So, I hope if some of you here are from the healthcare world, you'll tell me a little bit. I plan to leave lots of time for questions and comments and discussion about your perspective on dealing with some kinds of ransomware threats and other types of online security issues that you've perhaps encountered. My background is really in thinking about the aftermath of security incidents. I'm interested in what happens after something goes wrong, after data is stolen, after hard drives are infected, whatever it's going to be. How do people make decisions about what the right response is? How do policy makers give guidance about what those decisions should be? How does that guidance actually influence decisions? Does it influence decisions at all? Who sues whom? How are the costs going to be settled? So, I want to give sort of a brief overview, both of the emergence of ransomware, for those of you who may not be super familiar with it as a threat model, and also kind of how hospitals in the healthcare industry get dragged into this space in the first place. So, this is a graph, which is not showing up very well in this light blue, that's basically showing you the drop in how much you can sell a stolen payment card number for on the black market. So, if you think back 10 years, right, if we're talking 2006, 2007, the typical model for the cyber criminal is like Albert Gonzalez, who leads the big heist at TJX, steals millions and millions of credit card numbers. That's where the money is. You steal lots of credit card numbers. You fence them through Eastern Europe, Ukraine; they're sold all over the place. Now, worth a fair bit of money, right? People will buy those stolen payment card numbers, probably in 2006, 2007, for upwards of $25. There, you're already starting to see it decline in 2011. People do a lot of that, right? You've all read about a lot of these breaches in which retailers are hacked and millions of payment card records are stolen.
And around 2011, 2012, by 2014, you're starting to see this really precipitous drop in how much you can sell those payment card numbers for. And there are a couple of reasons for that, right? Part of it is just there's this huge glut, right? The supply has gotten so great that everybody's competing in these black market forums. Part of it is also that credit card companies, payment networks are getting better at detecting and mitigating the effects. You're detecting these things faster, so you can't spend as much money on these credit card numbers that you're purchasing a lot of the time. But for all of these various reasons, by 2016, this is data collected by Intel Security and in the Verizon Data Breach Investigations Report last year, right? You've dropped from $25 per record in 2011 to $6 per record in 2016. And as this is happening, as we're seeing these prices drop, one of the things that gets a lot of attention in the media and among people who sort of think about the economics of cybercrime is the fact that the medical records have gotten really valuable, right? There's not that glut yet of medical records. It's worth, people think, about five to 10 times as much as a payment card record on the black market in 2011, 2012. We're not the only people who can read these articles. Criminals catch on to the fact that this is where the money is. And accordingly, you see exactly what you would expect, a huge increase from 2011 to 2015 in the number of medical records that are being stolen, right? If you think about the big medical breaches you've probably read about, Anthem, Blue Cross Blue Shield, those are relatively recent compared to kind of the payment card retailer breaches from before. Again, a number of reasons why we might think of medical records as being more expensive or more valuable: that's data that usually isn't discardable, right? The way you can cancel your credit card number, you can't do that with your health insurance policy number.
For the most part, the way I actually sort of started getting interested in healthcare and started talking to hospitals and people in that industry was because I was doing a project looking at what happens after these large-scale data breaches and why it has been so hard to translate a lot of the lessons learned in the payment card industry to the healthcare industry, right? Why haven't we gotten to the point at detecting healthcare fraud or cancelling policy numbers or replacing some of this data that we've gotten to over years of learning about it in the payment card world? Which was totally fascinating, and I learned a lot about sort of how healthcare data is handled, and I'm sure there's much, much more that I don't know. But as this is happening, 2015, we've got 80 million records, 80 million medical records stolen, right? The same thing is happening to the medical data that happened to the payment card data a couple of years earlier. All of a sudden there's this huge glut. Everybody's medical records have already been stolen five times over. You can't sell them for as much money anymore. You start to see these drops in price again. Here's a record, I don't know if you can read this one either. It's being sold for $5, full medical record, right? This is not big money anymore. And so the next step in this progression, not just for hospitals, for everybody pretty much, is really going to be ransomware. And that's going to start in sort of full force in 2013, 2014. We're going to see CryptoLocker and all of its sort of subsequent copycat programs coming out, making millions of dollars there. And it's going to hit the healthcare industry on the whole, as with the data breaches, a little bit later, right? It's not going to become a sort of big deal healthcare problem pretty much until last year. You start reading about hospitals being hit by ransomware. I have to caveat that, and sort of every other fact or statistic I'm vaguely going to reference, with the fact that there is so much we don't know when we talk about ransomware numbers, right?
You're not obligated to report ransomware incidents. So we assume that however many we know about, there are hundreds, thousands, millions more out there that we don't know about. For a lot of good reasons, you probably don't want to talk about it if you're a company that's been hit by ransomware. There's just really, really incomplete information. So everything I say should be sort of treated in that vein, as we think this is true based on what very, very little we know. What we do know is that last year there were more than a dozen successful ransomware attacks on hospitals. And by successful, I just mean managed to encrypt all of their servers, managed to sort of either force them to make a payment or to shut down everything and start from scratch, rebooting from their backups if they had backups. And the other thing that's really interesting about hospitals, which on the whole is not true of other sectors where we see ransomware, is that there are actually strains of ransomware that have been designed specifically for hospitals, that we see them being targeted in a more focused way. Most ransomware that you're familiar with is just kind of indiscriminate. It goes out, it looks for servers, it says here's a server, it encrypts it and it demands a generic fee in bitcoins, usually sort of hundreds of dollars, let's say between three and six hundred dollars. And what you start to see last year with a piece of ransomware called Locky is a piece of ransomware that has been specifically designed to target one sector. It's charging much higher fees, right? It knows it's not just going after your individual laptop. It knows that it's targeting places that have more money to spend than just a few hundred dollars. So it's raising those fees and it's working pretty well on the whole.
