At a recent industry conference, representatives of a clinical trial site disclosed to a panel of expert mentors that their site had been attacked by ransomware. Needless to say, this prompted a flurry of discussion on what happened and, like any good discussion with experts, this one ended up with more questions than answers:
- Did third-party software create the pathway for the ransomware, or was this a general flaw in the site’s system security? If the former, should the sponsor/contract research organization requesting use of the software in its written instructions be responsible, or is it the site’s responsibility to assure the system is secure before installing such software?
- Was the sponsor’s confidential information compromised? Is it subject to further compromise? If so, is the site responsible under the clinical data agreement/clinical trial agreement?
- Must the site be dropped from the study, or can it continue on paper or another computer system?
- If the site pays the ransom, is this invoiceable to the sponsor? [(Also jokingly) would the ransomist accept a quarterly payment and a 10% holdback from the sponsor to assure that the remaining files were actually restored?]
- What happens to active subjects? Was their identifiable protected health information on the computer? Should they be dropped due to the challenges (such as from missing information) raised by keeping them in the study?
- What paperwork needs to be recreated to support the electronic case report form data (i.e., reconsents and/or details gathered from other sources)?
What is Ransomware?
Ransomware is a type of malware that encrypts a computer’s data, rendering it unusable. The attacker then offers the decryption key for a price. The choice is whether to pay the ransom in hopes you can recover your data, or to start over by re-imaging the device and restoring it from backups. Oh, and yes…ransomware is migrating from desktops and laptops into mobile and medical devices.1,2
Ransomware can spread to the point of shutting down your information technology (IT) systems and medical devices, potentially causing major impacts to operations and patients, as well as making your source documents unavailable. Early-stage investigational devices are especially at risk, as the necessary security protections are often not yet built in at that point in their development.
Ransomware in the healthcare ecosystem recently made headlines when attackers disabled the computer network of a major medical center in California for several days, until the hospital paid the ransom (in this case, a relatively modest 40 bitcoin, about $17,000 USD at the time).3 Before the hospital paid the ransom to get its systems working again, it had to transfer several patients, take many connected systems offline (e.g., pharmacy, lab), and rapidly move many processes back to paper, phone calls, and faxing.4
Many people believe that because this provider (as well as others) paid the ransom, criminal hackers have more reason to increase their attacks on healthcare facilities and users.5 Quoting Stu Sjouwerman, CEO of the security firm KnowBe4, “If you have patients, you are going to panic way quicker than if you are selling sheet metal.”5
Device manufacturers are challenged with this new need for security, as connected medical devices (even those connected only by Bluetooth) have been shown to be vulnerable to compromise. Popular Science magazine believes that medical device–oriented ransomware (instead of telling Grandma that her pictures will be deleted from her computer, think of telling her that her insulin pump will be shut off if she doesn’t pay $200) will be a significant issue in the upcoming years.6
How Do Ransomware Attacks Happen?
Most ransomware attacks are triggered from the inside. That is not to say that employees, former employees, or visitors are sticking nefarious thumb drives into your systems (although this could happen); rather, ransomware is usually introduced through phishing e-mails, when the “bad guys” dupe a user into clicking on a malicious link or opening an attachment. This “spray and pray” technique is much cheaper (and apparently more effective) than attempting high-stakes, espionage-style hacking, especially when ransomware kits are available on the open, but illegal, market for only thousands of dollars.
Most people are accustomed to phishing scams in terms of e-mails seemingly coming from a trusted external company/entity (e.g., your bank, the IRS, Microsoft), but ransomware artists are sophisticated enough to know the names of people in your company, especially senior officials, and to make the phishing e-mail appear as if it is coming from them. They may even track when the executives go on vacation, so as to send messages during that time with “do this for me quickly” instructions (see advice below in helping to avoid this).
Although phishing is the most common method of entry, ransomware can also be picked up by visiting untrusted websites through your browser, through social media links, by scanning untrusted QR codes (those little black and white boxes with a bunch of dots that take you to websites), and/or by being installed without any effort on your part by a traditional hacker through a hole in your system. Rebooting the system usually does not help (many ransomware families install themselves so that they restart along with the system), and in some cases the ransomware notification tells you that rebooting will only accelerate the deletion of files or make the ransom price go up.
What Can You Do to Prevent an Attack?
Basically there are “silicon-based” defenses (software) as well as “carbon-based” defenses (people). Even many layers of strong silicon-based security defenses can’t protect against every ransomware attack. The behavior of carbon-based people plays a huge role, as well.
The most important thing you can do is to raise awareness. Talk to your staff and colleagues about the dangers of phishing and the importance of security awareness—ransomware attacks really happen, and they have now happened in the clinical research industry! While silicon-based defenses are generally left to the IT professionals, below are some carbon-based protections you can utilize.
- “Think before you click.” Be certain that click is legitimate. Do not open e-mails or attachments from unknown senders. Do not open e-mails or attachments from someone you know unless you are expecting them or know what they contain. Watch for suspicious attachments whose document-style extension is followed by an executable one (e.g., “Revised Consent.pdf.exe” or “Protocol v2.docx.com”); note that Windows hides the final extension of known file types by default, so such a file may display simply as “Revised Consent.pdf.” Never click “unsubscribe” to unsolicited junk mail. Never click “Agree,” “OK,” or “I Accept” to get rid of a pop-up ad, unexpected warning, or even an offer to remove spyware. Instead, close the window by clicking the “X” or, even better, by pressing ALT+F4 on your keyboard, because that “X” might be a cleverly disguised hyperlink. If you are compelled to click the “X,” hover over it first to see if it changes your mouse icon from the little arrow to a hyperlink icon (i.e., the little hand).
- Don’t use strange WiFi connections. Assuming your company has this capability, always connect to the internet through VPN when working remotely. Connecting through your VPN gives you the silicon-based protections your company has to offer, as opposed to connecting to the web (even your home WiFi) without those protections. Hotel, coffee shop, and other public WiFi areas are popular hubs for dissemination of malware. Avoid alluring and/or unofficial SSID network names such as “Free_WiFi” or “Airport_WiFi.”
- Avoid untrustworthy websites and use bookmarks to access your favorite sites. As much as possible, only access websites that you need to perform your job. In particular, never access gambling sites, any sites related to computer hacking, or sites containing pornographic or hate-motivated material. Never download screensavers, games, music, or other executable files (such as files ending in .exe, .vbs, or .com) from the Internet or any other outside source unless your IT department has had the chance to check them.
- Cautiously use “Out of Office” autoresponses. While it is always nice to let your stakeholders know you may be delayed in your response (or that a quicker response can be obtained through a colleague covering for you), autoresponses are similar to social media posts that put people at risk of home burglaries by announcing to the world that they will be away on vacation.7 Ransomware artists can send you junk mail, get an out-of-office response, and then make a phishing e-mail look like it came from you during your vacation time, so that nobody can easily check with you before they “check this out” or “click on this link.”
- Regularly back up your important files. Although backup is a best practice for recovery in case you are attacked, it is not a guarantee, as some ransomware is smart enough to encrypt before your scheduled backup and only asks for the ransom after your backups have been overwritten by the encrypted files. Keep at least one copy offline or otherwise not writable from the infected workstation, retain more than one generation of backups, and periodically test that a restore actually works.
- Protect your USB ports from nefarious activity. While most ransomware is introduced by Internet communications, physical introduction through USB and other connections is possible. Although your company may have protections against USB downloads (e.g., preventing copies of protected health information or other company confidential information to a thumb drive), it may not have protections against uploads. This involves reassessing your electronic and/or physical security measures.
- Keep antivirus protections, pop-up blockers, and software up to date. Although common knowledge, this prevention activity is often not done or is delayed until it is too late.
- White Hat hack your systems. While you may not have the resources to hire hackers to test your silicon-based defenses, you likely could perform your own (or through a vendor) internal “phishing response” test to see if your workforce has understood the importance of maintaining security awareness. Many companies are surprised to find that, despite a plethora of training, posters, and reminders, employees will still click on things they should not. Case studies have shown that despite best efforts, human behavior is still hard to manage, such as the one by KnowBe4, in which a financial institution started out with a 39% phishing response rate and, even after 12 months of training, still had a 1.2% response rate.8
- Use strong and different passwords, as well as two-step verification. Yes, nobody likes the inconvenience of having to use a different username and password for each site (and sometimes this is difficult, as the sites require you to use your e-mail address as your user ID). Know that every company out there is at risk of being hacked, and that reusing the same password hands the hackers your username and password for other sites as well. Use two-step verification when offered: having the company send you a text with a code each time you want to log in trades off about 15 seconds of delay in login time for significantly enhanced security. (A text message code is far better than nothing, but where a site offers a code-generating authenticator app or a hardware token, those are harder for an attacker to intercept.)
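The double-extension trick behind names like “Revised Consent.pdf.exe” can be screened for automatically at the mail gateway or in a helpdesk triage script. The following is an added example written for this article, not code from the original authors or from HCA; it generalizes the two names in the text to a short list of extensions Windows will execute, and it also catches the right-to-left override character, which makes a name display reversed. The extension lists, the function name `screen_attachment_name`, and the sample filenames are illustrative assumptions.

```python
# Added example (not from the original article): screen e-mail attachment names
# for an executable disguised as a document. The extension lists below are
# illustrative assumptions, not a complete policy.

# Extensions that Windows (and most mail clients) will run as a program or script.
EXECUTABLE_EXTS = {
    "exe", "com", "scr", "bat", "cmd", "pif", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "ps1", "msi", "hta", "jar", "lnk", "cpl",
}
# Extensions a clinical site expects to receive as documents.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "csv", "rtf"}

# RIGHT-TO-LEFT OVERRIDE: "Invoice" + RLO + "fdp.exe" is displayed as "Invoiceexe.pdf",
# but the file really ends in ".exe".
RLO = "\u202e"


def screen_attachment_name(name: str) -> list[str]:
    """Return the reasons this attachment name looks like a disguised executable.
    An empty list means nothing suspicious was found.

    Windows decides what to run by the *last* extension, and Explorer hides
    the last extension of known types by default, which is exactly why
    "Revised Consent.pdf.exe" shows up on screen as "Revised Consent.pdf".
    """
    reasons = []
    if RLO in name:
        reasons.append("contains right-to-left override (displayed name is reversed)")
        name = name.replace(RLO, "")  # inspect the real byte order below

    parts = name.lower().split(".")
    exts = [p for p in parts[1:] if p]  # every extension after the base name
    if not exts:
        return reasons

    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{last}")
        if any(e in DOCUMENT_EXTS for e in exts[:-1]):
            reasons.append("document extension hidden before the real one (double extension)")
    return reasons


if __name__ == "__main__":
    # Constructed sample names: the two from the article, a benign one, and an RLO trick.
    samples = [
        "Revised Consent.pdf.exe",
        "Protocol v2.docx.com",
        "Protocol v2.docx",
        "Invoice" + RLO + "fdp.exe",
    ]
    for sample in samples:
        verdict = screen_attachment_name(sample) or ["ok"]
        print(f"{sample!r}: {'; '.join(verdict)}")
```

Run as a script it prints a verdict for each constructed name; as a module, `screen_attachment_name` can be called from a mail-gateway hook to quarantine or tag messages before they reach a user’s inbox.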
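The backup failure mode described above, where the scheduled job overwrites the last clean copy with already-encrypted files, can be guarded against with a sanity gate that runs before the backup job. The following is an added example written for this article, not code from the original authors or from HCA. It checks each file against what its extension implies (a PDF must start with `%PDF`, a .docx with a ZIP header, a CSV should not look like random bytes) and also flags extensions that ransomware families commonly append and filenames typical of ransom notes. The magic-number table, the extension and marker lists, the 5% abort threshold, the function names, and the sample file corpus are all illustrative assumptions.

```python
# Added example (not from the original article): a pre-backup gate that refuses
# to rotate the last good backup out of existence when the source files already
# look encrypted. Thresholds and lists are illustrative assumptions.
import math
from collections import Counter
from typing import Optional

# Leading bytes that well-known formats always start with.
MAGIC = {
    "pdf": (b"%PDF",),
    "docx": (b"PK\x03\x04",), "xlsx": (b"PK\x03\x04",), "pptx": (b"PK\x03\x04",),
    "doc": (b"\xd0\xcf\x11\xe0",), "xls": (b"\xd0\xcf\x11\xe0",),
    "png": (b"\x89PNG",), "jpg": (b"\xff\xd8\xff",), "zip": (b"PK\x03\x04",),
}
# Text formats: a file claiming to be one of these should not be uniformly random bytes.
TEXT_EXTS = {"txt", "csv", "xml", "json", "html", "log"}
# Extensions seen appended to files after encryption (illustrative, not exhaustive).
RANSOM_EXTS = {"locked", "encrypted", "crypt", "crypted", "enc", "locky", "cerber"}
# Substrings typical of dropped ransom-note filenames (illustrative).
RANSOM_NOTE_MARKERS = ("decrypt", "recover", "how_to", "ransom")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant string, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(name: str, data: bytes) -> Optional[str]:
    """Return a reason the file looks encrypted or ransomware-related, else None."""
    lower = name.lower()
    base = lower.rsplit("/", 1)[-1]
    ext = base.rsplit(".", 1)[-1] if "." in base else ""
    if ext in RANSOM_EXTS:
        return f"ransomware-style extension .{ext}"
    if ext in {"txt", "html", "hta"} and any(m in base for m in RANSOM_NOTE_MARKERS):
        return "filename looks like a ransom note"
    if ext in MAGIC and not any(data.startswith(m) for m in MAGIC[ext]):
        return f"header does not match .{ext} (expected magic bytes missing)"
    if ext in TEXT_EXTS and len(data) >= 64:
        h = shannon_entropy(data)
        if h > 7.0:
            return f"text file with ciphertext-like entropy ({h:.2f} bits/byte)"
    return None


def backup_gate(files: dict[str, bytes], abort_fraction: float = 0.05) -> tuple[bool, dict[str, str]]:
    """Decide whether the backup job may proceed.

    Returns (ok, findings). ok is False when more than abort_fraction of the
    files look encrypted; that is the moment to stop the job and page a human
    rather than overwrite the last clean copy.
    """
    findings = {name: reason for name, data in files.items()
                if (reason := classify_file(name, data))}
    ok = not files or len(findings) / len(files) <= abort_fraction
    return ok, findings


# Constructed sample corpus: three healthy files and four that a ransomware run
# would leave behind. CIPHERTEXT stands in for encrypted output (uniform bytes).
CIPHERTEXT = bytes(range(256)) * 16
SAMPLE_FILES = {
    "site/consent_v3.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
    "site/protocol_v2.docx": b"PK\x03\x04\x14\x00\x06\x00" + b"[Content_Types].xml" * 4,
    "site/enrollment.csv": b"subject_id,visit,date\n001,baseline,2016-03-01\n002,baseline,2016-03-02\n",
    "site/consent_v3.pdf.locked": CIPHERTEXT,      # renamed and encrypted
    "site/source_notes.pdf": CIPHERTEXT,           # encrypted in place, name untouched
    "site/visit_log.csv": CIPHERTEXT,              # encrypted in place, name untouched
    "site/HOW_TO_DECRYPT_FILES.txt": b"Your files are encrypted. Pay 40 BTC to ...",
}

if __name__ == "__main__":
    ok, findings = backup_gate(SAMPLE_FILES)
    for name, reason in findings.items():
        print(f"SUSPECT {name}: {reason}")
    print("backup may proceed" if ok else "ABORT backup and alert IT/security")
```

The magic-byte check is the most reliable signal here: encrypted output almost never begins with the header its extension promises, and it works even for formats such as .docx that are already compressed and therefore high-entropy when healthy. The entropy test is reserved for plain-text formats for that reason.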
What to Do if You are Attacked (or Think You are Being Attacked)
- Don’t panic!
- Remove the affected device from the network (i.e., unplug network cables, turn off WiFi, etc.).
- Report it immediately. Whether it is a suspicious e-mail or a possible infection on your workstation, the faster IT support responds, the better your chance of containing its spread. Also, let your manager know. Not reporting it in a timely manner can be detrimental.
- Document any facts you can remember as soon as you can (e.g., What were you doing when the message appeared? Had you been to any websites or opened any e-mails before the screen changed?).
- Sit and wait—Let the technical team members do what they do best! Don’t turn off your computer and DO NOT initiate any contact with the “bad guys” or follow any on-screen instructions.
- Do I just pay the ransom? Many have, and you have to make your own business decisions, but the Federal Bureau of Investigation (FBI) does not recommend it. FBI Cyber Division Assistant Director James Trainor is quoted as saying: “Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”9
- Do I report a ransomware attack to the FBI? You have to make your own business decisions, but the FBI states, “If you think you or your organization have been the victim of ransomware, contact your local FBI field office and report the incident to the Bureau’s Internet Crime Complaint Center.”9
While the use of ransomware is growing, threats that can lead to the destruction or inaccessibility of site records, and the risk of connectivity loss, are nothing new to the research enterprise. Natural disasters such as hurricanes, tornadoes, and floods have caused damage despite warnings. Fires and water damage from leaks can cause such losses, as can general disorganization and clumsiness (a lost or dropped laptop). As with the dangers from “acts of God” and simple human mistakes, there is never a guarantee that you will be 100% protected from ransomware at all times.
Just as you do with other risks of potential loss of records and/or connectivity, know that the best thing you can do to protect yourself against the growing threat of ransomware is to put in reasonable protections on the front end, and to have a backup plan to support your operations and protection of clinical trial subjects in the event you are attacked. More resources can be found at the FBI’s website, which to my knowledge does not invade your system…but no warranties here.
1. “Ransomware on Mobile Devices.” HIPAA Journal. www.hipaajournal.com/ransomware-mobiledevices/
2. “Ransomware Now Attacking Mobile Devices.” Technologist, March 30, 2016. http://blogs.findlaw.com/technologist/2016/03/ransomwear-now-attacking-mobile-devices.html
3. “Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating.” LA Times, February 18, 2016. www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
4. “Ransomware takes Hollywood hospital offline, $3.6M demanded by attackers.” CSO, February 4, 2016. www.csoonline.com/article/3033160/security/ransomware-takes-hollywood-hospital-offline-6m-demanded-byattackers.html
5. “Why Hospitals are the Perfect Targets for Ransomware.” Wired, March 30, 2016. https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/
6. “Hacked Medical Devices May be the Biggest Cyber Security Threat in 2016.” Popular Science, November 23, 2015. www.popsci.com/hackers-could-soon-hold-your-life-ransom-by-hijacking-your-medical-devices
7. “How Out-of-Office Replies Can Put Workers at Risk.” Scientific American, April 11, 2013. www.scientificamerican.com/article/how-out-of-office-replies-can-put-workers-at-risk/
8. “Case Study: Financial Institution.” KnowBe4. https://cdn2.hubspot.net/hubfs/241394/Knowbe4-May2015-PDF/CaseStudy_Financials.pdf?t=1463841867202
9. “Incidents of Ransomware on the Rise.” FBI Website, April 29, 2016. https://www.fbi.gov/news/stories/2016/april/incidents-of-ransomware-on-the-rise
David M. Vulcano, LCSW, MBA, CIP, RAC, is an AVP and the Responsible Executive for Clinical Research at Hospital Corporation of America in Nashville, Tenn.
Paul Connelly is vice president of information privacy and security and chief information security officer for Hospital Corporation of America.
*To see all figures and/or tables published originally in this article, please visit the full-issue PDF of the August 2016 Clinical Researcher.