Electronic Health Reporter

Guest post by Mike Baker, founder and principal, Mosaic451.

Over the past couple of months, hospitals and other healthcare facilities have come under siege by cyber-criminals. However, the hackers aren’t after patient data; they never even access it. Instead, they are infecting computers with ransomware, a type of malware that locks down a system and prevents the owner from accessing their data until they pay a ransom, usually in Bitcoin. Among the high-profile attacks that have made headlines:

• In February, Hollywood Presbyterian Medical Center in Los Angeles fell victim to the Locky virus, which disabled the organization’s computers and kept employees from accessing patients’ electronic health records (EHRs). Access was restored a week later, after the hospital paid a $17,000.00 Bitcoin ransom to the hackers.
• Shortly afterward, Methodist Hospital in Henderson, Kentucky, also fell victim to Locky and was forced to declare an internal “state of emergency.” However, instead of paying the ransom, the hospital reported that it was able to restore its data from backups.
• In late March, Maryland/DC-based MedStar Health, which operates 10 hospitals and more than 250 outpatient clinics, was hit by an undisclosed ransomware virus that forced the organization to revert to paper records. Like Methodist Hospital, MedStar did not pay the ransom and restored its system using backups.

Although any organization can fall prey to ransomware, lately healthcare facilities have been the primary targets. Some experts feel the problem has reached crisis levels – and hackers are only getting started.

Why Ransomware Attacks are on the Rise

Ransomware is growing in popularity because it is far more lucrative than more traditional cyberattacks where hackers access and steal data. Once the data is stolen, the hacker must find a buyer. Then, the hacker has to negotiate a price. Conversely, in a ransomware attack, the hacker has a built-in “buyer” — the owner of the data, who is not in a position to negotiate on price.

Ransomware is also a simpler and quicker mode of attack than a data breach. Once a hacker has breached a system, downloading a large data set can take some time, during which the attack could be identified and halted. Because ransomware never actually accesses a system’s data – it just locks it down – it works far more quickly and covertly. Victims have no idea they have been compromised until they find they cannot access their system.

Most ransomware does not make its way onto computers through brute-force hacking but via social engineering techniques such as enticing employees to click on phishing emails or insert malware-infected thumb drives into their computers.

Why is the Healthcare Industry Being Targeted?

Healthcare organizations are especially attractive targets due to the highly sensitive nature of their data; unlike in other industries, life-or-death stakes are involved. If an online retailer is hit with a ransomware attack and cannot access their customer data, they would take a financial hit and have to deal with unhappy customers, but in the end, no one would be hurt, and no one would die. However, if a healthcare facility cannot access its patient data, a patient could be given the incorrect medication or treatment, or their treatment could be delayed, resulting in injury and even death.

Additionally, the healthcare industry has unique cyber security vulnerabilities:

• The healthcare industry clung to paper records for years, as other industries were gradually transitioning to digital. When healthcare finally went electronic, it did so virtually overnight: Between 2008 and 2014, the percentage of hospitals using EHR skyrocketed from 9.4 percent to 96.9 percent. Experts question whether the industry was truly ready for such a drastic, rapid change.
• Many healthcare facilities, especially small and medium-sized providers, see information technology as a hindrance that was forced on them by the government, not a tool to improve patient care. As a result, healthcare organizations tend to view IT and cyber security as costs to be minimized and do not allocate sufficient monetary or human resources to them.
• The negative attitude toward IT trickles down from the executive suite to front-line employees, who feel that cybersecurity is “the IT department’s job,” and that their only responsibility is to treat patients.
• Many healthcare facilities provide little or no employee training on information security practices, resulting in employees being particularly susceptible to phishing and other social engineering techniques that are commonly used to get ransomware installed on a system.

What Can Be Done to Stem the Tide of Ransomware Attacks?

Although lackadaisical attitudes towards information technology and cybersecurity are not unique to healthcare, that industry in particular needs a major attitude shift. Providers need to realize that information technology is a critical part of modern healthcare. The notion that information security is everyone’s job must be modeled from the executive suite down to front-line supervisors. Employees should be as thoroughly trained on information security practices and security awareness as they are on sanitary procedures, and this training must be an ongoing process.

Information security threats are continually evolving. It’s difficult for any organization to keep up with the latest cybersecurity threats and devote sufficient human and technological resources to combating ransomware and other cyberattacks. For these reasons, it’s a good idea for healthcare facilities and other organizations to enlist the services of a professional managed security services provider (MSSP). An MSSP can deploy expert on-site security personnel to work in tandem with in-house IT staff and advise on information security policy, employee training, and proactive security measures, and also monitor the organization’s network and immediately respond to breaches if they do occur.

The good news is that most ransomware attacks can be prevented through proactive measures. If an attack does occur, systems monitoring can intercept the malware before it spreads, and secure backups of both patient data and the system will help an organization get back up and running quickly and without having to cave to hackers’ ransom demands.