For those of you who have been fortunate enough not to encounter a lot of ransomware in your life, I want to give you sort of a little bit of a sense of what that process looks like, how it works, especially how it works with this one piece of ransomware we're going to talk a lot about, Locky. Here's everybody realizing last year there's too much stolen health care data. Something's got to give. What gives is Locky, right? So you start to see, it starts out usually as an email, a kind of generic email sent to somebody in the hospital accounting system. "Dear Sir/Madam, please see attached file regarding client's recent bill." There's a Word document attached, invoice, blah, blah, blah, blah. You open the Word document. Again, there's a lot of training in these hospitals. There's a lot of training that you all probably go through wherever you work about how you never open that attachment and never click on that email in the first place, which is good training and is important to learn. But also when you go and you talk to people in these hospitals, they say, you know, I get invoices all day long. I get emails with attachments that are really important from insurance companies, from patients, from doctors, right? There's no obvious way to feel like that's the answer, that we're just going to teach every single person who works in every single hospital, much less every other place in the world, not to open this attachment, though we could certainly be doing better at that than we are. You open the attachment, you get this totally indecipherable Word document of garbage, and it tells you, look, "if the data encoding is incorrect, enable macros," right? Up top, Microsoft Word is warning you. Be careful, you're in protected view. Email attachments can contain viruses. Unless you need to edit, it's safest to stay in protected view, but then there's a little button you can click to enable. And if you do that thinking, OK, clearly the encoding is wrong, I should enable macros.
That's when Locky gets your hard drive, resets your wallpaper to give you very explicit instructions. One of the problems that people who operate ransomware schemes encounter a lot of the time, by the way: all payments in ransomware are generally made in Bitcoin, because it's much less easy to trace, right? It's much harder to figure out who you've paid or for law enforcement to catch them. A lot of people, hospitals, but also lots of other places, don't really know how to purchase Bitcoin. So you start getting these sort of very detailed descriptions of, OK, guys, here's what you do, you know, open up this browser, go to this address, step by step; there are even customer support operations. Really, right, you can call and you can say, I'm trying to pay you, but I don't know how, and they've really tried to make it easier. And I should mention, by the way, one of the reasons that ransomware doesn't get big until the past few years, not just that you can sell stolen payment card data for a lot of money: ransomware as a model, as a piece of malware, has been around since the 90s, but you need some untraceable payment system, right? You can't be demanding this and asking for a MasterCard number, because then it's really easy to trace whose MasterCard account that is. It's really easy for MasterCard to shut that down. So you need to wait for Bitcoin to get sort of popular and accepted enough that you can walk any clueless hospital administrator through the process of purchasing it. It locks your screen, here's your instruction set, and then you have to make a decision about what you do next. And a lot of my interest and a lot of what I want to talk about today is sort of how you make that decision, what guidance you have in terms of the kind of reigning king of hospital data security, which is of course HIPAA, the Health Insurance Portability and Accountability Act, what kind of information you have from that that maybe helps you think about what you should do next.
And what I want to try and focus on, because I talk a lot about sort of ransomware in general and how it works and how people respond to it, but because this is a healthcare series, I want to focus on sort of hospital ransomware attacks in particular, in the spirit of: how are these ransomware attacks different from all other ransomware attacks? You can see I started thinking about this talk right around Passover. And what you've seen so far is pretty standard, right? That could happen to anybody; it does happen to anybody. You see law firms hit with this, again, not specialized. Locky was for hospitals. Law firms get this, they get the demand for $500, they just pay it, they move on. They think they're lucky nobody asked for more. Hospitals start seeing this, it's not huge sums of money. We see sort of some negotiation at the very beginning of 2016 in which they're asking for a million dollars in bitcoins and the hospital saying, okay, pay that. How about 25,000, right? So you see it sort of balance out around 20,000 or a little lower in terms of payments that we know of actually being made by hospitals. And to the criminal, right, the cost of distributing this is not such that you need it to be a million dollar payout. $17,000 is a good amount of money to get for one ransomware infection. Much more than you're getting from most ransomware, from most individual infections. Mostly it's being paid directly by hospitals at the moment because mostly they can't get insurance to cover ransomware in particular, right? It's too recent and insurers are too sort of nervous about how to model it and how to cover it that for most policies you're not gonna get that included. But it's been an issue, and insurers are actually very interested in the question of how they can sell these policies, but they're scared that they don't, that they can't sort of build the actuarial models in a way that means they'll definitely be able to cover their costs if they do that.
One other thing I wanna point out about Locky: it goes right for the Volume Shadow Copy service, which is the kind of default Windows backup system that many hospitals use and many Windows users use to create automatic backups. So kind of like if people use Mac's Time Machine, where it automatically goes through and backs up your stuff every set number of hours or days. So a system like that used for Windows creates these shadow copies, they're called. If your shadow copies are networked to your computer, right? If you plug in an external hard drive and then you take it away, Locky can't do anything about that because it has no connection, but if it's networked, as it often would be in a hospital for a lot of servers, Locky goes straight for those and encrypts them as well. So it's not the most sophisticated piece of malware that we've ever seen, but it's good enough to look for the backups. It's good enough to get the job done in a lot of cases. In terms of why hospitals are a little bit different, why people would target hospitals, why they'd be interested in sort of making that a focus for an entire piece of malware: a number of reasons that are very similar to why they're a focus for data breaches, where you've got a lot of legacy systems in hospitals, you've got a lot of devices and pieces of machinery that only run on certain versions of Windows that are no longer supported, no longer have security updates, that you feel you can't necessarily easily change because the HIPAA compliance is hanging over you and you're worried about, you know, am I sure that the new version meets all of the criteria that the old version did? Do I need to go through a long review process to make sure that this is going to be in compliance with HIPAA in the first place? The only thing I want to say about HIPAA is that it's very focused, right? It was written 20 years ago; ransomware is not on the scene, obviously. It's very focused on the protection of personal health information.
