Claire C McGlave,Sayeh S Nikpay,Carrie Henning-Smith,Katie Rydberg,Hannah T Neprash

DOI: https://doi.org/10.1093/haschl/qxad037

2023-08-28

Abstract:As cybercrime increasingly targets the health care sector, hospitals face the growing threat of ransomware attacks. Ransomware is a type of malicious software that prevents users from accessing their electronic systems-demanding payment to restore access. In response, momentum is gathering to enact policy that will help hospitals strengthen their cybersecurity defenses. However, to design effective policy, it is crucial to understand the characteristics of hospitals associated with the risk of ransomware attack. In this paper, we compare the characteristics of ransomware-attacked and non-attacked short-term acute care hospitals in the United States. Using data from the American Hospital Association's Annual Survey and the Healthcare Cost Report Information System, we found that ransomware-attacked hospitals were larger, had higher net operating revenue, were more likely to be financially profitable, and more likely to provide trauma, emergency, and obstetric care than non-attacked hospitals. Measures of information technology sophistication did not vary between ransomware-attacked and non-attacked hospitals. These results can be used to tailor policy interventions in order to most effectively respond to and prevent cybercrime in health care.

Benyamine Abbou,Boris Kessel,Merav Ben Natan,Rinat Gabbay-Benziv,Dikla Dahan Shriki,Anna Ophir,Nimrod Goldschmid,Adi Klein,Ariel Roguin,Mickey Dudkiewicz

DOI: https://doi.org/10.3389/fdgth.2024.1321485

2024-02-16

Abstract:Importance: Healthcare organizations operate in a data-rich environment and depend on digital computerized systems; thus, they may be exposed to cyber threats. Indeed, one of the most vulnerable sectors to hacks and malware is healthcare. However, the impact of cyberattacks on healthcare organizations remains under-investigated. Objective: This study aims to describe a major attack on an entire medical center that resulted in a complete shutdown of all computer systems and to identify the critical actions required to resume regular operations. Setting: This study was conducted on a public, general, and acute care referral university teaching hospital. Methods: We report the different recovery measures on various hospital clinical activities and their impact on clinical work. Results: The system malfunction of hospital computers did not reduce the number of heart catheterizations, births, or outpatient clinic visits. However, a sharp drop in surgical activities, emergency room visits, and total hospital occupancy was observed immediately and during the first postattack week. A gradual increase in all clinical activities was detected starting in the second week after the attack, with a significant increase of 30% associated with the restoration of the electronic medical records (EMR) and laboratory module and a 50% increase associated with the return of the imaging module archiving. One limitation of the present study is that, due to its retrospective design, there were no data regarding the number of elective internal care hospitalizations that were considered crucial. Conclusions and relevance: The risk of ransomware cyberattacks is growing. Healthcare systems at all levels of the hospital should be aware of this threat and implement protocols should this catastrophic event occur. Careful evaluation of steady computer system recovery weekly enables vital hospital function, even under a major cyberattack. The restoration of EMR, laboratory systems, and imaging archiving modules was found to be the most significant factor that allowed the return to normal clinical hospital work.

Stephen Gilbert,Francesco Ricciardi,Tauseef Mehrali,Constantinos Patsakis

DOI: https://doi.org/10.1038/s41746-024-01044-5

IF: 15.2

2024-03-21

npj Digital Medicine

Abstract:The hospital at home concept integrates key digital medicine technologies and concepts in a single platform approach, with telemedicine, wearables, and sensors. It could bring benefits to patients, who face lower risks from hospital infections and who want to be at home with their loved ones. Moreover, it may lead to efficiency savings, through its seamless integration of data flows, and therefore is likely to be an increasingly implemented model. But what happens when the platform succumbs to exploited platform/infrastructure vulnerabilities or cyber attacks like ransomware that have been weaponized to bring networked systems crashing down? Exploring the attack modes and their consequences could help prioritize adequate safeguards.

