Anti-Malware , Fraud , Phishing

Experts Recommend Steps to Defend Against Uptick in Malicious Assaults Marianne Kolbasuk McGee (HealthInfoSec) • March 23, 2016    

Ransomware attacks against hospitals are becoming commonplace this year, with at least five incidents revealed in recent weeks.

See Also: Unite & Disrupt: Mitigate Attacks by Uniting Security Operations

In each case, attackers encrypted data and demanded ransom to decrypt it. Most of the incidents reportedly involved the use of Locky ransomware, but at least one involved WinPlock, a new variant of Cryptolocker.

Only one of the five recently targeted hospitals has admitted paying a ransom to unlock data, while the others were able to resolve the situation relying on backups.

Security experts suspect that those five cases are only the tip of the iceberg, with many other cases being quietly resolved without grabbing headlines.

"Some get reported. Others are handled more discreetly," says Adam Greene of the law firm Davis Wright Tremaine. "Accordingly, while I think that we will continue to see a rise in ransomware, it's hard to say how many of these attacks will be in the headlines over the coming months."

Healthcare organizations can take specific steps to help prevent falling victim to these attacks, including backing up data and educating users about how to recognize phishing attacks that can result in compromised credentials, security experts advise.

Recent Attacks

The latest attacks coming to light this month targeted Methodist Hospital in Kentucky and two California hospitals operated by Prime Healthcare Inc.

Other recent ransomware victims include Ottawa Hospital in Canada and Hollywood Presbyterian Medical Center in California. The Hollywood hospital paid extortionists a $17,000 bitcoin ransom in February to unlock its data, which was maliciously encrypted by extortionists.

In the most recently revealed attacks, two of Prime Healthcare's hospitals in California - Chino Valley Medical Center and Desert Valley Hospital - reported "server disruptions" on March 18 that were linked to ransomware, a spokesman told Information Security Media Group on March 23.

"I can confirm that no ransom has been paid," he said. "As for what kind of virus or how it got into our system, I can't comment as the investigation is ongoing. What I can say is that our expert, in-house IT team was able to immediately implement protocols and procedures to contain and mitigate the disruptions. The hospitals remained operational without impacting patient safety, and at no point was patient or employee data compromised."

As of March 23, most systems had been brought online, the spokesman added.

Meanwhile, in a March 18 statement about a ransomware attack, Methodist Hospital in Henderson, Ky., said the hospital's information systems department "responded quickly to the virus and immediately shut down the system to control the virus from spreading." While the system was down, a backup system was activated, the hospital says. "The backup system ran smoothly and allowed the hospital to continue its daily operations without interruption."

On March 22, a Methodist Hospital spokeswoman told Information Security Media Group, "the virus has been contained and there have been no further outbreaks. Our system is up and running." The incident was "a result of a malicious email that made it through the spam filter and was opened. No ransom was paid; they were asking for bitcoins. The situation has been reported to the Henderson Police Department in Kentucky and the FBI is investigating. No patient data or records were compromised."

Canadian Attack

Earlier this month, Ottawa Hospital in Canada contained ransomware infections on four of the hospital's 9,800 computers that were attacked over a three-week period, a hospital spokeswoman tells ISMG.

"No patient information was affected. The malware locked down the files and the hospital responded by wiping the drives," she says. "We are confident we have appropriate safeguards in place to protect patient information and continue to look for ways to increase security."

Although other recent ransomware attacks affecting hospitals have reportedly involved the Locky malware, the Ottawa Hospital spokeswoman says WinPlock ransomware, a new variant of Cryptolocker, was involved in that hospital's recent incidents.

The string of recent ransomware attack revelations began in early February, when Hollywood Presbyterian grabbed headlines with its statement about paying a ransom.

Hospital officials said that on Feb. 5, the organization's IT department determined that "malware locked access to certain computer systems and prevented users from sharing communications electronically." After dealing with the problem for several days, the hospital's CEO, Allen Stefanek decided, "the quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," according to a hospital statement. "In the best interest of restoring normal operations, we did this."

The Growing Threat

In a report released in January, the Institute for Critical Infrastructure Technology, a non-partisan, non-profit group of technology providers, cited ransomware as "the primary threat" to healthcare organizations in 2016. And the string of recent events seems to confirm that conclusion.

Plus, healthcare privacy and security experts say there likely have been a number of ransomware attacks that have not been publicized.

"I believe we are only learning about a small percentage of the incidents involving ransomware," says David Holtzman, vice president of compliance at the security consulting firm CynergisTek. "Organizations that are successfully fending off these cyberattacks or discovering them before they can do damage are making strategic decisions to not publicize that they have been targeted."

Many organizations are falling victim to ransomware attacks because they "do not invest in the technologies or human resources needed to develop and maintain adequate information security protections," Holtzman contends.

The recent ransomware attacks on hospitals are the latest signs of a rise in external attacks against the sector, says regulatory compliance attorney Robert Belfort of the law firm Manatt Phelps & Phillips LLP.

