Portions of the hospital chain MedStar Health remain offline Wednesday as a result of a major malware attack that occurred Monday and crippled the hospital’s computer systems and forced one of the largest healthcare providers in Maryland and Washington, D.C. to turn patients away.
The healthcare provider said the attack forced it to shut down its three main clinical information systems, prevented staff from reviewing patient medical records, and barred patients from making medical appointments. In a statement issued Wednesday, it said that no patient data had been compromised and systems were slowly coming back online.
“Clinicians are now able to review medical records and submit orders via our electronic health records. Restoration of additional clinical systems continues with priority given to those related directly to patient care,” according to a statement released by MedStar.
While the hospital still won’t officially confirm the attacks were ransomware related, The Washington Post along with other news outlets are reporting that employees at the hospital received pop-up messages on their computer screens seeking payment of 45 Bitcoins ($19,000) in exchange for a digital key that would decrypt data.
The MedStar cyberattack is one of many hospitals in recent months targeted by hackers. Last week, Kentucky-based Methodist Hospital paid ransomware attackers to unlock its hospital system after crypto-ransomware brought the hospital’s operations to a grinding halt. Earlier this year Los Angeles-based Hollywood Presbyterian Medical Center paid 40 Bitcoin ($17,000) to attackers that locked down access to the hospital’s electronic medical records system and other computer systems using crypto-ransomware.
“Medical facilities don’t give security the same type of attention that other verticals do,” said Craig Williams, senior technical leader for Cisco Talos. “They are there to heal people and cure the sick. Their first priority is not to take care of an IT environment. As a result it’s likely the hackers have been out there for quite some time and realized that there are a lot (healthcare) sites that have a lot of base vulnerabilities.”
Details around the MedStar Health attack are still unclear, but Cisco Talos has recent found new samples of ransomware called SamSam that are targeting the healthcare industry. Unlike traditional ransomware samples that rely on users to click on a malware-infected email attachment or visit a compromised website, this new breed of ransomware is installed once attackers have exploited unpatched server vulnerabilities.
“We are seeing an escalation of the types and frequency of attacks against the healthcare verticals,” Williams said. In the case of SamSam, Williams explains Cisco Talos has documented attacks against additional unnamed hospitals where attackers leveraged JexBoss, an open source tool used by hackers for probing and exploiting flaws in JBoss application servers. This allows attackers to gain access to a hospital’s network and unleash SamSam.
Others within the security community say hospitals are being singled out because they collect a wealth of personal data and unlike other industries, such as financial and retail, people’s lives are on the line when it comes to a hospital.
In a scathing report released in February by Independent Security Evaluators, it concluded everything from hospital bedside patient monitoring systems, automated drug dispensing machines to patient records are inadequately protected.
“Hospitals are focused on things like HIPAA compliance and not enough on critical security vulnerabilities which, if exploited, could result in patient harm or fatality,” said Ted Harrington, executive partner with Independent Security Evaluators, in an interview with Threatpost.
But attitudes are changing within the healthcare industry, said Tom Hughes, director of alliances and strategic solutions at Ciber, a Colo.-based systems integrator that services a number of healthcare customers. He acknowledges entrenched budgets prioritizing life-saving medical devices often trump security spending.
“Healthcare providers are changing their attitudes fast,” Hughes said. “They are quickly realizing if they have to face expensive lawsuits related to patient data breaches and loss of revenue tied to ransomware attacks they are never going to be able to afford that $70,000 CT scanner they’ve been eying.”
MedStar Health didn’t reply to requests for an interview. According to post on its website, the hospital chain said it is moving toward full restoration of its systems. In the interim, patients are encouraged to talk to their health providers directly and not rely on computer systems.