LA hospital ransomware payout shows astronomical cost of neglecting cyber threat
Interest in cyber security has rocketed in the last few years amid a torrent of hacks of major companies and government systems. From small businesses to the biggest corporate brands, no one is safe it seems, although the last few years have seen hospitals become a favourite target for hackers. This year a hospital's systems were even taken hostage by ransomware.
"This is something we expected to see based on attacks on financial systems," Mike Ahmadi, global director of critical systems security for the Synopsys Software Integrity Group, told me. "The reality is people don't just walk into banks anymore to rob them; they'd rather just do it from the comfort of their home whilst eating Cheetos."
Ahmadi, a member of the US Department of Homeland Security Industrial Control Systems Joint Working Group and part of the advisory board for the US Secret Service Electronic Crimes Task Force, says one thing is for sure when it comes to cyber security trends: "We're going to start to see a lot more malicious activity."
Ahmadi has been in the industry for a few years. He started in the medical industry and has since worked in industrial control systems, the automotive industry and recently started working with the International Atomic Energy Administration (IAEA), helping them figure out cyber security issues for nuclear facilities. One thing that has struck him during his career is a growth in awareness of the discipline. "When I started working in cyber security in 2007 full-time and people asked what I did," he recalls, "I would say cyber security and they didn't have a clue what that meant. Today when I say I work in cyber security, everyone knows what I'm talking about."
Additional opportunities
As traditional crime rates continue to fall across the Western World (in contrast, it seems, to the fear of crime), cybercrime seems to be heading in the other direction, while the internet of things is multiplying the vectors of possible attack.
The continued growth of technology and continued increase of power and computational power is going to create additional opportunities for hackers to break into systems. So why do the criminals seem to have the upper hand in what used to be called cyberspace, even as some traditional crimes, like burglary or armed robbery, are much less practical and worthwhile than they used to be? "One of the main reasons it's so easy to break into a system today is the power of the computer is so insane that passwords aren't even a challenge," says Ahmadi.
Nevertheless, growing awareness does not necessarily equate to taking the problem seriously. "The software industry are really pushing back on any attempts to regulate them against cyber security issues," explains Ahmadi. "If governments don't start mandating some sort of real responsibility for software companies, where many of the serious issues actually lie, I believe we may be facing a black-swan event."
He believes we are getting closer to such a black-swan event, a term popularised by Nicholas Nassim Taleb that means an event that is low probability, high impact and extremely difficult to predict. "There will be at least one very big event that will be devastating. As much as I hope this doesn't happen, all the data seems to be pointing in that direction."
In early 2015, an LA hospital's entire internal computer system was taken down for more than a week by ransomware, which encrypted patient records and set the ransom for unlocking them at 9,000 bitcoins (almost $3.7m). It meant that the hospital was unable to access patients' records, having to revert to paper registrations and medical records and sending A&E patients to different hospitals as emergency rooms were unable to function properly. Though the systems affected were not actual medical devices, Ahmadi believes hackers were capable of affecting those as well. "We've done tests at some places where we've seen you can take down an entire network of infusion pumps by just sending a couple of bad packets to the network."
Indicators
Drawing an analogy with society's response to environmental crises, he says: "We all knew pollution was getting bad, we knew about it for a long time, but by the time we started to do something on a global basis, it had grown to be a huge problem." He continues: "The thing that is interesting about black-swan events is that they're usually preceded by a bunch of indicators that something like this is coming; we've seen what's happening with security but the amount of action that people in the government are taking to solve the problem is nowhere near how bad the problems are getting."
Ahmadi believes this is not entirely a technological problem; rather it's more of a policy and people problem. People don't want to spend the time or money, or make the change.
Unfortunately, it takes a major incident for real action to be taken. Organisations tend to be reactive rather than proactive. I was working with a major medical device manufacturer when their insulin pumps were hacked and because they faced such a huge PR issue and backlash about what happened, they put a lot of time, effort and money into fixing their problem and have now got to a point where their systems are really solid. Unfortunately, the risk of anything happening in a single instance is so low it breeds complacency, even if the chances of things happening across thousands of instances is actually very high. Because we haven't had a black swan event yet, people always look at the numbers and risks and it looks like a fairly safe risk for them to take. They look at it and think: what are the odds of it happening? If you look at the numbers, the risk can be construed as being small.
I understand they're playing the odds, but if it happens, the consequences could be really huge.