02/19/2016

When Hospitals Get Hacked

11:45 minutes

On Friday, February 5, staff at the Hollywood Presbyterian Medical Center noticed something out of the ordinary: They were having trouble logging into some of the hospital’s computers. They alerted IT, and soon discovered they were in the midst of an attack. Certain computer systems had been invaded by malware, encrypted, and taken for ransom. The price? Forty bitcoins, or $17,000 dollars, for a key to decrypt the system. Martin Fisher, the information security manager for a hospital system in Georgia, and Liviu Arsene, an e-threat analyst at Bitdefender, talk about how the hospital saved its computer systems, and what to expect from ransomware attacks in the future.

Segment Guests

Martin Fisher

Martin Fisher is Information Security Manager for a hospital system in Georgia.

Liviu Arsene

Liviu Arsene is Senior E-Threat Analyst at Bitdefender in Bucharest, Romania.

Segment Transcript

IRA FLATOW: This is Science Friday. I’m Ira Flatow. A little bit later in the hour we’ll talk about the diversity problems and gender bias in the tech industry. Do you work in tech? Have you encountered these problems? Or maybe your company is tackling these issues. Well we want to hear from you. Give us a call. Our number 844-724-8255, 844-SCI-TALK. Or tweet us at scifri if you work in the tech business and you’ve been involved in diversity or gender bias in the industry. Or maybe you’re a company that’s working against it. Give us a call, 844-724-8255. Tweet us at scifri.

But first, two weeks ago, on the night of Friday, February 5th, staff at the Hollywood Presbyterian Medical Center noticed something out of the ordinary. They were having trouble logging in to some of the hospital’s computers. They alerted IT and soon discovered they were in the midst of an attack. Certain computer systems had been invaded by malware encrypted and held for ransom. The price, 40 bit coins or $17,000, for a key to decrypt the system.

And although they did call the cops and the FBI is investigating, in the end the hospital decided to pay the $17,000 and get their data back. Sort of like the cost of doing business. A statement provided by the hospital says, that the incident “did not affect the delivery and quality of the excellent patient care you expect and receive from Hollywood Presbyterian”. Well is this the new normal now, paying ransom for your electronic records?

And why wasn’t the data backed up so the hospital could reload it into their computers? We weren’t able to get a Hollywood Presbyterian spokesperson to join us but we have someone who probably has lain awake at night worrying about this very scenario. Martin Fisher is an information security manager for a hospital system in Georgia. Welcome to Science Friday.

MARTIN FISHER: Glad to be here, Ira.

IRA FLATOW: Any theories of on how this malware got into the system?

MARTIN FISHER: There are so many different ways these things can show up in a system. It could be someone clicked on a link in an e-mail, clicked on a link on a website, the malware got delivered. And it just took off.

IRA FLATOW: Have you seen other cases of ransomware in action?

MARTIN FISHER: I have, both professionally and personally. Ransomware is a very growing method used by adversaries who are out there to make their quick big coins and move along.

IRA FLATOW: So this is something that’s happening in other hospitals that we may not have heard about. They just go and pay it because why?

MARTIN FISHER: For a lot of these hospitals– and it’s not just hospitals, it’s everywhere. I mean the reports that come out of police departments, that come out of pretty much every vertical, is this data gets encrypted. And you have then really one of two choices. If you have a system where you can restore from backup and it’s what’s called the recovery point. The point that you took the backup to the point now you can afford to lose that data. You do that. Otherwise you pay the ransom and hope that they give you the decryption key.

IRA FLATOW: Aren’t hospitals required to back up data by HIPAA security rules?

MARTIN FISHER: Yeah, the HIPAA security rule does require us to back data up. And I think hospitals do the best they can. But sometimes– I don’t know exactly what happened at Hollywood Presbyterian. I’m not even going to speculate. But with all the varied systems that hospitals have, and some of them are old, some of them are new, doing backups is hard. And sometimes IT systems don’t act the way that you should. And the cost and the time it will take them, even if they had a robust backup program, it may have actually been easier and cheaper to pay the $17,000.

IRA FLATOW: Could we be moving toward just the threat of blackmail? Just the threat of closing your system down? They haven’t even done it yet. You buy protection like they used to do when the racket.

MARTIN FISHER: That’s a great metaphor because a lot of what’s happening from the cybercrime site is organized crime. This is very similar to the guy who, you know, pulled you into the ally and said $5 or I’m going to beat you up. It may get to that point. We’re not seeing that now because really it’s a fire and forget thing for the adversary. They send out spam emails, someone clicks on it, they’re not sure who will. But when it does the malware phones home and says, hey, I just encrypted all the stuff. Here’s the key I created. And then they engage in a dialogue with the victim to see if they can extract the money.

IRA FLATOW: So your opinion on paying the ransom, the cost of doing business or are we encouraging criminals by doing it?

MARTIN FISHER: So my professional information security opinion is I hate the fact that people pay ransom. As a person who’s also in the health care industry and is interested in making sure systems come up quickly so we can serve patients effectively and not have patient safety issues, I totally understand why they made that choice.

IRA FLATOW: Yeah, I get it too. I’d like to bring on another guest now who just published a report on ransomware and how much people in different countries are willing to pay for the key to their data. Liviu Arsene is a senior e-threat analyst at the Bit Defender, a global security technology company in Bucharest, Romania. Welcome to Science Friday.

LIVIU ARSENE: Hello. Thank you for having me.

IRA FLATOW: You just released a report on ransomware surveying attacks around the world. Is it more common in some countries than others?

