Ransomware and Academic International Medicine

*Andrew C. Miller, Abbas M. Khan and Sophia Ziad*

#### **Abstract**

Healthcare is among the leading industries targeted by cyber-criminals. Ransomware exploits vulnerabilities to hijack target information technology (IT) infrastructures for monetary gain. Due to the nature and value of information, access to medical information enables cyber-criminals to commit identity theft, medical fraud, and extortion, and illegally obtain controlled substances. The utility and versatility of medical information, extensive centralized storage of medical information, relatively weak IT security systems, and the expanding use of healthcare IT infrastructure all contribute to an increase in cyber-attacks on healthcare entities. Research suggests that an individual's medical information is 20–50 times more valuable to cyber-criminals than personal financial information. As such, cyber-attacks targeting medical information are increasing 22% per year. This chapter explores the history of ransomware attacks in healthcare, ransomware types, ransom payment, healthcare vulnerabilities, implications for international health security, and means of institutional protection.

**Keywords:** information technology, cyber-attack, ransomware, healthcare

#### **1. Introduction**

Healthcare is among the leading industries targeted by cyber-criminals [1]. Malware, or malicious software, refers to programs designed to infiltrate computers without the users' consent, and includes threats such as viruses and ransomware. Ransomware, a version of malware, exploits vulnerabilities to hijack target information technology (IT) infrastructures for monetary gain. Health information is an attractive target for cyber-criminals, as research suggests that an individual's medical information is 20–50 times more valuable than personal financial information [1]. Access to medical information enables cyber-criminals to commit identity theft, medical fraud, and extortion, and illegally obtain controlled substances. The utility, versatility, and centralized storage of medical information, relatively weak IT security systems, and expanding use of healthcare IT (HIT) infrastructure all contribute to an increase in cyber-attacks on healthcare entities [1]. In fact, cyber-attacks targeting medical information are increasing ≥22% annually [1]. Depending on completeness, recency, and accuracy, a single patient's file may fetch hundreds to thousands of dollars on the Dark Web [2, 3]. In Australia, it has been reported that the medical card number of every citizen is for sale on the Dark Web [3]. Moreover, attack-associated costs are reported to cost \$1–3.7 million USD to clean up, with an average downtime cost per attack being \$141,000 USD [1, 4–6]. A study by IBM and the Ponemon Institute reported that cyber breaches in the United States (U.S.) cost up to \$6.2 billion per year and that almost 90% of hospitals have reported a data breach [7].

#### **2. Search strategy**

A literature search was performed of: China National Knowledge Infrastructure (CHKD-CNKI), Cochrane CENTRAL, CINAHL, Directory of Open Access Journals (DOAJ), Embase, Korean Journal Database (KCI), Latin American and Caribbean Health Sciences Literature (LILACS), IEEE-Xplorer, information/Chinese Scientific Journals database (CSJD-VIP), Google Scholar, Magiran, PsycInfo, PubMed, Scopus, Scientific Electronic Library Online (SciELO), Scientific Information Database (SID), TÜBİTAK ULAKBİM, Research Gate, Russian Science Citation Index (RSCI), and Web of Science (WoS). Relevant bibliographies were also searched. The search terms included the U.S. National Library of Medicine MeSH terms *hospitals* and *computer security*, as well as the terms *ransomware*, *cyber security*, *web security*, and *healthcare*.

#### **3. What is ransomware?**

Ransomware utilizes malicious software to infiltrate computer systems or connected devices to encrypt a user's files in order to carry out an extortion attack [8, 9]. Most commonly, ransomware infects a system when its user opens a compromised e-mail or visits a compromised website (i.e., drive-by downloads) [8]. Once downloaded, servers (i.e., web and e-mail), databases, end-user computers and removable media may become involved, including personal cloud storage services [2, 9]. The intended purpose of encryption is privacy, where someone with access to the encrypted data ("ciphertext") is unable to discern its contents in a readable form ("plaintext") [9]. There are two types of encryption, or cryptography: symmetric key and public key. In symmetric key cryptography, the sender and receiver use the same secret key to encrypt and decrypt the data. Public key cryptography uses a pair of keys: a public key (shared between both parties) and a private key (sender and receiver have their own unique private key) [9].

Ransomware uses a hybrid encryption system that combines the two cryptographies to create an asymmetrical cryptosystem in which data are encrypted using a randomly generated symmetric key, which is subsequently encrypted using a public key where one party has the corresponding private key [9]. The cyber-criminal uses the private key to decrypt the symmetric key in order to decrypt the data back into "plaintext" and sends the key back to the victim, who can then use it to regain access to their system [9].

Once encrypted, information becomes indecipherable and inaccessible. The user receives a pop-up notification demanding payment of a ransom (usually in untraceable digital currency such as bitcoin) in exchange for the decryption key [10]. Ransomware often does not destroy data, but rather locks up the data until a ransom is paid [11]. Even if the ransomware infection is removed, the data may remain encrypted [11]. It is important to note, however, that the mere infection of a machine with ransomware is not enough. The ransomware must communicate with a server to get an encryption key and report its results [11]. This requires a server hosted by a company that will ignore the illegal activity and guarantee the attackers' anonymity (called Bulletproof Hosting) [11]. These companies are often located in China or Russia [11]. Attackers also use proxy or virtual private network (VPN) services to further disguise their own internet protocol (IP) addresses [11]. Attack numbers have grown in part because malware authors have adopted an easy-to-use modular design of ransomware distribution [12]. This Ransomware-as-a-Service (RaaS) approach has become increasingly available, assisting technically naive attackers through simplistic distribution with phishing and exploitation kits, while employing a trustworthy business model [12]. RaaS is most easily accessed on the Dark Web [13], where prospective cyber-criminals are provided access to an affiliate console that walks them through receiving their ransomware exploit kit, configuring settings, selecting targets, and setting ransom rates [13]. Metrics on malware installations and success rates are also available [13].

#### **3.1 Ransomware types**

Ransomware can be divided into three basic types: crypto-, locker-, and wipe-ransomware (**Table 1**). Although crypto- and locker-ransomware represent the two main categories, current variants often incorporate traits from both [8]. Crypto-ransomware (the most common) encrypts both files and data [11]. Thus, infected files remain inaccessible if transferred to another device [11]. Critical system files are typically spared, enabling the device to continue functioning, as it may be needed to pay the ransom [11]. Additionally, crypto-ransomware prefers bitcoin due to the increased privacy of cryptocurrency. However, owing to worries over law enforcement, bitcoin anonymizers and laundering services have emerged.

Conversely, locker-ransomware (a less effective extortion tool) locks the device by creating a digital "locker" around the computer system to block access [8, 11]. However, unlike crypto-ransomware, the data stored on the device are typically untouched and can often be recovered by moving them to another functioning computer for access [11]. Moreover, users may be able to remove the locker-ransomware remotely and avoid paying the ransom [8]. However, if remote malware removal is unsuccessful, ransom payments are typically made through payment voucher systems or cryptocurrency [8]. For example, online betting services may accept the voucher codes as payment, subsequently transferring the money to prepaid debit cards [11]. Money mules are then used to withdraw the cash.

Wipe-ransomware first appeared in 2017 with the PetrWrap attack, which encrypted the target's master file table (MFT), forcing the operating system (OS) to reboot [14]. Unlike crypto- and locker-ransomware, the files encrypted by wipe-ransomware do not unlock after payment, effectively resulting in data loss [14].

**Table 1.** *Ransomware types and characteristics.*

| Ransomware type | Examples | Characteristics | Data recoverable by moving files to another device? |
|---|---|---|---|
| Crypto- | Cryptolocker, Cryptowall, CTB-Locker, KeRanger^a, Locky, Petya, Santana, TeslaCrypt, TorrentLocker, WannaCry | Encrypts files and data. Typically does not target critical system files, thereby allowing the device to function as it may be needed to pay the ransom | No |
| Locker- | Reveton | Creates a digital locker around the computer system to block the user's access. The data on the device are typically untouched | Possibly |
| Wipe- | PetrWrap | Encrypts files and data. Does not unlock files or device after ransom payment | No |

*^a Believed to be the first piece of ransomware to successfully infect Mac computers (running OS X).*

#### **3.2 Ransom payment**

Before 2005, online payment methods were less readily available. Victims were instructed to pay ransoms by sending checks to offshore accounts, SMS text messages, prepaid cards, or even premium rate telephone numbers that earned money for the attacker [11, 15]. However, these methods were risky since they were traceable. In 2008, the largely anonymous cryptocurrency bitcoin came into use, facilitating expansion of ransomware attacks [11]. The use of third-party holdings companies such as PayPal has provided additional payment avenues [15].

Since one's ability to pay may vary greatly by geography and local economy, ransomware uses dynamic geographical pricing. Once a computer or system is infected, the ransomware establishes contact with its command-and-control (C&C) server, reports the infected device's IP address, and the C&C server returns a price for the country associated with that IP address based on a prepopulated database [11]. Additionally, criminals more frequently target businesses than individual users owing to greater potential for ransom extraction. It has been reported that about \$10,000 USD may be the optimal business ransom as it is both low enough to pay, and low enough to generate reluctance on the part of law enforcement to investigate [11].

The decision whether to pay the ransom is critical. The U.S. Federal Bureau of Investigation (FBI) does not recommend paying ransoms, as only 50% of victims ultimately regain access to uncorrupted usable data. Further, ransom payment incentivizes attackers to continue exploiting healthcare targets [16]. Even so, an estimated 40% of organizations choose to pay the ransom in hopes of recovering data accessibility and mitigating further losses [17]. This may be more likely to occur if the hospital has a questionable backup and no business continuity [13].

Choosing not to pay, however, comes with the added costs of extended downtime and recovery, which may approach 23 times the ransom cost [6, 18]. Smaller organizations have been forced to close after not paying the ransom [19]. The FBI estimated that in 2016 alone, ransomware-associated monetary losses exceeded \$1 billion USD, with an average downtime cost per attack of \$141,000 [4–6]. Ultimately, the decision of whether to pay the ransom is an individual one and depends on the unique circumstances and stakes of every incident.

#### **4. Ransomware and healthcare**

The targeting of healthcare by ransomware dates to 1989, when the Harvard-trained evolutionary biologist Dr. Joseph L. Popp used malware to prey on scientists and organizations interested in early acquired immunodeficiency syndrome (AIDS) research [1, 11]. Dr. Popp, a World Health Organization (WHO) consultant and AIDS researcher himself, mailed 20,000 floppy disks containing ransomware to a group of attendees at the WHO's International AIDS conference [1, 11]. When inserted into the target's computer, the disk infected it with a virus (known as *AIDS Program*, *AIDS Trojan*, or *PC Cyborg*) that lay dormant until the 90th time the system was re-booted, at which point a note would appear on the screen asking for licensing fees to be paid while it encrypted and locked computer files [8, 12]. A \$189 USD ransom, to be mailed to a physical mailing address, was demanded to "renew the software"; otherwise users had to forgo further use of their computer [1, 8]. Although authorities apprehended Dr. Popp, his creation resulted in many derivatives that serve as a framework for modern cyber-criminals [1]. Over 15 years passed before the next instance of ransomware (GPCoder), which was delivered via e-mail [15]. Among the first major medical centers attacked was Hollywood Presbyterian Medical Center (2016), a 400-bed hospital in Los Angeles, California [1, 10, 11]. Rather than pay the initial \$3.7 million USD ransom, the hospital reverted to paper records until it was able to negotiate the decryption key ransom payment down to 40 bitcoins (about \$17,000 USD) [1, 10, 11]. However, this does not account for 10 days of lost revenue while the hospital's systems were inaccessible, nor for a damaged reputation in patient data security. Subsequent U.S. attacks have included academic, government, and private healthcare systems including: Alaska Department of Health Office of Children's Services (Anchorage, Alaska); Appalachian Regional Hospitals (Lexington, Kentucky); Berkshire Health Systems (Pittsfield, Massachusetts); Emory Healthcare (Atlanta, Georgia); Hancock Regional Hospital (Greenfield, Indiana); Heritage Valley Health System (Pennsylvania); Medstar (Baltimore, Maryland); Kansas Heart Hospital (Wichita, Kansas); Keck Medicine of the University of Southern California (Los Angeles, California); Los Angeles Health Department (Los Angeles, California); Methodist Hospital (Henderson, Kentucky); National Capital Poison Center (Washington, D.C.); Princeton Community Hospital (Princeton, West Virginia); J.W. Ruby Memorial Hospital of West Virginia University (Morgantown, West Virginia); University of Buffalo and State University of New York (Buffalo, New York); and Verity Medical Foundation (San Jose, California) [9, 10, 12, 20, 21]. Health insurance companies have also been targeted [7]. The Anthem Blue Cross insurance company (USA) had over 78 million medical records stolen in 2015 [7].

This problem, however, is far from constrained to U.S. entities; it is global. On May 12, 2017, the WannaCry ransomware, which utilized a stolen National Security Agency (NSA) tool targeting a vulnerability in the Windows OS (MS17-010), infected more than 300,000 computers in at least 150 countries [12]. Sixty trusts within the United Kingdom's National Health Service (NHS) experienced system-wide lockouts forcing at least 16 hospital closures, ambulance diversions, inability to access patient records, patient care delays (canceled appointments and elective surgeries), and function loss in connected devices such as MRI scanners and blood storage refrigerators [3, 21–23]. Five hospitals, including Barts Health (Royal London Hospital), one of the main trauma centers in London, had to close their emergency departments [7]. Similarly, the Singapore Health System experienced a breach of over 1 million patient records, including those of the Prime Minister [7].

#### **4.1 Why is healthcare vulnerable?**

The rise in healthcare attacks in the U.S. may be linked to the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 [24]. This identified healthcare organizations as potential cash cows for cyber-criminals. Prior to 2008, only 9.4% of hospitals had adopted a basic electronic health records (EHR) system [8]. By 2014, 75.5% of hospitals had adopted basic EHRs [8], and now approximately 95% use them [12]. Additionally, HIT including glucose meters, infusion pumps, and implanted medical devices are also connected to, and dependent on, the hospital's network [12]. Moreover, healthcare systems are twice as likely to have Flash (Adobe Inc., San Jose, USA) installed and three times as likely to have Java (Sun Microsystems, Santa Clara, USA) installed, two plugins that can be exploited by hackers [8]. Healthcare organizations have focused on healthcare rather than cyber security, and several issues have thus increased their vulnerability over time. While aiming to improve care efficiency, increasingly connected technology allowing for multiple ways to connect to easily accessible medical devices increases the likelihood of a breach [3]. Also, the interface between HIT systems and mobile general-purpose consumer devices (e.g., smart phones) increases the challenge of protecting protected health information (PHI). Moreover, no U.S. federal or state law requires encryption for PHI. Though encryption is encouraged, and often incentivized, nothing requires covered entities to utilize even the minimum standard of encryption [8]. Lastly, cyber-security funding is lacking, contributing to time lags between breach occurrence and detection [3].

Importantly, not all ransomware- and malware-generated traffic patterns are distinguishable from the normal traffic patterns generated by medical devices and systems with networking capabilities [21]. In this sense, both a malware encrypting a shared folder and an application compressing the same files have similar traffic patterns. Moreover, normal changes in the clinical environment may be misinterpreted as attacks if detection mechanisms adapt improperly [21]. Furthermore, malware developers are increasingly using encrypted traffic to avoid payload inspection [21]. Thus, achieving an acceptable balance between detection and false alarm rates remains challenging. A high false alarm rate may frustrate administrators and users, whereas a low detection rate may herald inefficacy.
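The ambiguity described above, that an archive job compressing a shared folder and malware encrypting it both produce bursts of high-entropy writes, can be made concrete with a small detection experiment. The following Python is an added example, not code from the chapter or its cited sources: it constructs three sample write streams (staff saving plain clinical notes, a backup job writing zlib-compressed notes, and mass encryption with `os.urandom` standing in for cipher output), scores each write by Shannon entropy, and sweeps a burst threshold to show how detection and false-alarm rates move together. The 7.5 bits/byte cut-off, the 60-second window, the stream sizes and the note format are assumptions chosen for illustration.

```python
import math
import os
import random
import zlib
from collections import Counter

# Assumed cut-off: bytes with >= 7.5 bits/byte of entropy are treated as
# "opaque" (compressed or encrypted). A real deployment tunes this per site.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fake_note(rng: random.Random, lines: int = 200) -> bytes:
    """Constructed clinical-note file: readable text with varying vitals (low entropy)."""
    rows = [f"MRN {rng.randint(10**6, 10**7 - 1)} HR {rng.randint(50, 120)} "
            f"BP {rng.randint(90, 160)}/{rng.randint(50, 100)} SpO2 {rng.randint(88, 100)}%\n"
            for _ in range(lines)]
    return "".join(rows).encode()


def make_stream(kind: str, n_files: int, duration_s: float, seed: int):
    """Constructed list of (timestamp_s, payload) writes to a shared folder.

    'clinical'  - staff saving plain notes spread over the period
    'backup'    - an archive job writing zlib-compressed notes in a burst
    'encryptor' - mass encryption; os.urandom stands in for cipher output
    """
    rng = random.Random(seed)
    step = duration_s / n_files
    events = []
    for i in range(n_files):
        note = fake_note(rng)
        if kind == "clinical":
            payload = note
        elif kind == "backup":
            payload = zlib.compress(note, 9)
        elif kind == "encryptor":
            payload = os.urandom(len(note))
        else:
            raise ValueError(kind)
        events.append((i * step, payload))
    return events


def burst_alert(events, min_writes: int, window_s: float) -> bool:
    """Fire when >= min_writes high-entropy writes land inside any window_s span."""
    times = sorted(t for t, data in events if shannon_entropy(data) >= HIGH_ENTROPY)
    for i, start in enumerate(times):
        j = i
        while j < len(times) and times[j] - start <= window_s:
            j += 1
        if j - i >= min_writes:
            return True
    return False


def sample_entropies(seed: int = 1) -> dict:
    """Entropy of one constructed note in plain, compressed and random-byte form."""
    note = fake_note(random.Random(seed))
    return {"plain": shannon_entropy(note),
            "compressed": shannon_entropy(zlib.compress(note, 9)),
            "encrypted": shannon_entropy(os.urandom(len(note)))}


def sweep(thresholds=(5, 20, 40, 80), window_s: float = 60.0) -> dict:
    """Return {min_writes: (encryptor_detected, backup_flagged, clinical_flagged)}.

    Backup and encryptor each write 40 files in 20 s; clinical writes 40 over an hour.
    """
    streams = {kind: make_stream(kind, 40, 3600.0 if kind == "clinical" else 20.0, seed=7)
               for kind in ("clinical", "backup", "encryptor")}
    return {m: (burst_alert(streams["encryptor"], m, window_s),
                burst_alert(streams["backup"], m, window_s),
                burst_alert(streams["clinical"], m, window_s))
            for m in thresholds}


if __name__ == "__main__":
    for name, bits in sample_entropies().items():
        print(f"{name:>10}: {bits:.2f} bits/byte")
    for m, (det, fa, clin) in sweep().items():
        print(f"min_writes={m:>3}: encryptor={det} backup={fa} clinical={clin}")
```

Every threshold that silences the backup job also silences the encryptor, because entropy and write rate alone are identical between the two streams; the plain-text notes never trip the detector at all. A deployable detector therefore needs additional context (which process is writing, whether the writer is a scheduled job, whether the clinical environment changed) to separate the cases, which is exactly the detection-versus-false-alarm balance the chapter describes.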

Despite the growth of new technologies, many healthcare organizations persist in using legacy systems. For example, the use of Windows XP (not supported since 2014) by some facilities allowed WannaCry to avoid detection [3]. Additionally, the proprietary nature of medical device software may prevent HIT teams from accessing internal device software, resulting in reliance on manufacturers to design and maintain effective device security [3]. Facilities in low- and middle-income countries (LMIC) may be at added risk owing to their use of open-source EMRs whose security may not be rigorously maintained.

Lastly, outsourcing may play a role in healthcare organization vulnerability. Health insurance niche software and service vendors are offering outsourcing as a remedy for organizational cost controls [9]. However, offshore outsourcing companies are mostly self-regulated [9]. There is currently no standard as to how a healthcare provider may ensure that offshore business associates are adequately protecting the electronic PHI of their patients.

#### **4.2 Implications of international health security**

With the dominance of ransomware as a leading cyber-security threat, it is important to consider its impact on International Health Security (IHS) [25]. Many countries lack the legal infrastructure to prosecute such crimes. Globally, cyberattacks may result in substantial loss of resources, money, and life [26]. Although many security threats have emerged from LMIRs, many of these regions lag behind higher income regions in implementation of automated technologies and EMRs in the medical sector. That said, the IHS community is actively endeavoring to increase the availability and use of these technologies in LMIRs [27]. Thus, with falling costs and rising availability and implementation, HIT security will have an increasingly important role in IHS in upcoming years.

Traditional charting and management methodologies are steadily being replaced with digital ones. Technologies including digital algorithms and artificial intelligence are increasingly being used to monitor and coordinate threat responses [28, 29]. The IHS community has come to increasingly rely upon digital global surveillance networks such as the ProMED-mail (PMM) Network and the World Health Organization's (WHO) Global Outbreak Alert & Response Network (GOARN), systems that help organizations improve coordination speed and response time to temper the impact of international infectious disease outbreaks [30–32]. These systems are often used by IHS networks and volunteers in the field and, if compromised, could become a portal of entry for cyber-attack [31]. The attacks on the United Kingdom's NHS demonstrate that even large state-sponsored institutions are not immune to cyber-attack [33].

Laboratory security is another important aspect for IHS, as the use and storage of sensitive pathogens make them attractive targets for attacks [33]. For this reason, the Global Health Security Agenda (GHSA) was created to help increase investment in global health security. GHSA is a 67-nation effort that hopes to increase the availability of laboratory systems for IHS use [34, 35].

| Dimension | Role | Recommendation |
|---|---|---|
| Hardware and software | Leadership | • Establish a Board-Level Information Technology (IT) Committee |
| | | • Hire a Chief Information Security Officer (CIO) |
| | | • IT security should be under the control of executives with extensive IT experience (e.g., CIO) |
| | Physical safeguards | • Buildings and equipment access to protect against unauthorized access and theft |
| | Prevention and preparation | • Perform regular back-ups. Store 1 copy off-line |
| | | • Consider tools such as ShieldFS© or Redemption to create real-time safe-guarded copies of attacked files |
| | | • Maintain a "gold image" of system configurations; this allows one to reset systems to the pre-attack state |
| | | • Test the backup's restore function regularly (e.g., quarterly or yearly) |
| | | • Patch management for operating system, application software, browsers, plug-ins, firmware, and anti-virus software |
| | | • Encrypt sensitive practice data |
| | | • Make sure the firewall is properly configured |
| | | • Segment the network by categorizing IT assets (e.g., desktops, servers, routers), data, and personnel into groups, and restricting access to these groups using entry and exit traffic filtering |
| | Incident response | • Disconnect the infected computers from the network |
| | | • Turn off wireless network functionality of the infected machine |
| | | • If widespread, shut down all network operations to prevent further spread |
| Clinical content | Intrusion detection | • "Whitelist" or allow only specified programs to run, while blocking all others, to prevent malicious executables from running |
| User interface | Education | • Legitimate messages should have a telephone number someone can call (i.e., out of band check), and a personal e-mail address that has a legitimate username that people can check in their local directory; e-mail and website links should display the complete internet address (URL) to build trust |
| | Prevention and preparation | • Use a virtual private network (VPN) to create a secure connection, even on a public unsecured network |
| | | • Establish strict processes for removable media to prevent ransomware being brought into the closed network |
| | | • Web and e-mail filtering: block messages with attachments \*.exe, \*.zip, \*.rar, \*.7z, \*.js, \*.wsf, \*.docm, \*.xlsm, \*.pptm, \*.rtf, \*.msi, \*.bat, \*.com, \*.cmd, \*.hta, \*.scr, \*.pif, \*.reg, \*.vbs, \*.cpl, and \*.jar from suspicious sources |
| | Intrusion detection | • At the first sign of an alarm message, turn off the computer and report the incident to the IT support team immediately |
| People | Education | • Do not follow unsolicited Web links in e-mails |
| | | • Train users on ransomware prevention strategies, how to identify malicious e-mails, and to avoid clicking on potentially weaponized attachments |
| Identity and access management | Identity and access | • Dual-factor authentication |
| | | • Restrict users' administrative privileges on local desktops and laptops. For users who require administrative access, configure two accounts, one with administrative privileges that is used only when necessary, and one with more restrictive privileges that they use for routine activities, including reading e-mail and browsing the Internet |
| | | • Restrict the ability of users to "write" (i.e., create and delete files) on shared drives of departmental or group shares |
| | Intrusion detection | • Scan all software downloaded from the internet prior to executing |
| | Risk assessment | • Conduct simulated attacks to raise users' awareness |
| | Incident response | • System-wide password reset following a successful attack |
| Workflow and communication | Preparation | • Develop a Health Insurance Portability and Accountability Act (HIPAA)-compliant information security regimen |
| | | • Establish policies and processes for protection of HIT systems in smart working environments using cloud computing and teleworking |
| | Incident response | • Contact your organization's insurance provider, a computer forensics expert, and the FBI in the event of a successful attack |
| Internal policies, procedures and environment | | • Conduct mock system recovery exercises |
| | | • Conduct regular risk assessments and auditing |
| | | • More stringent version of the Unique User Identification Standard to prevent generic usernames and passwords |
| | | • Based on risk and business impact assessments, identify applications and data based on importance to the business (e.g., Tier 0—essential for business operations; Tier 1—1 hour downtime acceptable; Tier 2—1 day downtime acceptable; Tier 3—1 week downtime acceptable) |
| | | • Develop a plan to manage a ransomware situation accordingly |
| | | • Utilize the principle of "Least Privilege" to limit users' access to only those systems and services required by their job |
| External rules and regulations | | • Monitor the external environment for security incidents and address gaps and deficiencies as they are identified |
| Measurement and monitoring | | • Monitor network activity to identify suspicious activity |
| | | • Review any extended downtime (e.g., ransomware) to identify potential root causes, and discuss future prevention or mitigating procedures |

*HIT = health information technology.*

**Table 2.**

*An approach to preventing or mitigating ransomware attacks.*

#### **5. Protecting your institution**

As with most HIT issues, preventing a ransomware attack is a complex sociotechnical problem. Richard Schaeffer (2009), the U.S. National Security Agency (NSA) Information Assurance Director, testified to the U.S. Senate Judiciary Subcommittee on Terrorism, Technology and Homeland Security that 80% of all ransomware attacks could be prevented by adhering to security measures already in place [36]. In addition to a sophisticated encryption algorithm, ransomware attacks often rely on some form of "social engineering," or the psychological manipulation of people to gain their trust and lead them to divulge confidential information [15]. Solving these problems is a shared task between HIT users and those responsible for configuring, maintaining, and operating the HIT infrastructure. While preventing all ransomware attacks is not possible, there are several steps that healthcare organizations can take to reduce risk and mitigate harm (**Table 2**). Additionally, the U.S. Department of Health and Human Services (HHS) offers guidelines on the best policies for properly securing electronic PHI. The need to maintain software updates and patches cannot be overstated. For example, Microsoft Inc. had released a patch for the vulnerability exploited by WannaCry and NotPetya 8 weeks before the attack [8]. If systems had remained up to date, the impact of both malwares would likely have been significantly diminished.

Another approach to recovering from a ransomware attack without needing to pay a ransom is to copy a file when it is being modified, storing one copy in a protected area and allowing any changes to be made to the other [14]. ShieldFS© (NECSTLab, Milan, Italy) approaches this by creating a protected (i.e., read-only) copy of files when a process requests to modify or delete them [14]. If ShieldFS© determines that a process is malicious, the offending process is suspended and the copies can be restored, replacing the modified (encrypted) versions [14]. Redemption uses a similar approach, but its technique creates a copy of each of the files targeted by the ransomware and then uses the Windows Kernel Development framework to redirect (or "reflect") the write requests or filesystem operations (invoked by the ransomware to encrypt the target files) from the target files to the dummy copies in a transparent data buffer, hence leaving the original files intact [14].
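As an added illustration (not code from ShieldFS, Redemption or this chapter), the following Python sketch models the copy-on-write idea described above in user space: a protected copy is kept before any process modifies a file, a process whose overwrites look like bulk encryption is suspended, and its files are restored. The entropy threshold, the file-count trigger, the process IDs and the sample records are constructed assumptions.

```python
import math
import random
import zlib
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: English text sits near 4-5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class ShieldedStore:
    """In-memory file store with a protected shadow area (illustrative, not ShieldFS code)."""
    ENTROPY_THRESHOLD = 7.0  # assumed cut-off (bits/byte) for "looks encrypted"
    MAX_SUSPECT_FILES = 2    # assumed: the 3rd ciphertext-like overwrite triggers action

    def __init__(self, files):
        self.files = dict(files)
        self.shadow = {}                 # (pid, path) -> content before pid first touched path
        self.suspect = defaultdict(set)  # pid -> existing paths it overwrote with ciphertext-like data
        self.suspended = set()

    def write(self, pid, path, data):
        """Apply a write on behalf of pid; returns False once pid has been suspended."""
        if pid in self.suspended:
            return False
        existed = path in self.files
        if existed and (pid, path) not in self.shadow:
            # Copy-on-write: keep a read-only copy before the first modification.
            self.shadow[(pid, path)] = self.files[path]
        self.files[path] = data
        # Only overwrites of existing files count: a backup tool writing a fresh
        # archive also produces high-entropy data and must not raise a false alarm.
        if existed and shannon_entropy(data) >= self.ENTROPY_THRESHOLD:
            self.suspect[pid].add(path)
            if len(self.suspect[pid]) > self.MAX_SUSPECT_FILES:
                self._suspend_and_restore(pid)
        return True

    def _suspend_and_restore(self, pid):
        """Suspend the offending process and put back every file it modified."""
        self.suspended.add(pid)
        for (p, path), original in self.shadow.items():
            if p == pid:
                self.files[path] = original


# Constructed sample data: four fake patient records (no real PHI).
RECORDS = {f"/records/patient{i}.txt": (f"Patient {i}: BP 120/80, glucose 5.4 mmol/L\n" * 4).encode()
           for i in range(4)}
EDITED = b"Patient 0: BP 118/78, glucose 5.1 mmol/L\n" * 4


def simulate():
    """Constructed scenario: a clinician edits, a backup tool compresses, a ransomware-like process overwrites."""
    store = ShieldedStore(RECORDS)
    store.write(100, "/records/patient0.txt", EDITED)                                   # benign, low entropy
    store.write(200, "/backup/records.z", zlib.compress(b"".join(RECORDS.values())))  # high entropy, new file
    rng = random.Random(1)  # deterministic pseudo-random bytes stand in for ciphertext
    applied = [store.write(300, path, rng.randbytes(4096)) for path in RECORDS]
    return store, applied
```

The entropy heuristic is deliberately simple: a legitimate tool that encrypts or compresses files in place would trip it, which is the detection-versus-false-alarm balance discussed in Section 4.1.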

Lastly, any ransomware attack should immediately be reported to the appropriate authorities [37]. In the U.S., federal law dictates that any breach undergo a thorough and properly documented analysis to determine if any unsecured PHI was compromised [38–40]. For anything other than a low probability of PHI compromise, one must inform the U.S. Department of HHS as soon as possible, and no later than 60 days post-breach (when more than 500 persons' PHI is affected) [10, 37, 41].
