When Hackers turn to Blackmail

Abstract
Information technology has become an integral part of any organization in
the modern era of globalization. Organizations that have failed to use IT
properly for their benefit have either declined or are in a very unproductive
stage. Implementing IT also brings dangers that must be dealt with
efficiently and responsibly. This efficiency comes with adequate
knowledge of the nuances of the IT industry and of the main drawbacks or
problems of the system. In this case study, Sunnylake Hospital has
been attacked by intruders, and Sunnylake's electronic medical records
(EMR), which had helped Sunnylake a great deal to improve its handling of
patients' information, have been hit by a hacker attack. The CEO of
Sunnylake Hospital, Paul, has received blackmail messages continuously and
is facing a mind-boggling and annoying situation. With respect to this issue,
this report discusses suggestions for dealing with the attack and offers some
recommendations to Sunnylake in addition to the three pieces of advice
given by the experts in the case.
The Case
Sunnylake Hospital started as a community center with a vision of helping
people cure their diseases. Paul Layman, the CEO of Sunnylake Hospital,
had joined the organization five years earlier with a vision of bringing
cutting-edge technology to the community center to build it into a hospital
that people seek out. Paul implemented electronic medical
records (EMR), which replaced the traditional paper-based way of prescribing
and checking patients' records by converting them into digital data. One
day an email from an anonymous person, pointing out the faults in the
organization's security systems, arrived in Paul Layman's inbox.
However, Paul, having full faith in his IT department and its director of IT,
Jacob Dale, ignored the message and did not give it serious thought.
But at the start of the next week it was found that the complete EMR
system had been hacked and no one could access the data related to
patients. Jacob and his team of IT people tried to bring back the data,
but they were hacked again and again. The hackers demand $100,000
to bring the system back to normal.
Findings from this case
The following facts were recorded from the case study regarding the
implementation and maintenance of the system; they can influence the way
out of the distress that Sunnylake Hospital is in.

- Though the IT system of Sunnylake was one of a kind and the hospital
was a pioneer in implementing it, they never gave a thought to
the security of their data. Data security has changed over the last
few years, and so have the methods used to infiltrate it.
- Paul placed too much trust in the IT department, which made it
too overconfident to look out for discrepancies in the system; this
also led to the attack.
- They had a backup of the data, but it could be accessed through the
EMR only. During any emergency other than hacking, such as service
failures, it would be impossible to retrieve the data.
They should have built a physical backup, on flash drives or in
documents, that can be accessed easily.
- Use of the EMR was restricted to authorized personnel only, but
it was vulnerable to infiltration, as a number of people objected to the
implementation of the EMR. They should have built a strong
identification system for using the EMR.

Three pieces of advice from the Experts

How should Sunnylake deal with this attack? Three commentators
offer expert advice.
In the case, three experts give different recommendations to
Sunnylake for overcoming its crisis. The suggestions are as follows. The
first is that the hospital should assign a skilled negotiator who is
emotionally neutral to talk with the hacker, and pay the ransom to the
hacker. The second suggestion is that the code must be examined thoroughly;
Paul, the CEO of Sunnylake, should take responsibility for his inadvertent
lack of executive oversight and needs to give notice of the hospital's full
closure to all of the constituents. The last one is mainly from the point of
view of further defense: for the hospital, anti-malware protection on the
daily work platform helps ensure that no IT attack disturbs the regular
working process in the hospital. These recommendations are
reasonable and effective. In addition to them, the following suggestions
need to be considered seriously.
Effective immediate action to deal with hacking
Regarding the immediate solutions, most of us agreed to pay the
hackers because the hospital could not risk its reputation and the lives
of patients. After paying the hackers, if they got access to the system, most
of us agreed on printing the records, informing the police and isolating the
network from the Internet.
Maybe the extortionists can be put in jail for the crime of manslaughter.

Out of all the mistakes, two points matched exactly what we
had learned in the lecture. They can be categorized as technical and human
factors. Sunnylake faced this situation when someone was downloading
antivirus software or uploading an existing application; this is the human
factor. It seems that the IT department does not have efficient security tools
for restricting the execution of bugged software without the approval of an IT
administrator, and it does not have an updated or upgraded security system;
this is the technical factor.
Security plans for the future include implementation of strict
security policies, installation of a network-based infection detection system,
limited access for users, blocking potentially dangerous ports and
websites, email filtration, isolating the intranet from the Internet, upgrading
the system with trained IT security professionals and training the staff.
There are also some good points that can be taken from the lecture notes. For
example, critical information should have an individual owner.
Information security should be included in staff agreements, so that no one
can be careless about executing bugged software. User validation,
restriction, and security awareness can greatly reduce IS misuse and
promote a secure environment.
A strong firewall system needs to be built to secure the data from
infiltration. We know from the case that although the IT department
was able to restore the system, it was hacked again, which implies the
absence of a strong firewall system. More awareness is required on the EMR
front, as it is evident that the hackers were able to enter the system through
some applications that the users used. A review committee needs to be formed
to check for problems and suggest solutions. The committee should have
third-party representatives to provide a neutral view.
A physical backup of sensitive data, such as detailed studies, past records
of the patients and their medical background, should be kept in hard copies and
also on flash drives, so that an emergency will not affect the day-to-day
operations of the hospital to a great extent. The hospital is bound to
seriously reconsider the security question from the viewpoint of active
defense, mainly the security technology.
Since people's lives are involved, there is a need for redundant
backups and a disaster recovery plan for emergencies, which can
minimize the downtime and bring the hospital back into business.
Make full use of anti-spam technology and implement it strictly
For Sunnylake Hospital, it is wise to enhance security awareness and, to the
maximum extent possible, avoid disclosing e-mail addresses.
However, as a hospital, it is impossible not to publish its e-mail address.
Thus, in the face of frequent spam attacks, it generally still has to
rely on mail service providers and anti-spam technology.
Sunnylake can choose from a variety of techniques, from anti-virus packages to
dedicated network security hardware (such as firewalls and intrusion
detection systems), to provide protection to all sectors of the network (Icove,
Seger & VonStorch, 2000). Sunnylake also needs to employ professional
network security consultants to help design appropriate
network security solutions, or to ensure that existing solutions are timely and
safe.
Paul should source specially skilled people to be in charge of
implementing the network and its security, and of developing strategies for
and maintaining the networks and their security; these individuals or groups
must have access to every part of the network. Moreover, network policy
management should be extremely reliable and staffed by dedicated personnel
with the required technical capacity. Specific areas of the network should be
password protected, so that only those who have a special password can enter.
This ensures that only those who have been given permission can enter a
particular area of the network. It is the simplest and most commonly used
method.
Avoid worker negligence
Strengthen the workers' security awareness, including that of the doctors and
nurses and especially the workers in the IT sector. Jacob Dale, the director of
the IT department of Sunnylake, needs to implement network security training
across the whole hospital. Training of the staff is also required, as most of
them were from a traditional background and had little knowledge of IT. Some
of the security basics are: never leave systems unlocked, enforce a strong
password policy, change passwords every 45 days, remove admin rights so
that staff cannot install software, and implement a policy to block vulnerable
sites. When workers focus on their own work, they often ignore
standard guidelines for network security. For example, they may choose
passwords that are very easy to remember so that they can easily log on to
their networks. However, such a password may be vulnerable to hackers, who can
guess it through simple common sense or crack it with widely used
password-cracking software. Employees may also inadvertently cause other
security vulnerabilities, including the unexpected reception and
dissemination of computer viruses. One worker's negligence may lead to the
whole system becoming a victim.

Microsoft's Safety measures to minimize attacks

The sources of unwanted and malicious traffic have often been mislabeled by
the media as hackers. A more correct term for them would be crackers.
According to NISER, a hacker is defined as an individual who has a strong
interest in the workings of computers and will not damage the system.
There are some hackers who have strayed away from this code and are
commonly called black hat hackers. A cracker, however, breaks into systems,
usually using someone else's code, and inflicts damage and defacement on
the site. Together these two groups cause companies much grief and cost
them a lot of time and money. A classic example of this is when several
international sites belonging to Microsoft.com were hacked. Initially, there
did not seem to have been any damage to the sites, but when further
research was done it was found that certain source code had been viewed and
possibly copied. Source code is the basic building block of computer
applications, and it tells the computer how the program is to function.
It is also noted that Microsoft has a problem not only with hackers seeing
its source code, but also with crackers defacing many of its overseas
sites. According to results found on Alldas.org, Microsoft has been defaced on
at least thirty-six separate occasions. Also according to these results, there
were twenty-two different attackers. This means that some of the attackers
hacked into Microsoft on several different occasions and in several different
locations. The dates of these attacks range from January 7, 2001 until March
30, 2002. By these statistics, it seems the hacks are still taking place. This
shows that if a giant corporation like Microsoft could be hacked while
spending millions of dollars each year on security, it could happen to anyone.
One cannot assume that this was due to a lack of preventative maintenance
on the part of Microsoft.com. No Internet-based company will ever be 100%
secure. This is because a hacker or cracker only needs to send an alluring
email containing a well-disguised virus to an employee inside the company.
Upon opening the email, the virus is automatically placed in the system.
Anti-virus software can only find viruses by locating signatures of older
viruses. All an attacker has to do is slightly modify the signature to get
through. Microsoft learned the following six lessons, which could be adopted by
other companies such as Sunnylake in order to prevent such numerous
attacks:
1. Offsite computers must be secure, with a personal firewall and
up-to-date anti-virus scanner software.
2. External passwords must be kept secure.
3. Proactive review of network logs.
4. Defense inside the company network by routing all internal modems
through the firewall as well.
5. Once the previous steps are completed, email viruses and web servers
become a primary means of network attack.
6. Microsoft's own products are the primary target of hackers, so extra
precautions need to be taken in the design of their software.

Avoiding Healthcare data breaches: Security plan


No matter how big or small, healthcare organizations are facing greater
challenges in protecting the personal data of their patients. To properly
protect your organization, you must have a plan that addresses all three
threat vectors: lost (or stolen) hardware, internal misuse and advanced
adversaries (hackers).
You will not be able to quickly identify and address today's threats without
the proper tools in place. Each of the three threats mentioned above
(data loss or theft, internal misuse, whether intentional or unintentional,
and advanced hackers) requires a unique
set of technologies and processes to address it:
Data loss due to misplaced or stolen devices: The best way to combat this
type of threat is encryption. For example, Blue Cross Blue Shield of
Tennessee did not use encryption on the 57 hard drives that were stolen
when it was attacked and, as a result, it cost them more than $17 million in
fines and remediation efforts. Encrypting hard drives is wise, but what are
you doing about USB sticks and mobile devices? Today's USB flash drive
devices can hold upwards of 128Gb of data. Policies need to be put in place
either to restrict access to USB devices or to ensure that data sent to them
is encrypted. Data loss prevention (DLP) software can help in this
effort: it allows your end users access to USB but can detect sensitive data
and encrypt it before it is copied to USB.

Internal misuse: DLP software is also critical for ensuring sensitive data does
not leave the environment. It is alleged that internal employees were paid to
send emergency room records to outside vendors, such as lawyer referral
services and chiropractors. Sensitive data was being sent from corporate email
addresses to personal email accounts between the hours of 4 and 6 p.m.
These same documents were then coming back into the environment
between 8 and 11 p.m., from their personal emails to their corporate emails.
Upon investigation, the client found that employees were doing this to avoid
having to connect to the environment over the virtual private network (VPN).
Their intentions were good, trying to get work done at home, but this was
clearly a misuse of sensitive data. DLP software can be leveraged to help
protect against both intentional and unintentional misuse of data. It can be
configured to monitor various types of user actions, such as sending data via
email, uploading it to a website, copying it to a USB stick, sending it via
instant message or even printing.
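
The correlation a DLP or mail-gateway rule would perform for the round-trip pattern described above, as an added example that is not part of the original report. The log format, field names, domain and 12-hour window are assumptions and the sample records are constructed; instead of fixed hours it matches any attachment that leaves for an outside mailbox and returns from it within the window.

```python
import csv
import io
from datetime import datetime, timedelta

CORPORATE_DOMAIN = "hospital.example"  # assumption: placeholder domain
MAX_ROUND_TRIP = timedelta(hours=12)   # assumption: tunable correlation window

# Constructed mail-gateway export (hypothetical field names and values).
SAMPLE_LOG = """\
time,sender,recipient,attachment,digest
2013-07-01T16:40,anna@hospital.example,anna.k@mail.example,er_records.xlsx,aa11
2013-07-01T17:05,bob@hospital.example,carol@hospital.example,rota.docx,bb22
2013-07-01T17:20,dave@hospital.example,referrals@vendor.example,er_list.pdf,cc33
2013-07-01T21:15,anna.k@mail.example,anna@hospital.example,ER_records.xlsx,dd44
2013-07-02T09:00,news@vendor.example,dave@hospital.example,offer.pdf,ee55
"""


def is_corporate(address):
    return address.lower().rsplit("@", 1)[-1] == CORPORATE_DOMAIN


def parse_log(text):
    """Parse the CSV export into events sorted by time."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        events.append(row)
    return sorted(events, key=lambda e: e["time"])


def classify(events):
    """Return (round_trips, one_way) for attachments sent to outside mailboxes."""
    pending = {}  # (corporate user, external address) -> outbound events
    round_trips = []
    for ev in events:
        sender, rcpt = ev["sender"].lower(), ev["recipient"].lower()
        if is_corporate(sender) and not is_corporate(rcpt):
            pending.setdefault((sender, rcpt), []).append(ev)
        elif is_corporate(rcpt) and not is_corporate(sender):
            for out in pending.get((rcpt, sender), []):
                same_file = out["digest"] == ev["digest"]
                same_name = out["attachment"].lower() == ev["attachment"].lower()
                in_window = ev["time"] - out["time"] <= MAX_ROUND_TRIP
                if in_window and (same_file or same_name) and not out.get("returned"):
                    out["returned"] = True
                    round_trips.append({
                        "user": rcpt, "external": sender,
                        "attachment": out["attachment"],
                        "left": out["time"], "returned": ev["time"],
                        # a different digest means the file was edited outside
                        "modified_outside": not same_file,
                    })
                    break
    one_way = [out for outs in pending.values() for out in outs
               if not out.get("returned")]
    return round_trips, one_way


if __name__ == "__main__":
    trips, one_way = classify(parse_log(SAMPLE_LOG))
    for t in trips:
        print("round trip:", t["user"], t["attachment"],
              t["left"].time(), "->", t["returned"].time(),
              "modified" if t["modified_outside"] else "unchanged")
    for o in one_way:
        print("left and not seen again:", o["sender"], "->", o["recipient"],
              o["attachment"])
```

Round trips point to staff working around the VPN, while attachments that leave and never return are the ones to review first as possible disclosure to an outside party.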
Advanced hacking threats
The traditional defense in depth approach to protecting healthcare
organizations is not working. More advanced tools and processes need to be
in place to better identify and monitor these advanced attacks. Full packet
capture tools fused with external threat intelligence can help identify attacks
as they occur on the network in real time. These tools can help you better
detect possible malicious activity on your network and remediate it before
data loss occurs. Another problem with advanced threats is that the malware
used often goes undetected by traditional anti-virus programs. Organizations
must strongly consider advanced malware detection tools beyond that of
traditional anti-virus. Advanced malware analytic tools on the market today
can better identify the likelihood that a file or system is infected.

Spotlight on: How safe are your Electronic Medical Records from Hackers?

Requiring medical practices to be on all EHR (electronic health records)
systems puts us all at risk of cyber criminals. Since we've had to protect our
credit card and bank information so fiercely, how will we ever protect our
medical information when we have to trust it in the hands of otherwise
incompetent, inexperienced, non-computer savvy people, like our doctors?
Most know medicine, not computers.
Some practices have done away with paper charts altogether which in my
opinion is silly. Even the most inexperienced computer person knows to keep
paper copies of important documents after entering them into a computer.
Unfortunately, having "live online" patient information has provided a
wonderful environment for cyber-criminals to exploit patients, mostly
because this new EHR program did not safeguard your personal information
as you yourself would do on your own personal computer with virus
protectors, firewalls, malware scanners and other programs to deter
invaders.

The firewalls and other technology safety measures were not in place to
protect the records at the same time the mandate was issued to health care
providers to get on the ball with the transfer of paper records to enter into
their own computers.

Many computer savvy professionals predicted long in advance that criminals
will see electronic patient records as a great opportunity for hacking and
theft, even to the point of selling records for profit.

HIPAA is an abbreviation for the "Health Insurance Portability and
Accountability Act of 1996." HIPAA protects any AND all your personal
identifying health information which is either held in a file or transmitted in
any form of media, whether electronically, paper, or orally. This is information
that contains your past, present or future mental or physical health
condition, the type of health care you receive, the payments you make for it
or receive regarding your health care provider, your demographics which is
your name, age, social security number, address, phone number, birth date
and any other information which can directly lead back to you personally.
Anyone who requests your personal identifying information is required to
safeguard it and provide you with written HIPAA rules (usually requiring your
signature) which they are required to provide at every instance or
transaction. These entities may include but are not limited to:
- Your physicians and specialists, includes any healthcare provider under
their supervision such as Nurse Practitioners and Physician Assistants,
his/her office and medical personnel
- Hospitals and nursing homes and their employees, also includes
maintenance and housekeeping employees
- Your healthcare insurance plan and their employees (no exceptions)
- Healthcare clearinghouses (companies who are transcribers or interpreters
of healthcare data, charts and reports including laboratory and imaging tests
which is transcribed from either dictation, from handwritten notes or from
laboratory printout) and their employees (no exceptions)
- Pharmacies and their employees (no exceptions)
- Medical supply houses and their employees (companies who provide you
with durable goods and medical supplies such as diabetic supplies)
- Many but not all medical research facilities who conduct research using
humans and their data.

Conclusion
The case study shows that IT is essential for any
organization to flourish, but that to survive and sustain itself an
organization must also keep its knowledge of developments in the
systems up to date. Implementing any system should also be followed by proper
training of the personnel who use it, as ignorance about the
system can lead to bigger problems than ever imagined.
References:

Hackers/Crackers and Their Effects on E-Commerce.
http://www.angelfire.com/tn/koolest/Hackers.pdf
Matthew Paster, July 24, 2013. Avoiding healthcare Breaches.
http://healthitsecurity.com/2013/07/24/avoiding-health-data-breaches-acomprehensive-security-plan/
Cheung, (2013). Low success in cracking technology crime cases. South
China Morning Post.
http://www.scmp.com/news/hong-kong/article/1138825/low-successcracking-technology-crime-cases
Cukier, (2007). Study determines hacking frequency and behavior.
http://www.spamfighter.com/News-7723-Study-Determines-HackingFrequency-and-Behavior.htm
Case of sunnylakehospital:
http://www.ukessays.co.uk/essays/information-system/case-of-sunnylake-hospital.php
Caroline Eisenmann, September 9, 2009.
http://blogs.hbr.org/2009/09/whenhackers-turn-to-blackmail/
Rachael Ohalloran.
http://rachaelohalloran.hubpages.com/hub/Spotlight-On-How-Safe-Are-Your-Electronic-Medical-Records-From-Hackers
