Issue link: https://securitytechnologyexecutive.epubxp.com/i/690996
6 SECURITY TECHNOLOGY EXECUTIVE • May/June 2016 www.SecurityInfoWatch.com MY POINT OF VIEW B y Steve L as k y, Edi to rial Dire c to r If you have any comments for Steve Lasky regarding this or any other security industry-related issue, please e-mail him at slasky@southcomm.com. T he advancement of technology is certainly a dou- ble-edged sword and no better example of that is your organization's IP network. It can identify and authenticate both logical and physical access control transactions; stream and store vital video data; amass vast stores of informational data and records that are easily retrievable. Yet this work- horse of technology has vulnerabilities that seem to be uncovered almost every week by those dedi- cated to compromising your precious data. The twist now, however, is that these so-called "data pirates" not only can steal or hold your information hostage; they want you to pay them to get it back. This relatively new world of "ran- somware" attacks has affected several specific industr y markets, but none more devastatingly than the health- care sector. And the reason is simple. It's pure economics when you consider the black market value of private medi- cal records are usually worth almost 50-times more than your run-of-the- mill stolen credit card or social security number because they contain much more personal information. Accord- ing to a 2015 Ponemon report, crimi- nal attacks like ransomware are the new leading cause of data breaches in the healthcare indus- try and have risen 125 percent since 2010. Hospitals are being targeted because many lack the proper strategies and protocols to address these threats from the outset. When it comes to ransomware incidents there is often confusion since information is not covertly breached with the intent to steal but rather held hostage until officials pay to release it. The fact many hospitals fail to back up their patient data records or employ adequate network security make them more vulnerable. The US Department of Homeland Security (DHS) and the Canadian Cyber Incident Response Centre jointly released an alert1 on March 31st containing the following definition: "Ransomware is a type of malware that infects computer systems, restricting users' access to the infected systems. R ansomware variants have been observed for several years and often attempt to extort money from victims by dis- playing an on-screen alert. Typically, these alerts state that the user's systems have been locked or that the user's files have been encrypted. Users are told that unless a ransom is paid, access will not be restored. The ransom demanded from individuals varies greatly but is frequently $200–$400 dollars and must be paid in virtual currency, such as Bitcoin." There have been at least a half-dozen high- profile ransomware attacks on healthcare facili- ties already in 2016. Perhaps the most brazen to date was directed at MedStar Health, one of the biggest employers in the Baltimore-Washington region, with 10 hospitals and 250 area clinics. In late March IT staff detected malware on the sys- tem and took all networks offline, then bringing in cybersecurity specialists and the FBI. While this attack was in progress, the hospi- tal system was adversely affected turning away patients and delaying critical care and proce- dures. The ransom note demanded 45 bitcoins, or approximately $19,000, in exchange for a decryp- tion key that would unlock the Medstar systems. "In some ways, healthcare is an easy target: Its security systems tend to be less mature than those of other industries, such as banking and tech, and its doctors and nurses depend on data to perform time-sensitive, life-saving work. Where a financial-services firm might spend a third of its budget on information technology, hospitals spend only about 2 to 3 percent. If you're a hacker, would you go to Fidelity or an underfunded hospital? You're going to go where the money is and the safe is easiest to open," con- cluded John Halamka, the chief information offi- cer of Beth Israel Deaconess Medical Center in Boston in a recent Washington Post interview. The US Computer Emergency Readiness Team (US-CERT) within the DHS has established pre- ventative guidelines for combating ransomware attacks (https://www.us-cert.gov/ncas/alerts/ TA16-091A). It would be wise for all security pro- fessionals, not just IT staff, to understand the threat and know how to react in a crisis. ■ Healthcare Data Pirates Security Technology Executive (USPS 009-826), (ISSN 1946-8474, print; ISSN 2158-7078, online) is published fve times per year: February/March, May/June, July/August, September/October and November/December by SouthComm Business Media, LLC. 1233 Janesville Avenue, Fort Atkinson, WI 53538. Periodicals postage paid at Fort Atkinson, WI 53538 and additional mailing offces. POSTMASTER: Send address changes to Security Technology Executive, PO Box 3257, Northbrook, IL 60065-3257. Canada Post PM40612608. Return undeliverable Canadian addresses to: Security Technology Executive, PO Box 25542, London, ON N6C 6B2. Subscriptions: Individual subscriptions are available without charge in the U.S. to qualifed subscribers. Publisher reserves the right to reject non-qualifed subscriptions. Subscription prices: U.S. $31 per year, $62 two year; Canada/Mexico $52 per year, $93 two year; All other countries $77 per year, $144 two year. All subscriptions payable in U.S. funds, drawn on U.S. bank. Canadian GST#842773848. Back issue $10 prepaid, if available. Printed in the USA. Copyright 2016 SouthComm Business Media, LLC. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recordings or any information storage or retrieval system, without permission from the publisher. SouthComm Business Media, LLC does not assume and herby disclaims any liability to any person or company for any loss or damage caused by errors or omissions in the material herein, regardless of whether such errors result from negligence, accident or any other cause whatsoever. The views and opinions in the articles herein are not to be taken as offcial expressions of the publishers, unless so stated. The publishers do not warrant, either expressly or by implication, the factual accuracy of the articles herein, nor do they so warrant any views or opinions offered by the authors of said articles.