Very interested in the question of, have you let people's private health information be accessed by somebody else? Do you need to let them know about that? What are the rules? And ransomware is not that for the most part, right? Ransomware is coming at this from a threat model that is not really what HIPAA is designed to protect against. So if you look at the incredibly elaborate and often resource-intensive security systems that are set up in hospitals, right? I mean, there's more security, just in terms of sort of sheer number of things that people have bought, in hospitals than I've seen maybe anywhere except financial firms. They're really investing in this. They're really sort of trying hard to take it seriously. But the other thing that HIPAA means, because it's pretty complicated, because there are a lot of rules and they're constantly being updated, is a lot of this is being outsourced to third parties, to consultants who specialize in HIPAA compliance, who come in and set up all your systems for you. And often the people at the hospital themselves don't feel like they have a very good grasp on how does this work or why is this set up this way? And you hear just an extraordinary number of stories from people who work in IT at hospitals, who aren't clueless about how networks are set up, the same things like, yeah, they came in and they made sure our system was HIPAA compliant, but then we couldn't print anything. So we had to hire another consultant who came in, and then we could print things, but they undid everything that the first consultant did. And there's just, I think, a lot of sort of barriers to people feeling like they can get a handle on what HIPAA means and whether or not their systems are HIPAA compliant.
A huge reliance on these third party pieces of software and systems that you're hoping will kind of make sure that you're in line with everything that HIPAA says you need to do, which is not about avoiding ransomware, which is all about making sure that your patient information is not being stolen and sold in those black market forums and whatnot. There's a sense, which I would argue, and we'll talk about this a little bit more, is perhaps not borne out as much as the attackers think it will be, that hospitals really need to keep going. So if you put them on the spot and you say, all of your data's encrypted, give us money now, they'll say, we have to do anything we can because we can't shut down for a day and come back later and think about what to do. Really important continuity of care, real urgency. The stakes are much higher than most of the ransomware incidents that we read about when you're talking about an entire hospital where nobody can access any medical records, nobody can access any lab results, nothing's working. The other thing that comes up that I wanna mention is there's this sense that the people who are targeting the hospitals are like the lowlifes of the cybercriminal underworld. And there's a report that came out last year from McAfee that sort of focused on this and went into some of the malware forums where people trade secrets and talk about the best ways to commit crimes. And there's an enormous amount of hostility for the people who do this. These are some of the quotes that they found, I think translated from Russian. "Dumbest hackers ever, like they couldn't hack anything else." But there's a sense that this is not the ethical way to be using malware. Here's another one: "Yes, this is pretty sad and a new low. These ransom attacks are bad enough." People who are like real malware aficionados don't hold you up for ransom, they do cooler things, because encrypting your data, that's not hard.
"But if someone were to die or be injured because of this, it is just plain wrong. The hospital should have backups that they can recover from. So even if they need to wipe the system clean, it would result in only a few days of lost data or data that would later need to be manually input. But the immediate damage and risk is patient safety." And I bring this up because the criminal ethics are a really big deal for people who operate ransomware rings. Which is like a ridiculous sentence to say, and I can't believe I've even just said it aloud. But there are different levels of people who write ransomware. So if I'm a good, ethical ransomware operator, which naturally I would be if I went into the business, I write ransomware, it encrypts all of your files, I extort money from you because that's what I do. But once you pay, I really do give you a decryption key and it really does decrypt all of your data. If I'm a less good ransomware operator, remember, big spike in this over the past couple of years, people see that it's working, people see that you can get money this way, it takes away a lot of the risks of that sort of previous stolen credit card crime because all of those fences, all of those forums where you sell things have been a huge hotspot for like lurking FBI agents who come and catch you that way; it removes all of those financial intermediaries, you're just getting Bitcoin payments, you don't need to worry about finding customers because you've got your customers, your victim, right there in front of you. So big influx, a lot of people sort of rushing to this, some of them are great, I mean they're criminals but they're great in that they'll do what they say they will, a lot of them aren't, a lot of them will take your money and then no decryption key, or the decryption doesn't work, or they just don't bother with that part.
So this is a big problem for the criminals, because for the good criminals who will really decrypt your data, all of a sudden people start saying, well, don't pay them, I paid and never got my data back anyway. It weakens the market for everybody, and they kind of turn on each other, and there are these really weird sort of tussles about what it means to be a good ransomware operator, and any of them, right, so there's a lot of tension within the criminal world as well about should we be going after hospitals, is this within the code of ethics for the ransomware operator? Doesn't really matter, there are certainly people who are willing to go after hospitals, but it does mean a lot of people think that you're not getting the cream of the crop attacking hospitals, that when you're looking at a program like Locky, it's good enough but it's not unstoppable, it's not the best malware on the market that you're dealing with, just not the smartest ones; the people who are really good at this are going after bigger fraud, yeah. As a service kit, so for 175 bucks you can buy a kit that has a console that you can manage, your clients that have been infected and how you're paying it, et cetera, but it's either with a thin client or a thick client, and for 175 bucks there's no limit on how long you can pocket it, so. Gee, that's right, you own it. That's great, I love that. Great, but what a lot of ways of making money, that you can. Hang on, are you also a credit card, and I can steal a bunch of stuff? If I steal your medical record, what is that really getting me? Yeah, that's a great question. So there are a couple of ways you can go with the stolen medical records. One is just opening fraudulent accounts, right? Usually your medical record will have enough information for me to open a bank account in your name, take out a loan in your name, commit sort of more traditional kinds of financial fraud. We often think about it when we see fraudulent IRS returns filed.
