The news that as many as 500 million user accounts were hacked on Yahoo came roughly when I was typing..er…an email in my Yahoo account.
And I was just writing a story about the problems of hacking into healthcare organizations.
Yahoo may have been subjected to the worst data breach in history.
“The Yahoo hack is HUGE,” says Phil Richards, chief information officer for LANDESK, based in South Jordan, Utah. “The impact of that could be staggering.” LANDESK provides IT systems, security service and process management solutions for organizations worldwide.
The FBI is trying to untangle the Yahoo situation, while Congress may investigate, too.
While the Yahoo hack is multifaceted, Richards says there is an immediate and relatively simple lesson for those working in healthcare: watch out for re-used passwords, especially among patients.
“Many healthcare systems allow patients to log in to get a copy of their medical records, such as test or lab results, diagnosis reports, or prescriptions,” he says. “Humans, being somewhat predictable, often issue their credentials across multiple systems. If people used the same credential (user id and password) at a healthcare website, as they did for Yahoo, those credentials could be exposed.”
If you run a small hospital system or a doctor’s office, there are other concerns, too, such as hackers breaking into computer networks or demanding money from you to get rid of the infections, as happens with ransomware.
Ransomware is the fastest growing malware threat, targeting users of all types – from the home user to the corporate network. Obviously, healthcare isn’t the only target of hackers. Hackers deploying ransomware can target home users, businesses and government networks.
On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. That’s a 300 percent increase over the approximately 1,000 attacks per day seen in 2015, according to the United States Computer Emergency Readiness Team. Healthcare accounted for 88 percent of all detections in the second quarter of 2016, according to managed security provider Solutionary, says a report in Betanews.
In May, the Kansas Heart Hospital, in Wichita, KS, paid an undisclosed ransom after it was hacked. Once that occurred, officials there might have figured that was the end of it, a headache no longer to be suffered.
It wasn’t. The hospital was targeted a second time by a hacker. The hospital learned a lesson and said “no” the second time to the idea of paying a ransom.
“The policy of Kansas Heart Hospital in conjunction with our consultants felt no longer was this a wise maneuver or strategy,” the hospital said.
Richards says in his blog that professionals dread the day they get a call, like the one at Kansas Heart Hospital, that someone seeking a ransom has infiltrated a network and already “started encrypting files, drives, and network shares.”
“The hackers are seeing continued profit in ransomware, and with more severity and frequency,” Richards says. “We’re seeing the healthcare being attacked successfully across the board.”
Medical records at smaller hospitals are particularly vulnerable, especially where infrastructure to protect them is lacking. (Richards emphasizes that he was referring to healthcare providers generally, not to specific cases such as Kansas Heart Hospital, whose infrastructure he is not familiar with.)
“The nirvana would be to remove all profit potential from ransomware. That is likely not realistic, however,” Richards says.
The federal government and non-governmental organizations are strongly recommending against paying a ransom. Richards agrees and offers these observations:
- There is a possibility that you will not get the files back even after you pay.
- A perception may exist that you are ‘giving in’ to the bandits.
- “Bad actors” are encouraged to continue developing ransomware.
- A market perception may exist that your company doesn’t know how to handle security incidents.
In the security world, people are uncertain, worried and anxious about what to do next.
Ransomware can come about in some of the seemingly most innocuous ways. For instance, a physician may like what seems to be cool software he learned about at a conference and spread the word at his hospital or practice. Once the software is installed, it may bring nothing but trouble and serve as an entry point for ransomware. Or a hospital doesn’t its system as often as it should.
Many ransomware “(operatives) are well organized to quasi-organized, and most of the time not on U.S. soil, but from Russia,” Richards says.
Nothing is perfect, but you can take big steps to reduce the possibility of vulnerabilities that leave a system unable to withstand a specific attack, he writes. “The best way to protect your system is to make sure that the malware can’t get a foothold, and analyze your computer to find vulnerabilities,” Richards says. A great tool to improve awareness has been established by an inter-agency government task force that offers technical guidance on protective measures against ransomware.
Vulnerabilities can include:
- A weak password.
- A computer in a public place that hasn’t been locked.
- An application that hasn’t been patched. Defects in software that require patching, he said, are tracked in the National Vulnerability Database.
A glaring example of how vulnerabilities are exploited, he says, can be seen in the behavior of exploit kits. Exploit kits are the second most common way for malicious actors to gain a foothold within an organization, just behind phishing.
Exploit kits are sold on the cybercrime black market to gain control of unsuspecting consumers, Richards says.
The hacking can start when an employee in your organization goes to a website.
Recently, Richards mentioned in his blog a new threat: Betabot, a highly sophisticated piece of ransomware that has the ability to circumvent most of the technology devised to detect it. “The net effect is that the malware will skate through the perimeter defenses and infect the workstations within your network without being detected,” he says.
Ultimately, hospital systems and physician practices must protect their health records. “This is part of treating patients,” Richards says, “and the priority is to secure the records.”