LA hospital ransomware payout shows high stakes of cyber war

Interest in cyber security has rocketed in the last few years amid a torrent of hacks of major companies and government systems.

From small businesses to the biggest corporate brands, no one is safe it seems, although the last few years have seen hospitals become a favourite target for hackers.

This year a hospital’s systems were even taken hostage by ransomware. “This is something we expected to see based on attacks on financial systems,” Mike Ahmadi, global director of critical systems security for the Synopsys Software Integrity Group, told me. “The reality is people don’t just walk into banks anymore to rob them; they’d rather just do it the comfort of their home whilst eating Cheetos.”

Ahmadi , a member of the US Department of Homeland Security Industrial Control Systems Joint Working Group and part of the advisory board for the US Secret Service Electronic Crimes Task Force, says one thing is for sure when it comes to cyber security trends: “We’re going to start to see a lot more malicious activity”.

“One reasons why t’s so easy to break into a system today is the power of the computer is so insane that passwords aren’t even a challenge”

Ahmadi has been in the industry for a few years. He started in the medical industry and has since worked in industrial control systems, the automotive industry and recently started working with the International Atomic Energy Administration (IAEA), helping them figure out cyber security issues for nuclear facilities. One thing that has struck him during his career is a growth in awareness of the discipline.

“When I started working in cyber security in 2007 full-time and people asked what I did,” he recalls, “I would say cyber security and they didn’t have a clue what that meant. Today when I say I work in cyber security, everyone knows what I’m talking about.”

“Additional opportunities”

As traditional crime rates continue to fall across the Western World (in contrast, it seems to the fear of crime), cybercrime seems to be heading in the other direction, while the internet of things is multiplying the vectors of possible attack. “The continued growth of technology and continued increase of power and computational power is going to create additional opportunities for hackers to break into systems.”

So why do the criminals seem to have the upper hand in what used to be called cyberspace, even as some traditional crimes, like burglary or armed robbery, are much less practical and worthwhile than they used to be?

“One of the main reasons it’s so easy to break into a system today is the power of the computer is so insane that passwords aren’t even a challenge,” says Ahmadi.

Nevertheless, growing awareness does not necessarily equate to taking the problem seriously. “The software industry are really pushing back on any attempts to regulate them against cyber security issues,” explains Ahmadi. “If governments don’t start mandating some sort of real responsibility for software companies, where many of the serious issues actually lie, I believe we may be facing a black-swan event.”

He believes we are getting closer to such a black-swan event – a term popularised by Nicholas Nassim Taleb that means an event that is low probability, high impact and extremely difficult to predict. “There will be at least one very big event that will be devastating. As much as I hope this doesn’t happen, all the data seems to be pointing in that direction”.

“We’ve done tests at some places where we’ve seen you can take down an entire network of infusion pumps by just sending a couple of bad packets to the network.”

In early 2015, an LA hospital’s entire internal computer system went down for more than a week after becoming infected with ransomware, which encrypted patient records and set the ransom for unlocking them at 9,000 bitcoins (almost $3.7m). Unable to access patient’s records the hospital had to revert to using paper and pen and had to send A&E patients to different hospitals as emergency rooms were unable to function properly.

Though medical devices weren’t affected in this instance, Ahmadi fears the prospect is certainly possible. “We’ve done tests at some places where we’ve seen you can take down an entire network of infusion pumps by just sending a couple of bad packets to the network.”

“Indicators”

Drawing an analogy with society’s response to environmental crises, he says: “We all knew pollution was getting bad, we knew about it for a long time, but by the time we started to do something on a global basis, it had grown to be huge problem.”

He continues: “The thing that is interesting about black-swan events is that they’re usually preceded by a bunch of indicators that something like this is coming – we’ve seen what’s happening with security but the amount of action that people in the government are taking to solve the problem is nowhere near how bad the problems are getting”.

Ahmadi believes this is not entirely a technological problem; rather it’s more of a policy and people problem. “People don’t want to spend the time or money, or make the change.”

Unfortunately, it often takes a major incident before decisive action is finally taken. Organisations tend to be reactive rather than proactive.

“I was working with a major medical device manufacturer when their insulin pumps were hacked and because they faced such a huge PR issue and backlash about what happened, they put a lot of time, effort and money into fixing their problem and have now got to a point where there systems are really solid,” recounts Ahmadi.

The risk of anything happening in a single instance is so low it breeds complacency, even if the chances of things happening across thousands of instances is actually quite high. “Because we haven’t had a black swan event yet, people always look at the numbers and risks and it looks like a fairly safe risk for them to take.

“They look at it and think: ‘what are the odds of it happening?’ If you look at the numbers, the risk can be construed as being small. I understand they’re playing the odds, but if it happens, the consequences could be really huge.”