We think a lot of that comes potentially from medical records, though it's hard to trace definitively. The other big business there is gonna be medical fraud, right? There's a huge business in filing false claims with Medicare and Medicaid for, you know, million dollar automated wheelchairs through completely fictitious medical shops. And so there's a lot of money there. And as I said, the previous project that got me started looking at hospitals. I learned from the back door what your history is. We don't have any evidence to suggest that. I can't tell you that's never happened, but there's certainly not a lot of cases where we look and say, you know, this employer bought a lot of stolen medical records and looked up whether or not you would be a healthy worker, right? It could happen. I don't mean to say it's never happened, but mostly what we've seen has been health insurance fraud and fraudulent financial accounts. And as I said, these are records where the information is harder to change, right? The health insurance companies don't go around and cancel a lot of policy numbers. Yeah. I'm just curious whether this time frame seems to parallel the growth of electronic health records. I think that's right. I think you've seen, I think the electronic medical records come a little earlier. Right, you see the EMR craze hit maybe a year or two before Locky and the kind of hospital ransomware wave for most of the big systems, right? The Banner Health system goes to EMR in 2014, I think. But yeah, it's happening sort of at a similar moment where hospitals are shifting more and more of their infrastructure online. And does the use of electronic health records facilitate things for these records? Yeah, in a lot of ways it probably does, right? When you set up an EMR system, you have a kind of centralized server with all the records that everybody's computers are reaching in to touch.
And that's ideal if you want to spread ransomware, because if you can sort of get to the centralized hub then that spreads everything quickly. On top of which, of course, if all of your medical records are electronic, then you're much more susceptible to any kind of cyber crime in these ways. Yeah. To use a little bit of a medical term, wondering about the comorbidity, if you will, of ransomware alongside stealing of records, because that's one thing, we're talking about two issues and I don't understand to what extent they're integrated. When someone is subject to a ransomware attack, do those attackers often also remove or upload the files that they capture, or? We don't think so. Okay. We don't have evidence. These are really separate sort of people who are perpetrating them for the most part. They may want the records. And there's a totally separate business model. Yeah. And it's also relevant to come back to HIPAA for a moment, because a lot of HIPAA is about worrying that medical records are leaving your system. Right, a lot of what you do when you're sort of going through the HIPAA compliance process is making sure, do I have a flag if somebody's exfiltrating a million medical records, which is a good thing to do, but doesn't help you at all if this is what you're trying to defend against. So we've got the sort of scum of the criminal underworld designing malware, which is not the best malware, but good enough to infect a lot of hospitals, including this one. This is Hollywood Presbyterian in California, which had a sort of very high profile ransomware attack in February of 2016. High profile for a couple of reasons. First one was that they didn't pay right away. This was one of the negotiated ransoms where there was a million dollars demanded. It was in Bitcoins, and I don't remember the Bitcoin numbers because they're so meaningless to me and they change so rapidly. And they negotiated down over the course of about a week. And for a week, they just go offline.
They send patients to other hospitals when they can. They're using paper charts there, taking things down to the lab and kind of regressing 10, 20 years. Works okay, doesn't work great, because they ultimately end up paying about $17,000 in Bitcoins. Gets a lot of attention because it's one of the first hospitals that actually admits to paying. It's one of the first cases, and certainly not the first case, of ransomware where somebody pays. We've seen police departments pay. We've seen law firms. We've seen individuals pay. But one of the first hospitals that pays, and one of the things I wanna talk about is why hospitals, especially after this incident, tend to be less likely to pay these ransoms. We think, right, again, hugely incomplete data, everything I say about more likely or less likely caveated all to hell, but we think they tend to be less likely to pay. And this one pays, gets a lot of attention, and just in general, at the beginning of 2016 where you're seeing Locky start to spread, this is a Locky infection, one of the early ones that we know about, there's a lot of attention all of a sudden on the question of hospitals and ransomware. There's enough attention to spur the Department of Health and Human Services to issue some formal guidance. And again, one of the things I'm interested in, just in terms of cybersecurity incidents in general, is what is the guidance that we get from policymakers about how you should be responding to this, and in particular with ransomware where you have this very clear choice, right? Either I'm gonna pay, and I'm gonna support a criminal enterprise, and by doing that, I'm gonna encourage more criminals to get into this business because I'm making it more lucrative for them. Not to mention, there's a lot of sort of cases where somebody pays and a few months or a year later, they come back again and say, by the way, we're gonna hold you hostage again. So there are a lot of disadvantages to paying.
I wanted to look at what's the guidance they get, and the guidance comes out a couple months after the Hollywood Presbyterian incident is in the news, and it's very vague, as most policy guidance on ransomware for everybody is. So this is from the Health and Human Services guidelines that come out in July of 2016. They go through sort of what is ransomware? Will HIPAA help protect you against ransomware? Yes, absolutely, they tell you at great length about how important HIPAA is. Then they go to this really interesting question, right? Part of what HIPAA is, is a way to say if your patient's health information is violated, you need to report that. You've got to report that to us, you need to report that to the patient, you need to report that to the media in some cases. And they ask this question which nobody's really asked in a formal context yet: is it a HIPAA breach if ransomware infects a covered entity's or business associate's computer system? And everybody's just been operating under the assumption that all of these data breach notification laws in all 47 states or whatever it is now don't apply to ransomware because your data hasn't been stolen, hasn't been exfiltrated. All of a sudden here you have Health and Human Services saying, well, wait a minute, maybe it does. And what they say is, "unless you can demonstrate a low probability that the protected health information has been compromised, then a breach of protected health information is presumed to have occurred." That's a very strong statement. Except it's not really, because we don't really know what it is to demonstrate a low probability. "The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to Health and Human Services, and to the media, in accordance with HIPAA breach notification requirements." This is a strong statement.
