JOIN (Jurnal Online Informatika)

Volume 5 No.1 | October 2020: 1-3 p-ISSN: 2528-1682

DOI: 10.15575/join.xxxxx.xx e-ISSN: 2527-9165

Ransomware Attacks in The Healthcare Industries: Risk and Protection

Abdul Majid Azhar Hamidan
Department of Information Systems, Asian Banking Finance and Informatics Institute Perbanas, Indonesia

Article Info ABSTRACT

Article history: Cybercriminals have begun to target the healthcare industry with
ransomware, malware that encrypts an infected device and any attached
Received Oct 23, 2020 devices or network drives. After encryption, cybercriminals demand a
ransom before releasing the devices from encoding. Without adequate
disaster recovery and backup plans, many businesses are forced to pay the
ransom. We examine recent ransomware infections in healthcare settings,
Keywords: the liabilities and cost associated with such infections, and discuss possible
risk mitigation tactics. Risks associated with ransomware attacks on
Health Information Security healthcare facilities include financial, future business loss and damage to
Ransomware reputation. Healthcare facilities should have a disaster plan with adequate
Cyber Attacks data backups and educate employees who are the usual source of
Hospitals ransomware attacks.
Risks

Corresponding Author:
Abdul Majid Azhar Hamidan,
Department of Information Sytems,
Asian Banking Finance and Informatics Institute Perbanas,
Jl. Perbanas, Kuningan, Karet Kuningan, Kecamatan Setiabudi, Kota Jakarta Selatan, Daerah Khusus
Ibukota Jakarta 12940, Indonesia
Email: [email protected]

1. INTRODUCTION
Ransomware, as defined by the Merriam-Webster dictionary, is a malware that requires its victims
to pay a ransom. Ransomware is a type of malware used by criminals that encrypts files and then attempts to
extort money in return for the key to unlocking the data files (Spencer et al., 2018). The healthcare industry is
a prime target for criminals using ransomware because of the number of patient records in its possession and
the revenue those data could generate in the black market for criminals. The healthcare industry holds
valuable information that could generate financial gains for criminals and could also be beneficial to state
actors for political gains. Ransomware attacks on the sector generated much success and will continue as
long as cybersecurity experts do not put in place effective methods to limit its damages.
Before 2016, healthcare organizations were not thought to be a primary target for ransomware.
However, 14 hospitals had become the target of ransomware and a total of 173 hacking/information
technology (IT) incident data breaches had been officially reported by October 16, 2016, Hospitals have
become an easy target for hackers for two reasons: (1) the necessity of computer storage of information
associated with patient care (e.g., electronic medical records) and (2) the security holes in IT systems. In fact,
a report from Ponemon Institute in 2016 stated that 89 percent of healthcare organizations suffered at least
one data breach involving the loss of patient data over a two-year period, and 45 percent had more than five
such breaches. Also, the frequency of successful hacking of patient medical files increased from 55 percent in
2015 to 64 percent in 2016. When hit with ransomware, some hospitals have been desperate to pay the
ransom because of their need for the most up-to-date information, such as drug interactions, care directives,
and medical history, in order to provide critical care to patients. Accordingly, the healthcare industry is now
considered to be at a substantial risk of a ransomware attack, mainly because it trails other leading industries
in securing vital data.
Hackers have found it easy to attack hospitals with ransomware because of hospitals’ rapid adoption
of IT without a concomitant increase in the number and sophistication of IT support staff. This IT adoption

1
 JOIN (Jurnal Online Informatika) p-ISSN: 2528-1682
e-ISSN: 2527-9165

occurred after the government allocated funds for the Meaningful Use program, which encouraged the use of
electronic health records (EHRs). With the Meaningful Use incentives, HER utilization increased from 9.4
percent in 2008 to 96.9 percent in 2014.
With such a substantial increase in IT utilization in a short time frame, many healthcare facilities
have been unable to adopt adequate network security and other information technology resources to combat
potential attacks. Without sufficient funds, many hospitals do not have the staff to employ simple barriers to
hackers, such as the quick installation of electronic patches. According to a 2016 report by Verizon, 85
percent of successful exploits take advantage of vulnerabilities such as old patches.
The purpose of this study was to determine the extent of recent ransomware infections in the
healthcare setting, the risk liabilities and costs associated with infections, and possible risk mitigation tactics.

