medicine’. Second, ‘doctorless patients’ may need fewer services, not more, and why should these individuals, who represent the high-info elite at least initially, be penalized by having to pay the extremely high premiums dictated by government-approved health insurance (in the US, ACA-compliant insurance a/k/a Obamacare)–or face the US tax penalties for not enrolling in same? Third, those liberating mass market smartwatches and fitness trackers aren’t clinical quality yet–fine directionally, but real clinical diagnosis (more…)

41 percent of healthcare employees don’t encrypt mobile devices: Forrester

Just after this Editor rhapsodized that one of the unrecognized (except here) wins for Apple’s new iPhone 6 in healthcare will be to give the docs what they want–larger screens–is this sobering stat from Forrester. Only 59 percent of healthcare employees use full-disk encryption or file-level encryption on mHealth computing devices used at work. Yes, here is another hole in the data security dike that needs plugging, because Forrester also cites that 80 percent of data breaches relate to lost or stolen devices. (What, not mulch?)  Author Chris Sherman also quoted street prices for health records to The Wall Street Journal’s CIO Journal blog  (more…)

CHS data breach estimated price tag: $150 million

Huge price tag, is the solution more ‘white hat hacker/crackers’, get a clue, C-Suite and why China leads in hacking (important updates!)

Dan Munro in Forbes got out his calculator and estimated that the cost to Community Health Services, based on prior incidents, may be as high as $150 million. He bases it on recent poster children Columbia-NY Presbyterian and BlueCross BlueShield of Tennessee. The message to healthcare business executives: pay now–by beefing up HIT and data security–or pay later in rush remediation of data breaches like identity theft protection, Office of Civil Rights-HHS fines, potential insurance fraud,  legal charges and damages awarded. On the latter, it took only hours after the announcement for the first class action to be filed in Alabama.

Of course cybersecurity experts, particularly the ‘white hat’ or ‘cracker’ variety, are in increasingly high demand across all business areas and internationally–and there aren’t many at that exalted level or even a rung or two below. Their commensurate compensation is one factor, but calls to hire less expensively overseas as explored in this article are, in this Editor’s estimation, a two-edged sword: much hacking, many sleeper bugs and ‘backdooring’ are engineered overseas (China, Russia, the Balkans, India); what is to say that these ‘former hackers’ aren’t playing both games? Cybersecurity’s hiring crisis: A troubling trajectory (ZDNet)

The C-Suite Must Care…The Workforce Must Be Aware

Since data security and data breaches threaten to swamp many sectors (universities and colleges, even more than healthcare, rank as the most vulnerable), the solution may not be wholly in the code. (more…)

Risky hospital business: happy device hacking, insider data breaches

A heap of ‘insanely easy’ hospital hacking–but no harm done: Essentia Health’s head of information security, Scott Erven, set his team to work–with management approval–on hacking practically every internal device and system over two years, and found that most were ‘insanely easy’ to hack. They successfully hacked drug infusion pumps, EHRs, Bluetooth-enabled defibrillators, surgery robots, CT scanners, networked refrigerator temperature settings and X-ray machines with potentially disastrous results. Where the common security holes are in networked equipment: lack of authentication, weak passwords, embedded web services and the list goes on. Mr Erven presented this at an industry meeting in April, without naming brands or devices as he’s still trying to fix them. Essentia Health operates about 100 facilities, including clinics, hospitals and pharmacies, in Minnesota, North Dakota, Wisconsin and Idaho–and should receive much credit for facilitating this study. This is the environment into which we will be plonking tons of patient information in PHRs and telehealth monitoring. Pass the painkillers. Summary in HealthIT Outcomes, much more essential detail in Wired worth the read.

The ‘Maybe No One Will Notice’ Data Breach:  The recent incident at the University of Massachusetts Memorial Medical Center in Worcester illustrates the difficulty that even academic medical centers have with detecting data security breaches, particularly when they are small, sneaky, over time and by an insider. UMass uncovered a series of low-profile breaches by a former employee who helped himself to patient information such as name, address, date of birth and Social Security number–and may have used it to open up credit card and mobile phone accounts. Only four records appear to have been misused in this way, but at least 2,400 records were estimated to be improperly accessed–over 12 years, which made it even more difficult to find. Perhaps the employee was funding retirement? HealthcareInfoSecurity

The ‘Ambulance Chaser’ Data Breach: What better way for lawyers and shady outpatient clinics to get accident patients fresh from the ER (ED), than to have someone on the inside feeding them patient information? (more…)