There's nobody in government in any other sector who's tried to say ransomware is gonna be sort of subject to any kind of reporting. From the perspective of researchers, it's great news, because you hope that we're gonna start to learn more about how many incidents are out there and what's going on. From the perspective of hospitals, it's a big deal. We're gonna have to notify all these patients whose health information has been encrypted. That's worrying. That's something you wanna sort of avoid. Do you happen to know if the Erie Medical Center in Buffalo, New York, if that ended up being ransomware? Because I just... You're gonna talk about Erie Medical Center. It is ransomware. So one of the things you do with your hospital is, when you shut down all of your computer systems and you send all of your patients away, you sort of hedge a little bit, and Erie's not the first to have done this. It's like, there's something wrong with our computers. And the first, I think the first case that I know of where they did this was the MedTech or the MedStar hospitals in DC. They're like, this isn't ransomware. We're just doing some rebooting. And then employees started sending pictures of the screens to reporters at the Washington Post. So the screens were all like, pay us 500 Bitcoin or die. And so, yes, that is ransomware. I'm gonna come back to that because it's right in my neck of the woods. And it's one of the ways you also sort of try to circumvent it a little bit, by saying, rebooting systems, computer problems, we'll get back to you, not ransomware. So Health and Human Services comes out with this guidance, and there's a big, big loophole in here, which is this low probability. Maybe you can say, look, ransomware seems to be pretty low probability. We don't have any records of data being stolen. That seems like a low probability. So they addressed that as well. That's the next question.
How can covered entities or business associates demonstrate that there is a low probability that the protected health information has been compromised, such that breach notification would not be required? This is another really interesting answer. They say, well, here's what you have to consider. You have to think about the integrity of the protected health information. So even if it hasn't been exfiltrated, that's not the only issue, right? When we think about the security triad, for those of you who come out of sort of computer science backgrounds, we think about confidentiality, integrity, availability. But it's not that only availability has been compromised here. So I'm gonna say, even if you don't think confidentiality has been breached, even if you don't think anybody's ever seen these medical records who wasn't authorized to do so, you have to worry about the integrity of the data. HHS says: frequently ransomware, after encrypting the data it was seeking, deletes the original data and leaves only the data in encrypted form. That's sort of a misunderstanding of encryption in some ways, but we'll go with it, right? I mean, deletes the data is not exactly what encryption does, but sure. An entity may be able to show mitigation of the impact of a ransomware attack affecting the integrity of PHI through the implementation of robust contingency plans, including disaster recovery and data backup plans; conducting frequent backups and ensuring the ability to recover data from backups is crucial to recovering from a ransomware attack and ensuring the integrity of PHI affected by ransomware. So the message here is, if you back everything up and restore the entire system from your backups, then you can be sure that the integrity of this data has not been violated and you don't have to report anything, right? Then you can avoid this whole "has there been a HIPAA breach" problem.
On the other hand, if you pay, then you haven't restored everything from your backups, and maybe, in HHS's understanding of encryption, when they deleted all of your information, they restore it to you and they've changed some of it. Again, no evidence to suggest this has ever happened, but it could happen conceivably, right? You could delete some of the encrypted data. You could alter it, perhaps, though why you would want to, hard to say. So this sets hospitals down this path, which I would say really we haven't seen in any other sector, of becoming very resistant to paying these ransoms, of feeling like if we pay, not only have we given in to the criminals and fed this horrible business model and encouraged more people to engage in this type of activity, but also, on top of that, what we really care about is now we have to report a HIPAA breach, we have to send letters to thousands, billions of patients whose data has been affected, we have to sort of start this whole mechanism in process. And for them the calculus really changes, right? It's not just a question of can I afford to spend $17,000 on a ransom, it's can I afford to kind of go down this whole horrible path of thinking about what it means to have a large-scale HIPAA breach on my hands. So I wanna come back to the Erie County Medical Center, which is a hospital in Buffalo right near me, and I wanna talk a little bit about their decision not to pay and where they are now and what happens when you decide not to pay, right? Two interesting questions, I think, come out of this. First one is, why are hospitals less likely to pay, or very unlikely to pay at the very least, right? I think a lot of that has to do with those HIPAA addenda I just showed you. Some of it has to do with the fact that it's just frankly not always clear to people in hospitals who can make that decision, right?
The finances of a hospital are so complicated that to kind of decide we're gonna make even a relatively small payment, you know, thousands of dollars, which is not a huge amount of money to a big hospital, it's not clear who has that authority. It's not clear sort of where that money comes from or how you account for it in the process. It's certainly not clear, if you're worried about HIPAA, that once you've paid your ransom you've eliminated sort of all of the malware from your system, right? Even if you get your data back, could somebody still have some snippets of code lurking on your servers, waiting to do this again in a year, potentially, right? So if you're worried about sort of HIPAA compliance in general, you maybe have some resistance to paying and would rather just wipe everything and start clean. That's what Erie Medical Center decides to do. They're hit by ransomware on April 9th, so almost three weeks ago now. They shut down all of their systems and they're still recovering, right? This has been a very slow process. This has not been, I plug my external hard drive in and an hour later everything looks just like it did before. They had backups, so that was good, right? We give them credit for that. But the process of rebooting an entire hospital from backups turns out to be pretty elaborate, pretty slow; it doesn't actually kind of end up being a quick, easy restoration process. And for the past two, two and a half weeks, right, they've been doing all of their patient care pretty much on paper. They're now at the point, or earlier this week they were at the point, where they had some temporary email systems set up. They had the ability to view some electronic medical records, but not to edit them. Some, not all of their electronic systems; they had some financial systems back online. They were beginning to be able to issue paychecks again. By the way, going back to data breaches for a sec.
This has been true even before ransomware: recovering from these attacks has been more expensive for hospitals than for any other sector. This is from Ponemon and IBM, who do an annual survey of what the costs of data breaches are, and they look at the cost per record to the victim. So this is not the cost you sell it for on the black market. This is how much cost you've incurred to the organization that's been breached. Healthcare is way out here at $355 per record, compared to research institutions, where we only spend $112 per breached record.