2. CRUCIAL CHALLENGES, ISSUES AND RISKS

2.1. Details of Previous Ransomware Events
The first documented case of hospital ransomware in Indonesia occurred at Dharmais Hospital and
Harapan Kita Hospital in 2017. In that events, the extent of the ransomware attack was not reported; a
ransom was believed to be paid in both cases, but the amounts were never disclosed. However, it was not
until the highly publicized ransomware attack at Hollywood Presbyterian Medical Center in February 2016
that hackers actively began to target healthcare facilities. In this attack, the staff was unable to access patient
records, x-rays, and other equipment or to restore equipment from backup data and was forced to pay the
ransom. Initial reports claimed that the criminal initially demanded a ransom of $3.6 million, but the ransom
was negotiated down to approximately $17,000 or 40 bitcoins.
Paying a ransom, however, does not ensure that cybercriminals will provide the encryption key for
the locked files. In the case of Kansas Heart Hospital, the ransom was paid, but the key was not provided.
Instead, the cybercriminals demanded a second, more substantial ransom, which was not paid.
After the success of the ransomware attack on Hollywood Presbyterian Medical Center, the
healthcare industry was targeted more frequently, with two hospitals attacked later that month and five
hospitals targeted the next month. These affected hospitals did not pay the ransom but instead were able to
restore information from their backups.Ransomware attacks on other hospitals and health systems quickly
followed within a month.
2.2. Risk Liabilities and Cost of a Ransomware Attack
According to the legal expert, four risk categories are associated with ransomware attacks:
1. medical malpractice,
2. data privacy,
3. property and reputation, and
4. cost and expense issues.
Although medical malpractice has been a regular concern for hospitals, there could be an additional
risk of medical malpractice during a ransomware attack if patient care is affected or if a patient is harmed as a
result of ransomware. If a hospital relying on a Computerized Prescription Order Entry (CPOE) system were
to lose that system for any reason, the number of prescription errors associated with returning to a manual
prescription system would increase substantially, perhaps doubling, especially during a forced transition
when individuals who were familiar with the CPOE system would have to be retrained or trained to use the
manual method.
The second threat has been the risk of patient data privacy loss, which could lead to a HIPAA
violation. During the first response to a breach, it is vital for staff to identify, if possible, the type of malware
that has infected their network. After the malware has been detected, professionals should assess the risks of
that particular malware and whether a solution to decrypt the files can be found. Unfortunately, decryption
without the necessary key is extremely unlikely, and no free tools are currently available to decrypt files.
The risk of reputation loss and loss of future business were calculated in an annual study that included
interviews with 400 individuals and examined the costs related to these factors in 49 companies in the United
States. This study found that, in 2011, the organizations examined averaged more than $3 million in losses
related to reputation loss, abnormal turnover of customers, increased customer Ransomware in Healthcare
Facilities: A Harbinger of the Future? acquisition activities, and diminished goodwill. In a follow-up study,
24 percent of companies surveyed expressed concern that their reputation would be diminished if they were
to suffer a ransomware attack.
The final risk is losses due to costs and expenses. In 2016, the average total cost of a data breach
was $3.62 million.71 The average cost per record in the healthcare industry in 2014 was $355, which would

Ransomware Attacks in The Healthcare Industries: Risk and Protection 2

(Abdul Majid Azhar Hamidan)
 JOIN | Volume 5 No. 1 | June 2020: 1-3

be a substantial amount for a large or small hospital to pay per record. This total may or may not include
additional costs associated with a data breach, which could vary depending on the size of the organization
and number of patients affected. Such variable costs include credit monitoring provided to patients, which
may cost anywhere from $8 to $30 per patient, depending on the level of oversight needed.
If the institution chooses to pay the ransom, the amount must be considered. The average ransom
demanded has been approximately $10,000 for enterprises and $710 for individuals. In a report published by
Cyberdata and security vendor Imperva, attackers have often tailored the ransom to the country in which the
affected institution is located. For example, the average ransom demand in the United States has been $710.
However, in countries such as Israel, Russia, and Mexico, the average demand has been $500. For this
reason, companies in more developed nations such as the United States are more favourite targets, as they are
thought to be able to afford to pay a greater ransom.

3. VULNERABILITIY IDENTIFICATON: VARIOUS FACTORS SYSTEM VULNERABLE TO

MALWARE
3.1. Security Defects In Software
Malware exploits security defects (security bugs or vulnerabilities) in the design of the operating
system, in applications (such as browsers, e.g. older versions of Microsoft Internet Explorer supported by
Windows XP), or in vulnerable versions of browser plugins such as Adobe Flash Player, Adobe Acrobat or
Reader, or Java SE. Sometimes even installing new versions of such plugins does not automatically uninstall
old versions. Security advisories from plug-in providers announce security-related updates. Common
vulnerabilities are assigned CVE IDs and listed in the US National Vulnerability Database. Secunia PSI is an
example of software, free for personal use, that will check a PC for vulnerable out-of-date software, and
attempt to update it.
Malware authors target bugs, or loopholes, to exploit. A common method is exploitation of a buffer
overrun vulnerability, where software designed to store data in a specified region of memory does not
prevent more data than the buffer can accommodate being supplied. Malware may provide data that
overflows the buffer, with malicious executable code or data after the end; when this payload is accessed it
does what the attacker, not the legitimate software, determines.

