While healthcare providers cannot afford to ignore HIPAA, a new threat has emerged and is about to get much bigger: ransomware attacks on hospitals and other healthcare providers. These attacks do not seek to steal patient information; instead they make it inaccessible until the organization pays a considerable ransom.

In the last few weeks alone, the following major ransomware attacks have occurred in healthcare facilities:

  • In February 2016, attackers used ransomware called Locky against Hollywood Presbyterian Medical Center in Los Angeles, rendering the organization’s computers inoperable. After a week, the hospital gave in to the demands and paid a $17,000 ransom in Bitcoin for the key to unlock its systems.

  • In early March 2016, Methodist Hospital in Henderson, Kentucky, was also hit with Locky. Instead of paying the ransom, the hospital restored its data from backups. Even so, it was forced to declare a “state of emergency” that lasted approximately three days.

  • In late March, MedStar Health, which operates 10 hospitals and more than 250 outpatient clinics in the Maryland/DC area, fell victim to a ransomware attack. The organization immediately shut down its network to keep the infection from spreading and began gradually restoring data from backups. Although MedStar’s hospitals and clinics stayed open, employees could not access email or electronic medical records and patients could not book appointments online; everything went back to paper.

This is probably just the beginning. A recent study by the Health Information Trust Alliance (HITRUST) found that 52% of US hospital systems were infected with malicious software.

What is ransomware?

Ransomware is malware that renders a system or its data unusable (essentially holding it hostage) until a ransom, usually demanded in Bitcoin, is paid to the attacker, who then provides a key to unlock it. Unlike most other cyberattacks, which seek to access the data on a system (such as credit card numbers or Social Security numbers), ransomware simply denies the owner access to the data, typically by encrypting it.

Attackers usually introduce ransomware through social engineering, such as phishing emails and “free” software downloads. Only one workstation needs to be infected for the attack to work: once it has a foothold, the ransomware traverses the organization’s network and encrypts files on both mapped and unmapped network drives. Given enough time it can reach the organization’s backup files as well, which would make a restore from backups, the route Methodist Hospital and MedStar took, impossible.

Once the files are encrypted, the ransomware displays a pop-up window or web page explaining that the files have been locked and giving instructions on how to pay to unlock them (some MedStar employees reported seeing such a pop-up before the systems were shut down). The ransom is almost always demanded in Bitcoin (BTC), a “cryptocurrency” that is pseudonymous and difficult to trace. Once the ransom is paid, the attacker promises to provide a decryption key that unlocks the files.
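The spread-and-encrypt behaviour described two paragraphs above, and the ransom note that follows it, are also what a defender can watch for on a file server. The following is an added example, not code from the article or from any organization it mentions: a small detector run over constructed file-server audit lines that flags a workstation renaming many files to a suspicious extension across shares within a short window, the creation of a ransom-note filename, and any write to a decoy “canary” share that no legitimate user touches. The one-line-per-event log format, the `.locky` extension, the note filename, the share names and the thresholds are assumptions made for the example and would need tuning in a real environment.

```python
"""Spot a single infected workstation encrypting files across network shares.

Added example; not part of the original article. It runs over constructed
file-server audit lines in an assumed one-line-per-event format:
    <ISO timestamp> host=<workstation> op=<CREATE|WRITE|RENAME|DELETE> path=<p> [newpath=<p>]
The extension, ransom-note name and canary share below are assumed indicators
to be tuned per environment, not authoritative signatures.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SUSPICIOUS_EXTENSIONS = {".locky", ".encrypted"}          # assumed indicators
RANSOM_NOTE_NAMES = {"_locky_recover_instructions.txt"}   # assumed indicator
CANARY_PREFIX = "\\\\FS01\\zz_canary\\"   # decoy share: no legitimate writes
BURST_THRESHOLD = 10                      # renames per host within WINDOW
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one audit line into a dict; the timestamp becomes a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect(lines):
    """Return (host, kind, detail) alerts for ransomware-like activity.

    kind is one of:
      burst        - many renames to a suspicious extension in a short window
      ransom_note  - a known ransom-note filename was created
      canary       - something modified the decoy share
    """
    alerts = []
    recent_renames = defaultdict(deque)   # host -> rename timestamps inside WINDOW
    burst_reported = set()
    for line in lines:
        ev = parse_line(line)
        host, op = ev["host"], ev["op"]
        target = ev.get("newpath", ev["path"])    # name the file ends up with
        name = target.rsplit("\\", 1)[-1].lower()

        if target.lower().startswith(CANARY_PREFIX.lower()) and op != "READ":
            alerts.append((host, "canary", f"{op} {target}"))

        if op == "CREATE" and name in RANSOM_NOTE_NAMES:
            alerts.append((host, "ransom_note", target))

        if op == "RENAME" and any(name.endswith(e) for e in SUSPICIOUS_EXTENSIONS):
            window = recent_renames[host]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > WINDOW:   # slide the window
                window.popleft()
            if len(window) >= BURST_THRESHOLD and host not in burst_reported:
                burst_reported.add(host)
                alerts.append((host, "burst",
                               f"{len(window)} renames to an encrypted extension "
                               f"within {WINDOW.seconds}s"))
    return alerts


def hosts_to_isolate(alerts):
    """Workstations to pull off the network immediately, before restoring anything."""
    return {host for host, kind, _ in alerts if kind in ("burst", "canary")}


def build_sample_log():
    """Constructed audit lines: an ordinary user (WS-003) and an infected host (WS-017)."""
    lines = [
        "2016-03-01T09:00:00 host=WS-003 op=RENAME path=\\\\FS01\\radiology\\draft.docx newpath=\\\\FS01\\radiology\\final.docx",
        "2016-03-01T09:00:05 host=WS-003 op=WRITE path=\\\\FS01\\radiology\\final.docx",
    ]
    t0 = datetime(2016, 3, 1, 9, 1, 0)
    shares = ["\\\\FS01\\radiology", "\\\\FS02\\billing"]   # one mapped, one unmapped
    for i in range(12):   # 12 renames in 22 seconds, alternating shares
        ts = (t0 + timedelta(seconds=2 * i)).isoformat()
        share = shares[i % 2]
        lines.append(f"{ts} host=WS-017 op=RENAME path={share}\\scan{i}.pdf "
                     f"newpath={share}\\scan{i}.pdf.locky")
    ts = (t0 + timedelta(seconds=25)).isoformat()
    lines.append(f"{ts} host=WS-017 op=CREATE path=\\\\FS02\\billing\\_Locky_recover_instructions.txt")
    ts = (t0 + timedelta(seconds=26)).isoformat()
    lines.append(f"{ts} host=WS-017 op=RENAME path=\\\\FS01\\zz_canary\\do_not_touch.xlsx "
                 f"newpath=\\\\FS01\\zz_canary\\do_not_touch.xlsx.locky")
    return lines


if __name__ == "__main__":
    found = detect(build_sample_log())
    for host, kind, detail in found:
        print(f"[{kind}] {host}: {detail}")
    print("isolate:", sorted(hosts_to_isolate(found)))
```

The point of the burst rule is the time it buys: a dozen renames trips it within seconds, long before an encryptor has worked through a share, let alone reached the backups, so the flagged workstation can be disconnected while the rest of the network stays up. The rename threshold has to be tuned against legitimate bulk jobs (archival scripts, migrations), which is why the canary share and the note filename are included as second, rate-independent signals.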

Unfortunately, because ransomware operators are criminals and therefore unreliable to begin with, paying is no guarantee of recovery. An organization can pay hundreds or even thousands of dollars and receive no response, or receive a key that does not work or recovers only some of the files. For these reasons, and to avoid funding and encouraging further attacks, the FBI recommends that ransomware victims not give in and pay. In practice, however, some organizations panic and cannot exercise such restraint.

This is why ransomware can be far more lucrative for attackers than stealing data. A stolen dataset still has to be sold: the attacker must find a buyer and negotiate a price. In a ransomware attack the attacker already has a “buyer”, the owner of the information, who is in no position to negotiate.

Why is the healthcare industry being targeted by ransomware attacks?

There are several reasons why the healthcare industry has become a prime target for ransomware. First, there is the sensitivity and, above all, the time-criticality of health data. A business that sells, say, candy or pet supplies will take a financial hit if it cannot access its customer data for a few days or a week: orders may go unfulfilled or be delivered late. But no customer will be harmed or killed because a box of chocolates or a dog bed arrives late. The same cannot be said of healthcare: doctors, nurses and other clinicians need immediate and continuous access to patient data to avoid injuries, even deaths.

US News &amp; World Report points to another culprit: healthcare, unlike many other industries, went digital virtually overnight rather than gradually over time. In addition, many healthcare organizations treat their IT departments as a cost to be minimized and do not allocate enough money or people to the function:

According to statistics from the Office of the National Coordinator for Health Information Technology, while only 9.4 percent of hospitals used a basic electronic record system in 2008, 96.9 percent of them used a certified electronic health record system in 2014.

This explosive growth rate is alarming and indicates that health entities may not have had the organizational readiness to adopt information technology in such a short period of time. Many small or medium-sized healthcare organizations do not see IT as an integral part of healthcare, but instead view it as a mandate imposed on them by larger hospitals or the federal government. Precisely for this reason, healthcare organizations do not prioritize IT and security technologies in their investments and therefore do not allocate the resources needed to secure their IT systems, making them especially vulnerable to disruptions and privacy violations.

What can the healthcare industry do about ransomware?

First, the healthcare industry needs a major mindset shift: providers need to stop viewing information systems and information security as overhead to be minimized, recognize that IT is a critical part of 21st-century healthcare, and allocate adequate human and financial resources to run and secure their information systems.

The good news is that, because ransomware almost always enters a system through simple social engineering such as phishing emails, it is possible to prevent most ransomware attacks by taking steps such as:

  • Institute a comprehensive organizational cybersecurity policy.

  • Implement ongoing employee security awareness training.

  • Conduct periodic penetration tests to identify vulnerabilities.