Ransomware is coming to your Clinic, are you prepared?

[Guest post by clinicea – cloud software for clinic management]

Ransomware is malicious software, operated by criminals to make money off you. Before you brush this off as technical mumbo-jumbo that is not relevant to you, let me explain why you would be terribly wrong. It no longer matters whether you are in the USA, India or Japan. Ransomware is not racist; it does not understand the difference between a developing and a developed country. It does not matter whether you are a large hospital or a small private clinic. If you are online with an email address, you can be found. 9 out of 10 times ransomware will get through to your computer via an email attachment.

“My mother received the ransom note on the Tuesday before Thanksgiving. It popped up on her computer screen soon after she’d discovered that all of her files had been locked. ‘Your files are encrypted,’ it announced. ‘To get the key to decrypt files you have to pay 500 USD.’ If my mother failed to pay within a week, the price would go up to $1,000. After that, her decryption key would be destroyed and any chance of accessing the 5,726 files on her PC — all of her data — would be lost forever.” – from the New York Times


Let’s start off by understanding what exactly ransomware is. It is a virus. Once it manages to get through to your computer and infect it, it will simply lock up your entire hard disk. All the documents you have stored, your emails in Outlook, your videos, consent forms, intake forms, tax returns, family pictures, i.e. everything you ever stored on your computer, is actually kept on a piece of hardware inside your computer called the hard disk. Ransomware simply encrypts this hard disk with a key, and then emails you, demanding anywhere from a few hundred dollars to a few thousand dollars. That is the price of getting the key that will unlock your hard disk.

“A number of MedStar (a chain of hospitals in the USA) employees reported seeing a pop-up message on their computer screens seeking payment in bitcoins, an Internet currency. One woman who works at MedStar Southern Maryland Hospital Center sent The Washington Post an image of the ransom note, which demanded that the $5 billion health-care provider pay 45 bitcoins — equivalent to about $19,000 — in exchange for the digital key that would release the data.

“You just have 10 days to send us the Bitcoin,” the note read, “after 10 days we will remove your private key and it’s impossible to recover your files.” – from the Washington Post



Let us go over what is meant by encryption and a key, so that you can visualize what exactly is going on in your hard disk. Let’s say you recorded a patient visit and wrote down the following note in a Microsoft Word document or in an installed EMR software:

c/o itching and joint pain
Aggravating factors: Severe emotional stress

Medical History:
Current medications: beta-blockers

Family History:
History of Psoriasis: Mother, Grandmother

Social History:
Alcohol: Heavy Drinker


Ransomware will first generate a secret key, e.g. b4ee3bd6-057a-43a2-ace7-2db74151f918. This secret key is unique to you only. So if they are attacking 10 different clinics, the key will be different for each clinic. Then the content you have on your disk will be encrypted, or locked up, using this key. What encryption does is change the human-readable content based on the key being used. So your revised content might look something like “{0DBF52CB-6CA8 …}”, a string of characters that means nothing to anyone reading it.


So there must be a way to somehow convert these unintelligible characters back into the content you wrote? Yes, there is: the secret key that was used to turn “c/o itching and joint pain…” into “{0DBF52CB-6CA8 …}”. That key did the job of putting a lock on your hard disk, and that key alone can now unlock it. So all you need is that key.
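To make the lock-and-key picture concrete, here is an added example (not code from the original post or from Clinicea) that encrypts the note above with one randomly generated key and shows that only that exact key turns it back into text; the cipher construction and the sample note are assumptions made for the illustration:

```python
"""Added example (not from the original post or Clinicea): what 'encrypting
with a key' does to the patient note above, using a small authenticated stream
cipher from the standard library (HMAC-SHA256 keystream in counter mode plus
an HMAC tag). A teaching construction, not any real ransomware family's cipher.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# The note from the article, as constructed sample input.
NOTE = b"c/o itching and joint pain\nAggravating factors: Severe emotional stress\n"

def _subkeys(key: bytes):
    """Derive separate encryption and MAC keys from the one secret key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Return `length` pseudorandom bytes: HMAC(enc_key, nonce || counter)."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; only the same key can reverse it."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key (or the data) does not match."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def demo() -> dict:
    """One clinic's key locks the note; another clinic's key cannot open it."""
    clinic_a = secrets.token_bytes(32)   # unique per victim, like the UUID above
    clinic_b = secrets.token_bytes(32)
    locked = encrypt(clinic_a, NOTE)
    return {"unreadable": NOTE not in locked,
            "own_key_unlocks": decrypt(clinic_a, locked) == NOTE,
            "other_key_fails": decrypt(clinic_b, locked) is None}
```

Without `clinic_a` the locked bytes are just noise, which is exactly why the article says the key is all you need, and why the criminals can charge for it.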



Where can you get the Key from?

You can get it by paying a ransom to free your hard disk. It is to be paid to the person behind the ransomware. This person will contact you over email with a price he has put on your hard disk, OR you will get a pop-up message on your screen. You are supposed to make the payment using an online currency called “bitcoins”. Bitcoins are the currency of the internet, and it is very difficult to trace them back to the end recipient. You do not need to worry about arranging for bitcoins; there are third-party companies who exchange your local currency for bitcoins. In case English is not your first language, do not worry here either: the instructions on how to pay the ransom come in 28 languages. Talk about customer service!


What happens if I bargain or do not pay?

The FBI, the premier security agency equipped to handle criminal acts in the digital space, officially recommends “not to pay” and instead to lodge a complaint :). Before you take that too seriously, read this:

“Dickson Sheriff’s office staff was listening to radio station WDKN’s online radio stream, in Tennessee, USA, according to Bledsoe, when the “ransomware” infected the department’s report management system. When “cryptowall” struck, staff were notified by on-screen messages that they had a certain amount of time to pay or the data would not be unlocked. The software company used by the department was contacted and verified the malicious software as “cryptowall.”

Bledsoe said the department contacted both the Tennessee Bureau of Investigation and the Federal Bureau of Investigation. He said those agencies advised that the cryptowall extortioners usually released the files when the money is paid.

“My first response is we are not going to be held hostage. We are not going to pay a fee to get our records back,” Bledsoe said. “But once it was determined which records were involved and that they were crucial to victims of crimes in this county, and to the operations of the sheriff’s office and the citizens of this county…I had no choice but to authorize to pay this.” – from the Tennessean



Well, the longer you stretch this out, the higher the price goes and the lower the patience gets. Remember, you are dealing with criminals at the other end. There is a real person who is holding that hard disk to ransom. Usually, they tend to double the price of release. And if you do not pay, you can say sayonara to your years of data. They have the power to delete it all with a click, and they are remorseless; they will do it if you do not pay up. Whether you are a not-for-profit, a critical care facility or a public-facing bulk-billing clinic, it does not matter to them!

Will they delete your data even if you pay up? Not to the best of my knowledge. The so-called “honour among thieves” adage seems to have held up so far. No matter how publicly the media covered their attack, when the healthcare facility has paid, they have unlocked the hard disk and walked away without any damage done to the data.


Why are they doing it?

Money. Welcome to yet another economy growing faster than the BRICS: the malware economy. Software tools that help budding criminals hack banks, hospitals and clinics are now being used to target individuals like you and me as well.

If you lose the data on your personal hard disk, you lose memories, family albums, videos, tax documents and so on; you might still be able to live with that. But if you lose patient health records, you may become medicolegally liable. You need to protect your local computer, and also be aware of the infrastructure being used in case you use a cloud-based EMR or clinic management system. I will cover both below.



How to protect your Clinic against Ransomware

Steps to take to protect your Clinic when using an Offline/Desktop/Server based software

1. Do not open email attachments from unknown senders. Some of the common ransomware families floating around are Cryptowall, TeslaCrypt (not to be confused with Tesla the carmaker), Locky, WannaCry and CryptoLocker. Delete emails with such names in the subject or attachments, and block the sender.

2. Install an antivirus and make sure you switch on “auto-updates”. An antivirus that has not been updated for a month is useless.

3. Also ensure your antivirus supports auto-scanning of Email attachments.

4. Make sure your Windows/Mac operating system also has auto-updates switched on.

5. The other way ransomware gets onto your computer is when you visit a hacked website. Use a safe browser like Google Chrome, which will warn you in case you are about to visit a malicious website.

6. Free wifi is great in coffee shops and airports, but when on it, do not use it to log in to any website whose address does not start with HTTPS:
NOT GOOD: http://facebook.com
GOOD: https://facebook.com

HTTPS is secure and HTTP is not. If you are on HTTP, any hacker in the same coffee shop as you can read on his computer whatever information you are sending to Facebook or any other HTTP site.

7. Back up your hard disks regularly.

8. Educate your staff on these points.

9. Most importantly, if you use a desktop/server-based EMR in your clinic, switch over. Even if you have full-time IT staff looking after your hardware and software, they just cannot match the advances of Cloud technologies. Simply put, you are in the stone age of security, whereas the Cloud is the cutting-edge suite of security tools of the 21st century. You do not stand a chance; switch over to the Cloud to run your clinic.
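As an added example (not from the original post), the following attachment-triage rules put step 1 into code and go beyond the family names in the text to the file-name tricks that carry such attachments; the extension lists and sample file names are constructed for the illustration:

```python
"""Added example (not from the original post): attachment triage rules a
clinic's mail gateway or front desk can apply before anyone opens a file.
Covers step 1 above (unknown senders, executable and macro attachments) and
the 'invoice.pdf.exe' double-extension disguise. Sample names are constructed.
"""
from typing import List

EXECUTABLE = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
              ".bat", ".cmd", ".ps1", ".jar", ".lnk"}
MACRO_OFFICE = {".docm", ".xlsm", ".pptm"}
ARCHIVES = {".zip", ".rar", ".7z", ".iso"}
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def extensions(filename: str) -> List[str]:
    """All trailing extensions, lower-cased and with padding spaces stripped,
    e.g. 'Scan.PDF   .exe' -> ['.pdf', '.exe']."""
    pieces = [p.strip().lower() for p in filename.split(".")]
    return ["." + p for p in pieces[1:] if p]


def triage(filename: str, sender_known: bool) -> List[str]:
    """Return the reasons to quarantine an attachment; an empty list means allow."""
    reasons = []
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE:
        reasons.append(f"executable attachment ({last})")
    if last in MACRO_OFFICE:
        reasons.append(f"macro-enabled Office file ({last})")
    if len(exts) >= 2 and exts[-2] in DOCUMENT_LIKE and last not in DOCUMENT_LIKE:
        reasons.append(f"double extension disguised as {exts[-2]}")
    if last in ARCHIVES and not sender_known:
        reasons.append("archive from an unknown sender (may hide an executable)")
    if "\u202e" in filename:  # right-to-left override reverses how the rest of the name displays
        reasons.append("direction-override character in file name")
    return reasons


# Constructed sample: (attachment name, sender is in the clinic's address book)
SAMPLES = [("Patient_Results.pdf", True), ("Invoice_2291.pdf.exe", False),
           ("Lab report.docm", False), ("scans.zip", False), ("scans.zip", True)]


def run_samples() -> List[bool]:
    """Quarantine decision (True = block) for each sample, in order."""
    return [bool(triage(name, known)) for name, known in SAMPLES]
```

Checking the name before it is opened complements, rather than replaces, the auto-scanning antivirus in step 3, since the scanner sees the file content while these rules only see how the file presents itself.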



Steps to take to protect your Clinic if using an Online Clinic Management System

1. Ask your EMR/Clinic Management System vendor whether they are on the Web or on the Cloud. There is a major difference between the two. If on the Cloud, you can skip the rest and jump to point 2.

If not on the Cloud, your vendor’s hardware on the Web is at a much higher risk, as it is not covered by the artificial-intelligence-powered threat detection tools that protect Cloud servers at the Big 3 (Amazon Web Services, Google Cloud, Microsoft Azure). Technology needs to keep up with threats, and when you have the technology available and do not put it to use, it is borderline criminal. Petition, request and pressure your vendor to move to the Cloud.


2. If you are on the Cloud then half the battle is already won, as you are on superior technology right away. The remaining half depends on your vendor adopting best practices.

Questions to ask your software vendor
a. Who has physical access to the servers on which you run the EMR?
Correct answer: No one
b. Do you have any antivirus installed on the servers on which you run the EMR?
Correct answer: None
I know my answers will not make sense right away, so let me give an example of what we do at Clinicea.

We do not allow ANY developers to log in to our Cloud Servers that Clinicea is run on. Why not? Because if they cannot log onto the servers, they cannot accidentally browse malicious websites, or inadvertently install compromised software tools, or even think about opening an email to compromise the hard disks that Clinicea runs on. So the question of putting an antivirus on the Servers is a trick question. Your vendor should not be able to put an antivirus on the server, because no one should ever be allowed to log into the servers.

Then how do these Cloud Servers ever get the EMR software you use? That is done through an automated process called “Continuous Integration”. It is a state-of-the-art deployment process through which code, and only code, travels from the developer’s computer to trusted code-checking servers, which then push it to the Cloud Servers; i.e. a developer cannot reach the Cloud Servers on Clinicea.

So what is the probability of your data ever getting affected by Ransomware, if your clinic is on Clinicea EMR? You guessed it, 0.00%.


Addendum: Since this article was published, I have been asked, “So does being on a Cloud EMR hosted by the Big 3 make me 100% safe?” No, of course not. It only gives your EMR vendor the tools to make you safe. Safety will be achieved by them employing the right mix of tools, technologies and processes on the Cloud. Here is a more technically oriented discussion on what your Cloud EMR vendor must do to make your clinic immune from ransomware.