3.2. Insecure Design or User Error

Early PCs had to be booted from floppy disks. When built-in hard drives became common, the
operating system was normally started from them, but it was possible to boot from another boot device if
available, such as a floppy disk, CD-ROM, DVD-ROM, USB flash drive or network. It was common to
configure the computer to boot from one of these devices when available. Normally none would be available;
the user would intentionally insert, say, a CD into the optical drive to boot the computer in some special way,
for example, to install an operating system. Even without booting, computers can be configured to execute
software on some media as soon as they become available, e.g. to autorun a CD or USB device when
inserted.
Malware distributors would trick the user into booting or running from an infected device or
medium. For example, a virus could make an infected computer add autorunnable code to any USB stick
plugged into it. Anyone who then attached the stick to another computer set to autorun from USB would in
turn become infected, and also pass on the infection in the same way. More generally, any device that plugs
into a USB port - even lights, fans, speakers, toys, or peripherals such as a digital microscope - can be used to
spread malware. Devices can be infected during manufacturing or supply if quality control is inadequate.
This form of infection can largely be avoided by setting up computers by default to boot from the
internal hard drive, if available, and not to autorun from devices. Intentional booting from another device is
always possible by pressing certain keys during boot.
Older email software would automatically open HTML email containing potentially malicious
JavaScript code. Users may also execute disguised malicious email attachments. The 2018 Data Breach
Investigations Report by Verizon, cited by CSO Online, states that emails are the primary method of malware
delivery, accounting for 92% of malware delivery around the world.

3.3. Over-Privileged Users and Over-Privileged Code

In computing, privilege refers to how much a user or program is allowed to modify a system. In
poorly designed computer systems, both users and programs can be assigned more privileges than they
should have, and malware can take advantage of this. The two ways that malware does this is through
overprivileged users and overprivileged code.

3
 JOIN (Jurnal Online Informatika) p-ISSN: 2528-1682
e-ISSN: 2527-9165

Some systems allow all users to modify their internal structures, and such users today would be
considered over-privileged users. This was the standard operating procedure for early microcomputer and
home computer systems, where there was no distinction between an administrator or root, and a regular user
of the system. In some systems, non-administrator users are over-privileged by design, in the sense that they
are allowed to modify internal structures of the system. In some environments, users are over-privileged
because they have been inappropriately granted administrator or equivalent status.
Some systems allow code executed by a user to access all rights of that user, which is known as
over-privileged code. This was also standard operating procedure for early microcomputer and home
computer systems. Malware, running as over-privileged code, can use this privilege to subvert the system.
Almost all currently popular operating systems, and also many scripting applications allow code too many
privileges, usually in the sense that when a user executes code, the system allows that code all rights of that
user. This makes users vulnerable to malware in the form of e-mail attachments, which may or may not be
disguised.

3.4. Use of The Same Operating System

Homogeneity can be a vulnerability. For example, when all computers in a network run the same
operating system, upon exploiting one, one worm can exploit them all: In particular, Microsoft Windows or
Mac OS X have such a large share of the market that an exploited vulnerability concentrating on either
operating system could subvert a large number of systems. Introducing diversity purely for the sake of
robustness, such as adding Linux computers, could increase short-term costs for training and maintenance.
However, as long as all the nodes are not part of the same directory service for authentication, having a few
diverse nodes could deter total shutdown of the network and allow those nodes to help with recovery of the
infected nodes. Such separate, functional redundancy could avoid the cost of a total shutdown, at the cost of
increased complexity and reduced usability in terms of single sign-on authentication.

4. DEFEND MEDICAL PRACTICE AGAINST RANSOMWARE

4.1. Protect Against the Possibility of Infection
The old medical adage that “an ounce of prevention is worth a pound of cure” applies not only to the
health of patients but also to the health of digital information systems.
Modern cybersecurity software provides robust protection against ransomware and many other types
of malware that might affect a provider’s computer systems. Installing and maintaining modern anti-virus
software is the most important step that providers can take to prevent a devastating ransomware attack.
It only takes a single out-of-date system to serve as the launching point for an attack against a
provider’s entire network. Take the time to verify that every system in the organization has anti-virus
software installed and is receiving daily updates to protect against the most recent threats.
Better yet, install a centralized monitoring solution that can report systems that fall out of
compliance for further investigation.

