Mumbai Hospital Hit by Ransomware Attack
Security Experts Say Healthcare Is a Soft Target for Attackers
"Around 9 p.m. on Sunday, a system message popped saying that our system had been hacked and we should contact the culprits to retrieve our data," said P.K. Shashanker, administrator of the hospital. "They had provided an email address, but we did not write to them and filed an FIR [First Information Report] on Monday. Our technical team is working on retrieving the data. The hospital has not faced any financial loss."
The cyber police team tells Information Security Media Group that the hackers did not demand a specific amount of ransom be paid. The case has been registered under the Information Technology Act.
A recent study done by Sophos and Vanson Bourne, a research house in the U.K., found that India has the highest number of ransomware infections in the world, followed by Mexico and the U.S. Some 67 percent of organizations in India were hit by ransomware in 2017, the study found.
Police say they are continuing to investigate the attack against the hospital. "We are guessing the attackers could have entered through a compromised endpoint," said one police official, who asked not to be named. "But the investigating team is yet to arrive at a conclusion."
Hospital authorities came to know of the attack on Sunday after a receptionist switched on her computer to find a blank screen, according to the Times of India. Soon, the hospital authorities switched off all computers that were part of its local network to arrest the spread of the virus used in the attack. But it was too late, as all computer terminals by then had been infected, according to the news report. As of Friday, the hospital's systems have all been restored, police said.
Healthcare in Spotlight
The healthcare sector has been a frequent attack target because of its aging IT infrastructure, which is not updated, some cybersecurity experts say.
In the United States, a ransomware attack recently forced a Missouri county medical center to divert ambulances carrying trauma and stroke patients to other facilities as the critical access hospital continued to recover from the incident.
"Although both healthcare and financial services hold high-value data, healthcare is often perceived as a soft target, leading to increased frequency of attack," a Sophos spokesperson says. "That assumption is not without merit - healthcare tends to have an aging IT infrastructure, leaving security holes, as well as restricted resources for improving IT security. Also, healthcare organizations are also considered to be more likely to pay a ransom."
"A medical device typically has a lifespan of 10 years. Because of this phenomenon, what we see is that in hospitals you would find medical devices which have an obsolete operating system still running," says Minatee Mishra, lead engineer, security center of excellence, at Philips Health Tech, India.
Mishra says hospital IT departments often are reluctant to update devices. "Hospital staff would not like to upgrade a hospital's MRI system because it's a critical thing. They don't touch the device as long as it's running fine," she says. "But if you do not update these devices, they become [vulnerable] to malware, which can then spread to the hospital network."
Many healthcare organizations also have limited resources to devote to security, Mishra notes. "A lack of people, hardware and software lead to patchy security, so even when one part of the organization has the necessary anti-ransomware protection, it's not across the board," she says.
Some experts say hospitals need to ramp up their endpoint security to go beyond merely installing anti-virus software.
For example, organizations might benefit from implementing endpoint detection and response, or EDR, products that provide a play-by-play of exactly what happened on a computer during and after an attack.
But a key step in avoiding falling victim to ransomware attacks is keeping operating systems up to date.
"No security solutions will help if you are still running on legacy systems. Most hospitals are ill-equipped and uneducated about basic security controls that can be implemented to secure their IT infrastructure," says Prashant Pandey, founder and chief knowledge officer at Kratikal Tech.
Rohan Vibhandik, a Pune-based cybersecurity researcher working for a global company, says attackers often use low-tech social engineering techniques to lure victims into executing ransomware. "Spam emails are generally sent out with email messages and attachments saying 'your MS account is about to expire' or 'need urgent attention,' or 'find the receipt of payment below' and so on," he says.