What hospitals can learn from Hollywood Presbyterian's ransomware run-in

Gone are the days of ransomers taking on major risk to score an enormous payoff. Modern crooks can sit in front of computer screens, content in knowing that their exploits stand to net them huge sums of money with essentially no downside should they fail, exemplified by whoever brought Hollywood (Calif.) Presbyterian Medical Center's IT systems to a grinding halt Feb. 5 and cleaned up with a cool $17,000 for their work.

It sounds like a pretty good business, says Mike Overly, a Los Angeles-based lawyer with Foley & Lardner who specializes in information security.

"You can walk into a bank and hold it up, or you can send out thousands and thousands of these ransomware attacks at no cost whatsoever and essentially zero risk," Mr. Overly says. "And you've got the ability to demand untraceable revenue — bitcoins."

Ransomware isn't a new concept, according to Mr. Overly. The practice started to become somewhat prevalent in other industries, even historically well-protected sectors like finance, about 18 or 24 months ago, although it has existed for some time. Hundreds of millions of dollars per year are forked over to hackers, and many businesses are at the point where they factor ransom money into their costs.

"Combine that with the fact that there is almost zero likelihood of being caught, the technology requires no skills to use, and you have a perfect opportunity for organized criminals to use this as an incredible revenue mechanism," Mr. Overly says.

Healthcare has managed to remain mostly on the fringes of those hit hard by the attacks, until now. And there's a good reason why. Healthcare workers are generally a bit better prepared than staff in other industries, trained with confidentiality in mind. The same goes for healthcare IT systems themselves, which are usually a bit more secure for privacy purposes, Mr. Overly says. But those defenses are far from enough.

"You could probably pick the most sophisticated healthcare organization in the world and show up there tomorrow, walk into the cafeteria and lay a USB drive labeled 'radiology' on a table," Mr. Overly says. "I'd be willing to bet that by 5 o'clock that day, someone would have plugged that drive into a computer to see what it contained, and that would be it. They would be doing all the work for me, I could just leave it there and they would infect their own systems."

So what's the answer for hospitals that are increasingly targeted in these costly attacks? Doubling down on personnel training and education is a good place to start.

Investing in increased security measures is also ideal, but for Hollywood Presbyterian and Mount Pleasant, Texas-based Titus Regional Medical Center, which suffered a ransomware attack in January, the source of the problem was very likely user error, according to Mr. Overly.

"This is one of the reasons why we do a lot of training for healthcare organizations in particular to better educate their personnel on taking personal responsibility," Mr. Overly says. "One of the things we've found is it's very important for employees to understand information security both at work and at home. Studies show that getting better security awareness at home carries over into the workplace. We see many organizations developing personal information security rules and guidelines for employees that address best practices both at work and at home."

Although Hollywood Presbyterian's ransom was publicized as $3.6 million, the hospital only paid $17,000 to regain access to its medical records and IT systems, a sum that many would view as reasonable for a large organization. But there's a real danger to chalking that payout up to the cost of doing business.

"These are just going to get worse, not better. Demands are going to get higher, not lower," Mr. Overly says. "Yes, in this case they were able to settle it for a reasonable amount, but we're not going to see that continue. Hollywood Presbyterian is not the first nor will it be the last. The trend is upward, not downward."

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.