health care sciences & services,medical informatics

Owen Dyer

DOI: https://doi.org/10.1136/bmj.q686

2024-03-20

BMJ

Abstract:The US government has announced an investigation into one of America's leading health insurers, UnitedHealth, after a ransomware hack of its subsidiary Change Healthcare last month left thousands of doctors and hospitals with little or no revenue."Given the unprecedented magnitude of this attack, and in the best interest of patients and health care providers, the Office for Civil Rights is initiating an investigation into this incident," the sub-agency of the US Department of Health and Human Services said in a statement.The 21 February attack, for which a hacking group called Blackcat has claimed responsibility, is being described by both government and industry as the biggest ever. Change Healthcare's billing software is used for around half the medical claims processed in the US and is relied on by about 900 000 doctors, 33 000 pharmacies, 5500 hospitals, and 600 laboratories. The service has been offline since the attack to prevent contamination...

medicine, general & internal

Diana Portela,Diogo Nogueira-Leite,Rafael Almeida,Ricardo Cruz-Correia

DOI: https://doi.org/10.2196/41738

2023-06-30

Abstract:Background: Over the last decade, the frequency and size of cyberattacks in the health care industry have increased, ranging from breaches of processes or networks to encryption of files that restrict access to data. These attacks may have multiple consequences for patient safety, as they can, for example, target electronic health records, access to critical information, and support for critical systems, thereby causing delays in hospital activities. The effects of cybersecurity breaches are not only a threat to patients' lives but also have financial consequences due to causing inactivity in health care systems. However, publicly available information on these incidents quantifying their impact is scarce. Objective: We aim, while using public domain data from Portugal, to (1) identify data breaches in the public national health system since 2017 and (2) measure the economic impact using a hypothesized scenario as a case study. Methods: We retrieved data from multiple national and local media sources on cybersecurity from 2017 until 2022 and built a timeline of attacks. In the absence of public information on cyberattacks, reported drops in activity were estimated using a hypothesized scenario for affected resources and percentages and duration of inactivity. Only direct costs were considered for estimates. Data for estimates were produced based on planned activity through the hospital contract program. We use sensitivity analysis to illustrate how a midlevel ransomware attack might impact health institutions' daily costs (inferring a potential range of values based on assumptions). Given the heterogeneity of our included parameters, we also provide a tool for users to distinguish such impacts of different attacks on institutions according to different contract programs, served population size, and proportion of inactivity. Results: From 2017 to 2022, we were able to identify 6 incidents in Portuguese public hospitals using public domain data (there was 1 incident each year and 2 in 2018). Financial impacts were obtained from a cost point of view, where estimated values have a minimum-to-maximum range of €115,882.96 to €2,317,659.11 (a currency exchange rate of €1=US $1.0233 is applicable). Costs of this range and magnitude were inferred assuming different percentages of affected resources and with different numbers of working days while considering the costs of external consultation, hospitalization, and use of in- and outpatient clinics and emergency rooms, for a maximum of 5 working days. Conclusions: To enhance cybersecurity capabilities at hospitals, it is important to provide robust information to support decision-making. Our study provides valuable information and preliminary insights that can help health care organizations better understand the costs and risks associated with cyber threats and improve their cybersecurity strategies. Additionally, it demonstrates the importance of adopting effective preventive and reactive strategies, such as contingency plans, as well as enhanced investment in improving cybersecurity capabilities in this critical area while aiming to achieve cyber-resilience.

Nandita Pattnaik,Jason R. C. Nurse,Sarah Turner,Gareth Mott,Jamie MacColl,Pia Huesch,James Sullivan

