Anatomy of a ransomware attack

Dissecting the truth and fiction behind TV’s Grey’s Anatomy cliffhanger

By Laura Haight

Fans of the long-running medical drama "Grey's Anatomy" have to wait another month to find out how Grey+Sloan gets out from underneath the weight of a ransomware attack. But the episode presented a pretty frightening scenario and left many viewers asking: “Can this really happen?”

In the cliff-hanger, the hospital was taken over by hackers seeking a Hollywood-sized ransom to release control of the entire hospital from electronic locks preventing access to blood banks, encrypted medical records and external control of medical devices.

Can it really happen? It can, it has, it does, and it's more than possible now that healthcare has become one of the most heavily targeted industries for hackers and cyber criminals.

If we dissect the drama, we can find some takeaways for both patients (that's pretty much all of us) and the healthcare community. Healthcare is a very large part of the area's employment picture. Greenville's two large hospital systems are home to nearly 27 percent of all area employees working in businesses or organizations of 400 or more people. That doesn't even include third-party healthcare support companies and a seemingly endless array of dentists, pediatricians, eye care professionals, and chiropractors.

So the fact that a new national report states that 77 percent of all healthcare organizations in the US have been infected with malware since August 2015, that healthcare as a segment was on the top-five target list for hackers in 2016, and that security companies, the FDA, ethical hackers, and analysts have been banging the gong about medical device security for at least three years should cause some eyebrows to lift.

Let's break down the reality from the amped-up-for-TV storyline in the Grey's episode.

Monitoring devices, electronic locks, and patient records were all locked down by a hacker. That's a terrifying but increasingly plausible scenario. The most recent and most visible real-world example was last May's WannaCry outbreak, which infected some 300,000 computers in 150 countries, including radiology devices made by Bayer that were disabled by the worm. There are also many documented demonstrations, mostly by security researchers, of hacking implanted medical devices like pacemakers, defibrillators, and insulin pumps, as well as hospital-based infusion and monitoring systems. With historically weak security as a lure, hackers are turning from locking down medical records or stealing Social Security numbers to taking control of health equipment and services and ransoming back access. Just like in Grey's.

And just like a bad case of MRSA, one infected and connected device can quickly spread the infection throughout the entire facility's IT network, particularly when those devices share a flat network with ordinary workstations rather than being segmented off. According to Wired Magazine reporting, an average of 10 to 15 such devices are connected to each hospital bed.

The FDA has developed cybersecurity guidance for device manufacturers, and it has even blocked some deficient devices from coming to market. But that, according to industry watchers, is rare. For the most part, the industry has to police itself. Device manufacturers are paying a lot more attention to the security of their products, but the improvements mostly ship in new models rather than as patches for the devices already installed in hospitals.

A ransom of 5,000 Bitcoin was demanded of the Grey+Sloan facility. In real US dollars today (12/13/17) that's at least $86 million. Bitcoin fluctuates like any currency, and when the Grey's episode was filmed the ransom in dollars was a mere $20 million. Regardless, that's a lot, even for cardiologists and brain surgeons. It's also exaggerated for dramatic impact; in reality, ransom demands are considerably smaller. Hollywood Presbyterian Medical Center in LA paid about $17,000 (40 Bitcoin at the time) in a ransomware incident last year. But the demands can be higher when lives linked to MRIs, medication dosage pumps, and pacemakers hang in the balance.

The problem with Bitcoin, however, is that paying with it is not easy. You can't just go to the bank, buy Bitcoin, and wire it to your hacker. A victim with no existing cryptocurrency account has to open one at an exchange, clear identity verification, fund it, and wait for the transfer to confirm, and the process often doesn't go smoothly. That complicates the situation even more for victims who think they can just pay and everything will go back to normal. Even if you decide to pay, it can take a day or two, sometimes more, to complete the transaction. For healthcare, that's situation critical with a poor prognosis. With Ransomware 1.0, not paying the ransom was an option for organizations with strong disaster recovery and the ability to switch over quickly to backup systems. But when the target is control of medical devices, backups restore data, not access: a locked-out device fleet has to be isolated, reimaged, or replaced, and no backup by itself brings back control of services, devices, and access controls.

The FBI storms in and takes over early in the unfolding of the disaster. No, that's not going to happen. In certain cyberattacks, where your computers are taken over by hackers and used to attack another target, the FBI might identify you as a victim, or a potential perpetrator, before you were even aware you'd been hacked. In the case of ransomware, the FBI wants you to notify them (that's a request, not the law) and not pay the ransom. If, however, patient information or other personally identifiable information is exposed (even if you don't know for sure that it has been taken), companies in South Carolina are legally required to report the breach, and healthcare providers covered by HIPAA have a federal breach-notification obligation on top of that.

Operational thinking saves the day at Grey+Sloan, and that's a good lesson for any organization hit with ransomware or any other type of cyber attack. So many things we do are tied to technology that it seems impossible to accomplish anything without it. Operational thinking demands that we give up on what we can't do and turn our attention to what has to be done. Solutions, often unusual ones, will bubble up. Regardless of your industry, this is a great exercise to go through, preferably when you are not under attack or facing onrushing floodwaters.