"There's been a sea change in the industry's evaluation of security risk over the last two years," he says. "Before 2015, I would say most health insurers and healthcare providers viewed insider threats as their main concern. The external hacking that had been occurring in other industries hadn't really come to healthcare, but that radically changed last year," with the cyberattacks on Anthem Inc. and others.

Steps to Take

While it appears that most of the incidents that have been mitigated so far without paying a ransom were helped by the organizations having well-prepared backups, sometimes that's not enough.

Dan McWhorter, vice president of threat intelligence at security vendor FireEye, said at the recent HIMSS 2016 Conference that healthcare entities need to be particularly wary of more sophisticated ransomware attackers who destroy backups of databases, then encrypt and lock up main databases.

To help safeguard against those scenarios, Aryeh Goretsky, a researcher as security firm ESET, says, "A backup system must have robust versioning control, and also have an offline component so that in case the backup accounts or computers are affected, recovery is still possible by creating those and using the offline backups."

Also, because fraudsters waging ransomware attacks often steal credentials of privileged users through phishing attacks, workforce education is critical.

"Healthcare providers, regardless of their size or complexity of their IT resources, should educate their staff and physicians on their critical role in preventing cyberattacks," Holtzman says. "Ransomware is often downloaded into the organization's information system when a user clicks on a link contained in an email message from sources they do not recognize, or responding to invitations for free services or apps," he notes. "Educate users on what they are doing and the choices they are making."

Other essential steps, Holtzman says, include hardening systems, updating and patching software and operating systems and improving configuration management.

It's also important to apply software updates promptly, including those for operating systems, browser software and plugins, suggests Lysa Myers, another ESET security researcher. "Use anti-malware software, and make sure it, too, is regularly updated and scanning your files."

Hospitals should also assess their exposure level by performing an audit of platforms and systems to identify potential points of vulnerability, she adds.

James Maude, senior security engineer at endpoint security provider Avecto, suggests: "If we move away from trying to detect the constantly evolving undetectable threats and control the common attack vectors through least privilege, whitelisting and sandbox isolation, then we can not only handle today's threats but tomorrow's as well."

The Department of Health and Human Services' Office for Civil Rights recently offered advice on how healthcare providers and their business associates can avoid becoming victims of ransomware and other scams (see OCR Cyber Awareness Effort: Will it Have an Impact?).

Should Ransom Ever Be Paid?

While experts generally advise against paying extortionists, sometimes entities believe they have little choice in order to get their operations back to normal as soon as possible.

Making the decision to pay a ransom "really depends on the value of your data, and whether you have a viable backup," says ESET's Myers.

Still, even paying a ransom doesn't guarantee the malware problems will be solved, she warns. "Keep in mind that another component of the malware which may not work as expected is decryption. It's possible that your files may still be corrupted beyond repair, even if you do pay the ransom."

Although the battle over whether the courts should compel Apple to help the FBI unlock the iPhone used by one of the San Bernardino shooters is on hold for now, the debate over the privacy issues involved isn't going away.

A March 22 hearing on the court order was delayed because the FBI says it might have found a way to unlock the phone without Apple's assistance (see Feds Obtain Delay in Apple Hearing). Yedioth Ahronoth, a newspaper in Israel, reports the Israeli mobile forensics software provider Cellebrite is furnishing the FBI with the know-how to unlock the phone.

It remains to be seen whether the courts will address, in the San Bernardino case or another one, the issue of whether law enforcement can require technology companies to assist in circumventing passwords, encryption and other safeguards built into their devices and systems. And just because the FBI might have the ability to break into devices doesn't mean it should, Greg Nojeim, director of the advocacy group Center for Democracy and Technology's Freedom, Security and Technology Project, says in an interview with Information Security Media Group (listen by clicking on player beneath photograph).

Evaluating Techniques

Nojeim says a public debate surrounding this matter should focus on whether the techniques law enforcement adopts to bypass safeguards, including exploiting vulnerabilities in encryption software, are legal and how those techniques would have an impact on the privacy and security of ordinary people. "That's the kind of conversation that we need to have, not this going in circles about whether we're going to have backdoors built into encrypted devices and services," he says.

In this interview, Nojeim:

Explains why the FBI's concession that it might have found a way to unlock the iPhone without Apple's help could weaken other government cases to compel technology companies to help circumvent safeguards built into their products and services; Foresees the failure of congressional efforts to enact legislation to require technology companies to help law enforcement bypass encryption and safeguards; and Contends that other national governments - including Brazil, China, Russia and Turkey - also could require Apple and other American technology companies to provide assistance to circumvent encryption if the U.S. invokes such a requirement. "As a result, Apple's concern about information getting into the wild that would compromise the security of its products is quite real."

Nojeim, senior counsel at the Center for Democracy and Technology, directs the group's initiatives that respond to the 2013 disclosures about NSA surveillance and was engaged in the center's efforts to promote the USA Freedom Act, the 2015 law that ended bulk collection of telephone call records under the Patriot Act (see President Obama Signs USA Freedom Act). Before joining the advocacy group, Nojeim served as associate director and chief legislative counsel of the American Civil Liberties Union's Washington legislative office.

In many enterprises, the CISO reports to the CIO, and occasionally you find a CIO who reports to the CISO. But Venafi's Tammy Moskites holds both roles. How does she manage the natural tension between technology and security?

