By Portia Cole, emergent threat researcher, Avertium.
Labeling ransomware attacks as a matter of life and death may seem exaggerated, but in the realm of healthcare, it has proven to be a harsh truth. In recent years, cases of patients whose deaths have been linked to ransomware attacks have started to emerge. With recent trends indicating a surge in attacks on the industry, the human toll could only grow.
That toll does not take a single shape. If past cyberattacks are any indication, ransomware attacks can lead to compromised care or no care at all, and studies have found even neighboring facilities can be negatively impacted. Here is an overview of what healthcare organizations and their patients have suffered thus far, and what your organization can do to protect itself.
Cyberattacks with huge costs
In what has been called the “first alleged ransomware death,” an Alabama woman arrived at Springhill Medical Center in July 2019 to give birth, unaware that the hospital had fallen victim to a ransomware attack the week prior. It had yet to be resolved, and as a result, the equipment that monitors vital signs wasn’t transmitting information to the nurses’ desks, leaving staff unaware that the baby was in distress.
The infant was born with the umbilical cord wrapped around her neck and suffered severe brain damage; she died nine months later. The delivering doctor expressed that had she been shown the monitor’s readings, she would have opted for a cesarean section; in a text to a nurse manager about the unfolding situation, she wrote, “This was preventable.” The mother filed a malpractice lawsuit.
A 2021 ransomware attack led to a different kind of death—the death of a hospital. St. Margaret’s Health in Spring Valley, Illinois, was the victim of a ransomware attack. After the attack, the hospital was unable to submit claims to Medicare/Medicaid or insurers for months, contributing to a financial crisis. The hospital announced it would close its doors in June 2023.
According to a 2014 Identity Theft Resource Center Report, the healthcare industry has officially surpassed other major industries and now accounts for 42.3 percent of all data breaches recorded last year. As patient medical records transition to a digital sharing model, the potential cost of a data breach is now substantially higher than in less regulated industries, like retail and public services. It’s clear that the industry is increasingly vulnerable to sophisticated cyberattacks; hackers are after vital patient information such as Social Security numbers and past medical records. With limited budgets and priorities often, and rightfully, placed on patient care, many healthcare organizations lack the resources to implement stronger security levels. Despite these constraints, with the right technology and best practices in place, healthcare organizations can position themselves for success.
The costs associated with “damage control” are steep for many healthcare providers: the annual cap on fines for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HITECH Act of 2009 has risen from a maximum of $25,000 per year to $1.5 million. And fines are only part of the financial burden. Investigation and legal efforts, business downtime and decreased credibility all drive up costs even further.
Unfortunately, many healthcare organizations still face challenges when it comes to effectively communicating and collaborating on security. In many of these organizations, there is a department for privacy and compliance and a separate department for enterprise IT security. Functional groups are often siloed and share very little information with each other. This becomes a major issue in the event of a breach, as neither side is able to understand the full spectrum of the threat without the other’s data.
The consequences of the gap between compliance and IT security become evident when dealing with insider threats. An individual’s actions may look legitimate in isolation, but when correlated against other activity, they could indicate that malicious activity is occurring. A workstation that has always accessed clinical data or some other patient information doesn’t raise suspicion on its own. But a subtle, steady increase in its traffic, say of five or ten percent, correlated with communication to an unauthorized or new IP address, likely indicates a breach. The same example could apply to an external threat, with a malicious actor using social engineering methods to entice an unwitting user to download malware. Once inside the network, the malware can replicate the very same scenario. Either way, a breach has occurred. The IT security department may discover the situation, investigate and handle it, and move on to the next task. But without visibility into this type of data, how would the compliance department learn about possible data leakage and take the necessary steps to investigate and report?
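As an added example that is not part of the original article, the correlation described above can be expressed as a small detection rule: build a per-workstation daily egress baseline, check it for steady growth of at least five percent per day, and raise a finding only when that growth coincides with traffic to a destination outside the approved range. The flow records, their field layout, the workstation names and the 10.20.0.0/16 allowlist are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow summaries: (workstation, day, bytes_sent, destination IP).
# The field layout is a hypothetical export format, not a real product's schema.
SAMPLE_FLOWS = [
    ("ws-clinic-07", 1, 1_000_000, "10.20.0.5"),
    ("ws-clinic-07", 2, 1_070_000, "10.20.0.5"),
    ("ws-clinic-07", 3, 1_150_000, "10.20.0.5"),
    ("ws-clinic-07", 3, 20_000, "203.0.113.44"),   # new external destination appears
    ("ws-clinic-07", 4, 1_220_000, "10.20.0.5"),
    ("ws-clinic-07", 4, 60_000, "203.0.113.44"),
    ("ws-billing-02", 1, 500_000, "10.20.0.9"),    # flat baseline, approved destination only
    ("ws-billing-02", 2, 505_000, "10.20.0.9"),
    ("ws-billing-02", 3, 498_000, "10.20.0.9"),
    ("ws-billing-02", 4, 503_000, "10.20.0.9"),
]

# Networks the clinical workstations are expected to talk to (constructed allowlist).
APPROVED_DESTS = [ip_network("10.20.0.0/16")]

def daily_totals(flows):
    """Sum bytes sent per workstation per day -> {host: [(day, bytes), ...]} sorted by day."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, day, nbytes, _dst in flows:
        totals[host][day] += nbytes
    return {host: sorted(days.items()) for host, days in totals.items()}

def steady_increase(series, min_pct=0.05, min_days=3):
    """True when volume grew by at least min_pct on each of the last min_days consecutive days."""
    if len(series) < min_days + 1:
        return False
    recent = [nbytes for _day, nbytes in series[-(min_days + 1):]]
    return all(recent[i] >= recent[i - 1] * (1 + min_pct) for i in range(1, len(recent)))

def unapproved_destinations(flows, host):
    """Destination IPs the host contacted that fall outside every approved network."""
    seen = {dst for h, _day, _nbytes, dst in flows if h == host}
    return sorted(d for d in seen if not any(ip_address(d) in net for net in APPROVED_DESTS))

def flag_hosts(flows):
    """Report a host only when both signals coincide: steady growth AND an unapproved destination."""
    findings = {}
    for host, series in daily_totals(flows).items():
        new_dsts = unapproved_destinations(flows, host)
        if steady_increase(series) and new_dsts:
            growth = round(series[-1][1] / series[0][1] * 100 - 100, 1)
            findings[host] = {"growth_pct": growth, "destinations": new_dsts}
    return findings

if __name__ == "__main__":
    for host, detail in flag_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: +{detail['growth_pct']}% egress, unapproved destinations {detail['destinations']}")
```

Either signal alone is noisy (a legitimate new vendor endpoint, or a busy week); requiring both, and sharing the resulting finding with the compliance side, is what turns a traffic anomaly into something the privacy team can act on.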