Audience: Why isn't all this data encrypted to begin with?

Yes. Great question. Sometimes it is.

Audience: Well, hospitals should be encrypting patient data.

Yeah, sometimes. I mean, you can encrypt encrypted data, right? So just because I've encrypted all of my data doesn't mean that somebody else can't come in and encrypt it further so that I can't decrypt it, if that makes sense. Oh, data breaches?

Audience: No. What are all of them?

So there are a couple of answers to that if you're talking about data breaches. So first of all, a lot of protected health information is encrypted. Now, there are a lot of ways to access it in its unencrypted form, because there have to be a lot of ways to access it in its unencrypted form. So if you are logged in on your hospital computer, you've given all of your credentials, you're checking out your medical records, and you download that attachment, then even though it's all encrypted when the system is shut off and stored, it's not encrypted to that adversary at that time. So that's one part, right? A lot of this, the whole point of going through email instead of, like, scanning for open ports on the servers, is to get at it after your credentials have already been entered, when it's live, when it's in clear text. Part of it is that you can re-encrypt encrypted data, right, and since I don't care what the data is, as the attacker, I don't really care if it's already been encrypted.
All I care about is making it so you can't access it. Right, so I could restore it to you in its encrypted form, which would be good enough for you to decrypt, even though, right, you can layer more encryption on top of it if you want to. And also, frankly, there's more encryption that you're seeing in hospitals since the heyday of the medical data breaches a few years ago. But yes, always a good thing to do, not necessarily enough in all of these cases to protect you from everything. Yeah, go ahead.

Audience: Did the Health and Human Services guidelines include anything about encryption being able to say that there was a low probability of breach because the integrity was changed? Usually encryption carries checksums with it, as well as guarantees integrity of the data.

I don't think Andrew just gives a lot. I mean, so encryption is, you know, certainly covered in HIPAA, and certainly there is guidance for hospitals about encrypting protected health information. I don't think, as I recall, that that was in the sort of explicit ransomware guidelines as a way to be sure that the integrity hadn't been altered. Though you're right, it's not a terrible way of looking at that, to say, you know, can you check it based on some of the encryption tools? I don't think that was considered. Again, I think part of that maybe is about this idea, which I would contest, but which comes out strongly in those guidelines, that the data's been deleted, right? And so the sense that, you know, even if it was encrypted, if it's all been deleted, could they just come in and dump some random other data in its place? Potentially, right? I mean, none of these are impossible things. None of them are things that we've ever seen anybody do in any of these cases. Sometimes people don't get their data back. Rarely do they get back the wrong data, right? Rarely does somebody go to the trouble of giving you back decrypted data and you're like, wait a minute, this wasn't my hard drive.
So no, the answer is, I think they don't talk about that. It wouldn't be the worst idea as a way of sort of trying to talk about the likelihood of a compromise of data integrity. Coming back to Erie County Medical Center for a second, just to give you a sense of what this process looks like, right? They've got a little bit of read-only medical records. They've got a couple of financial systems going. This week, as we speak, they were working on getting the bed coordinating system working, right, so they could know where the open beds are and where they can move patients within the hospital; working on establishing a new hospital email system. They're basically running on a sort of lightweight temporary system at the moment, trying to give doctors the ability to view outpatient EMRs. Again, not write to them, just look at them. And trying to be able to communicate with the lab system. One of the things that comes up when you talk to people at these hospitals is that perhaps the most urgent piece that's missing is communication with the labs, right? People say we get lab results too slowly. We can't adjust. We can't make diagnoses as quickly as we want to. They're working on that, to have communication with their labs. Next week, beginning of May, coming up on the month-long anniversary of this infection, they're gonna be looking at trying to transmit radiological images to the healthcare providers, trying to restore desktop computers. Nobody's using a desktop computer at this hospital for the most part, right? Those are all 6,000 servers. Yes, good-sized hospital. There's a lot of servers, a lot of computers. Very slow process. Trying to restore the inpatient electronic medical records, and finally start thinking about whether physicians can actually perform any of this documentation they've been doing on paper online again and get into the EMRs, not just in read-only version. So this is about a month, we think, we hope, of work to get this hospital back online.
And I think there are a couple of reasons why you might see that as a slower process than it would be in some other places. One is, again, there's a lot of HIPAA compliance stuff along the way that you need to be checking, that you need to be kind of bringing in people who perhaps understand the system, or set up the system that you're not super familiar with, to help you figure out how all of these things are working. I think there's an incredibly sort of fragmented network structure that you're seeing here, where all of these are kind of running on different pieces of software or sometimes running on different operating systems. It's not just kind of one-stop, restore everything all at once. There's a huge amount of diversity, and if radiological images are gonna be their own system that's not related to talking to the lab system, that's gonna be its own whole separate project. And there's also, I think, just a lot of caution. On the other hand, one of the things that I found really fascinating about talking to people at hospitals that have experienced this is that going to paper records, this whole horrible, expensive, laborious process, is not universally hated by the people who work in these hospitals from the perspective of providing patient care. So I wanna end talking about one quote from a healthcare provider that gives, I think, some sense of sort of how this is viewed from within the healthcare industry, in a way that I wouldn't have anticipated: who they blame for ransomware, how they feel about the kind of technology that they use. She says: I hope for someone somewhere this was a wake-up call about how worthless all of the ridiculous security trainings and email labels and endless login procedures are. All that time wasted putting confidential headers on messages with lab results or going through 12 steps to check our email, and for what? So I wanna pause there for a moment and just say, the extent to which people resent, right?
There's a lot of security in hospitals, and the extent to which physicians, healthcare providers, resent it was really quite striking, right? They don't see this as, of course this is important, because we do such valuable work and we need to make sure our patients are provided for. They say, look, this stuff seems like a huge waste of our time. I don't believe this does anything. And now I'm vindicated, because all of the systems are down even though I was following all of these stupid rules all the time. She goes on: and you know, I'm not sure the quality of care was really any worse when we were doing everything on paper for a few days. Labs were slower, so that wasn't good, but I think I know more about my patients and maybe even give better care when I can see everything laid out on a normal paper chart instead of hitting a bunch of pop-up windows in a computer record, and it was nice to be reminded that we can still take care of patients without machines. I mean, it was awful and chaotic and I wouldn't wish it on my worst enemy, but you know, it was also kind of refreshing in a way. So I'm struck by the extent, and she's not the only person who's expressed sentiments along both of these lines. First of all, that this is a clear, clear indictment of every stupid security thing they've ever made us do in the hospital, right? This is fascinating as sort of a way of assigning blame for this kind of incident. Nobody wants to sit there and say, you know, who are these scumbags who would target a hospital? Don't they know we're saving lives here? Everyone wants to say, who were those idiots who thought it was a good idea to put in the email system where I have, you know, a different colored flag in the subject for every different kind of possible health, whatever. They want to talk about how much they hate EMRs, because they always want to talk about that. And they also, I think, and this was surprising to me, feel a certain amount of victory, right?
This not paying, this starting from scratch, even this going back to paper. ECMC, the Erie Medical Center, is not the first one. Hollywood Presbyterian is not the first one to spend some time on paper either. It feels a little bit like, yeah, we can still do this. You know, our profession is not totally reliant on these computers; they haven't totally stopped us.

