In its January 2018 Cybersecurity Newsletter, the Department of Health and Human Services’ Office for Civil Rights (OCR) highlighted the rise in extortion attempts against healthcare organizations over the past two years. Ransomware attacks encrypt electronic health data, preventing healthcare providers from accessing the records they need to treat patients. Faced with the certain disruption of services and the cost of restoring access from backups, many entities simply opt to pay the ransom.
Paying the ransom can look like the faster route to recovering data compared with restoring from backups. Hancock Health took that view and paid 4 Bitcoin in ransom. There is, however, no guarantee that the data will actually be recovered. In 2017, some cybercriminals deployed wiper malware that mimics ransomware but keeps no key with which the encrypted data could ever be unlocked. Kansas Heart Hospital is another cautionary case: after it paid, the attackers did not restore access but instead demanded a second ransom.
Another type of cyber extortion involves stealing data and then threatening to publish it on the web unless the organization pays. The hacking group TheDarkOverlord has carried out many attacks of this type over the past two years. To reach the data, the attackers exploit vulnerabilities: brute-force attacks against weak passwords, misconfigured databases, and unsecured Amazon S3 buckets. As with ransomware, paying offers no assurance that the attacker will not publish the stolen PHI anyway, or that they will destroy their copies of it.
Cyber extortion is not limited to data theft and encrypting PHI to block access. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks flood computers and servers with traffic until they become unreachable, and the attacker demands payment to stop the attack, or to refrain from launching one.
Because attacks on healthcare organizations have proven relatively profitable, cybercriminals treat the industry as a favorite target. OCR reminds healthcare organizations to strengthen access controls and patch system vulnerabilities to resist cyber extortion.
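The brute-force attacks on weak passwords mentioned above, and OCR's reminder to strengthen access controls, both come down to noticing and stopping repeated failed logins against a PHI system. The following is an added example (not code from the OCR newsletter or from this article) of a sliding-window brute-force detector run over a few constructed authentication log lines. The log format, the host name ehr-portal, the user names and the source addresses are all assumed for illustration; the threshold and window are tunable parameters.

```python
"""Sliding-window brute-force login detection over constructed auth log lines.

Added example: flags any source address that accumulates `threshold` failed
logins within `window`, and separately flags a successful login from a source
that is still inside such a burst (the pattern of a weak password being
guessed). The log format below is assumed; nothing here comes from a real
product or from the OCR newsletter.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed syslog-like format:
#   <ISO timestamp> <host> auth: <FAIL|OK> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAIL|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one real burst (203.0.113.7) ending in a success, one
# source with a single failure (198.51.100.3), and one slow, spread-out set of
# failures (192.0.2.9) that should stay below the window threshold.
SAMPLE_LOG = """\
2018-01-12T03:00:00 ehr-portal auth: FAIL user=dba src=192.0.2.9
2018-01-12T03:00:01 ehr-portal auth: FAIL user=admin src=203.0.113.7
2018-01-12T03:00:03 ehr-portal auth: FAIL user=admin src=203.0.113.7
2018-01-12T03:00:05 ehr-portal auth: FAIL user=admin src=203.0.113.7
2018-01-12T03:00:08 ehr-portal auth: FAIL user=admin src=203.0.113.7
2018-01-12T03:00:10 ehr-portal auth: FAIL user=admin src=203.0.113.7
2018-01-12T03:00:12 ehr-portal auth: FAIL user=nurse1 src=198.51.100.3
2018-01-12T03:00:40 ehr-portal auth: OK user=admin src=203.0.113.7
2018-01-12T03:02:00 ehr-portal auth: FAIL user=dba src=192.0.2.9
2018-01-12T03:02:30 ehr-portal auth: OK user=nurse1 src=198.51.100.3
2018-01-12T03:04:00 ehr-portal auth: FAIL user=dba src=192.0.2.9
2018-01-12T03:06:00 ehr-portal auth: FAIL user=dba src=192.0.2.9
2018-01-12T03:08:00 ehr-portal auth: FAIL user=dba src=192.0.2.9
"""


def parse(line):
    """Parse one line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Scan chronologically ordered log lines.

    Returns (alerts, compromised):
      alerts      -> {src: timestamp of the failure that crossed the threshold}
      compromised -> {(src, user)} for a successful login while the source still
                     has >= threshold failures inside the window
    """
    recent = defaultdict(deque)  # src -> failure timestamps within the window
    alerts = {}
    compromised = set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        q = recent[src]
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ts)
            if len(q) >= threshold and src not in alerts:
                alerts[src] = ts
        elif len(q) >= threshold:
            # A success on the heels of a burst: the guessed password worked.
            compromised.add((src, ev["user"]))
    return alerts, compromised


if __name__ == "__main__":
    found, hits = detect_bruteforce(SAMPLE_LOG.splitlines())
    for src, ts in found.items():
        print(f"brute-force burst from {src} at {ts.isoformat()}")
    for src, user in hits:
        print(f"likely compromised account: {user} from {src}")
```

The window is what separates this from a naive "count failures per address" rule: the slow source 192.0.2.9 never has more than one failure inside any 60-second span, so it is not reported, while the burst against admin is flagged at its fifth failure and the later success from the same address is reported as a probable account compromise. In production the same logic would feed an account lockout or an alert, and the threshold would be set from the system's normal failure rate.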