Your computer screen freezes with a pop-up message, supposedly from a trusted source like the FBI or another federal agency, saying that because you violated some sort of federal law your computer will remain locked until you pay a fine. Or you get a pop-up message after clicking on an innocuous-looking email attachment telling you that your files have been encrypted and you have to pay to get the key needed to decrypt them.
These scenarios are examples of ransomware scams, which involve a type of malware that infects computers and restricts users’ access to their files, or threatens the permanent destruction of their information, unless a ransom is paid. The ransom, anywhere from hundreds to thousands, is demanded in Bitcoin, a decentralized virtual currency network that attracts criminals because of the anonymity the system offers.
In February, we told you about a California hospital that paid hackers, who had breached and disabled its computer network, nearly $17,000 in ransom to restore it. It’s a growing threat. In the last month, hospitals in Maryland, Kentucky and the District of Columbia fell victim to ransomware attacks. The attacks left 14 hospitals, 10 of which are part of the MedStar hospital group, unable to access patient data and, in some cases, having to turn patients away.
MedStar spokeswoman Ann Nickels told the Washington Post that even though all of MedStar’s 10 hospitals and more than 250 outpatient centers had to shut down their computers and email, the facilities, which stretch from Arlington to Baltimore, operated safely throughout the crisis.
But two nurses told The Post the cyberattack created a chaotic environment in at least one MedStar location, and a doctor at another facility said it had created a “patient safety issue.”
“The big difference with health care is that the consequences are greater,” Kevin Fu, an associate professor at the University of Michigan who studies computer security issues in hospitals, told the MIT Technology Review. “You can lose your email and that’s annoying, but patient records are needed in order to treat patients.”
As Hollywood Presbyterian was forced to do earlier this year, MedStar fell back on seldom-used paper records that had to be faxed or hand-delivered.
According to the FBI, some 2,500 reports of ransomware were made last year, with victims paying out more than $24 million in ransoms. These attacks are becoming more common, and the FBI expects the problem to continue to grow as ransomware becomes more sophisticated.
Cyber-criminals’ recent focus on hospitals offers important clues about the thinking of professional hackers, and hints at other types of organizations and networks that could be similarly vulnerable, said Patrick Upatham, director of threat research at Digital Guardian, a provider of IT security solutions, including managed security services.
“What it comes down to is that there’s definitely no safe business,” he said. “Even with cutting edge tools, some of the variants are not detectable.”
While modern cybersecurity solutions can certainly improve a network’s defenses against attack, Upatham said, nothing is bulletproof.
Two lines of defense are regular training about the social engineering tactics hackers use to fool employees into clicking on dangerous emailed files, and file backups kept on a separate server that can be quickly restored.
Upatham also encourages businesses and other groups to segregate as much of their systems as possible, to minimize the risk to other parts of the network if malware is launched on one machine.