Audience: But there are still real-time machines of various kinds, you know, monitoring me and feeding data into something, and so where's my heart monitor data going if it's not going into these computers?

So that's a great question, and I think, depending on the hospital and depending on the machine, there are a lot of different answers. For the most part, everybody seems to feel, and again, this is not my world, so I don't know what all of the most relevant machines are, that, like, the ventilators are fine, right? When you have a ransomware attack, that's not being operated off of the network. That's not something that's being controlled in a kind of centralized way. That's a machine that does one thing. I think, for the most part, it isn't gonna be networked, isn't gonna be accessible. Things that are monitoring me and feeding data out to something, and if there's nothing to feed the data out to, how does that affect patient care? Not great, I mean, but I mean to say, I think a lot of the vital signs are being monitored and read on kind of standalone, non-networked machinery. Not all of them, right? Not everything necessarily, but you're getting a certain amount of the kind of critical life care in a way that's not networked, and this is part of a larger fight, I think, in a lot of these hospitals.

Audience: Tell me one notice that even if this whole thing's down.

The answer is yes, in most hospitals. I think that those monitors are not, I think partly they're too old, right?
We couldn't hook them up to the network if we wanted to, and this is part of a larger fight at a lot of these places about, we could get really newfangled high-tech control from your cell phone of what your blood pressure is, but what do we do when we see Locky, when all of this stuff starts going down? Is there some security in kind of keeping these old systems off the network and away from everything else? Yeah.

Audience: I don't know if it's too adjacent, but in terms of when you're seeing a doctor and they take notes, and they don't show you the notes, and there are errors in the notes. They're interpreting what they think they hear, or you're saying it and they want to say it in a different way. And sometimes it's actually a negative comment that is absolutely wrong, according to anything you've had. I've seen that with friends. I've seen that with people that were near end of life, and so even something like egg yolk when you're allergic to sulfa drugs. It's in big letters on the chart, and they give them sulfa drugs, and so I've seen that with those old bodies, like blisters, and it's wise going nuts, like she's gonna die, it's gonna die. So there's degrees of severity, of consequences of finding. Is it easy to have, even with the paper system or whatever system they have, a little bit simplified, but still a priority A, B, C, the double check? Another one she said is she went to get meds, and the spelling of the one that she was given to get for her husband. It was not a sedative, because he was starting to get worried that the stuff that he was against. So there was a mild something-or-other, mild, for anxiety, and then there was one that was spelled very closely and really commonly, and it was about half hallucinogenic.

Oh, geez.

Audience: Yes, it's wrong to give him that, heart patient, yeah.

So errors in medical records are very much not in my field of expertise, and I know there are people who sort of study this more closely.
What I will say is, part of the promise of electronic medical records was supposed to be to avoid those kinds of problems, right? So that instead of sort of trying to figure out, what did she write here? I can't read this horrible handwriting, you know, it's all typed, it's all there. I have no sense of sort of to what extent that works, to what extent we actually see a reduction in medical errors thanks to the implementation of electronic medical records. And certainly everybody likes to complain about them. That doesn't mean they're not helping in some ways.

Audience: Oh, terrific. I'm the information security officer, but I just met with one of the RNs, and she's been there 30 years, but she was saying that everybody went kicking and screaming, and she had a different take on maybe this quote, but essentially she said once they were electronic and they had a day where things went down, everybody was complaining because they couldn't read the doctor's handwriting and they couldn't, you know, were in exactly what you're describing. Stuff wasn't getting prescribed, they had no idea what the medication was, so there was a lot of backlash.

Audience: Medication, well, just like when you have a misspelled word, why not check it? Because that's not that, there's not millions of different normal drugs that are given, but this person's already taken these two and then this new person comes in and says, well, let's add a little bit of this to the next edition, but that should be a link, that should be, you know, hands up here, hello.

I think that's probably true. I think reverting to paper records for ransomware purposes probably does create a whole bunch of other issues that you would worry about in terms of.
Audience: That's the part, I guess, was my major point: to have the advantages of both. Having the, anything that you're teaching or learning, there are advantages to having a narrative versus these terse codes, et cetera, that have exceptions, et cetera, so having the terse codes with some modification of multiple choice, as an example, because people have this open-ended thing and they can't think of all the vitamins they've taken and all this and all that, but if they, they're, the bigger stuff, if it's about their condition, it can be, and it's where I have it, coming in for a heart problem and the asthma problem and so on. There's a lot of kind of general, general guidelines of what they're taking that could be check-offs and be on digital as well as the printout in this form, so it's easy for the person to read, to communicate with, to take back to their loved one and discuss when they're not sure what's going on.

Audience: It almost sounds like what you're advocating for is, in preparation for a possible ransomware, make sure that the paper process covers those scenarios and has some preprinted checklist, so that it's not more arduous but that you don't put anybody at health risk of dying or getting the wrong medication, or as much as possible.

Audience: May I ask, if anybody here brought up, I was a part of some of these health circles at Harvard of the 12, 14 heads of state, Blue Cross, of, of, of, of, I don't remember. The whole wall, all of the walls, were showing about 26, six different big whiteboards of the places that this information goes. Later, when I was working with, while designing wearables and working with installation art, customized stuff, this, a while ago, 10 years ago, they were talking about, there is a, the waves can interrupt, we're talking about interrupting, that's hospital, description for this talk. So it is pertinent to what you said, hospital systems can be held hostage. Well, individual patients' machines can be stopped without a lot of expense.
It's from outside, in a car. They're within a certain range. Unless they're in, so the design, it would took up, what they call facilities designed for hospitals and emergency care at the Harvard School of Public Health. And so this was a big issue there, and they knew about it. So they were actually nesting sort of like, not exactly Faraday cages, but stuff like that.