LIVIU ARSENE: Yeah, of course. Some countries are more prone to ransomware attacks like the US, Germany, or other popular countries in Europe. Mostly because people worry about their data and are more willing to pay to get it back.

IRA FLATOW: So how did the attackers set the price? Is it different from around? I mean $17,000 versus what around the world?

LIVIU ARSENE: Well its basically $17,000 versus how much you’re willing to pay. Usually these guys have a 24 hour time line in which if you don’t pay they actually rack up the time for 48 hours or 36 hours and then they just come up with a new price. They usually double it, triple it, and so on and so forth. But usually it sometimes goes up to $500, $600 for end users and for companies, as we’ve seen with the Hollywood incident, it may end up to be $17,000.

IRA FLATOW: But you don’t want to rack it up too high. You want them to pay the money, right?

LIVIU ARSENE: Exactly. You want to hook the victim for as long as you can. So you give them another chance and another chance to pay the ransom. Martin Fisher, the hospital has claimed that it doesn’t believe any patient records were compromised. But is there really any way to know if the hackers copy over some data for their own use? How do you know even they are not going to do this again?

MARTIN FISHER: Well these guys will definitely try it again with other people. I’m sure they’re trying it with thousands of other potential victims. As far as knowing whether or not data exfiltrated or not, that’s really going to be up to the experts that Hollywood Presbyterian brings in. They’re going to look at logs. They’re going to look at what happened and hopefully be able to detect if that data was actually exited the hospital.

IRA FLATOW: Liviu, can you just buy this ransomware program on the dark web somewhere?

LIVIU ARSENE: You’d be surprised to find out how cheap it is to buy yourself a ransomware kit. If I’m not mistaken we found one a couple of months back, used to be as high as $3,000 I think. And you can just buy your own ransomware kit and start delivering it to hundreds, potentially thousands, of victims. And make potentially hundreds of thousands of dollars in return. So for $3,000 investment you can end up making hundreds of thousands of dollars in ransom.

IRA FLATOW: Well why limit it to a hospital or a police department? Why not each one of us who has health care records? And then we get a phone call saying, hey, what’s it worth to you to keep it quiet?

LIVIU ARSENE: Well exactly. Everybody could be a potential victim as long as you do not take minimum precautions. For instance, you do not actually take good care of what you open doing your e-mails, for instance, links or attachments. And you could be infected at any point. You could even be infected while browsing the web, for instance, it’s called drive by attack.

IRA FLATOW: Now I understand there’s even a worse version of this called extortion ware. Is that right?

LIVIU ARSENE: Exactly. So the worst case scenario is they don’t actually– they don’t only encrypt the data but they also download it to the attacker control server. So after you pay the ransom, you’re like, OK, I got access to my data. But then the attacker comes over at you and says, OK, so if you pay us an additional amount of money we will make sure we won’t publish what we got from you online so that everybody else can see it. This could be potentially even more damaging for companies then end users.

IRA FLATOW: Martin, where does this end?

LIVIU ARSENE: I have no idea where this is going to end or how this is going to end. But what I do know is that the threat is definitely out there. These guys are definitely finding out new ways to monetize this. So it’s kind of like they’re making a lot of money out of us. And since 50% of us that are victims end up paying for these ransoms, we’re actually fueling this entire criminal activities with money.

IRA FLATOW: Martin, if we just backed up the data would that not help? I mean–

MARTIN FISHER: Absolutely. I mean, I think what you’re seeing in more and more companies as the ransomware has become a bigger and bigger issue, it’s forcing IT Groups to do more often, better backups, faster recovery times, faster restore times. And that’s how you end up dealing with this threat, is no one wants to pay the ransom. So instead a lot of IT groups are talking to their management team saying, hey– and you know, unfortunately Hollywood Presbyterian is going to be a cautionary tale of, do we want to be this news story? Most hospital administrations don’t. So what do we have to do to not to be that? And you’re going to see basic IT operations is really the key to having a secure environment. And my hope is that more hospitals will look at this and decide what they need to do.

IRA FLATOW: Liviu, what do you think each of us should do? Just not open strange e-mails, you said. Is anything else?

LIVIU ARSENE: Well this is at least a minimum degree of awareness that every user should have. At least in the home sector. I mean for every private user that has an email address, please make sure that once you open a new email attachment you’re sure that it comes from someone you know. For the business sector however, that’s an entirely different story. Because you can have your IT administrator or your security team set up different layers of securities that can prevent this type of threat from actually reaching an employee’s computer or at least executing on an employee’s computer.

IRA FLATOW: You know Martin, if we backed it all up to our iPhone it’d be pretty secure, wouldn’t it?

MARTIN FISHER: That’s the going theory.

IRA FLATOW: We’ll find out. Thank you both for taking time to be with us today. We’re joking but it’s a very, very important story to talk about. All the security that’s going on and being ready for extortion ware.

MARTIN FISHER: Thanks for the opportunity to be here.

IRA FLATOW: You’re welcome. Martin Fisher, information security manager for a hospital system in Georgia. Liviu Arsene is a senior e-threat analyst at Bit Defender, a global security technology company in Bucharest, Romania.

Copyright © 2016 Science Friday Initiative. All rights reserved. Science Friday transcripts are produced on a tight deadline by 3Play Media. Fidelity to the original aired/published audio or video file might vary, and text might be updated or amended in the future. For the authoritative record of ScienceFriday’s programming, please visit the original aired/published recording. For terms of use and more information, visit our policies pages at http://www.sciencefriday.com/about/policies.

Meet the Producer

About Christopher Intagliata

Christopher Intagliata was Science Friday’s senior producer. He once served as a prop in an optical illusion and speaks passable Ira Flatowese.

Explore More