Doxxing Raises the Stakes of Ransomware for Healthcare Providers

In a very short time, ransomware has grown from a known but infrequent cyber attack into a profitable and widespread epidemic. Attacks are increasing in both frequency and severity: on average a business is hit every 40 seconds, and a disproportionate share of victims are healthcare providers. Research has found that healthcare organizations were 4.5 times more likely to be hit by CryptoWall ransomware than organizations in other industries.

When attacks do happen, the damage can be devastating. The loss of access to patient records has resulted in critical services being suspended and in communications grinding to a halt. There have even been cases where entire hospitals have been crippled for days.

Perhaps the only consolation for victims has been the widely held assumption that ransomware does not constitute a data breach. Private files that were encrypted and then restored have not automatically triggered the disclosure and public notification that traditional data breaches force, and most victims simply restored from backups while some chose to pay the ransom. That assumption is already on shaky ground for HIPAA-covered entities: OCR's July 2016 ransomware guidance treats the encryption of electronic protected health information as a presumptive breach unless the organization can demonstrate a low probability that the data was compromised.

Seeing this, attackers are changing their tactics, and new ransomware attacks are evolving to be more dangerous. To increase the likelihood of payment, these attacks no longer rely on file encryption and data loss alone; they also threaten the public release of captured sensitive and private data, a practice known as doxxing.


Ransomware variants demonstrating this approach already exist. First spotted in April 2016, Jigsaw not only encrypts a victim's data but, in a later variant, also threatens to send copies of the stolen files to all of the victim's contacts if the ransom is not paid. CryLocker, spotted in September 2016, is another variant observed using doxxing as a pressure tactic, harvesting system and user details during infection.

For healthcare providers, adding doxxing to the extortion equation transforms ransomware from a critical service issue into a costly matter of HIPAA breach notification compliance and a public data breach, raising the stakes considerably. Organizations are required to report this kind of exposure of unsecured protected health information to the U.S. Department of Health and Human Services' Office for Civil Rights (OCR). In addition to potentially levying a penalty (the largest resolution to date totaled $4.8 million), OCR publicly lists every reported breach affecting 500 or more individuals on its breach portal.

This public exposure also puts patients at risk. Medical records released publicly quickly become fodder for a wide variety of fraud, from buying and reselling medical equipment or prescription drugs to filing false claims with insurers. Medical identity theft is a painful and damaging logistical nightmare for patients, potentially ruining their credit and even endangering their lives: victims face unpaid deductibles, corrupted medical histories that can lead to wrong treatment, and in some cases prosecution for fraud committed in their name.

An Ounce of Prevention is Worth a Pound of Detection and Response
Having reliable backups has always been cited as the best practice for defending against ransomware, but it is only a complete answer when the threat is limited to the deletion or irreversible scrambling of critical data. When public exposure is on the table, restoring from backup does nothing to contain the harm: the attacker still holds a copy, and the information is available to the hospital, the patient, and criminals alike. Backups remain necessary for the encryption half of the attack, but a new best practice is required for the exfiltration half.

The immediacy of the ransomware threat and the severity of its fallout have forced a change of priorities in IT security. The emphasis has shifted from reactive detection and response toward proactive prevention, specifically against the earliest phases of the infection. Healthcare organizations that are slow to respond to this shift may find themselves over-invested in monitoring, incident management, and recovery while short-changing the actual target of most attacks: the user system, or endpoint.

Ransomware authors use a variety of tricks to bypass antivirus and other traditional security controls, infect user endpoints, and spread from there. Knowing that new malicious programs regularly slip past these pre-execution defenses, providers need additional last lines of defense that block malware at runtime and stop the attack before it fully executes. In some cases, IT and security teams can use application whitelisting (AppLocker) and Software Restriction Policies to block unnecessary or suspicious executables, and can isolate infected systems before the attack has a chance to spread. For some organizations, however, these restrictions are difficult to roll out and manage, particularly in complex working environments such as hospitals. In those cases, a third-party tool designed specifically for runtime protection can be a more suitable solution.
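To make the whitelisting suggestion concrete, here is an added example (written for this page, not code from the original article or from Barkly) that builds an AppLocker executable policy, the successor to Software Restriction Policies, denying launches from the per-user Temp and AppData\Roaming folders where mail- and browser-delivered ransomware droppers typically unpack, while allowing the normal Program Files and Windows locations. It assumes a Windows 10/11 Enterprise or Windows Server host with the AppLocker PowerShell module, run from an elevated prompt; the rule names, the generated rule GUIDs, and the empty stand-in file invoice.exe created for the dry run are all constructed for the example.

```powershell
# Added example: AppLocker path rules against ransomware dropper locations.
# Not the article's code; assumes an elevated PowerShell session on a Windows
# edition that supports AppLocker. Rule names and the test file are made up.

# Helper: build one FilePathRule element with a fresh GUID.
function New-PathRuleXml {
    param([string]$Name, [string]$Path, [ValidateSet('Allow','Deny')][string]$Action)
    $id = [guid]::NewGuid().ToString()
    @"
    <FilePathRule Id="$id" Name="$Name" Description="$Name" UserOrGroupSid="S-1-1-0" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

# AppLocker semantics to keep in mind: deny rules beat allow rules, and once any
# rule exists in the Exe collection, anything not explicitly allowed is blocked.
# Start in AuditOnly so nothing is actually stopped until the event log is reviewed.
$rules = @(
    New-PathRuleXml -Name 'Deny exe from user Temp'      -Path '%OSDRIVE%\Users\*\AppData\Local\Temp\*' -Action Deny
    New-PathRuleXml -Name 'Deny exe from user Roaming'   -Path '%OSDRIVE%\Users\*\AppData\Roaming\*'    -Action Deny
    New-PathRuleXml -Name 'Allow Program Files'          -Path '%PROGRAMFILES%\*'                       -Action Allow
    New-PathRuleXml -Name 'Allow Windows'                -Path '%WINDIR%\*'                             -Action Allow
) -join "`n"

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'exe-path-rules.xml'
$policyXml | Set-Content -Path $policyPath -Encoding UTF8

# 1. Dry run: a constructed, empty stand-in for a dropper in the user's Temp folder,
#    plus a legitimate system binary, evaluated against the policy before applying it.
$fakeDropper = Join-Path $env:LOCALAPPDATA 'Temp\invoice.exe'
New-Item -ItemType File -Path $fakeDropper -Force | Out-Null
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path @(
    $fakeDropper,
    (Join-Path $env:WINDIR 'System32\notepad.exe')
) | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
# Expected: invoice.exe -> Denied (user Temp rule); notepad.exe -> Allowed (Windows rule)

# 2. Rules are silently ignored unless the Application Identity service is running.
#    Its startup type is protected on current Windows builds, so use sc.exe rather than Set-Service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 3. Apply in audit mode; -Merge keeps any rules that already exist on the host.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# 4. Review audit hits before switching to enforcement:
#    event 8003 = would have been blocked (audit), 8004 = blocked (enforced).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003, 8004 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run the policy in AuditOnly for a representative period (a clinical week is a reasonable minimum), triage the 8003 events, then change EnforcementMode to "Enabled" and re-apply. Two caveats a practitioner will hit: %WINDIR%\* contains user-writable subdirectories (for example the Tasks and Temp folders), so a production policy carves those out with additional deny rules or uses publisher rules instead of path rules; and path rules do nothing against attacks that run through already-allowed interpreters and signed system binaries, which is why the article pairs whitelisting with runtime protection rather than presenting it as sufficient on its own.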

As always, the best protection for user systems also improves the security of the users themselves. In addition to investing in security technology and infrastructure, organizations should train users on common forms of attack, most importantly the phishing messages and malicious attachments that deliver the initial payload, and train staff in rapid security response. Through a combination of system protection and user awareness, even these new attacks can be blunted, along with the incentive for attackers to develop still more dangerous payloads.

Jack Danahy is co-founder and CTO at Barkly.
