In the next installment of Sounds Good’s Cyber Bytes series, Tracy Ross speaks with Dr. Michael Ramage, director of Murray State’s Cyber Education and Research Center, about cyber attacks against healthcare systems nationwide. Ramage explains how the cyber attacks began and what that means for medical and educational institutions, other businesses, and individuals.
Ramage begins by pointing to a clear demarcation point in the world of cyber security: before and after Stuxnet. “Stuxnet was designed to infect your computer, look at your computer to see if you were running a certain operating system connected to a certain programmable logic controller in a certain area of the world. If it was, it would do its thing. If not, it would replicate it to your contacts and to your USB drives that were connected and then essentially go dormant and go to the next one.”
“Development of Stuxnet started in 2005. It was actually detected in 2010,” he continues. “When cyber security researchers detected it, they noticed it was zeroing in on Iran and, in particular, it was looking for a computer connected to a programmable logic controller in a rural part of Iran that was not even connected to the internet.”
Ramage explains that Stuxnet was able to infect the offline computer when IT professionals running the machine updated their software. Researchers traced this malware to a uranium enrichment program in Iran. Ramage notes it has been said that the United States and Israel partnered to infect the computers in Iran, though this was never officially proven. “Whoever it was that officially targeted a computer not connected to the internet in a rural part of Iran succeeded,” he says.
“I share that story to say if somebody wants to target you or me, they can succeed with enough money, knowledge, and resources. These attacks that we’re seeing on hospitals, education, small businesses, and governments, all of these attacks…are exploiting the basic things that we know we should be doing: access control.”
Ramage says that failing to use protective access control measures is “allowing what could be an isolated incident to become a more widespread problem, and most of these things are starting because of a user clicking a link or opening an email. If we follow these basic steps, then these attacks that are successful would either not be successful at all or would be limited. The disturbing trend in these is that they are way more impactful than they should be.”
Ramage says that healthcare institutions are often targeted because the dire necessity to get these medical networks back online makes them highly profitable for cyber attackers. He also attributes their vulnerability to the number of access points available, from computers to medical equipment retrofitted to access the internet. Such was the case for a cancer clinic in Louisville whose network was hacked and which had to pay the attackers a ransom immediately to continue to provide life-saving treatments to its patients.
“I think the main takeaway would be — and I’ll even broaden it to all security managers and managers of organizations — you are a target. Accept that you’re a target. Accept that they’re coming after you. Try to figure out — and talk to a professional to figure this out — what steps you can take to prevent it from happening in the first place or minimize its impact on your organization.”
Ramage says this is especially important for medical and educational institutions where HIPAA and FERPA regulations require security breaches to be reported. “It becomes a real issue,” he concludes. “You have to report it to the federal government on how bad that was impacted. So, you can’t sweep it under the rug when it’s regulated.”
For more information on MSU's Cyber Education and Research Center, visit its website. Read the first installment of Cyber Bytes here.