2023-07-06

Abstract:As cyber-attacks continue to increase in frequency and sophistication, organisations must be better prepared to face the reality of an incident. Any organisational plan that intends to be successful at managing security risks must clearly understand the harm (i.e., negative impact) and the various parties affected in the aftermath of an attack. To this end, this article conducts a novel exploration into the multitude of real-world harms that can arise from cyber-attacks, with a particular focus on ransomware incidents given their current prominence. This exploration also leads to the proposal of a new, robust methodology for modelling harms from such incidents. We draw on publicly-available case data on high-profile ransomware incidents to examine the types of harm that emerge at various stages after a ransomware attack and how harms (e.g., an offline enterprise server) may trigger other negative, potentially more substantial impacts for stakeholders (e.g., the inability for a customer to access their social welfare benefits or bank account). Prominent findings from our analysis include the identification of a notable set of social/human harms beyond the business itself (and beyond the financial payment of a ransom) and a complex web of harms that emerge after attacks regardless of the industry sector. We also observed that deciphering the full extent and sequence of harms can be a challenging undertaking because of the lack of complete data available. This paper consequently argues for more transparency on ransomware harms, as it would lead to a better understanding of the realities of these incidents to the benefit of organisations and society more generally.

Cryptography and Security,Computers and Society

Yevgeniy Vinogradskiy,Leah Schubert,Amy Taylor,Shari Rudoler,James Lamb PhD

DOI: https://doi.org/10.1016/j.prro.2024.03.001

IF: 3.439

2024-03-20

Practical Radiation Oncology

Abstract:Introduction There have been numerous significant ransomware attacks impacting Radiation Oncology in the last 5 years. Research into ransomware attack response in Radiation Oncology has consisted of case reports and descriptive articles and has lacked quantitative studies. The purpose of this work was to identify the significant safety risks to patients being treated with radiotherapy during a ransomware attack scenario, using Failure Modes and Effects Analysis (FMEA). Methods A multi-institutional and multi-disciplinary team conducted a FMEA by developing process maps and using Risk Priority Number (RPN) scores to quantify the increased likelihood of incidents in a ransomware attack scenario. The situation that was simulated was a ransomware attack that had removed the capability to access the Record and Verify (R&V) system. Five situations were considered: 1) a standard treatment of a patient with and without an R&V, 2) a standard treatment of a patient for the first fraction right after the R&V capabilities are disabled, and 3) three situations where a plan modification was required. RPN scores were compared with and without R&V functionality. Results The data indicate that RPN scores increased by 71% (range 38-96%) when R&V functionality is disabled compared to a non-ransomware attack state where R&V functionality is available. The failure modes with the highest RPN in the simulated ransomware attack state included incorrectly identifying patients on treatment, incorrectly identifying where a patient is in their course of treatment, treating the incorrect patient, and incorrectly tracking delivered fractions. Conclusions The presented study quantifies the increased risk of incidents when treating in a ransomware attack state, identifies key failure modes that should be prioritized when preparing for a ransomware attack, and provides data that can be used to guide future ransomware resiliency research.

oncology,radiology, nuclear medicine & medical imaging

Laura McFadyen,Susie Gurzenda,George Pink,Tyler Malone,Kristin Reiter

DOI: https://doi.org/10.1111/jrh.12864

2024-07-30

Abstract:Introduction: There are long-standing differences in profitability between rural and urban hospitals. Prior to the COVID-19 Public Health Emergency (PHE), rural hospital profitability was decreasing, while urban hospital profitability was increasing. During the PHE, the Federal Government provided billions of dollars of support to hospitals. Given the prepandemic differences in trends in profitability, it is likely that the PHE funding had different effects on rural hospitals and urban hospitals. Methods: This study uses 2015-2023 Medicare cost report data from acute-care hospitals to assess the impact of COVID-19 PHE funding on hospital profitability. We employ descriptive Kruskal-Wallis and chi-square tests and an interrupted time series analysis to evaluate the effect of PHE funding on operating margins for a stratified sample of rural prospective payment system (PPS), urban PPS, and critical access hospitals (CAHs). Results: We found that the PHE funding was associated with significant increases in operating margins, with rural PPS hospitals experiencing similar increases compared to urban PPS hospitals, and CAHs surpassing both rural and urban PPS hospitals in their margin values. However, if PHE funding had not been provided, our evidence suggests operating margins for all hospitals in 2022-2023 would have been below prepandemic levels. Discussion: This preliminary analysis portrays the importance of the PHE government funding in supporting hospitals during the pandemic, and shows declining profitability trends without the funds. Rural PPS hospitals fare the worst suggesting continued need for financial support if the trend continues.

