Hackermania runs wild…all the way to the bank! Ransomware strikes Crozer-Keystone, UCSF med school, others

News to make you livid. After surviving (to date) the COVID pandemic, health systems and medical schools are being attacked by ransomware criminals. Both the small Crozer-Keystone Health System and the globally known University of California San Francisco School of Medicine have been attacked by the ever-so-cutely named Netwalker (a/k/a MailTo). Yes, this criminal hacker gang isn’t outside banging pots for first responders or donating money, or even sticking to a brief truce (Emsisoft), but is instead figuring out ways to spread malware into healthcare organizations for fun and profit. 

And profitable it’s been. UCSF paid Netwalker the princely sum of $1.14 million (£910,000) in 116.4 bitcoins after an attack starting 1 June that was also (to add insult to injury) announced on Netwalker’s public blog. In the timeline presented by BBC News, the demand was negotiated down (professionally) from $3 million; the BBC also obtained key parts of the negotiation via an anonymous tipoff, and it makes fascinating reading. Netwalker leads the victim to a dark web ‘customer service’ site with a countdown timer: when it expires, the ransom doubles or the now-encrypted (and stolen) data is deleted. The gang also live chats with the victim through the same site.

UCSF was able to limit the malware’s encryption damage to servers within the School of Medicine (according to the BBC, by literally unplugging computers; according to UCSF, by isolating servers), but decided to pay the ransom to unlock the encrypted data and to have the attackers return the data they had stolen, stating in its public release: “The data that was encrypted is important to some of the academic work we pursue as a university serving the public good”. UCSF is working with the FBI on the incident and has brought in outside expert help.

According to FierceHealthcare, Netwalker was also behind the attack on the Champaign-Urbana Public Health District (Illinois) website in March and Michigan State University’s network in May.

Paying ransom is contrary to the advice of the major world security services such as the FBI, Europol, and the UK’s National Cyber Security Centre, on the simple basis that it funds the criminals and encourages further attacks. Payment also buys no guarantee that stolen data is actually destroyed. It’s a true damned-if-you-do, damned-if-you-don’t situation, as Brett Callow, a threat analyst at cyber-security company Emsisoft, said to the BBC: “But why would a ruthless criminal enterprise delete data that it may be able to further monetise at a later date?” 

Crozer-Keystone to date has refused to pay the ransom. On 19 June, bitcoin publication Cointelegraph published a screenshot of Netwalker’s dark web page auctioning the stolen data. Apparently the auctioned data is financial and not medical records or PHI. Crozer also isolated the intrusion and took systems offline. Crozer is a small system of four hospitals in suburban Philadelphia (Delaware County) that also serves parts of the state of Delaware and western New Jersey.

Neither Crozer nor UCSF has gone public with the source of the breach, but it is known that the main lure during the pandemic has been phishing emails promising COVID-19 results or news, with attachments or links that download the malware.

As this Editor wrote back in May 2018 on the anniversary of WannaCry, it’s not a matter of if, but when, at highly vulnerable organizations like healthcare and academia that hold high-value information records. Right now, the Hakbit spear-phishing ransomware, delivered through an Excel spreadsheet macro, is targeting mid-level individuals at pharma, healthcare, and other sectors in Austria, Germany, and Switzerland, according to tech research firm Proofpoint (TechGenix).
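Because the Hakbit lure above rides in on a spreadsheet macro, the practical check a mail gateway or SOC analyst wants is whether an incoming Office attachment actually contains a VBA project, regardless of what its extension claims. The following is an added example written for this page, not code from Proofpoint, TechGenix, or any of the organizations named here, and it does not reproduce any real Hakbit sample: it builds small, clearly labelled constructed workbooks in memory and classifies them by inspecting the OOXML zip for the `vbaProject.bin` part. The policy in `verdict` (quarantine macro-bearing and legacy binary files, flag a macro hidden under a non-macro extension) is an assumption about what a sensible gateway rule looks like, not a documented product behaviour.

```python
import io
import zipfile

# Parts where Office Open XML (OOXML) files store an embedded VBA project.
# The part name inside the zip, not the file extension, is what reveals the macro.
VBA_PARTS = ("xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions Office itself reserves for macro-enabled documents.
MACRO_EXTENSIONS = ("xlsm", "xltm", "xlam", "docm", "dotm", "pptm", "potm")
# Magic bytes of the legacy OLE2 container (.xls/.doc). These can carry macros
# too but need a dedicated parser (e.g. oletools) to inspect, so we only flag them.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Classify an attachment by its contents.

    Returns one of:
      'ooxml-macro'  - zip-based Office file with an embedded VBA project
      'ooxml-clean'  - zip-based Office file with no VBA project
      'ole2-binary'  - legacy binary Office format; inspect with a dedicated tool
      'not-office'   - anything else (plain text, a non-Office zip, ...)
    """
    if data.startswith(OLE2_MAGIC):
        return "ole2-binary"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "not-office"
    # A zip that has no Office package folders is not an OOXML document.
    if not any(n.startswith(("xl/", "word/", "ppt/")) for n in names):
        return "not-office"
    return "ooxml-macro" if any(p in names for p in VBA_PARTS) else "ooxml-clean"


def verdict(filename: str, data: bytes) -> tuple[bool, str]:
    """Hypothetical gateway policy: (quarantine?, reason)."""
    kind = classify_attachment(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind == "ooxml-macro":
        if ext in MACRO_EXTENSIONS:
            return True, "embedded VBA project"
        # A macro inside a file named .xlsx/.docx is a mismatch worth its own reason.
        return True, "embedded VBA project under non-macro extension"
    if kind == "ole2-binary":
        return True, "legacy binary format; hold for oletools/sandbox"
    if kind == "ooxml-clean":
        return False, "no macro"
    return False, "not an Office file"


def build_sample_workbook(with_macro: bool) -> bytes:
    """Constructed sample: a minimal in-memory OOXML workbook (hypothetical,
    not a real malware sample) so the checks above can run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_macro:
            # A real vbaProject.bin is an OLE2 stream; a stub is enough for the check.
            zf.writestr("xl/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("covid_results.xlsm", build_sample_workbook(True)),
        ("covid_results.xlsx", build_sample_workbook(True)),  # macro under a 'safe' name
        ("quarterly.xlsx", build_sample_workbook(False)),
        ("legacy.xls", OLE2_MAGIC + b"\x00" * 512),
        ("notes.txt", b"plain text, not an attachment of interest"),
    )
    for name, blob in samples:
        hold, why = verdict(name, blob)
        print(f"{name:20} {classify_attachment(blob):12} quarantine={hold!s:5} {why}")
```

The check deliberately keys on the zip part rather than the extension: renaming a `.xlsm` to `.xlsx` does not remove `xl/vbaProject.bin`, and a legacy `.xls` is simply held because macros in the OLE2 format cannot be confirmed without a proper OLE parser.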

More: Becker’s 22 June on Crozer-Keystone, 29 June on UCSF, 12 largest healthcare breaches to date, 10 healthcare system incidents for June, Kroger hacking incident exposing 11,000 health records. DataBreaches.net news page.

Soapbox: How healthcare disruption can be sidetracked

Ron Hammerle’s comment on Disruptive innovation in healthcare hasn’t begun yet: Christensen (TTA 31 Mar), posted on LinkedIn’s Healthcare Innovation by Design group, made the excellent point that a potentially disruptive and decentralizing healthcare service, retail clinics, has been sidetracked, at least in the US, leaving an open question on their reason for being. This Editor thought it was worthy of a Soapbox. Mr. Hammerle knows of what he speaks because his Tampa, Florida-based company, Health Resources Ltd., works with retail and employer-based clinics to connect them via telemedicine/telehealth systems with medical centers.

When Clayton Christensen first anticipated that retail clinics would be disruptive to the established healthcare industry, their business model was potentially disruptive. What has subsequently happened, however, is a prime example of how potentially disruptive movements can be sidetracked.

After acquiring MinuteClinic and laying the foundation for taking retail clinics national, CVS Caremark chose to make deals with hospitals, which could easily afford to rent, open and operate such clinics without making money on the front end or facing real disruption. Retail clinics were a loss leader to hospitals in exchange for large, downstream revenues, and slightly-enhanced market share for the retailer’s pharmacy.

After CVS shocked Walgreens with one-two punches involving MinuteClinic and Caremark acquisitions, Walgreens came back with three counter-punches of its own:

1. They doubled the number of their clinics (to 700) in less than two years, thwarted AMA opposition, leapfrogged ahead of CVS in clinic count and totally changed the retail clinic model by setting up politically-invisible, broader service, make-your-profit-up-front, employer-based clinics. (more…)