"The benefit [of wearing both hats] is that I just have to ask myself for money, and I can say yes," jokes Moskites, who joined the security vendor in 2014 after spending 25 years in leadership roles at such organizations as Time Warner Cable and The Home Depot. But she does acknowledge the true challenge of ensuring that security is built into all of the technology solutions Venafi develops.

"We're fortunate in the sense that Venafi doesn't have tens of thousands of employees," Moskites says. "I'm able to, right away from the beginning, get things done the right way - making sure security is in the beginning of project management. With larger organizations, security was more of a 'Let's check it at the end of development,' and then you have to back-fit security or controls."

In this interview, part of Information Security Media Group's Executive Sessions series of in-depth conversations with security industry leaders, Moskites talks about her career and some of the lessons that security and technology leaders can draw from recent high-profile data breaches.

One of the big lessons is that organizations must make greater efforts to secure fundamental elements such as user IDs, passwords, digital certificates and cryptographic keys. "Keys and certificates are the foundation of our Internet," Moskites says. "[They form] that trust factor - the ability to know who you're doing business with ... is known and trusted."

Moskites also discusses lessons she's learned in her career, and one of the biggest is: Delegate.

"I tried to do a lot of things myself early on in my career because I always felt I had to prove myself," she says, owing, in part, to being one of the relatively few women in IT and security. "I've learned very humbly over the years that there are people who are a lot smarter than me and can do it a lot better."

In this exclusive interview (see audio link below photo), Moskites discusses:

Natural tensions between CIO and CISO roles; The latest attacks on cryptographic keys and digital certificates ; Her advice to the next generation of IT and security leadership.

As CIO and CISO, Moskites helps Venafi's clients fortify their strategies to defend against increasingly complex and damaging cyberattacks targeting the trust established by cryptographic keys and digital certificates. Her professional experience, leadership and domain expertise enables her to help fellow CISOs defend their organizations.

Breach Notification , Data Breach , Fraud

Incident Reportedly Affects 1.5 Million Verizon Enterprise Clients Marianne Kolbasuk McGee (HealthInfoSec) • March 25, 2016    

Verizon Enterprise Solutions, which regularly assists clients in responding to data breaches, admits it's suffered its own breach, reportedly affecting 1.5 million business customers. As a result of the exposure of contact information, those customers are now at greater risk of phishing attacks.

See Also: Unlocking Software Innovation with Secure Data as a Service

In a statement provided to Information Security Media Group, Verizon says: "Verizon Enterprise Solutions recently discovered and fixed a security vulnerability on our enterprise client portal. Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers."

Verizon says that "no customer proprietary network information ... or other data was accessed or accessible. The impacted customers are currently being notified." The company adds that no data about consumer customers was involved.

Verizon did not immediately respond to an ISMG inquiry for more details regarding the breach, including the nature of the "security vulnerability" exploited to commit the intrusion, or the number of customers impacted.

Underground Crime?

The security blog Krebs on Security, which first reported on the incident March 24, says "a prominent member of a closely guarded underground cybercrime forum posted a new thread advertising the sale of a database containing the contact information on some 1.5 million customers of Verizon Enterprise."

The blog reports: "The seller of the Verizon Enterprise data offers the database in multiple formats, including the database platform MongoDB, so it seems likely that the attackers somehow forced the MongoDB system to dump its contents."

The seller priced the entire Verizon package of stolen data at $100,000, "but also offered to sell it off in chunks of 100,000 records for $10,000 apiece," according to the blog. "Buyers also were offered the option to purchase information about security vulnerabilities in Verizon's Web site."

Annual Breach Report

Verizon annually compiles and releases a report analyzing breaches across many industries.

In its most recent annual Verizon 2015 Data Breach Investigations Report, issued in April 2015, the company said it analyzed nearly 80,000 security incidents, including more than 2,100 confirmed breaches.

In an interview last year with ISMG about the 2015 report's key findings, Bob Rudis, a security data scientist at Verizon, said that while attacks are growing in sophistication, many intrusions still rely on tried-and-true social engineering techniques, such as phishing, adding that far too many attacks are successful because organizations have failed to patch known vulnerabilities.

A Prime Target

Mac McMillan, CEO of security consulting firm CynergisTek, says it's not surprising that attackers targeted Verizon, a high-profile security vendor. "What Verizon does - its services and security being a big component - makes the company a huge target," he says. "They get [targeted for] attacks far more than the average company, and finally someone pierced their armor."

Tom Walsh, founder of the consultancy, tw-Security, stresses: "Even when you know you have a good security program in place, it doesn't mean that an organization is immune from a cyberattack. One careless mistake by humans - users, application programmers, network engineers, etc. - may be all that is needed for an attacker to exploit. "We need to get it right 24 x 7 x 365. Hackers only need to get it right once. In the long run, the odds are in their favor."

In the end, the breach is a reminder that all organizations need to have an appropriate incident response plan in place for when the inevitable occurs, Walsh says. "We need to conduct cybersecurity tabletop exercises and drills. Because sometimes it's not the event, but your reaction to the event, that people remember the most."