Yiwei Hou,Lihua Guo,Chijin Zhou,Yiwen Xu,Zijing Yin,Shanshan Li,Chengnian Sun,Yu Jiang

DOI: https://doi.org/10.1145/3597503.3639090

2024-01-01

Abstract:The threat of ransomware to the software ecosystem has become increasingly alarming in recent years, raising a demand for large-scale and comprehensive ransomware analysis to help develop more effective countermeasures against unknown attacks. In this paper, we first collect a real-world dataset Maraudermap, consisting of 7,796 active ransomware samples, and analyze their behaviors of disrupting data in victim systems. All samples are executed in iso-lated testbeds to collect all perspectives of six categories of runtime behaviors, such as API calls, I/O accesses, and network traffic. The total logs volume is up to 1.98 TiB. By assessing collected behaviors, we present six critical findings throughout ransomware attacks' data reconnaissance, data tampering, and data exfiltration phases. Based on our findings, we propose three corresponding mitigation strategies to detect ransomware during each phase. Experimental results show that they can enhance the capability of state-of-the-art anti-ransomware tools. We report a preliminary result of a 41%-69% increase in detection rate with no additional false positives, showing that our insights are helpful.

Amir Atapour-Abarghouei,Stephen Bonner,Andrew Stephen McGough

DOI: https://doi.org/10.48550/arXiv.1911.08364

2019-11-19

Abstract:With the recent growth in the number of malicious activities on the internet, cybersecurity research has seen a boost in the past few years. However, as certain variants of malware can provide highly lucrative opportunities for bad actors, significant resources are dedicated to innovations and improvements by vast criminal organisations. Among these forms of malware, ransomware has experienced a significant recent rise as it offers the perpetrators great financial incentive. Ransomware variants operate by removing system access from the user by either locking the system or encrypting some or all of the data, and subsequently demanding payment or ransom in exchange for returning system access or providing a decryption key to the victim. Due to the ubiquity of sensitive data in many aspects of modern life, many victims of such attacks, be they an individual home user or operators of a business, are forced to pay the ransom to regain access to their data, which in many cases does not happen as renormalisation of system operations is never guaranteed. As the problem of ransomware does not seem to be subsiding, it is very important to investigate the underlying forces driving and facilitating such attacks in order to create preventative measures. As such, in this paper, we discuss and provide further insight into variants of ransomware and their victims in order to understand how and why they have been targeted and what can be done to prevent or mitigate the effects of such attacks.

Cryptography and Security

Ali Mehrban,Shirin Karimi Geransayeh

2024-02-04

Abstract:In recent years, there has been a noticeable increase in cyberattacks using ransomware. Attackers use this malicious software to break into networks and harm computer systems. This has caused significant and lasting damage to various organizations, including government, private companies, and regular users. These attacks often lead to the loss or exposure of sensitive information, disruptions in normal operations, and persistent vulnerabilities. This paper focuses on a method for recognizing and identifying ransomware in computer networks. The approach relies on using machine learning algorithms and analyzing the patterns of network traffic. By collecting and studying this traffic, and then applying machine learning models, we can accurately identify and detect ransomware. The results of implementing this method show that machine learning algorithms can effectively pinpoint ransomware based on network traffic, achieving high levels of precision and accuracy.

Cryptography and Security,Machine Learning

Murat Ozer,Said Varlioglu,Bilal Gonen,Mehmet F. Bastug

DOI: https://doi.org/10.1109/CSCI49370.2019.00032

2020-03-17

Abstract:Over the past three years, especially following WannaCry malware, ransomware has become one of the biggest concerns for private businesses, state, and local government agencies. According to Homeland Security statistics, 1.5 million ransomware attacks have occurred per year since 2016. Cybercriminals often use creative methods to inject their malware into the target machines and use sophisticated cryptographic techniques to hold hostage victims' files and programs unless a certain amount of equivalent Bitcoin is paid. The return to the cybercriminals is so high (estimated \$1 billion in 2019) without any cost because of the advanced anonymity provided by cryptocurrencies, especially Bitcoin \cite{Paquet-Clouston2019}. Given this context, this study first discusses the current state of ransomware, detection, and prevention systems. Second, we propose a global ransomware center to better manage our concerted efforts against cybercriminals. The policy implications of the proposed study are discussed in the conclusion section.

