Resolving a hospital ransomware infection may not be as easy as paying the attackers’ ransom demand, as was shown by the Kansas Heart Hospital ransomware attack last week.
Hospital Ransomware Infection Not Removed After Ransom Paid
The Kansas Heart Hospital ransomware attack which occurred last week was the latest in a string of attacks on healthcare organizations in the United States. Ransomware was accidentally installed on a hospital worker’s computer and files were locked and prevented from being accessed.
A ransom demand was received demanding payment for decryption keys to unlock the infection. The decision was taken to pay the ransom to resolve the hospital ransomware infection quickly.
After the ransom was paid, the attackers did not make good on their promise and failed to unlock all of the files. Some Instead the hospital was issued with a second ransom demand.
In this case, the initial ransom demand was relatively low. Ransomware attackers typically demand a fee of approximately $500 per device to unlock an infection. If multiple computers have been infected, that figure is then multiplied by the number of devices that need to be decrypted.
Ransomware locks each individual machine separately, and a different key is required to unlock each one. Otherwise a victim could pay up and then publish their key and no one else would be required to pay.
Kansas Heart Hospital did not disclose how much was paid, but this could well have been the fee to unlock a single machine. However regardless of the amount, the incident shows that even if a ransom is paid there is no guarantee that the attackers will play ball and make good on their promise. Further demands may be made from more Bitcoin. Resolving a hospital ransomware infection may not necessarily mean just paying the ransom demand.
Healthcare Industry Under Attack
Over the past few months the healthcare industry has come under attack from criminals using ransomware. Some authors of ransomware have taken steps to prevent healthcare providers’ computers from being attacked by their ransomware by including checks to determine the environment in which the ransomware has been installed. However, not all attackers feel they have a moral responsibility to prevent attacks which could cause people to come to physical harm.
Hollywood Presbyterian medical center, Alvarado Hospital Medical Center, King’s Daughters’ Health, Kentucky’s Methodist Hospital, California’s Chino Valley Medical Center and Desert Valley Hospital, and MedStar Health have all been attacked with ransomware this year.
That list is likely to continue to grow. Hospitals and medical centers are attractive targets for ransomware gangs. Many healthcare organizations have under-invested in cybersecurity measures to protect their networks and many hospital employees have not received extensive training in security awareness. This makes it easy for attackers to install ransomware.
Furthermore, if patient data are locked this can have a negative effect on patient health. If patients are at risk of harm, organizations are much more likely to respond to ransom demands and pay up to ensure patients do not suffer. If patients are harmed as a direct result of poor investment in cybersecurity or mistakes that have been made by healthcare employees, healthcare organizations are likely to face lawsuits that could result in damages far in excess of the ransom being demanded.
With attacks likely to continue, healthcare providers must take steps to prevent ransomware attacks from occurring, and develop policies that can be implemented immediately upon discovery of a ransomware attack. As the Kansas Heart hospital ransomware attack has shown, paying a ransom is no guarantee that the file encryption will be unlocked. Hospitals may find that they still have to recover files from backups or explore other means of unlocking infections.