1/24/2018
05:56 PM
Ransomware Actors Cut Loose on Health Care Organizations

An attack on Allscripts last week that knocked out EHR services to 1,500 clients is the third reported incident just this month.

A string of recent attacks suggests that ransomware operators are sharply ramping up their focus on healthcare organizations.

Last week, electronic health record (EHR) provider Allscripts became at least the third organization in the health sector to get hit by ransomware since the start of this year.

The other two were Indiana-based Hancock Health, which ended up paying some $50,000 to get back access to critical information systems, and Adams Health Network, also of Indiana, which managed to recover without any disruption. In all three incidents, attackers used different variants of SamSam, a well-known ransomware family, to encrypt critical data.

Of the three victims, the $1.5 billion Allscripts is the largest, providing service to 45,000 physician practices, 180,000 physicians and 2,500 hospitals. The January 18th attack on Allscripts affected systems hosted in the company's datacenters in North Carolina, resulting in its EHR and Electronic Prescription for Controlled Substances (EPCS) services becoming unavailable to some 1,500 clients.

Most of those impacted by the outage were small healthcare entities and individual physicians, some of whom vented their anger on Twitter and other channels as Allscripts worked over a period of multiple days to restore its systems.

The EHR provider did not respond to a Dark Reading request Wednesday for an update on recovery efforts, nor has the company provided any information on the incident on its website. So it is not clear if all systems have been completely recovered as of Wednesday afternoon.

However, in update calls with providers and in statements to healthcare outlets, Allscripts has described the attack and its response in a fair amount of detail. One of those outlets, the Texas Medical Liability Trust, has provided a relatively detailed timeline of events and recommendations for those impacted by the incident.

Mac McMillan, CEO of CynergisTek, a company that provides security consulting services to healthcare organizations, says the attack left those using Allscripts' PRO EHR without access to client medical records. Those working in states that have mandated the use of EPCS had to resort to some very difficult workarounds for prescribing controlled substances to those in need of it, he says.

"The ones most impacted were the small practices that traditionally outsource (electronic medical records) and don't plan for or have a viable backup when their vendor goes down," McMillan says. "They simply have to wait until the vendor recovers."

The attack highlights the need for those using such services to re-evaluate critical systems and vendor support and put response plans in place in the event of outages. "We’ll see more of these cloud-based attacks in the future. Their impact is so much greater for those launching them," McMillan noted.

Ransomware attacks on hospitals and other healthcare organizations are not new. But the flurry of recent incidents suggests a heightened threat actor focus on the sector.

Security vendor Cryptonite in December 2017 released a report on cyberattacker activity in the healthcare sector and noted an explosion in incidents involving ransomware last year. The report, based on data gathered from breaches reported to the Health and Human Services Office of Civil Rights, showed there were 36 publicly reported ransomware incidents among health care institutions in 2017.

The number represented an 89% increase in ransomware attacks from the 19 reported in 2016. Among the top 10 healthcare data breach and hacking incidents last year, the top six were caused by ransomware. The biggest of them—an incident at Airway Oxygen—impacted some 500,000 records.

Mike Simon, CEO and President of Cryptonite, says the reasons for the attacker interest in health care institutions are basic. "Healthcare networks are highly interconnected and this provides a substantial opportunity for cyberattackers to penetrate multiple high-value targets," he says. EMR and EHR systems used by hospitals and large physicians' practices are connected to mobile phones and tablets used by ambulatory clinicians, who in turn communicate with labs, nursing facilities, scan and surgical centers, and numerous other facilities.

"Healthcare networks' architectures typically have a relative high number of known vulnerabilities [with] missing patches and updates, embedded and exposed processors in medical devices, a large number of internet of things (IoT) devices and more," he says. "These make them particularly susceptible to a variety of known attacks for which most of these networks have no defense in place."

Another factor driving heightened interest in the health care sector is the apparent success that ransomware attackers have had extracting money from victims. "When an attacker has success within a particular vertical it's obviously tempting for them to do more of the same," says Richard Ford, Chief Scientist, Forcepoint. "The concept of 'if it ain't broke, don't fix it' works just as well for attackers" as it does for defenders, he says.

The use of SamSam variants in many of the recent attacks suggests attackers are going after healthcare organizations in a methodical manner, adds Joseph Silva, a member of Cyxtera's cybersecurity analytics operations.

"Unlike the majority of ransomware families, SamSam isn't delivered into a victim environment through phishing or malvertising methods," he says. Rather, it is being used to target specific healthcare organizations, gaining access to the environment and looking for high-value systems to infect.

"The threat actors utilizing SamSam are actively probing the victim environment for vulnerable servers, and then using those servers to enumerate the environment and identify systems that contain high-value data," Silva says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