Cryptography and Security

Jamil Ispahany,Md. Rafiqul Islam,Md. Zahidul Islam,M. Arif Khan

DOI: https://doi.org/10.1109/access.2024.3397921

IF: 3.9

2024-05-22

IEEE Access

Abstract:Ransomware attacks are on the rise in terms of both frequency and impact. The shift to remote work due to the COVID-19 pandemic has led more people to work online, prompting companies to adapt quickly. Unfortunately, this increased online activity has provided cybercriminals numerous opportunities to carry out devastating attacks. One recent method employed by malicious actors involves infecting corporate networks with ransomware to extract millions of dollars in profits. Ransomware falls into the category of malware. It works by encrypting sensitive data and demanding payments from victims to receive the encryption keys necessary for decrypting their data. The prevalence of this type of attack has prompted governments and organisations worldwide to intensify their efforts to combat ransomware. In response, the research community has also focused on ransomware detection, leveraging technologies such as machine learning. Despite this increased attention, practical solutions for real-world applications remain scarce in the existing literature. Numerous surveys have explored literature within the domain. Still, there is a notable lack of emphasis on the design of ransomware detection systems and the practical aspects of detection, including real-time and early detection. Against this backdrop, our review delves into the existing literature on ransomware detection, specifically examining the machine-learning techniques, detection approaches, and designs employed. Finally, we highlight the limitations of prior studies and propose future research directions in this crucial area.

computer science, information systems,telecommunications,engineering, electrical & electronic

Akashdeep Bhardwaj,G.V.B. Subrahmanyam,Vinay Avasthi,Hanumat Sastry

DOI: https://doi.org/10.48550/arXiv.1512.01980

2015-12-07

Cryptography and Security

Abstract:This article attempts to discover the surreptitious features of ransomware and to address it in information systems security research. It intends to elicit attention with regard to ransomware, a newly emerged cyber threat using such encryption technology as RSA, and to help both academic researchers and IT practitioners understand the technological characteristics of ransomware, along with its severity analysis. As ransomware infections continue to rise and attacks employing refined algorithm become increasingly sophisticated, data protection faces serious challenges. The article discusses future trends and research directions related to ransomware, and provides prevention strategies for SMEs.

Sreejith Gopinath,Aspen Olmsted

DOI: https://doi.org/10.48550/arXiv.2202.06108

2022-02-12

Cryptography and Security

Abstract:Healthcare information systems deal with a large amount of Personally Identifiable Information related to patients like dates of birth and social security numbers, patients health information and history, and financial information like credit card details and bank accounts. Most healthcare institutions purchase information systems from commercial vendors and have minimal inhouse expertise required to maintain these systems. Most institutions lack the expertise required to research evolving threats and maintain a tough security posture. We propose a risk transference based system architecture that moves sensitive data outside the system boundary, into data stores that are managed with stringent and efficient security protocols.

Diana Kwon

DOI: https://doi.org/10.1038/d41586-024-01711-3

IF: 64.8

2024-06-13

Nature

Abstract:Hackers are targeting universities and research institutes with ransomware, leaving staff and students without the ability to work. Hackers are targeting universities and research institutes with ransomware, leaving staff and students without the ability to work.

multidisciplinary sciences

Jack Cable,Ian W. Gray,Damon McCoy

2024-08-28

Abstract:Ransomware attacks continue to wreak havoc across the globe, with public reports of total ransomware payments topping billions of dollars annually. While the use of cryptocurrency presents an avenue to understand the tactics of ransomware actors, to date published research has been constrained by relatively limited public datasets of ransomware payments. We present novel techniques to identify ransomware payments with low false positives, classifying nearly \$700 million in previously-unreported ransomware payments. We publish the largest public dataset of over \$900 million in ransomware payments -- several times larger than any existing public dataset. We then leverage this expanded dataset to present an analysis focused on understanding the activities of ransomware groups over time. This provides unique insights into ransomware behavior and a corpus for future study of ransomware cybercriminal activity.

