Spring 2017 Newsletter ♦ Ransomware in Healthcare: A Quick Profit for Cybercriminals

by Rob Sobers, Director, Varonis

Healthcare providers have always been attractive targets for data breaches. Why? The value of a health record is high. According to Reuters, health records are 10 to 20 times more valuable than credit card numbers. Rather than stealing health records and trying to sell them on the black market, cybercriminals are using ransomware to turn a much quicker profit.

We’ve seen this play out in the past couple of weeks with a rash of hospital ransomware infections. While the average ransom price is about one or two bitcoins (~$1,000 USD), most hackers know that hospitals are willing to pay much more.

Healthcare providers depend heavily on medical systems with on-demand access to patient information. Without quick access to patient histories, medical images and directives, patient care gets delayed and lives are put at risk.

We’ve seen hospitals react to ransomware infections in different ways. Some hospitals have paid the ransom, while other hospitals restored their data from backup.

Regardless of how the hospital handled the threat, the main effect of ransomware has been downtime. It’s been reported that after an infection, some hospital employees were forced for over a week to use pen and paper to enter patient data. Fax machines and phones were used to relay patient information. Patients were diverted to other hospitals. For safety reasons, high-risk surgeries were pushed to later dates.


The U.S. Department of Homeland Security and the Canadian Cyber Incident Response Centre issued a threat alert in March of 2016 regarding the use of Locky and Samas ransomware against healthcare organizations.

Both are extremely potent, and you wouldn’t want either one to attack your organization. Locky encrypts data on local drives and unmapped network shares, whereas Samas encrypts your entire network.


After a ransomware infection, your hospital is on the clock to pay within 72 hours. Sometimes, you might have more time, but that also means that your ransom amount increases.

Cybercriminals are good businessmen. They’ve done the math and set a ransom so that the results will be in their favor. Their demand for a smaller hospital is a few hundred dollars, whereas a bigger hospital’s ransom is a few thousand dollars. Once the hospitals do the math, the most efficient and fastest route is to pay because lives are at stake.

One hospital that paid the ransom said, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key.”


However, even if you pay, you might not get your files back. These are unscrupulous criminals, and they might have copied the health data and sold it on the dark web. Remember, health records are valuable. No one says an extortionist has to honor his word.

Some hospitals that were hit with ransomware were able to restore their files from a backup. This was fairly easy since they only had one server to deal with.

Before you decide to restore from backup, here are three things to think about:

  • Ransomware encrypts slowly: Ransomware variants like to slowly encrypt files before displaying a ransom note. If you’re thinking about ‘simply’ restoring from backup, also think about how long it would take before you even found out that your data had been encrypted.
  • Calculate how much downtime your hospital can handle: If you have working backups, figure out how long it would take to restore terabytes of data. You should also figure out how it impacts your agreements: Operational Level Agreement (OLA), Service Level Agreement (SLA), Projected Service Availability (PSA), Projected Service Outage (PSO), etc.
  • Ransomware now deletes, destroys and/or encrypts your backups: The idea that backups are beyond ransomware’s reach is not true anymore. Locky, the strain that’s been targeting healthcare providers, now deletes all the volume shadow copies on the machine so that they cannot be used to restore the victim’s files. Expect your backups to be deleted or encrypted.


Would ransomware infection be considered a breach, according to HIPAA?

Under HIPAA, covered entities have to report a breach to the Department of Health and Human Services—see their wall of shame—if PHI from more than 500 records has been exposed to unauthorized persons.

Some have said that since ransomware locks data (encrypts it and makes it unusable) and therefore doesn’t expose it to unauthorized users, hospitals aren’t required to report it under data breach notification rules. However, Lesley Cothran, a Public Affairs Specialist for the US Department of Health and Human Services, released a statement regarding ransomware as it relates to HIPAA: “Under HIPAA, an impermissible use or disclosure of protected health information is presumed to be a breach (and therefore, notification is required) unless the entity demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment…”

Are there other potential HIPAA violations?

HIPAA’s Technical Safeguards (see this primer) are one of the foundations underlying the data security regulations that companies are supposed to be following. CFR Part 164.312 section C(1) expresses the Integrity standard of PHI: it states you should have in place policies and procedures to protect electronic protected health information from improper alteration or destruction.

If you have a backup and can completely restore the locked PHI, it would appear you would not be in violation. If you don’t, you might have some explaining to do to a government auditor.

If you are in violation, HIPAA asks you to do a risk assessment (see this Administrative Safeguards primer) and then update your controls. So even if you survived this attack, you’ll need to address the issue of how the attackers got in and accessed the PHI, and then put in place procedures to either prevent or reduce the risks (see CFR 164.308(a)(1)).


When ransomware started showing up, a lot of companies turned to endpoint security solutions in the hope that they would detect and stop crypto-malware. However, the industry is catching on to the fact that signature-based antivirus software cannot cope with new strains of ransomware that aren’t catalogued, or with malware-less ransomware that sneaks past malware blockers.

The alternative solution is to look at behavior-based analytics. Northeastern University’s latest ransomware research paper, Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks, analyzed 1,359 ransomware samples and found that a “close examination on the file system activities of multiple ransomware samples suggests that by… protecting Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.”

User Behavior Analytics (UBA) is an essential ransomware prevention measure. UBA compares what users on a system are normally doing (their activities and file access patterns) against the non-normal activities of an attacker who’s stolen internal credentials. First, the UBA engine monitors normal user behavior by logging each individual user’s actions: file access, logins, and network activities. Over time, UBA derives a profile that describes what it means to be that user. Sophisticated UBA solutions can also trigger scripts off anomaly alerts and shut down users who show signs of infection, preventing the spread across the network.
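The profile-then-compare idea described above can be shown in a few lines. This is an added example, not code from the article or from any UBA product; the log format (`timestamp user action path`), the user names, the one-minute window and the thresholds are all assumptions, and the events are constructed sample data.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

def bucket_counts(events):
    """Count file modifications per user per one-minute window."""
    counts = defaultdict(Counter)
    for line in events:
        ts, user, action, _path = line.split(maxsplit=3)
        if action in ("MODIFY", "RENAME"):
            minute = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
            counts[user][minute] += 1
    return counts

def build_profile(counts, min_sigma=1.0):
    """Per-user baseline: mean and spread of modifications per window."""
    return {u: (mean(c.values()), max(pstdev(c.values()), min_sigma))
            for u, c in counts.items()}

def find_anomalies(profile, counts, k=4.0, unknown_limit=20):
    """Flag windows where a user's rate exceeds baseline mean + k * sigma."""
    alerts = []
    for user, windows in counts.items():
        for window, n in sorted(windows.items()):
            if user in profile:
                mu, sigma = profile[user]
                limit = mu + k * sigma
            else:
                limit = unknown_limit  # no baseline yet: fixed ceiling (assumed)
            if n > limit:
                alerts.append((user, window.isoformat(), n))
    return alerts

def sample_log(day, user, per_minute):
    """Constructed events: per_minute[i] modifications in minute i."""
    return [f"{day}T09:{m:02d}:{s % 60:02d} {user} MODIFY /share/records/f{m}_{s}.dat"
            for m, n in enumerate(per_minute) for s in range(n)]

# Constructed sample data: a normal day, then a day with a burst of writes.
BASELINE = (sample_log("2017-03-01", "nurse_a", [3, 5, 4, 6, 2])
            + sample_log("2017-03-01", "clerk_b", [10, 12, 9, 11, 8]))
TODAY = (sample_log("2017-03-02", "nurse_a", [4, 5, 180, 210])
         + sample_log("2017-03-02", "clerk_b", [11, 9, 12, 10]))

if __name__ == "__main__":
    profile = build_profile(bucket_counts(BASELINE))
    for alert in find_anomalies(profile, bucket_counts(TODAY)):
        print("ALERT", *alert)
```

Because the limit is relative to each user's own history, the clerk's steady ten or so writes per minute stay quiet, while the nurse account's jump from about four to 180 is flagged in the first minute of the burst.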


HIMSS SoCal appreciates Rob Sobers’ contribution to this Quarter’s Newsletter. Rob Sobers is a Director at cybersecurity firm Varonis. He has been writing and designing software for over 20 years and is co-author of the book Learn Ruby the Hard Way, which has been used by thousands of students to learn the Ruby programming language.

Rob may be contacted at rsober@varonis.com