4.2. Back Up Your Data Often

The most crippling ransomware attacks have outsized impact because providers lack the technical
means to recover their data in the wake of an attack.
Performing regular backups of critical records makes a provider resilient not only against
ransomware attacks but also against technical failures, natural disasters and other risks that might damage
information systems.
If a provider conducts routine backups, a successful ransomware attack becomes an annoying
nuisance instead of an existential threat.
Modern backup technology makes the process as simple as purchasing an account with a cloud
backup provider and configuring software to perform regular backups. Backup software incorporates strong
encryption to protect files from prying eyes and allows the rapid recovery of patient records in the wake of an
attack or human error.

4.3. Assess Risk on a Regular Basis

Cybersecurity is not a one-time project. While providers may invest significant time and energy in
an initial project designed to bring operations up to current best practices, they must also treat security as an
ongoing responsibility.

Ransomware Attacks in The Healthcare Industries: Risk and Protection 4

(Abdul Majid Azhar Hamidan)
 JOIN | Volume 5 No. 1 | June 2020: 1-3

After all, threats evolve and business practices change, introducing new risks and security solutions.
Providers should schedule annual risk assessments designed to identify new vulnerabilities and implement
controls to address them.
If the provider’s IT staffers have expertise in security, they may conduct these assessments in-house.
Consulting firms offering assessment services may also be called on to create a point-in-time snapshot of an
organization’s cybersecurity status.

4.4. Create a Robust Response Plan

Every organization should have a cybersecurity incident response plan that outlines the steps that the
organization will follow during a security breach.
Comprehensive plans describe procedures for identifying incidents, containing the damage,
eradicating the effects of the incident and recovering normal operations.
They should also include after-action procedures that help incorporate the lessons learned during an
incident response effort into both the organization’s ongoing cybersecurity program and its response to future
incidents.
Providers seeking an incident response starting point should consult the Computer Security Incident
Handling Guide from the National Institute of Standards and Technology. This free publication is widely
considered the authoritative reference for incident response teams in both the government and the private
sector.
Incident response efforts also benefit from the involvement of skilled professionals. Consider
engaging an incident response firm in advance so that it is ready to assist in the event of a security breach.
CDW offers free incident response retainer agreements to healthcare providers and other organizations.
Ransomware is a serious risk to the ongoing viability of medical practices. An untimely attack can
have devastating consequences for an unprepared provider. By following cybersecurity best practices,
organizations can reduce the risk of a successful attack and limit the damage if threat actors do strike.

5. CONCLUSION
The number of ransomware attacks and variants has increased substantially in recent years.
Healthcare facilities have become a significant target for these attacks, and in response to this increase, it is
crucial that they develop a proper disaster recovery plan and adequately educate their users on information
security. With proper planning in place, a healthcare facility is not only more likely to survive an attack but
also more likely to decrease costs associated with an attack and to mitigate the risk to its reputation.

ACKNOWLEDGEMENTS
This research was supported/partially supported by Marshall Digital Scholar. We thank our colleagues from
Marshall University who provided insight and expertise that greatly assisted the research, although they may
not agree with all of the interpretations/conclusions of this paper.

6. REFERENCES
[1] Drame, Papa S (2019), “Ransomware Attacks in the Healthcare Industry: Attacks Methods and Preventive Steps”
ProQuest Dissertation Publishing, 1-2
[2] Nikki Spence, MS, Niharika Bhardwaj, David P. Paul, and Alberto Coustasse (2018), “Ransomware in Healthcare
Facilities: A Harbinger of the Future?” Perspective In Health Information Management
[3] Paul, III, D. P., Spence, N., Bhardwa, N., Coustasse, A. (2018, April). “Healthcare Facilities: Another Target for
Ransomware Attacks”. Presented at the 54th Annual MBAA Conference, Chicago, IL.
[4] Wikipedia, Malware,
https://en.wikipedia.org/wiki/Malware
[5] Mike Chapple (2020), “5 Ways to Defend Your Medical Practice Against Ransomware”, HealthTech Magazine,
downloaded 22/10/20 from https://healthtechmagazine.net/article/2020/05/5-ways-defend-your-medical-practice-
against-ransomware
[6] Tekno Kompas, Kena Ransomware, Rumah Sakit Ini Terpaksa Bayar Tebusan Rp 226 Juta,

https://tekno.kompas.com/read/2017/05/14/11181737/kena.ransomware.rumah.sakit.ini.terpaksa.bayar.tebusan.rp.2
26.juta?page=all