Ransomware and healthcare - Hacking Health

OWASP Montréal
October 24, 2016

To launch the 2016-2017 season, OWASP Montréal offers the IT security community and healthcare managers a foray into the world of malware targeting the healthcare sector.
This talk is part of the Coopérathon, co-organized by the Mouvement Desjardins and Hacking Health.
Healthcare is said to have become a favoured target of ransomware campaigns because the industry has often paid the ransom demanded in order to recover its clients' confidential and vital data. Mr. Ed Gershfang will give us an overview of the phenomenon and of the best practices to put in place in application security.
Ed Gershfang has solid experience in IT infrastructure and more than 6 years of experience in information security, vulnerability management, governance and risk management. He was Director of Security at PeriGen, a leading medical software developer in Israel.


Transcript

  1. RANSOMWARE and Healthcare
    There is more risk than just money

  2. Content
    • What is ransomware
    • History
    • Ransomware in Healthcare
    • Prevention
    • Future Trends

  3. What is ransomware

  4. Ransomware History
    The first known ransomware was "AIDS" (also known as "PC Cyborg"), written in
    1989 by Joseph Popp. Its payload hid the files on the hard drive and encrypted
    their names, and displayed a message claiming that the user's license to use a
    certain piece of software had expired. The user was asked to pay US$189 to "PC
    Cyborg Corporation" in order to obtain a repair tool. Popp was declared mentally
    unfit to stand trial for his actions, but he promised to donate the profits from the
    malware to fund AIDS research.
    The AIDS Trojan was ineffective because it used symmetric cryptography: the one
    key that encrypts is also the key that decrypts, and it could be extracted
    directly from the program's code.

  5. Ransomware History
    By mid-2006, Trojans such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip,
    and MayArchive began using more sophisticated RSA encryption schemes, with
    ever-increasing key sizes. Gpcode.AG, detected in June 2006, encrypted files
    with a 660-bit RSA public key. In June 2008, a variant known as Gpcode.AK was
    detected; it used a 1024-bit RSA key, which was believed to be large enough to
    be computationally infeasible to break without a concerted distributed effort.
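    The contrast between slides 4 and 5, worked as an added example that is not
    code from the talk: a stand-in for the AIDS payload that carries its own
    symmetric key, which an analyst carves out of the sample and uses to decrypt,
    beside the Gpcode-era design where a fresh file key is wrapped with the
    attacker's RSA public key and the binary contains no private key at all. The
    keystream cipher (SHA-256 in counter mode), the KEY_TAG / PUB: payload layout
    and the roughly 20-bit RSA primes are assumptions chosen so the script runs
    offline in under a second; with such a toy modulus the analyst can still factor
    N, and the only thing separating that from Gpcode.AK's 1024-bit key is the size
    of the factoring job.

```python
"""Why the 1989 AIDS trojan was recoverable and RSA-based ransomware is not.
Added illustration, not the malware's code: stand-in payloads and a toy key."""
import hashlib
import os

KEY_TAG = b"KEY:"   # constructed marker: where the stand-in payload stores its key


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Symmetric keystream cipher: XOR with SHA-256(key || block counter).
    Encrypting and decrypting are the same operation with the same key."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


# --- 1989 model: one symmetric key baked into the program --------------------
def build_symmetric_payload(key: bytes) -> bytes:
    """Stand-in for an AIDS-style binary: the key it encrypts with ships inside it."""
    return b"\x90" * 16 + KEY_TAG + key + b"\x00" * 8 + b"PC Cyborg Corporation"


def carve_key(payload: bytes, key_len: int = 16) -> bytes:
    """Analyst's recovery: read the key straight out of the sample."""
    start = payload.index(KEY_TAG) + len(KEY_TAG)
    return payload[start:start + key_len]


def recover_symmetric_era(plaintext: bytes) -> bytes:
    key = b"\x13\x37" * 8                      # assumed fixed key carried by the payload
    ciphertext = stream_xor(key, plaintext)    # what the victim is left with ...
    payload = build_symmetric_payload(key)     # ... plus the malware itself
    return stream_xor(carve_key(payload), ciphertext)   # decrypt without paying


# --- 2006+ model: per-victim file key wrapped with the attacker's RSA public key
# Toy RSA with ~20-bit primes (assumption: small enough to factor in well under a
# second; a real 660- or 1024-bit modulus differs only in scale).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: stays on the attacker's side


def rsa_wrap(fek: bytes, n: int = N, e: int = E) -> list:
    """Textbook RSA over 32-bit chunks of the file key (each chunk < n)."""
    return [pow(int.from_bytes(fek[i:i + 4], "big"), e, n) for i in range(0, len(fek), 4)]


def rsa_unwrap(wrapped: list, d: int, n: int = N) -> bytes:
    return b"".join(pow(c, d, n).to_bytes(4, "big") for c in wrapped)


def build_asymmetric_payload() -> bytes:
    """Only the public half (N, E) ships in the binary; D never does."""
    return b"\x90" * 16 + b"PUB:" + N.to_bytes(8, "big") + E.to_bytes(4, "big")


def factor(n: int) -> tuple:
    """Trial division: trivial for the toy modulus, hopeless for 660- or 1024-bit N."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("no factor found")


def recover_asymmetric_era(plaintext: bytes) -> bytes:
    fek = os.urandom(16)                       # fresh file key per victim
    ciphertext = stream_xor(fek, plaintext)
    wrapped = rsa_wrap(fek)                    # victim holds only this, never fek
    payload = build_asymmetric_payload()
    n = int.from_bytes(payload[20:28], "big")
    e = int.from_bytes(payload[28:32], "big")
    # Carving the binary yields (n, e) but no d: the only road back is factoring n.
    p, q = factor(n)
    d = pow(e, -1, (p - 1) * (q - 1))
    return stream_xor(rsa_unwrap(wrapped, d, n), ciphertext)


if __name__ == "__main__":
    print(recover_symmetric_era(b"patient record 10001"))
    print(recover_asymmetric_era(b"patient record 10001"))
```

    Run with Python 3.8 or newer (the modular inverse uses the three-argument
    pow). The wrapped key, not the file key, is what a victim actually holds, so a
    sample of the malware and the encrypted files together yield nothing without d
    once N is too large to factor; that is the whole of the change between the
    1989 and 2006 designs.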

  6. Ransomware History
    Encrypting ransomware returned to prominence in late 2013 with the propagation
    of CryptoLocker, which used the Bitcoin digital currency platform to collect
    ransom money.
    In December 2013, ZDNet estimated, based on Bitcoin transaction information, that
    between 15 October and 18 December the operators of CryptoLocker had procured
    about US$27 million from infected users.
    The CryptoLocker technique was widely copied in the months that followed,
    including by imitators trading on the CryptoLocker name.

  7. Ransomware History
    Q1 2016 – 300 %
    362,000 variants
    1,000 variants per day
    4,000 attacks per day
    $325 million USD

  8. Anatomy of ransomware

  9. Delivery Methods
    1. 93 % of phishing emails now deliver ransomware (Office macros, JavaScript attachments)
    2. Drive-by downloads - exploit kits (Angler, Neutrino, Magnitude, RIG, etc.)
    3. Vulnerabilities in client software (Flash, Java)
    4. Social networks
    5. USB sticks

  10. Industries Affected

  11. Ransomware in Health

  12. Why are hospitals perfect targets?
    1. Doctors are gods and don't let anybody tell them what to do
    2. If you have patients, you are going to panic much more quickly than if you are
    selling sheet metal.
    3. Have not trained their employees enough on security awareness
    4. Don't focus on cybersecurity in general; the primary concern is HIPAA compliance
    5. Have often paid the ransom to retrieve vital patient data quickly

  13. Potential impact of ransomware
    1. No email
    2. No access to patient records
    3. Lab work disrupted
    4. Pharmacy disrupted
    5. No CT scans
    6. Ambulances and patients turned away and sent to other hospitals
    7. Monitoring PCs impacted
    8. Potential public relations controversy
    9. No access to medical test results

  14. Examples (2015-2016)
    1. MedStar Union Memorial Hospital in Baltimore
    2. Methodist Hospital in Henderson, Kentucky (17,000 USD)
    3. 3 hospitals operated by Prime Healthcare Management, Inc. were forced to shut down
    systems (Chino Valley, Desert Valley and Alvarado Medical Center)
    4. Hollywood Presbyterian Medical Center (10 days of downtime; ransom initially reported
    as 3,000,000 USD, 17,000 USD actually paid)
    5. Kansas Heart Hospital (paid the ransom, only got partial access back)
    6. Ottawa Hospital
    7. Christopher Rural Health in Illinois
    8. Titus Regional Medical Center, Texas
    9. Lukas Hospital, Germany
    10. Premera Blue Cross, multiple locations
    11. King's Daughters' Health, Southwest Indiana

  15. Hollywood Presbyterian Medical Center
    • 10 days of downtime
    • Average cost of downtime: $7,900 USD per minute (over $113 million USD for the incident)
    • Est. cost of downtime from loss of CT scans alone: $1,000,000 USD
    • Cost of ransom: $17,000 USD
    • Manual workarounds took physicians twice as long
    • Hidden costs

  16. Case In Point
    • Possibly paid ransom
    • Legal costs
    • Notification costs
    • Restoring impacted assets costs
    • Internal/external communications costs
    • Overtime costs for IT personnel
    • Damage to reputation and brand
    • Regulatory penalties and fines
    • Increased compliance and audit costs
    • Lost trust from patients
    Sources: Intel Security analysis; Ponemon Institute’s Cost of Data Breach study; Modern Healthcare’s annual Hospital Systems Survey.

  17. Still Reportable Under HIPAA?
    Yes. A ransomware attack on a healthcare organization does have to be reported
    to HHS, since the data was still accessed by unauthorized individuals: under
    HHS guidance, ransomware encryption of ePHI is presumed to be a breach unless
    the organization can demonstrate a low probability that the PHI was compromised.

  18. Shit hits the fan...
    1. Isolate the infected machine
    2. Alert law enforcement (FBI, IC3, Canadian Anti-Fraud Centre)
    3. DON'T PAY THE RANSOM !!!!
    4. https://www.nomoreransom.org/
    5. Reimage
    6. Restore
    7. Pray
    8. Documented incident analysis and response

  19. An ounce of prevention is worth a pound of cure
    1. Awareness, Awareness, Awareness
    2. Backups
    3. Security Software
    4. Patch Management
    5. Network Segmentation
    6. Identity and Access Management
    7. Disaster Recovery Plan
    8. Policies and procedures
    9. http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf
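
    Slides 18 and 19 treat detection and isolation as checklist items; the
    following added example (mine, not code from the talk) shows the detection
    logic a file-server or endpoint rule would run. It parses constructed audit
    lines in an assumed "<timestamp> <user> <host> <op> <path>[ -> <new path>]"
    format and fires on three behaviours that separate an encryption run from
    normal work: a burst of renames that append one new extension, a dropped ransom
    note, and any touch of a decoy "canary" file. It then lists the hosts to
    isolate, which is step 1 of the response slide. The log format, the canary
    naming convention, the thresholds and the rule names are all assumptions.

```python
"""Behavioural detection of an encryption burst on a file share, plus the first
response action (which hosts to isolate). Added example; constructed log data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-server audit lines. Assumed format:
#   <ISO timestamp> <user> <host> <OP> <path>[ -> <new path>]
SAMPLE_LOG = """\
2016-10-24T09:00:01 nurse1 ws-17 WRITE /shares/radiology/ct-1001.dcm
2016-10-24T09:00:05 nurse1 ws-17 WRITE /shares/radiology/ct-1002.dcm
2016-10-24T09:03:40 nurse1 ws-17 WRITE /shares/radiology/ct-1003.dcm
2016-10-24T09:12:00 drsmith ws-42 RENAME /shares/records/p-10001.pdf -> /shares/records/p-10001.pdf.locky
2016-10-24T09:12:01 drsmith ws-42 RENAME /shares/records/p-10002.docx -> /shares/records/p-10002.docx.locky
2016-10-24T09:12:01 drsmith ws-42 RENAME /shares/records/labs-2016.xlsx -> /shares/records/labs-2016.xlsx.locky
2016-10-24T09:12:02 drsmith ws-42 WRITE /shares/records/_HELP_instructions.txt
2016-10-24T09:12:03 drsmith ws-42 RENAME /shares/records/~canary-do-not-open.xlsx -> /shares/records/~canary-do-not-open.xlsx.locky
2016-10-24T09:12:04 drsmith ws-42 RENAME /shares/records/p-10003.pdf -> /shares/records/p-10003.pdf.locky
2016-10-24T09:30:00 admin ws-01 RENAME /shares/records/old.pdf -> /shares/records/old-2015.pdf
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)(?: -> (\S+))?$")
NOTE_RE = re.compile(r"(help|decrypt|recover|restore|readme).*\.(txt|html?)$", re.I)
CANARY_MARK = "canary"          # assumption: decoy files carry this in their name
WINDOW = timedelta(seconds=60)
RENAME_THRESHOLD = 4            # same-extension renames per user+host per window


def parse(log_text):
    """Yield (ts, user, host, op, path, new_path_or_None) for well-formed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, host, op, path, new = m.groups()
            yield datetime.fromisoformat(ts), user, host, op, path, new


def appended_extension(old, new):
    """'.locky' for old -> old + '.locky'; None for an ordinary rename."""
    if new and new.startswith(old) and len(new) > len(old) + 1 and new[len(old)] == ".":
        return new[len(old):]
    return None


def detect(log_text):
    """Return (rule, user, host, timestamp) alerts in the order they fire."""
    alerts = []
    recent = defaultdict(deque)   # (user, host) -> deque of (ts, appended ext)
    fired = set()                 # (who, ext) pairs already alerted on
    for ts, user, host, op, path, new in parse(log_text):
        who = (user, host)
        if CANARY_MARK in path.lower() or (new and CANARY_MARK in new.lower()):
            alerts.append(("canary-touched", user, host, ts))
        if op == "WRITE" and NOTE_RE.search(path.rsplit("/", 1)[-1]):
            alerts.append(("ransom-note-dropped", user, host, ts))
        if op == "RENAME":
            ext = appended_extension(path, new)
            if ext is None:
                continue
            q = recent[who]
            q.append((ts, ext))
            while ts - q[0][0] > WINDOW:      # drop events older than the window
                q.popleft()
            same_ext = sum(1 for _, e in q if e == ext)
            if same_ext >= RENAME_THRESHOLD and (who, ext) not in fired:
                fired.add((who, ext))
                alerts.append(("mass-rename-" + ext, user, host, ts))
    return alerts


def hosts_to_isolate(alerts):
    """Step 1 of the response: the workstations whose sessions fired any rule."""
    return sorted({host for _, _, host, _ in alerts})


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for rule, user, host, ts in found:
        print(f"{ts.isoformat()} {rule:22} user={user} host={host}")
    print("isolate:", hosts_to_isolate(found))
```

    On the sample, the nurse's normal writes and the admin's one-off rename
    produce nothing, while the session on ws-42 trips all three rules within four
    seconds. The canary rule is the one to wire to an automatic share disconnect,
    since no legitimate process should ever rename a decoy file; the ransom-note
    pattern is the noisiest of the three (a file called "recovery-plan.txt" would
    match) and is better used to corroborate than to block on its own.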

  20. Future Trends – it's all about the money
    • It's not a malware problem, it's a criminal business: digital currencies and the dark web
    • Higher ransoms, shorter deadlines (Cryptoworm demands $1,000,000 USD within 8 hours)
    • Better delivery, higher returns
    • Getting personal – threatening to expose data
    • Ransomware as a service – business-like operations
    • Mobile devices, IoT, smart houses, cars

  21. Questions

  22. Thank You
    Eduard Gershfang
    [email protected]
    514-943-6106
    www.linkedin.com