Philadelphia is not only the City of Brotherly Love, but it’s also the name of a new variant of ransomware that is wreaking havoc in the healthcare industry by crippling computer operating systems.
“As with all ransomware, Philadelphia is generally associated with phishing and spear-phishing campaigns,” says Matt Anthony, vice president of Incident Response at the Herjavec Group, a global managed security service company, based in Los Angeles.
“Philadelphia is mostly distinguished by being part of a family that we would call 'ransomware-as-a-service',” Mr. Anthony tells Cosmetic Surgery Times. “This means that anyone can go to a website on the ‘dark’ web, which is the alternate, more private and secretive set of sites on the internet, usually accessed through a specialized browser. Once there, you can pay a fee to the authors of this service to download software. Then, as an amateur or extremely low-skilled person, you have access to the ransomware software.”
Such ransomware is “insidious in a way,” according to Mr. Anthony, “because it magnifies the capability of ransomware distributors and creates a profit stream on the back-end for creating the infrastructure to collect and distribute payments and reduces the need to author, or create your own, ransomware to enter the game.”
The ransomware usually infiltrates a healthcare organization through an email to an employee. The email typically looks legitimate and trustworthy and contains a link to click. “In healthcare, the link might be to a patient’s healthcare records associated with a patient transfer or an inquiry to a doctor with a link to a pharmaceutical company,” Mr. Anthony says.
Once the employee clicks the link, a piece of software is downloaded to their computer. The software encrypts files on the user’s local drive and on any network drive reachable from that computer.
Next, a notice appears on the computer screen that encryption has occurred and that the files are no longer available to the healthcare organization. Instructions are also provided on how to pay a ransom to recover all compromised files and operating systems.
Mr. Anthony says ransom amounts typically range from $500 to $3,000.
Healthcare is being targeted because it is viewed as a “high willingness to pay, due to the urgency of access to the records,” Mr. Anthony says. “There is also a suggestion that healthcare as a sector is more vulnerable than other sectors at this time. There may be weaker training or weaker protocols concerning information sharing, so there is a higher than usual likelihood that those employees will click.”
Fortunately, it is unlikely that any information will be exported or taken away from the organization, such as electronic medical records (EMRs) or a health information management system. Encryption is normally limited to user files like Word documents, Excel spreadsheets and databases.
Also, Philadelphia ransomware appears to have an effective, free decryptor tool. “It is nice when ransomware is engineered poorly enough that free decryptors are available,” Mr. Anthony says.
Denise Anderson, president of the National Health Information Sharing and Analysis Center, says that ransomware hackers seek out entities that have a particular vulnerability or set of vulnerabilities in their environment. “These hackers detect vulnerable systems by scanning the internet; or by using the search engine Shodan, which reveals devices connected to the internet,” she says.
Tips to Avoid Compromise
To avoid being compromised, healthcare organizations need to follow good basic cyber hygiene practices. “One best practice is to keep systems up-to-date and patched to the latest version for increased security,” says Ms. Anderson.
Another good best practice is to apply the principle of least privilege, which limits administrator rights to a very select few in the organization and gives users the lowest level of rights needed to perform their jobs.
Employees also need to be educated about not accessing emails from sources they are not familiar with and not clicking links and attachments within those emails.
“Whitelisting email addresses contained in spam filters is absolutely effective and allows email to be safely accepted by the recipient,” Ms. Anderson says.
Moreover, there are email authentication protocols like DMARC, which lets receiving mail systems verify the authenticity of an email at the internet service provider (ISP) level.
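What a DMARC policy actually says is visible in the TXT record a domain publishes. As an added example that is not part of the original article, the Python below parses such a record and flags the monitoring-only p=none setting beside an enforcing p=reject record; the record strings are constructed samples, not any real domain's DNS data.

```python
"""Parse a DMARC TXT record and flag settings that leave spoofing unchecked.
Added example, not from the article; the records below are constructed samples."""

# Constructed records of the kind published as a TXT record at _dmarc.<domain>.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCING = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
             "rua=mailto:dmarc-reports@example.com")
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}  # weakest to strongest


def parse_dmarc(record):
    """Split 'tag=value; ...' into a dict; None if not a usable DMARC record."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None  # receivers ignore records without version and policy
    return tags


def assess_dmarc(record):
    """Return a list of findings; an empty list means the record enforces."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no valid DMARC record: v=DMARC1 and p= are both required"]
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none only requests reports; spoofed mail is still delivered")
    elif policy != "reject":
        findings.append("p=%s does not reject mail that fails authentication" % policy)
    # The subdomain policy sp= defaults to p=; flag it when explicitly weaker.
    sub = tags.get("sp", policy).lower()
    if STRENGTH.get(sub, 0) < STRENGTH.get(policy, 0):
        findings.append("sp=%s weakens the policy for subdomains" % sub)
    # pct= below 100 applies the policy to only a sample of failing mail.
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if pct < 100 and policy != "none":
        findings.append("pct=%d enforces against only part of failing mail" % pct)
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never received")
    return findings


if __name__ == "__main__":
    for name, rec in (("monitor-only", MONITOR_ONLY), ("enforcing", ENFORCING)):
        print(name, "->", assess_dmarc(rec) or ["enforcing, no findings"])
```

In practice the record is fetched with a DNS TXT lookup of _dmarc.<domain>; the parser above works on whatever string that lookup returns.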
Another potential risk is an employee himself. “Every organization is vulnerable to insider threats, so organizations should conduct appropriate background checks and ensure that employees are vetted,” Ms. Anderson says.
Healthcare should also think of cybersecurity from an enterprise risk management perspective. “You need to look at everything within an environment and decide what the risk, likelihood and level of impact is,” Ms. Anderson says. “An organization should look to protect its 'crown jewels' first, and then develop a strategy from there.”
The recent WannaCry ransomware attacks in Europe and elsewhere on May 12, which affected many entities, including the National Health System (NHS) in the United Kingdom, demonstrate that all organizations, including healthcare, need to be vigilant, according to Ms. Anderson.
“Ransomware is disruptive to operations, but can also have lasting financial and reputation impacts. Therefore, organizations not only need to have contingency plans tested, exercised and in practice, but they need to try to be in the position where they are not impacted in the first place,” she says.