The Origins of Cryptoviral Extortion and Ransomware: Part IX

EDITOR’S NOTE: Edward Roche, in association with RACmonitor, is writing a series of articles on the need for U.S. healthcare facilities to protect themselves from cybercriminals demanding ransoms for patient records. This is the ninth installment in the series.

Today, we take a brief look back in history to determine: What is the origin of the ransomware that has been attacking the healthcare sector of late?

It appears that the first software designed to attack a computing system and encrypt the data was demonstrated in 1996 at an Institute of Electrical and Electronics Engineers (IEEE) security and privacy conference. The creator of the software, Mordechai Moti Yung, was at Columbia University at the time, having invented the term “cryptovirology.” Although Young went on to a distinguished career at the IBM Thomas J. Watson Research Center, RSA Laboratories, and Google, the concept rapidly gained a foothold in criminal circles.

By 1992, ransomware was being used for collecting payments in human kidnapping cases. By 2006, a number of ransomware viruses were impacting the Internet. According to the Barkly Blog, the number of ransomware attacks is increasing rapidly: A new company is hit every 40 seconds; an individual is attacked every 10 seconds.

The Kaspersky Lab reported that around 35 percent of user computers receive at least one malware-class web attack each year. In 2016, the Lab itself repelled 758,044,650 attacks that were originating from 261,774,932 different URLs (website addresses).

These hackers are almost as good as our pharmaceutical companies in creating catchy names. Malware features titles such as GPcode, Archiveus, Krotten, Cryzip, and MayArchive.

The most recent large-scale attack was carried out by WannaCry, and like most other viruses, it targeted Microsoft Windows environments. The National Health Service in the United Kingdom was particularly hard hit in May.

Best Practices – A Security Update

In the world of ransomware, there is always a race between the attacker and the software vendor that creates a software patch to defeat the malware. Once a vendor is notified of vulnerability in its software, it typically works furiously to eliminate it. A skillfully constructed system has been put in place so that as soon as these weaknesses are found, software companies are notified that security patches are available. A new release of the software is compiled, and this then is pushed out to users. This gives healthcare providers an opportunity to secure their information systems.

But security researchers know that in many cases, users fail to keep their information systems updated. This perhaps is understandable, because there are so many malware attacks that almost daily updating is required. On average, upon receiving a security patch, it takes users approximately four business days to update their systems. This is not fast enough.

The IT professionals in every healthcare facility should update their systems within 3-4 hours after any new patch is released, no matter what time of day the release is made available. Every healthcare provider should have a zero-tolerance policy for this in place.

The threat is so severe that any management team hesitant to enforce such a policy could be considered negligent.

Leaks from U.S. Intelligence

Although everything done in the world of intelligence is supposed to be secret, sadly this is not the case in the United States. Public reporting by news organizations that publish leaked classified and sensitive information has revealed that the U.S. intelligence community over the years has developed a comprehensive set of cyber tools for spying. These tools often are used to break into the information systems of adversaries. They rely upon the exploitation of vulnerabilities in information systems. These tools are powerful, and they evidently work.

Since these cyber weapons are classified, it is a felony to reveal them. Once they are revealed, however, then the intelligence community loses a portal into organizations upon whom they are spying.

A recent leak of the hacking tools from the Central Intelligence Agency has been a gift to hackers worldwide. It is clear that leaked tools developed by U.S. intelligence have been used by criminals. The recent attack of “EternalBlue” is linked to this.

But at the same time U.S. intelligence is creating these cyber-hacking tools, other organizations such as the U.S. Department of Homeland Security and the Department of Health and Human Services Cybersecurity Task Force are working hard at developing a national strategy regarding cyberattacks.

It’s interesting – on the one hand, the U.S. government is spending billions of dollars developing hacking tools. At the same time, another part of the same government is organized to coordinate rapid patching of software, thus mitigating the risks of such hacking.

In previous segments of this series, we have reviewed how healthcare providers have a very challenging task in securely managing all of their information and data. If there is a breach that leads to the release of patient health data (or any other type of data, such as financial or insurance information), then the healthcare provider faces the difficult task of notification. Both state and federal agencies must be informed, but notices also must be sent out to each of the patients who have had their data compromised.

This is perhaps the great irony of today’s cyber security world: The government is creating many of the cyber tools that at the same time it is attempting to protect itself against; and healthcare providers can be subjected to fines and penalties if they fail to respond properly to an attack by cyber weapons that their own government has created.

Print Friendly, PDF & Email

Edward M. Roche, PhD, JD

Edward Roche is the director of scientific intelligence for Barraclough NY, LLC. Mr. Roche is also a member of the California Bar. Prior to his career in health law, he served as the chief research officer of the Gartner Group, a leading ICT advisory firm. He was chief scientist of the Concours Group, both leading IT consulting and research organizations. Mr. Roche is a member of the RACmonitor editorial board as an investigative reporter and is a popular panelist on Monitor Mondays.

Related Stories

Leave a Reply

Please log in to your account to comment on this article.