How will things turn out at Grey+Sloan? It remains to be seen. But if art imitates life, we have a lot of work to do in an essential industry that is now sitting squarely in the crosshairs of cybercriminals.


What does your annual audit opinion really mean?

By Kelly Wessel

I recently read an article, authored by a Certified Public Accountant, about what non-profits should do to get ready for their annual audit. It was about identifying risks and establishing internal control.   This article jumped out at me because if you just read the title, and maybe if you read the article and you don’t have an audit background, you’re going to think that the whole objective of having great internal controls is to look like you’re managing your risk so you’ll “pass” your financial statement audit.  Many small businesses and non-profits believe that getting a financial statement audit verifies that their business is free of fraud, has sufficient internal control, and that receiving an unqualified opinion means that they don’t need to be reviewing and tweaking the internal control system on a regular basis. 

That’s just not true.
 
The purpose of a financial statement audit is for an independent, objective party (the CPA) to certify that, in his opinion, your business's financial statements fairly present its financial position, i.e., the financial statements are somewhat correct. Have you ever closely read the whole audit report? Go read your last audit report after you read this post and call me.
 
To illustrate, the following paragraph is from a real audit report. I lifted it off an actual annual report for a local non-profit. (Oh, shut up, it's right there on their website.) Names are X’d out but I added italics.
 
“Management is responsible for maintaining X’s system of internal control that includes careful selection and development of staff, proper division of duties, and written policies and procedures. Although there are inherent limitations to the effectiveness of any system of accounting controls, management believes that X’s system provides reasonable assurance that assets are safeguarded from unauthorized use or disposition and that the accounting records are sufficiently reliable to permit the preparation of financial statements that conform in all material respects with generally accepted accounting principles.”
 
The above paragraph leads you to believe that this CPA firm didn’t perform a separate internal control review. Instead, they took management’s word that the system of internal accounting control is sufficient.  I’m sure management really believes that their internal accounting control is sufficient.  After all, they can trust their employees (don’t get me started). I happen to believe that in this situation the audit firm doing this audit should not be using management’s assurance of the control system’s reliability.  Why?  Because the CFO and the Controller of this non-profit don’t have a single accounting or audit background between them. They have lots of non-profit experience, but there’s nothing in either of their backgrounds that would suggest they know how to establish a strong system of internal control. 
 
But there’s more to this report:

“The Board of Directors, composed exclusively of independent, outside directors, meets annually with the independent auditors and through the audit committee meets regularly with the independent auditors to review accounting and internal control matters. Part of these meetings are conducted with no staff present…”
 
I suppose once a year is regular enough. The Directors, who are probably volunteers, (not a single one of whom is an accountant --I looked them up -- much less a CPA), meet with the auditors to review internal control matters.  My guess is that none of the Directors would know an internal control if it sat in his lap. (Oh, come on, I’ve been on plenty of volunteer, non-profit boards.) 
 
Then there’s the explanation of what the audit firm is actually responsible for:
 
“Auditor's Responsibility
Our responsibility is to express an opinion on these financial statements based on our audit. We conducted our audit in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.
 
“An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor's judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, the auditor considers internal control relevant to the entity's preparation and fair presentation of the financial statements in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity's internal control…”
 
If the auditors see a material misstatement or recognize a fraud, they will alert management and probably won't issue an unqualified opinion. But what about the internal control weaknesses that management doesn’t know about? Those weaknesses, the ones that management isn’t aware of, are the most serious; they’re the ones that expose the business to errors and fraud.  Did the auditors perform extra testing in those areas that no one knows are vulnerable?   How could they have? Management is responsible for internal control and management said it was fine.
 
Also, pay attention to the word “materiality.” Financial statement items are material if they can influence the economic decisions of users. Maybe materiality was set low, like $10,000. More likely it was $100,000. What if there’s a bookkeeper or cashier who is skimming $5,000 every year?  That’s not material relative to a financial statement audit.  If you manage that small business or non-profit, you know that even immaterial theft is VERY.  DAMN. IMPORTANT.  It’s not just about the money.  And again, the auditor didn't express an opinion on the effectiveness of internal control, nor are they claiming there is no fraud,  because they relied on management to tell them that internal control was sufficient.
 
Now for the big reveal -  The Opinion:
 
"In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position of X, as of December 31, 2016, and the changes in its net assets and its cash flows for the year then ended in conformity with accounting principles generally accepted in the United States of America."
 
What does the opinion really mean? It means that the auditor thinks your financial statements are fine. That's all.  How do you feel about it now?  Next year, ask your auditor exactly what it means to receive an unqualified opinion - don't just take my word for it.
 
But no matter: hooray!  You passed your annual audit. Go for drinks after work! 
 
Because tomorrow, now that you’ve read this post, the real work begins.