By DAN GOLDBERG and ADDY BAIRD 04/14/16 05:30 AM EDT
Amid a flurry of cyber attacks in which hackers have demanded ransom payments from health systems, a top executive at Northwell Health met with FBI officials and federal prosecutors on Wednesday to discuss how law enforcement can help combat this persistent and growing threat.
Northwell Health, the largest private employer in the state, is attacked unsuccessfully millions of times each month by computer programs and programmers looking for a way into their system, said John Bosco, the company’s senior vice president and chief information officer.
Northwell is hardly unique. Health systems have for some time been favorite targets for bad actors looking to steal patients’ personal information, and, increasingly, for ransom attacks that offer to restore files only after financial demands are met.
“It’s getting worse all the time,” Bosco said. “[Attacks] are getting more sophisticated and more frequent. Right now, they feel like they are at a peak.”
High-profile hacks have made headlines in recent weeks. In February, Hollywood Presbyterian Medical Center paid $17,000 in bitcoins to regain control of their computer systems. In March, MedStar Health Inc., which employs more than 30,000 people and treats hundreds of thousands of patients in the Washington, D.C. region, was the victim of a ransom demand, and the culprits demanded $19,000 to restore the files. MedStar denied paying any ransom.
That same week, San Diego-based Alvarado Hospital Medical Center was hit, the third hospital owned by Prime Healthcare Services to be attacked in March. Chino Valley Medical Center and Desert Valley Hospital were also attacked, but none is known to have paid any ransom.
U.S. Senator Barbara Boxer, a Democrat from California, recently sent a letter to FBI director James Comey asking what law enforcement was doing to prevent these attacks.
“I am concerned that by hospitals paying these ransoms, we are creating a perverse incentive for hackers to continue these dangerous attacks,” she wrote.
In New York, home to some of the nation’s largest health systems, most experts agree it is a matter of when, not if, a major breach occurs.
“It is naive at this point to think you won’t have some kind of attack,” said Jennings Aske, vice president and chief information security officer at New York-Presbyterian.
Presbyterian, he said, is unsuccessfully attacked thousands of times every week. Some of those attempts are just pokes at the firewall to see if a port is open, while others are more insidious.
“Everybody should assume they are under attack,” said Daniel Barchi, chief information officer at Presbyterian.
Barchi said Presbyterian, like most major health systems, works to educate its employees so that they can suss out scams. They also have mechanisms in place to prevent catastrophe should an employee click on a malicious link, he said.
Not all of these are ransomware attacks, the kind that threaten to corrupt files or deny access to an electronic medical records system until a payment is made. Many hackers are looking for personal information, which they can steal, sometimes without anyone knowing. Medical records are far more valuable on the black market than credit card numbers, in part because they allow for insurance fraud. So those types of theft remain more common, if less flashy.
Hospitals are hacked much the same way that anyone else is, said Brian Calkin, the vice president of operations at the Center for Internet Security, a cybersecurity firm in East Greenbush.
“What we tend to see is people running out-of-date software,” he said. “Malicious ads will infect the out-of-date software and the hospital’s systems are then vulnerable to attacks.”
In the case of targeted attacks on hospitals, doctors will receive emails with attachments or be directed to links asking them to enter information on a site that looks nearly identical to a website they regularly use, perhaps their own system’s human resources department. “It comes down to hoping your users do the right thing and don’t open those email attachments,” he said.
Bosco said Northwell sends out its own phishing emails to many of its 61,000 employees, looking to see what percentage click on something they shouldn’t. Employees who do click are shown a video educating them about their mistake.
The percentage isn’t as low as Bosco would like, he said, but he declined to give specifics.
Recognizing the severity of the threat, the Healthcare Association of New York State, a trade group, is convening a forum next week with cybersecurity experts from the Department of Homeland Security, the FBI, the NYPD and the New York State Police to discuss prevention strategies.
The proliferation of bitcoin, an untraceable online currency, has also made hacking more prevalent, and more lucrative.
Once a system is compromised, hackers direct hospital administrators to websites such as Coinbase, a bitcoin exchange that accepts bank transfers and credit cards so hospital administrators can convert dollars into bitcoins in order to pay hackers.
“These are, in general, economically motivated cyber criminals that are now generating seven-figure revenue,” said Jonathan Levin, the co-founder of Chainalysis, a New York-based start-up that focuses on building tools to prevent cyberattacks on financial institutions.
The best way to prevent a ransomware attack is to ensure that everything is backed up somewhere else, said Anita D’Amico, the CEO of Northport cybersecurity firm Code Dx.
“The hospital IT staff needs to ensure that mission-critical data is stored separately from other data and that it is routinely backed up, and stored off-line,” D’Amico said in an email. “If the hospital has its critical data backed up, then there is not much data to be held ransom.”
It’s too early to know whether Boxer’s fear — that paying the ransom encourages copycats — will be realized.
Some believe that identity theft is still a far more lucrative option. But others feel Hollywood Presbyterian’s public capitulation could begin a new wave.
“The attackers know there is precedence for getting what they want,” D’Amico said.