Ransomware and healthcare - Hacking Health

OWASP Montréal
October 24, 2016

For the launch of the 2016-2017 season, OWASP Montréal offers the IT security community and healthcare managers a look into the world of malware targeting the healthcare sector.
This talk is part of the Coopérathon co-organized by Mouvement Desjardins and Hacking Health.
The healthcare sector is said to have become a prime target of ransomware campaigns because the industry has often paid the ransom demanded to recover its clients' confidential and vital data. Ed Gershfang will give us an overview of the phenomenon and of the best practices to put in place for application security.
Ed Gershfang has solid experience in IT infrastructure and more than 6 years of experience in information security, vulnerability, governance and risk management. He was director of security at PeriGen, a leader in medical software development in Israel.


  1. RANSOMWARE and Healthcare There is more risk than just money

  2. Content • What is ransomware • History • Ransomware in Healthcare • Prevention • Future Trends
  3. What is ransomware

  4. Ransomware History The first known ransomware was "AIDS" (also known as "PC Cyborg"), written in 1989 by Joseph Popp. Its payload hid the files on the hard drive and encrypted their names, and displayed a message claiming that the user's license to use a certain piece of software had expired. The user was asked to pay US$189 to "PC Cyborg Corporation" in order to obtain a repair tool. Popp was declared mentally unfit to stand trial for his actions, but he promised to donate the profits from the malware to fund AIDS research. The AIDS Trojan was ineffective due to its use of symmetric cryptography, since the decryption key can be extracted from its code.
  5. Ransomware History By mid-2006, Trojans such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive began utilizing more sophisticated RSA encryption schemes, with ever-increasing key sizes. Gpcode.AG, which was detected in June 2006, was encrypted with a 660-bit RSA public key.[28] In June 2008, a variant known as Gpcode.AK was detected. Using a 1024-bit RSA key, it was believed large enough to be computationally infeasible to break without a concerted distributed effort.
  6. Ransomware History Encrypting ransomware returned to prominence in late 2013 with the propagation of CryptoLocker, using the Bitcoin digital currency platform to collect ransom money. In December 2013, ZDNet estimated based on Bitcoin transaction information that between 15 October and 18 December, the operators of CryptoLocker had procured about US$27 million from infected users. The CryptoLocker technique was widely copied in the months following, including CryptoLocker.
  7. Ransomware History Q1 2016 – 300 % 362,000 variants 1000 variants per day 4000 attacks per day 325$ Million USD
  8. Anatomy of ransomware

  9. Delivery Methods 1. 93% of phishing emails are now delivering ransomware (Macros, JavaScripts) 2. Drive-by downloads - Exploit Kits (Angler, Neutrino, Magnitude, Rig, etc.) 3. Vulnerabilities (Flash, Java) 4. Social Networks 5. USB Stick
  10. Industries Affected

  11. Ransomware in Health

  12. Why hospitals are perfect targets? 1. Doctors are gods and don’t let anybody tell them what to do 2. If you have patients, you are going to panic way quicker than if you are selling sheet metal. 3. Have not trained their employees enough on security awareness 4. Don’t focus on cybersecurity in general; primary concern is HIPAA compliance 5. Have often paid ransom to retrieve vital patient data quickly
  13. Potential impact of ransomware 1. No email 2. No access to patient records 3. Lab works disrupted 4. Pharmacy disrupted 5. No CT scans 6. Ambulances and patients turned away and sent to other hospitals 7. Monitoring PCs impacted 8. Potential public relations controversy 9. No access to medical test results
  14. Examples (2016-2015) 1. Medstar Union Memorial Hospital in Baltimore 2. Methodist Hospital in Henderson, Kentucky (17,000 USD) 3. 3 hospitals operated by Prime Healthcare Management, Inc. were forced to shut down systems (Chino Valley, Desert Valley and Alvarado Medical Center) 4. Hollywood Presbyterian Medical Center (10 days of downtime 3,000,000 USD- 17,000 USD) 5. Kansas Heart Hospital (paid ransom only got partial access) 6. Ottawa Hospital 7. Christopher Rural Health in Illinois 8. Titus Regional Medical Center, Texas 9. Lukas Hospital, Germany 10. Premera Blue Cross, Multiple locations 11. King’s Daughters Health, Southwest Indiana
  15. Hollywood Presbyterian Hospital • 10 days of downtime • Average cost $7,900 USD per incident a minute (Over $113 Million USD) • Est. downtime from loss of CT scans alone: $1,000,000 USD • Cost of ransom: $17,000 • Manual tasks required double time for physicians to perform • Hidden costs
  16. Case In Point • Possibly paid ransom • Legal costs • Notification costs • Restoring impacted assets costs • Internal/external communications costs • Overtime costs for IT personnel • Damage to reputation and brand • Regulatory penalties and fines • Increased compliance and audit costs • Lost trust from patients Sources: Intel Security analysis; Ponemon Institute’s Cost of Data Breach study; Modern Healthcare’s annual Hospital Systems Survey.
  17. Still Reportable Under HIPAA? Yes, you do have to report a ransomware attack on your healthcare organization to the HHS, since the data was still accessed by unauthorized individuals.
  18. Shit hits the fan… 1. Isolate the infected machine 2. Alert law offices (FBI, IC3, Canadian Anti-Fraud Centre) 3. DON’T PAY THE RANSOM !!!! 4. https://www.nomoreransom.org/ 5. Reimage 6. Restore 7. Pray 8. Documented Incident Analysis and Response
  19. An ounce of prevention is worth a pound of cure 1. Awareness, Awareness, Awareness 2. Backups 3. Security Software 4. Patch Management 5. Network Segmentation 6. Identity and Access Management 7. Disaster Recovery Plan 8. Policies and procedures 9. http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
  20. Future Trends – it’s all about the money • It’s not a malware problem, it’s a criminal business digital currencies and dark web • Higher ransoms, shorter times (Cryptoworm demands $1,000,000 USD within 8 hours) • Better delivery, higher returns • Getting personal – exposing data • Ransomware as service – business like operations • Mobile Devices, IoT, Smart Houses, cars
  21. Questions

  22. Thank You Eduard Gershfang gredik@outlook.com 514-943-6106 www.linkedin.com
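
Slide 9 names macros and JavaScript in phishing mail as the leading delivery method, and slide 19 lists security software among the preventive controls. The following attachment triage for a mail gateway is an added example, not part of the original slides; the extension lists, size cap, function names and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed extension lists for the "Macros, JavaScripts" vector; tune per site.
SCRIPT_EXT = {".js", ".jse", ".wsf", ".vbs", ".hta"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm"}
MAX_MEMBER = 10 * 1024 * 1024  # do not unpack members declared larger than this

def _ext(name):
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""

def classify(name, data, depth=0):
    """Return (path, reason) findings for one attachment, looking inside ZIPs."""
    findings, ext = [], _ext(name)
    if ext in SCRIPT_EXT:
        findings.append((name, "script attachment"))
    elif ext in MACRO_EXT:
        findings.append((name, "macro-enabled Office extension"))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # OOXML documents are ZIPs; vbaProject.bin means macros even when renamed.
        if ext not in MACRO_EXT and any(n.lower().endswith("vbaproject.bin") for n in zf.namelist()):
            findings.append((name, "VBA project without macro extension"))
        for i in (zf.infolist() if depth < 2 else []):  # bounded recursion
            if _ext(i.filename) in SCRIPT_EXT | MACRO_EXT | {".zip"} and i.file_size <= MAX_MEMBER:
                inner = b"" if i.flag_bits & 0x1 else zf.read(i)  # encrypted: name only
                findings += [(f"{name}!{p}", r) for p, r in classify(i.filename, inner, depth + 1)]
    return findings

def triage(raw_message):  # raw_message: bytes of one RFC 5322 message
    msg = message_from_bytes(raw_message, policy=policy.default)
    return [f for part in msg.iter_attachments()
            for f in classify(part.get_filename() or "", part.get_payload(decode=True) or b"")]

def _zip(name, data):  # builds the constructed sample archives below
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def sample_message():  # constructed input: zipped .js, macro doc renamed .docx, text
    m = EmailMessage()
    m.set_content("See attached.")
    m.add_attachment(_zip("invoice.js", b"// constructed"), maintype="application", subtype="zip", filename="invoice.zip")
    m.add_attachment(_zip("word/vbaProject.bin", b"x"), maintype="application", subtype="octet-stream", filename="report.docx")
    m.add_attachment("hello", filename="notes.txt")
    return m.as_bytes()
```

Calling `triage(sample_message())` flags the script inside the ZIP and the renamed macro document while leaving the text attachment alone; legacy OLE formats such as `.doc` are not inspected by this example.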