EDITOR'S NOTE: Edward Roche, in association with RACmonitor, is writing a series of articles on the need for U.S. healthcare facilities to protect themselves from cybercriminals demanding ransoms for patient records. This is the eleventh installment in the series.
Virtually all major healthcare organizations in the United States have reported at least one cyberattack.
Erie County Medical Center is a 550-bed facility located in upstate New York, in the City of Buffalo. A few weeks ago, all of the screens of the computer terminals connected to this Level I trauma center went black. Nothing could be turned back on. It was impossible to access any data.
The hospital received a message.
“What happened to your files? All your files (are) encrypted with RSA-2048 encryption. For more information, search in Google ‘RSA Encryption.’ How to recover files? RSA is a asymmetric cryptographic algorithm. You need one key for encryption and one key for decryption. So you need private key to recover your files. It’s not possible to recover your files without private key. How to get private key? You can get your private key in three easy steps: Step 1: You must send us 1.1 BitCoin for each affected record. 24 Bitcoins for receive all private keys for all affected records. Step 2: After you send us …”
The English has numerous syntax errors and grammatical mistakes.
In short order, the hospital received a demand for payment of 24 Bitcoin, the equivalent of $44,000. For criminals, the use of crypto-currency is favored because the flow of funds going directly from the payer to the payee moves in a highly encrypted form, and without any central bank, repository, or intermediary. It can be used anywhere, in any country, and through any information system connected to the Internet.
It is a very private way of sending and receiving payments, because without any intermediary, there is no place that law enforcement or tax authorities or anyone else can look to see a recording of the transaction. In the United States, your banking transactions are considered to be records easily obtainable by law enforcement, as are your telephone records under the pen-trap statutes. But with no records, there is nothing for law enforcement to obtain.
Crypto-currency does have a distributed ledger, whereby all transactions are recorded. This is called the “blockchain.” This public ledger is not maintained in a single place, but instead is passed around by a network of communicating nodes that run the bitcoin software. It is heavily encrypted.
Crypto-currency uses not a centralized database, but instead a distributed database. Every network node keeps a copy of the database. Everything is updated every 10 minutes. When a hospital sends $44,000 in Bitcoin to criminal “X,” this transaction is broadcast to the network of ledgers. The network nodes verify the transaction, then update all other nodes.
Crypto-currency transactions were being processed at the rate of 5,000 per month in 2009, but by 2011 the rate was around 60,000 per month. In 2013, the rate was 1,000,000 per month; and currently, the rate is approximately 10,000,000 per month. If the current growth rate continues, by 2020 the rate should be approximately 100,000,000 transactions per month.
Good luck finding the incriminating transaction in that fog – even if you could read it, which you can’t.
Erie’s Response to Cyber Extortion
Getting back to Erie County Medical Center – it was impossible for the trauma center to cease operation; patients kept coming in. Erie reverted to manual procedures. That is, everything was done with paper and pen. Has anyone run out to a store and tried to purchase carbon paper lately?
Then came time for the decision: “to pay or not to pay?”
The hospital hung tough. Its management decided not to pay.
What was the result? The hospital was forced to hire an ICT consulting firm to come in and completely rebuild its information system. Was it quick? No. It took six full weeks to get everything running again. Actually, it took six full weeks to build and install a completely new information system for the trauma unit.
The Calculus of Cyber Extortion and Ransomware
There is a calculus to cyber extortion. We might even say there is a “sweet spot” in the market. The extortion demand should be large enough to be significant and profitable for the extortionist, but low enough so that the victimized hospital can easily come to the conclusion that it would be cheaper to pay than to go through what it would require to rebuild its information system. As long as the extortion amount is lower than the rebuild cost, it is logical for the hospital to pay up. Actually, if the hospital purposefully chooses the most expensive alternative, it would be violating its fiduciary responsibility. As long as the extorters stay in this “sweet spot,” they can continue to milk the cow without killing it.
Extortion, after all, is a classical criminal activity. For a hospital, the objective is to avoid actual harm to itself or its patients, apart from extortion of money. After all, if cyber extortion took place, and payments were made but data not recovered, then future cyber extortionists would have no credibility. So successful cyber extortion depends on the reputation of the extortionist for doing what they say they will. That is, after the money is received, then the data really can be unlocked.
Other Forms of Cyber Terrorism
There could be a darker side to this. Experts worry that cyber criminals eventually may do more than simply extort money. What would be the likely pattern if the cybercriminal were a terrorist instead of an extortionist? Then the objectives would have completely changed. There is no need to extort money; instead, the objective is to do as much harm as possible, or even to murder as many as possible. In addition to taking innocent life, an additional objective of terrorism is to make society feel helpless, and even partially at fault itself.
Suppose, for example, that the electronic medical records of patients were hacked. With the correct application of numerous algorithms, it would be possible to change the amounts of prescriptions to either insufficient levels or to excessive levels; either could be fatal. Or surgery on the right side could become surgery on the left. Or tumors could be found where there are none, or hidden when they are metastasizing and deadly. Patients with high fever could be made to look normal. People with insufficient oxygen could be made to look flush.
Lab reports could be changed. Certain infections could be mischaracterized so that the wrong antibiotics are used. The list goes on and on. It is up to the imagination how much damage could be done.
The disheartening aspect of this is that this type of terrorism would have no need to become immediately visible. Like the “sweet spot” in the extortion market, the number of illegal acts could be kept high enough to be effective, but low enough not to be detected immediately. Hundreds of patients might be affected before someone realizes there are problems.
Taking Effective Cyber Security Measures
All across the United States, hospitals and other healthcare providers are in the midst of reassessing their cyber-security, but there is no easy answer, and no single methodology or technology that will address all of the inherent risks.
To a significant extent, all providers are different, and consequently, they all have different information systems. The result is that no one set of cyber security practices will fit every provider.
So the question becomes this: If there is no single cyber security methodology available that is universal enough to work for all providers, how can the auditing standards of the U.S. government be so uniform?
A deeper question is this: how can providers solve their cyber security issues using what in reality is at least a partially customized solution for each provider?
As highlighted in previous editions of this series, preparing for a cyber audit involves taking tangible steps to improve the security of your information system. But being secure is not adequate for the purposes of an audit.
Instead, it is necessary to be able to show documentation of everything you have done. In future issues of this series, we will go into greater detail about cyber audits and address the issue of how audits can be comprehensive enough to cover the vast range of healthcare providers, but at the same time flexible enough to accommodate the inherent differences between them.