The Queensland medical practice that has become the victim of a ransomware attack is not the first, with four other medical centres in the state understood to have been similarly targeted two months ago.
As reported by ABC Online yesterday, the Miami Family Medical Centre on the Gold Coast has become the latest victim of international attackers who hack into systems, encrypt the data and then demand a ransom for sending a key to release it.
Queensland Police first reported small businesses being targeted in September, although it is not known if these attacks were merely a common scam involving the use of an Australian Federal Police logo that pops up on infected systems and demands payment of a fine, or a more sophisticated attack that security experts say is now occurring more frequently.
The scammers tend to use infected websites and target home PCs, and only demand a small ransom of $50 or $100. The more sophisticated attacks are targeting businesses with confidential financial or medical information and are demanding ransoms in the thousands.
The specialist IT security publication SC Magazine reported on the new ransomware threat in September, detailing how a Northern Territory air conditioning and refrigeration contractor was targeted by eastern European hackers who encrypted its financial records and demanded a ransom of $3000, which the business eventually paid.
In the case of the Miami Family Medical Centre, the hackers are understood to have locked down the practice's entire practice management system, thought to be practiX, and are demanding $4000.
Practice principal Munira Butt told News Ltd's goldcoast.com.au that the hackers had disabled many of the practice's programs and had corrupted its back-up discs as well. However, it is not yet clear if the practice had an offsite back-up system in place as well.
Practice co-owner David Wood told the ABC that the hackers had “literally got in, hijacked the server and then ran their encryption software”.
“It's people who know how to break in past firewalls and hack passwords to get onto the server. We're trying to work out how to pay the hackers or find someone to decrypt the information.”
The ABC reported that the server holding the encrypted information is being held offline and an IT contractor is working with the practice to restore a back-up of patient records.
The method is the same as reported earlier this year, with Queensland Police confirming four other medical centres had been targeted. According to the ABC's Landline program, those centres did not want to be identified, but their data had been locked up and encrypted.
A ransom of $3000 was then demanded, increasing by $1000 a day until paid. Landline reported that other Queensland businesses had also been attacked, with some agreeing to pay the ransom.
Security consultant Chris Gatford, whose company HackLabs provides penetration testing and vulnerability management to many Australian businesses, said the ransomware attack was not yet very common but it did seem to be occurring more frequently.
“An attacker gains access, encrypts the contents of what he thinks is most sensitive to you, and then sends you a message indicating that he is willing to unencrypt it for a certain fee,” Mr Gatford said.
He said healthcare providers didn't seem to be targeted in particular, but rather small to medium-sized businesses that are less likely to be following security best practice.
There are three common methods for this type of attacker to gain access to organisations, he said.
“If you have a system connected to the internet, and that system allows you to connect to it with a username and password, it is entirely possible that a person has guessed the username and password. That is still the most common method that these groups use – guessing usernames and passwords.
“The next method is as simple as a patch not being applied and therefore there is an outdated piece of software. You run an exploit against that piece of software and you then take advantage of the security vulnerability that the vendor is trying to patch, and you gain unauthorised system admin-type privileges to that particular machine.”
He said another common method was social engineering, where phishing emails tempted the naïve into clicking on a link. However, some are more sophisticated than that, he said.
“Sometimes they can be specifically crafted for the organisation, trying to get a user to submit their internal credentials through an external service. That type of phishing is very successful. With the number of resources online these days it is very easy to find a lot of information about people in a relatively small amount of time.”
It is understood that some of the lower-level scammers who demand small ransoms can be defeated simply by removing what is, in effect, basic malware, but the higher-level attackers are quite professional about how they do things.
Mr Gatford said they often took pride in their work and some actually honour their promise to send a key to unencrypt the data once the ransom has been paid.
“This is a profession to some of them. Some of them take pride in it and want to get it out that paying the ransom actually worked out for the victims. In that way victims are more likely to pay if there is good news about it. But you just can't take that gamble.”
He said these specific scams usually ended up with law enforcement called in, so there is no real way of knowing how many people pay the ransom, but he has heard of some getting access to their data eventually.
“I certainly don't think that it's guaranteed, and it is certainly a risky path. The attackers are clever in that they price it at a point that it is better value to pay the attacker than it is to get in external security people to help you get your data back.”
His advice to practices was that the “first rule of security is there is no security”.
“The method by which this group got access to the patient records in the first place is really speculation at this point as we don't know what was performed or what kind of configuration this practice had, whether they had an internet-facing server or an internal server.
“Software vendors may have a secure offering but it is reliant upon the end user running it in a secure fashion. People think ‘I've got anti-virus and that's all good’, but security has been more than anti-virus forever and a day.
“It is this conception that people have: they somehow think that security is having good AV, and unfortunately having good AV was only a reasonable defence a long time ago. It is certainly not a defence these days.”
Mr Gatford's company makes its living by being “ethical hackers” who are hired to test out security systems, and he says it is a relatively easy thing to do for those practised in the art. He is also seeing more malicious activity targeting healthcare organisations, particularly health insurers.
“It is becoming more concerning to me when I see the rush to health information becoming electronic and the ease of access to it,” he said. “It is starting to become a bit of a problem and I don't see a lot of direction in the industry.”
The new national PCEHR system has even provided him with several new customers. The federal government has given a guarantee that the system is protected by the highest level of security possible, but the government is not what worries him, Mr Gatford said.
“I'm concerned about all of the different entities connecting to it and pulling data to and from it. That is where the vulnerability will be. The government has got a reasonable amount of resources to ensure things are secure, but all of these third parties that are trying to send data or pull data from it don't.”
The Royal Australian College of General Practitioners publishes a workbook to help practices comply with its Computer and Information Security Standards (CISS), part of its accreditation process.
Pulse+IT is waiting for more information from the Miami Family Medical Centre.