Sunday, December 22, 2013

I Suspect None Of Us Are Taking This Seriously Enough. Get Caught And It Could Be Very Bad.

About a year ago we had this appear.

Practice won’t pay for ransomed records

9 January, 2013 Kate Newton
A Gold Coast medical practice whose patient records were hacked and encrypted by foreign cyber criminals will not pay a $4000 ransom, instead choosing to recreate the records bit by bit.
GPs at Miami Family Medical Centre discovered last December that their server had been hacked and all 15,000 patient files encrypted, making them unusable.
The hackers, believed by Queensland police to be operating from eastern Europe, did not steal any patient details but demanded a ransom of $4000 to decrypt the files.
The practice was able to recover some patient details through referrals, pathology reports and other outside health services, but had to rely on handwritten notes and appointment books for several days to ensure patient care was not disrupted.
Before Christmas, the practice was seriously considering paying the ransom. However, practice co-owner David Wood, whose wife is a GP at the clinic, said they had now decided against it.
"It's not that simple to pay anyway. You have to give photo ID and all sorts of things to a faceless website, so you just add another problem to the mix of potentially having your identity stolen," he said.
Instead, the practice was piecing together a new set of patient records.
More here:
This then appeared last week:

CryptoLocker still a danger

Chris Griffith, The Australian, December 16, 2013 12:00AM
Network security engineers have had limited success disabling devastating malicious software that encrypts all files on a user's computer.
The malware, CryptoLocker, uses sophisticated 256-bit encryption which makes it virtually impossible for the encryption code to be cracked by accident. Affected users are forced to pay hundreds, sometimes more than $1000 to obtain a "private key" -- a special string of digits and letters needed to decrypt their files.
The only hope for defeating CryptoLocker is when users have offline backups of their data before their computer is infected. The Trojan horse malware will also try to encrypt files on USB external hard drives and even network attached storage -- so as to make it hard for users to recover data without paying up.
Once the encryption process finishes, it tells users to pay a ransom, which so far has been $100, $300 or two bitcoins, currently worth about $1950.
CryptoLocker was first detected in September. Since then, it has infected mainly Windows-based computers in Britain and USA with devastating results. As The Australian recently revealed, there are now confirmed cases of CryptoLocker infecting computers locally.
A number of antivirus suites will detect and disable CryptoLocker malware, which enters computers disguised as attachments on fake emails purportedly from companies such as courier companies FedEx and UPS, and antivirus firm Symantec.
However, antivirus suites that disable and remove CryptoLocker can render it impossible for users to get their files back. Victims wanting to decrypt their files have been forced to reinstall the malware and apply the criminal-supplied private key.
Network security firms, however, have been investigating ways to render CryptoLocker harmless on networks before the malware gets the chance to encrypt any files on a user's computer.
Lots more here:
Given that none of the security firms (Symantec etc.) seem to have the problem beaten, it is clear that prevention is far better than cure.
See here for a very recent Symantec article:
Short summary - once encrypted, files that are not backed up safely are gone for all practical purposes.
There is a useful Computerworld article here:
So what to do:
1. Take the threat seriously - pretty obvious.
2. Make sure your anti-virus and anti-malware scanners are current and active.
3. Make sure you and all who access your network are aware of the risks associated with opening attachments that are not from trusted sources and are not expected. If at all unsure, just delete!
4. Make sure you have current data backups that are not network accessible (switched-off drives, detachable drives that are detached, NAS drives that are not mapped, backups that are encrypted, etc.)
5. You may want to check out CryptoPrevent.
Seems like a useful way of adding some protection. Nearly 100,000 downloads suggests others think so. This is the only blocker I have found so far.
Hope this helps… If just one person is saved it will be a very good thing!
David.
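As an added illustration of item 3 in the list above (this is example code written for this page, not something from the original post or from any product it mentions), here is a small mail-screening check of the kind a gateway or mail server could run before an attachment ever reaches a user. It parses a raw message, flags directly executable attachment types, flags names that borrow a document extension to disguise an executable (the "invoice.pdf.exe" pattern), and looks inside zip attachments for the same thing. The block list of extensions, the sample "courier notice" message and the zipped file inside it are all constructed here and are assumptions, not real malware or real mail.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed block list: types Windows will run directly. Tune to your own environment.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs",
                   "wsf", "jar", "msi", "hta", "cpl", "lnk"}
# Document types whose extension a disguised name such as "invoice.pdf.exe" borrows.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
ARCHIVE_EXTS = {"zip"}


def classify_name(filename):
    """Return a reason to block this filename, or None if the name looks harmless."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
            return f"executable disguised as document: {filename}"
        return f"executable attachment: {filename}"
    return None


def screen_message(raw_bytes):
    """Parse a raw RFC 822 message; return a list of block reasons (empty list == allow)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = classify_name(name)
        if reason:
            findings.append(reason)
            continue
        ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
        if ext in ARCHIVE_EXTS:
            # Look inside the archive: the executable is often one level down.
            payload = part.get_payload(decode=True)
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    for member in zf.namelist():
                        inner = classify_name(member)
                        if inner:
                            findings.append(f"inside {name}: {inner}")
            except zipfile.BadZipFile:
                findings.append(f"unreadable archive: {name}")
    return findings


def build_sample_message():
    """Constructed sample: a fake 'parcel' notice carrying a zipped file with a disguised name.
    The zip member holds plain sample bytes, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Shipping_Notice.pdf.exe", b"sample bytes, not a real program")
    msg = EmailMessage()
    msg["From"] = "notice@example.invalid"
    msg["To"] = "reception@clinic.example"
    msg["Subject"] = "Your parcel could not be delivered"
    msg.set_content("Please open the attached notice.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Notice.zip")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application", subtype="pdf",
                       filename="referral.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in screen_message(build_sample_message()):
        print("BLOCK:", reason)
```

Run as-is it reports the zipped "Shipping_Notice.pdf.exe" and lets the plain PDF through. Attachments with no filename at all are not examined here; a production filter should treat those as suspicious too, and should apply the same check on the workstation, since a name-based rule at the gateway is only one layer.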

3 comments:

Ryan Turan said...

Hi David
This is a very real and serious threat and could potentially lead to the total failure of your business if experienced.

As a senior-level information security expert, I would like to respond to your advice with some suggestions that are proven to be more effective (and admittedly require more expertise to implement):

>>2. Make sure your anti-virus and anti-malware scanners are current and active.
Antivirus/malware is very low on the list for effectiveness at stopping malicious code from running. What is the most highly effective, yet the most seldom implemented, is application whitelisting (aka AppLocker for Windows people). This needs to be your #1 priority if you want to prevent malicious code from ruining your business.

>>3. Make sure you and all who access your network are aware of the risks associated with opening attachments that are not from trusted sources and expected. If at all unsure just delete!
Because 'spear phishing' is evolving into a very targeted and convincing guise, you can no longer have "trusted sources" via email. All risky attachment types need to be blocked at the firewall, mail server, and workstation. Alternative methods to share files should be seriously considered (e.g. Dropbox), though they also have their own inherent risks.

>>4. Make sure you have current data backups that are not network accessible (switched off drives, detachable drives that are detached, non-mapped drives to your NAS, backups that are encrypted etc.).

For those using a NAS device, make sure that you get a NAS that grabs the backup files from your source instead of having a share that is writable by the server... in other words make sure the server can't write to the NAS, but that the NAS copies the files across itself. The NAS should also be able to keep dozens of snapshots so you can go back many versions if need be.

There are a host of other suggestions, but to varying degrees of complexity and cost.
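To show what item 4 of the post and the pull-style NAS backup with many snapshots described in the comment above look like in practice, here is an added example (written for this page; it is not code from David, from Ryan, or from any NAS product). The script is meant to run on the backup host: it reads the server's share and writes into storage the server has no access to, so the direction of trust is backup host to server, never the reverse. Each run produces a dated snapshot; files that have not changed since the last snapshot are hard-linked to it, so keeping dozens of versions costs little space, and only the newest `keep` snapshots are retained. The demo scenario (a records folder, a NAS folder, and a file that is overwritten between snapshots) is constructed inside a temporary directory and stands in for a mounted share and the NAS disk.

```python
import os
import shutil
import filecmp
import tempfile
from datetime import datetime


def list_snapshots(backup_root):
    """Snapshot directories in name order (timestamp labels sort chronologically)."""
    if not os.path.isdir(backup_root):
        return []
    return sorted(d for d in os.listdir(backup_root)
                  if os.path.isdir(os.path.join(backup_root, d)))


def take_snapshot(source, backup_root, keep=30, label=None):
    """Pull a copy of `source` into backup_root/<label>.

    Intended to run on the backup host, which only reads `source` (the server's
    share); the server never has write access to backup_root.  Files unchanged
    since the previous snapshot are hard-linked to it; only the newest `keep`
    snapshots are retained.
    """
    label = label or datetime.now().strftime("%Y%m%d-%H%M%S")
    os.makedirs(backup_root, exist_ok=True)
    snapshots = list_snapshots(backup_root)
    previous = os.path.join(backup_root, snapshots[-1]) if snapshots else None
    dest = os.path.join(backup_root, label)
    os.makedirs(dest)
    for dirpath, _, filenames in os.walk(source):
        rel = os.path.relpath(dirpath, source)
        out_dir = dest if rel == "." else os.path.join(dest, rel)
        os.makedirs(out_dir, exist_ok=True)
        for fn in filenames:
            src = os.path.join(dirpath, fn)
            dst = os.path.join(out_dir, fn)
            prev = None
            if previous:
                prev = os.path.join(previous, fn) if rel == "." else os.path.join(previous, rel, fn)
            if prev and os.path.isfile(prev) and filecmp.cmp(src, prev, shallow=False):
                os.link(prev, dst)          # unchanged: share storage with the older snapshot
            else:
                shutil.copy2(src, dst)      # new or changed: take a fresh copy
                os.chmod(dst, 0o444)        # snapshot files are read-only
    for old in list_snapshots(backup_root)[:-keep]:
        shutil.rmtree(os.path.join(backup_root, old))   # rotate out the oldest
    return dest


def demo():
    """Constructed scenario: snapshot, overwrite the live copy of one record, snapshot again."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "records")   # stands in for the server's share
    nas = os.path.join(work, "nas")          # stands in for the NAS's own storage
    os.makedirs(source)
    with open(os.path.join(source, "patient_001.txt"), "w") as f:
        f.write("original record")
    with open(os.path.join(source, "patient_002.txt"), "w") as f:
        f.write("unchanged record")
    take_snapshot(source, nas, keep=2, label="20131222-0100")
    with open(os.path.join(source, "patient_001.txt"), "w") as f:
        f.write("GARBAGE-CIPHERTEXT")       # simulates the live copy being encrypted
    take_snapshot(source, nas, keep=2, label="20131222-0200")
    with open(os.path.join(nas, "20131222-0100", "patient_001.txt")) as f:
        recovered = f.read()                # the earlier snapshot still holds the good copy
    shared = os.stat(os.path.join(nas, "20131222-0200", "patient_002.txt")).st_nlink
    take_snapshot(source, nas, keep=2, label="20131222-0300")   # rotation drops the oldest
    result = {"recovered": recovered, "links": shared, "snapshots": list_snapshots(nas)}
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

Two points worth noting when adapting this: the hard-link trick means an in-place edit of a file in one snapshot would change every snapshot that shares it, which is why the copies are made read-only; and the rotation count is the whole point of "dozens of snapshots", because an infection that sits unnoticed for a week is only survivable if a snapshot older than a week is still there.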

Anonymous said...

Does anybody know if the PCEHR is sufficiently secure in this regard? Could the data be stolen and held to ransom in the same way as the Gold Coast practice?
Oh I forgot. Each document in the PCEHR has been sourced from elsewhere, so it should be able to be simply re-created if the data is stolen or lost. Except for the audit log, and the consumer entered data, and the next of kin and the advanced care directive, and the access settings, and…
The audit log might say:
Access type : data taken for ransom, Organisation accessing: unknown, Date accessed: Sometime this week (we think).

Anonymous said...

Agree with Ryan in his synopsis. Unfortunately, most health professionals in 2014 will come under more and more attacks due to the resale value of patient information and records on the black market.

Australian health professionals are totally unaware of the potential threats to their businesses and one such attack could ruin a business as Ryan outlined.

The Privacy Act amendments that come into play in March 2014 will also have a significant impact on how PII is accessed, disclosed and managed.

Privacy Paul