That's interesting. I haven't heard about that particular threat model. Thank you. This has nothing to do with the Internet of Things.

Audience: This was like, well, it is, because they were using no wires directly to the thing, so they were using Wi-Fi and Internet to stop important machinery, and there was, to important people, because there were cases that were very illegal, very, very morally wrong, but all many had been found out. They tried to suppress that.

Audience: It almost sounds like someone's trying to apply 10-distance catered design principles to certain medical record processing systems.

Audience: Not just the medical record, I'm talking about the machines.

That's true. Yeah, absolutely. Yeah. We're supposed to wrap up, yeah.

Audience: On attacks, so it seemed like, part of the Erie County Medical Center, they kind of keep their own data, they have their own servers. Has it ever happened to hospitals or medical centers that use cloud-based EMR, where the company's actually storing the data, or are they less susceptible to these attacks?

So the way that HIPAA is set up, as I understand it, if you're gonna use a cloud, what we would think of as a cloud solution, you're gonna be using what we'd call a private cloud, because you're so worried about sort of protecting that health information, so you're gonna have your own set of servers. They may be remote, but they're gonna be yours. You're gonna be sort of really responsible for operating them, so it certainly has happened to places that don't necessarily store their data on site.
There is no hospital, I don't think, to my knowledge, that's, like, storing all of its data with Google or with Amazon, just because you can't do that. So the EMR companies, as I understand, again, and this is, you know, I'm not the world's expert on EMR, don't store your data for you; they come in and they set it up so that you're storing your own data.

Audience: Epic will store your data for you. They do it the way you're describing, but I mean, they also have hosting services, so that they will actually host the data if you don't have the infrastructure to do it. I think, if you know how it works. And if these have been hosted at their EMR provider, it's an interesting question. Yeah, because I mean, I'm just wondering, because it seems like the concern is the security of the data, wherever it's being stored, or the network, or the security things that are being set up for it, and I'm just wondering if kind of these companies are parenting.

I don't think it would matter. That is right, if Epic was gonna sort of set aside some group of servers and say, these are your hospital servers, we'll store the data for you and send it to your computers, then if one of those computers, while it's connected to an Epic server, gets infected, it's probably gonna be able to infect those Epic servers. But I don't know of any specific cases where we've seen that happen. Most of the hospitals I've talked to have either stored their data on site or at a dedicated data facility for them. I don't know to what extent EMR companies feel like they have a good handle on this, or feel like everything would be better if people were storing more of their data with us. Yeah.

Audience: Policy responses to the ransomware: it sounds like the government actually established a protocol that made hospitals less likely to pay. Was that a lucky guess? Was that intentional?

That was really, that was sort of rogue, or rogue is a strong word for it.
But, so in other parts of my work on ransomware, I look at kind of what the DOJ, what the FBI, has given as advice to people, and they've really been sort of talking out of both ends in terms of whether or not they advise people to pay. There was a big deal a couple of years ago when an FBI agent was speaking at a conference and basically said, you know, most of the time we just tell people to pay. And everybody said, oh my God, this means, you know, the FBI has no idea what to do about ransomware and they can't help you, which probably was roughly what it meant. And then the FBI kind of rolled that back and they said, no, no, no, like, our advice is you shouldn't pay, but if you need to pay, then you should pay, and either way you should let us know about it, because we'd like to know. So there's really ambiguous guidance on this, sort of just in general from the law enforcement community. There's not been a huge amount of success in the past couple of years in catching people who operate ransomware schemes. The big success was the takedown of a botnet called Gameover Zeus, which distributed one of the sort of first really effective ransomware programs, called CryptoLocker. Now the person who ran that, who's a Russian hacker named Evgeny Bogachev, is not in jail, because he lives in Russia and they didn't want to arrest him, but they did figure out who it was. They did take down some of his infrastructure. It's not clear either that law enforcement has a great way of tracking these and figuring out who's behind them, or even if they did that they would be able to do very much about it, because we think a lot of these operations are run overseas, though we don't know for sure.
So I would say in general, outside of healthcare, you've seen sort of a much more wishy-washy response, from people saying, we really don't encourage you to pay because that just keeps them going, but if it's important you have to weigh the priorities and whatever. And hopefully Health and Human Services coming out and saying, if you're gonna pay, you're gonna report this, this is gonna be a HIPAA breach, you're gonna send letters to everybody, was a very strong step in the context of sort of the larger law enforcement and policy guidance. Nobody has tried to say that about any other kind of company, or, if you're gonna pay a ransom, you need to report that under data breach notification laws, under anything else. So it was sort of impressive, I would say. It was a very strong step towards saying, we're gonna try and cut off this cash, we're gonna try and make this a less viable business model for criminals. The point of doing this is probably not that people think the integrity of the data has been compromised, because we have no evidence to suggest that's ever happened. No evidence to suggest that, aside from being criminals, these are people who go in and take out important facts from your medical records, because, I don't know if there is evidence to suggest that. Probably the point of sending that guidance is to try and get people to stop paying, in the hope that then they'll leave the hospitals alone, because it's just not lucrative enough, and they'll go after the university instead. Find a new place to play.

Audience: It's talking about a local hospital, very local, Tucity, and that it's right here in Massachusetts, and it was right in the Boston Globe, and it's a chief of the distortion and the erasure of innocence, proof of innocence, like, you know, DUI or something. They were false charges, and so the proof of innocence things were disappeared, and even the ambulance that took the person, there's no bill for that.
Audience: So I inquired, and they said there's supposed to be a hospital that has to have insurance, so somebody has to pay for that ambulance, but does the public, under the FOIA Act, have a right to even find out? Because this guy was on the front page and he had polonics for years, and he had a district of five, six years or so. So he was actually destroying and/or altering the ones that were of people of interest, that were to be protected, in towns that have a very, shall we say, questionable source of major income in the billions. Coming in, I'll show you.

Well, thank you all so much for coming. It's been really fun for me to talk to some people who actually come out of the healthcare world. Have a wonderful rest of your Thursday. Thank you.