Cryptography and Security

Farshid Javadnejad,Ahmed M. Abdelmagid,Cesar A. Pinto,Michael Mcshane,Rafael Diaz

DOI: https://doi.org/10.1080/17517575.2024.2369952

2024-06-25

Enterprise Information Systems

Abstract:This study comprehensively assesses ransomware/malware risks using the Advisen cyber loss dataset. It classifies malware types by frequency and financial impact, revealing that low-frequency attacks can cause significant economic damage. Some malware types incur extensive losses despite their rarity. The analysis highlights cybersecurity technologies like AI-based tools and Zero Trust Architecture (ZTA) for combating attacks. Large organizations and small businesses can adopt these defensive approaches across various industries. The study underscores the need for robust cybersecurity measures to prevent or mitigate future attacks, offering valuable insights into malware and ransomware patterns and trends, stressing adherence to frameworks, policies, and regulations.

computer science, information systems

Timothy McIntosh,Teo Susnjak,Tong Liu,Dan Xu,Paul Watters,Dongwei Liu,Yaqi Hao,Alex Ng,Malka Halgamuge

DOI: https://doi.org/10.1145/3691340

IF: 16.6

2024-10-09

ACM Computing Surveys

Abstract:Ransomware has grown to be a dominant cybersecurity threat by exfiltrating, encrypting, or destroying valuable user data and causing numerous disruptions to victims. The severity of the ransomware endemic has generated research interest from both the academia and the industry. However, many studies held stereotypical assumptions about ransomware, used unverified, outdated, and limited self-collected ransomware samples, and did not consider government strategies, industry guidelines, or cyber intelligence. We observed that ransomware no longer exists simply as an executable file or limits to encrypting files (data loss); data exfiltration (data breach) is the new norm, espionage is an emerging theme, and the industry is shifting focus from technical advancements to cyber governance and resilience. We created a ransomware innovation adoption curve, critically evaluated 212 academic studies published during 2020 and 2023, and cross-verified them against various government strategies, industry reports, and cyber intelligence on ransomware. We concluded that many studies were becoming irrelevant to the contemporary ransomware reality and called for the redirection of ransomware research to align with the continuous ransomware evolution in the industry. We proposed to address data exfiltration as priority over data encryption, to consider ransomware in a business-practical manner, and recommended research collaboration with the industry.

computer science, theory & methods

Gavin Hull,Henna John,Budi Arief

DOI: https://doi.org/10.1186/s40163-019-0097-9

2019-02-12

Crime Science

Abstract:Ransomware incidents have increased dramatically in the past few years. The number of ransomware variants is also increasing, which means signature and heuristic-based detection techniques are becoming harder to achieve, due to the ever changing pattern of ransomware attack vectors. Therefore, in order to combat ransomware, we need a better understanding on how ransomware is being deployed, its characteristics, as well as how potential victims may react to ransomware incidents. This paper aims to address this challenge by carrying out an investigation on 18 families of ransomware, leading to a model for categorising ransomware behavioural characteristics, which can then be used to improve detection and handling of ransomware incidents. The categorisation was done in respect to the stages of ransomware deployment methods with a predictive model we developed called Randep. The stages are fingerprint, propagate, communicate, map, encrypt, lock, delete and threaten. Analysing the samples gathered for the predictive model provided an insight into the stages and timeline of ransomware execution. Furthermore, we carried out a study on how potential victims (individuals, as well as IT support staff at universities and SMEs) detect that ransomware was being deployed on their machine, what steps they took to investigate the incident, and how they responded to the attack. Both quantitative and qualitative data were collected through questionnaires and in-depth interviews. The results shed an interesting light into the most common attack methods, the most targeted operating systems and the infection symptoms, as well as recommended defence mechanisms. This information can be used in the future to create behavioural patterns for improved ransomware detection and response.