Ransomware in Healthcare: Maui and Risks

Aug 1, 2022 | Industry News

By Mary Grlic

All organizations unfortunately run the risk of ransomware attacks. These threats can be detrimental, costing organizations a lot of money and digital data. With technology becoming more prevalent in our daily lives, ransomware will not be going away anytime soon. Recent ransomware attacks in the news have affected medical organizations, proving that malware is a huge risk for healthcare. 

What is Ransomware?

Ransomware is any malware (malicious software) that hackers use to encrypt data on your device, making the files unusable. Attackers will usually hold your information until you agree to pay a ransom fee to get it back. While the data is held for ransom, hackers may compromise, steal, and threaten it.

Ransomware can be spread through a process known as phishing, where attackers disguise a malicious link as authentic. When a recipient clicks this link, a malicious attachment such as malware or a virus may be downloaded to their device. With ransomware, the malicious software quickly spreads across the device, locking documents through encryption. Without the proper code to unlock the files, users will not be able to access any encrypted data. The user can then regain access only by paying to have the data decrypted. The “ransom fee” can vary, but it is often paid in the form of cryptocurrency (digital currency) like Bitcoin. If the victim does not pay the ransom fee, there are consequences, like a data breach.

Ransomware in Healthcare

Preventing ransomware is important for all companies. Unfortunately, hackers can be ruthless and attack organizations that hold confidential data, such as healthcare providers. Ransomware attacks in hospitals are becoming a common trend, putting electronic patient health information (ePHI or PHI) at risk.

Ransomware in healthcare is growing every year. According to the HHS Cybersecurity Program, ransomware hit 34% of healthcare organizations in 2020. Data has also shown that a fifth of ransomware victims are in healthcare. With these statistics, medical organizations could be a target.

In the News: Understanding Maui Ransomware

What is Maui?

On Tuesday, July 19, 2022, the United States Department of Justice announced that there were two ransom payments made by US health care providers to recover ransomed data. They forfeited nearly $500,000 in ransom payments to protect PHI. “Maui” is a new strain that hackers in North Korea used to deploy ransomware on devices in medical offices. According to CISA (Cybersecurity and Infrastructure Security Agency), Maui is an encryption binary which seems to be “designed for manual execution by a remote actor.”

Maui uses a combination of different encryption methods (Advanced Encryption Standard, RSA, and XOR) to make files inaccessible for organizations. It starts by encrypting files with AES 128-bit encryption. Each file has a unique AES key, which makes it extremely difficult to decrypt. RSA then encrypts each AES key. Finally, Maui hides the RSA public key using XOR encryption. These multiple layers of encryption make files encrypted by Maui extremely difficult to recover. Stairwell’s threat report on Maui details the encryption and gives a technical overview.

Maui Threats in the United States

In May 2021, hackers deployed “Maui” in a medical facility in Kansas. Maui encrypted files and servers, making PHI inaccessible for over a week. The hospital in Kansas paid $100,000 in Bitcoin ransom fees to regain access to their data. Luckily, they told the FBI about the attack, which ended up being essential when a similar case happened in Colorado nearly a year later.

In April 2022, the FBI and the Kansas hospital identified a $120,000 payment in Bitcoin. They were able to confirm that a Colorado medical practice had to pay a ransomware fee after hackers put Maui on their servers and devices. In May 2022, the FBI seized the contents of the two cryptocurrency accounts.

Cybersecurity Advisory

On July 6, 2022, CISA, the FBI, and the Department of Treasury released a joint Cybersecurity Advisory (CSA) to make healthcare organizations aware of the dangers of Maui. The alert includes tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) for the Maui strain. All three organizations urge critical infrastructure organizations (like healthcare) to apply the recommendations in the mitigation section.

Mitigation as per Maui CSA

As stated directly in the recent cybersecurity advisory, the FBI, CISA, and Treasury urge that HPH (Health Promoting Hospitals and Health Services) Sector organizations do the following:

  • Limit access to data by deploying public key infrastructure and digital certificates to authenticate connections with the network, Internet of Things (IoT) medical devices, and the electronic health record system, as well as to ensure data packages are not manipulated while in transit from man-in-the-middle attacks. 
  • Use standard user accounts on internal systems instead of administrative accounts, which allow for overarching administrative system privileges and do not ensure least privilege.  
  • Turn off network device management interfaces such as Telnet, SSH, Winbox, and HTTP for wide area networks (WANs) and secure with strong passwords and encryption when enabled. 
  • Secure personal identifiable information (PII)/patient health information (PHI) at collection points and encrypt the data at rest and in transit by using technologies such as Transport Layer Security (TLS). Only store personal patient data on internal systems that are protected by firewalls, and ensure extensive backups are available if data is ever compromised.
  • Protect stored data by masking the permanent account number (PAN) when it is displayed and rendering it unreadable when it is stored—through cryptography, for example. 
  • Secure the collection, storage, and processing practices for PII and PHI, per regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Implementing HIPAA security measures can prevent the introduction of malware on the system. 
  • Implement and enforce multi-layer network segmentation with the most critical communications and data resting on the most secure and reliable layer. 
  • Use monitoring tools to observe whether IoT devices are behaving erratically due to a compromise. 
  • Create and regularly review internal policies that regulate the collection, storage, access, and monitoring of PII/PHI.

More Tips from the CSA

The advisory also highly recommends that all HPH sector organizations use methods to mitigate and prevent ransomware incidents as much as possible. They suggest that such facilities follow good cybersecurity procedures through the following tips.

Preparation

  • Keep data backups. A good standard for all healthcare organizations to follow is to keep offsite, offline data backups. With so much electronic PHI (ePHI) it is critical that medical offices protect this data. In the event of a ransomware attack, it is important that medical professionals have patient data stored elsewhere in a safe location. 
  • Have a good managed IT cybersecurity plan for effective responses and communications. Organizations can refer to the National Conference of State Legislatures: Security Breach Notification Laws for information regarding each state’s laws and regulations. For example, in New York State, the SHIELD Act protects personal information in the case of a data breach. However, medical and other organizations are exempt from following this law. If a data breach involves electronic health information, organizations may have to get involved with the Federal Trade Commission or the Department of Health and Human Services. 

Mitigation and Prevention

  • Install and update all devices. Older devices and systems are more vulnerable to hacking, so organizations should stay up to date. 
  • Secure and monitor all devices closely. Ideally, somebody should monitor servers and any electronic devices 24/7 for full protection. By monitoring devices intently, users may be able to counter, or at least be aware of, any malware before it hits. They will also get immediate notification of any virus.
  • A cybersecurity awareness training program is important for all employees. By understanding the importance of cybersecurity and maintaining internet safety, organizations can avoid the risks of suspicious websites and phishing attacks.
  • Enforce login security and use multi-factor authentication. 
  • Have only administrators install software.  
  • Only use protected networks and avoid public or unprotected WiFi connections. 

Response

  • Follow some sort of a ransomware response checklist.
  • Scan backups to ensure that they are not also infected with any malware.
  • Report incidents to the FBI and local offices.
  • Use incident response tactics from Cybersecurity Advisory or other cybersecurity protection agencies.
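
The backup advice above (keep offline backups, and check them before relying on them) can be partly automated. This is an added example, not code from the advisory or the original post: it compares a backup folder against a hash manifest recorded at backup time and flags text-like files whose contents look encrypted, which is how files left behind by AES-based ransomware such as Maui appear. The entropy cut-off, the extension list, and all function names are assumptions, and the check complements a malware scan rather than replacing one.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_LIMIT = 7.5  # bits per byte; assumed cut-off, tune on your own data
TEXT_LIKE = {".txt", ".csv", ".xml", ".json"}  # assumed plaintext formats

def shannon_entropy(data: bytes) -> float:
    # About 8.0 bits/byte for ciphertext or random data, far lower for text.
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan(root):
    # Map each relative path to (sha256 hex digest, entropy of the content).
    result = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            result[path.relative_to(root).as_posix()] = (
                hashlib.sha256(data).hexdigest(), shannon_entropy(data))
    return result

def audit_backup(root, manifest):
    # manifest: {relative path: sha256} recorded when the backup was taken.
    findings = {}
    current = scan(root)
    for rel in manifest.keys() - current.keys():
        findings[rel] = "missing"
    for rel, (digest, entropy) in current.items():
        if Path(rel).suffix.lower() in TEXT_LIKE and entropy > ENTROPY_LIMIT:
            findings[rel] = "high entropy, possibly encrypted"
        elif manifest.get(rel) != digest:
            findings[rel] = "hash changed" if rel in manifest else "not in manifest"
    return findings

def demo():
    # Constructed sample data; random bytes stand in for an encrypted file.
    with tempfile.TemporaryDirectory() as root:
        Path(root, "visits.csv").write_bytes(b"id,date,code\n1,2022-07-06,A10\n" * 200)
        Path(root, "notes.txt").write_bytes(b"follow-up in two weeks\n" * 200)
        manifest = {rel: digest for rel, (digest, _) in scan(root).items()}
        Path(root, "visits.csv").write_bytes(os.urandom(8192))
        Path(root, "notes.txt").write_bytes(b"edited after the backup\n")
        return audit_backup(root, manifest)
```

Any finding should hold up a restore until someone has looked at the file; formats that are compressed or encrypted by design need their own allow-list rather than the entropy test.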

Ransomware Attacks can Happen Anywhere, Anytime…

Unfortunately for healthcare providers, ransomware is a major threat. While attacks like these seem terrifying, they are also quite common. The FBI and US government agencies are taking measures to protect facilities from ransomware attacks, but it is likely that similar attacks will still occur. Even after the first Maui threat in 2021, nearly a year later, another organization experienced the same incident. Other groups like Conti continue to target healthcare services frequently. Conti ransomware uses Trickbot and Cobalt Strike and is a ransomware-as-a-service (RaaS) variant. Its structure deviates from other RaaS models, making it even more of a threat.

To make matters more local, in 2019, a ransomware attack at a medical practice in Brooklyn resulted in the permanent loss of PHI. The Brooklyn Hospital Center, affiliated with Mount Sinai Hospital, became aware of suspicious activity in its servers during July of 2019. After investigating further, they revealed that hackers deployed malware on their systems, encrypting and corrupting hospital files. The hospital operated for another two months before stating that the ransomed data would not be saved. These sorts of attacks can happen anywhere, at any time. No matter where a facility is located, they must understand and use the proper methods to protect data.

Healthcare organizations must take protective measures to monitor their systems securely and prevent a ransomware attack. The hackers are not going away, but with the proper mitigation and recovery tools, hopefully facilities can limit the risk. If your organization wants to protect its data more securely, it must make the effort to implement the safeguards found in the recent cybersecurity advisory.