Featured Webcasts

The Inpatient Admission Order: Master the Who, When, and How

The Inpatient Admission Order: Master the Who, When, and How

During this webcast Dr. Ronald Hirsch delves into the inpatient admission order process including when to get it, when it becomes effective, its impact on billing and payment, who can write it, how to cancel it, the effects on the beneficiary, and more. You’ll leave with a clear understanding of inpatient orders and guidelines for handling improper orders that you can implement immediately.

June 20, 2024
Navigating AI in Healthcare Revenue Cycle: Maximizing Efficiency, Minimizing Risks

Navigating AI in Healthcare Revenue Cycle: Maximizing Efficiency, Minimizing Risks

Michelle Wieczorek explores challenges, strategies, and best practices to AI implementation and ongoing monitoring in the middle revenue cycle through real-world use cases. She addresses critical issues such as the validation of AI algorithms, the importance of human validation in machine learning, and the delineation of responsibilities between buyers and vendors.

May 21, 2024
Leveraging the CERT: A New Coding and Billing Risk Assessment Plan

Leveraging the CERT: A New Coding and Billing Risk Assessment Plan

Frank Cohen shows you how to leverage the Comprehensive Error Rate Testing Program (CERT) to create your own internal coding and billing risk assessment plan, including granular identification of risk areas and prioritizing audit tasks and functions resulting in decreased claim submission errors, reduced risk of audit-related damages, and a smoother, more efficient reimbursement process from Medicare.

April 9, 2024
2024 Observation Services Billing: How to Get It Right

2024 Observation Services Billing: How to Get It Right

Dr. Ronald Hirsch presents an essential “A to Z” review of Observation, including proper use for Medicare, Medicare Advantage, and commercial payers. He addresses the correct use of Observation in medical patients and surgical patients, and how to deal with the billing of unnecessary Observation services, professional fee billing, and more.

March 21, 2024
Comprehensive Inpatient Clinical Documentation Integrity: From Foundations to Advanced Strategies

Comprehensive Inpatient Clinical Documentation Integrity: From Foundations to Advanced Strategies

Optimize your inpatient clinical documentation and gain comprehensive knowledge from foundational practices to advanced technologies, ensuring improved patient care and organizational and financial success. This webcast bundle provides a holistic approach to CDI, empowering you to implement best practices from the ground up and leverage advanced strategies for superior results. Participants will gain actionable insights to improve documentation quality, patient care, compliance, and financial outcomes.

June 26, 2024
Advanced Inpatient Clinical Documentation Integrity: Harnessing Technology, Analytics, and Compliance

Advanced Inpatient Clinical Documentation Integrity: Harnessing Technology, Analytics, and Compliance

Join expert Angela Comfort, MBA, RHIA, CDIP, CCS, CCS-P., as she helps you navigate advanced inpatient CDI technologies, regulatory changes, and system interoperability. Angela will provide actionable strategies for integrating AI and predictive analytics into CDI practices, ensuring seamless system interoperability, and maintaining compliance with evolving regulations. Attendees will learn to select and implement advanced EHR systems and CDI software, leverage data analytics to enhance documentation accuracy, and stay audit-ready with the latest compliance updates. Real-world case studies and practical tools will empower you to drive continuous improvement in CDI, improve patient outcomes, and enhance organizational efficiency. Don’t miss this opportunity to advance your CDI practices and stay ahead in this dynamic field.

July 11, 2024
Foundations of Inpatient Clinical Documentation Integrity: Enhancing Accuracy and Compliance

Foundations of Inpatient Clinical Documentation Integrity: Enhancing Accuracy and Compliance

Join expert Angela Comfort, MBA, RHIA, CDIP, CCS, CCS-P, for an insightful webcast on improving inpatient clinical documentation integrity (CDI). Inaccurate documentation can lead to misdiagnosis, improper treatment, and compromised patient safety. High workloads, lack of standardized practices, and outdated EHR systems contribute to these issues, affecting care quality and financial outcomes. Angela will offer practical strategies and tools to enhance accuracy, consistency, and timeliness in documentation. Attendees will learn to use standardized templates, checklists, and advanced EHR systems, while staying compliant with regulations. Improve patient care, ensure accurate billing, and reduce audit risks with actionable insights from this essential webcast.

June 26, 2024
Mastering E/M Coding: Navigating the Evolving Landscape

Mastering E/M Coding: Navigating the Evolving Landscape

Join industry expert, Kathy Pride, RHIT, CPC, CPMA, CCS-P, for an in-depth exploration of Evaluation and Management (E/M) coding, tailored for healthcare professionals navigating recent guideline changes. Dive into advanced topics beyond mere code selection, including shared visits, criteria for selecting E/M levels, and documentation best practices. Gain clarity on complex guideline terminology and ensure compliance with regulatory standards. This comprehensive session is essential for coders, auditors, educators, and practitioners seeking to enhance their proficiency in E/M coding and maximize revenue capture.

June 19, 2024

Trending News

Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →

Honor Memorial Day with Savings! Get 20% off all items using code MEMORIAL24 at checkout. Shop today and save! Offer valid until May 31. Exclusions apply.

Happy World Health Day! Our exclusive webcast, ‘2024 SDoH Update: Navigating Coding and Screening Assessment,’  is just $99 for a limited time! Use code WorldHealth24 at checkout.