By Seth James Nielson and Daron Barnes of Ironwood Experts.
As a younger man, and long before I knew anything about computer security, I was quite a fan of Star Trek the Next Generation. One episode in particular, Contagion, captured my imagination. In this episode, an alien computer virus infects the ship’s systems, resulting in various malfunctions. The virus eventually triggers the ship’s self-destruct sequence but is stopped by shutting down all the systems. The ship is then, essentially, restored from back-up.
It amuses the Star Trek Fan still within me that this type of approach is actually recommended by Trend Micro for dealing with a CryptoLocker Ransomware infection.
Ransomware is a type of attack wherein a bad guy locks out files or systems from the owner(s). Typically, the software invades the target system using the same methods a virus would, but simply encrypts files rather than destroying or corrupting them. The attacker’s malicious software then alerts the user that their data is locked–but it can be decrypted… for a price.
Apparently, an L.A. hospital just fell victim to this kind of attack. The attackers locked down the hospital’s files so effectively that the hospital paid a $17k ransom to regain access. There appear to be no injuries or deaths attributable to this reduced capacity, but the hospital felt it had no choice but to pay up. According to some reports, without access to the locked files, the hospital had been forced to revert to paper medical records transmitted by phone and fax.
This story surprises me–the hospital’s locked files should be recoverable from backups. Daily, or at least weekly, backups are pretty standard for even the smallest institutions these days. Surely a hospital backs up their files. Even week-old restored data should have been enough to prevent a catastrophe.
I hope that more is revealed about this story in the coming days and weeks, but I have a guess about what happened. In the past, the Hospital probably had a backup solution for all of its data. Then, at some point, their systems changed. New data was generated on new systems not covered by the previous backup configuration. The hospital was no longer backing up all of their files. The attacker, either through insider knowledge or surveillance, figured out certain critical patient files that were unprotected and chose those as his target.
As I said, this is just a guess. But these kinds of practical security problems happen all the time. Effective security relies on assumptions and boundaries, models of trust, and models of threat. And unfortunately, the underlying reality of those assumptions and boundaries change over time, especially in a chaotic environment like a medical facility. Without careful management, critical systems can slip outside the security perimeter.
Ross Anderson discusses this in his book entitled Security Engineering (second edition). Says he,
“We’ve also seen many cases where the policy and mechanisms were set when a system was first built, and then undermined as the environment (and the product) evolved, but the protection did not.”
Anderson goes on to discuss how organizations can and should manage their evolution, noting that they must be willing to spend sufficiently for necessary and effective technological tools, and highly competent people.
The takeaway message is this–nobody can just put up a computer security wall and say, “now I’m safe!” Security is a constant and ongoing exercise in vigilance, education, and training.