While healthcare providers and vendors in the healthcare industry cannot afford to ignore HIPAA, a new threat has emerged, and it’s about to get bigger: ransomware attacks on hospitals and healthcare providers that don’t steal patient information but make it inaccessible until the organization pays a hefty ransom.
In the past few weeks, the following major ransomware attacks have occurred on healthcare facilities:
In February 2016, hackers used a piece of ransomware called Locky to attack Hollywood Presbyterian Medical Center in Los Angeles, rendering the organization’s computers inoperable. A week later, the hospital acceded to the hackers’ demands and paid a $17,000.00 bitcoin ransom for the keys to unlock their computers.
In early March 2016, Methodist Hospital in Henderson, Kentucky was also attacked using Locky ransomware. Instead of paying the ransom, the company restored the data from backups. However, the hospital was forced to declare a “state of emergency” which lasted for about three days.
In late March, MedStar Health, which operates 10 hospitals and more than 250 outpatient clinics in the Maryland/DC area, was hit by a ransomware attack. To prevent the attack from spreading, the organization immediately shut down its network and gradually began restoring data from backups. Although MedStar’s hospitals and clinics stayed open, employees were unable to access email or electronic health records, and patients were unable to make appointments online; everything had to go back to paper.
Perhaps, this is only the beginning. A recent study by the Health Information Trust Alliance found that 52% of US hospital systems were infected with malicious software.
What is Ransomware?
Ransomware is malware that disables a system (in short, holds it hostage) until a ransom fee (usually demanded in Bitcoin) is paid to the hacker, who then provides a key to unlock the system. Unlike other cyber attacks, which typically seek to steal data from a system (such as credit card information and social security numbers), ransomware simply locks the data.
Hackers typically use social engineering techniques, such as phishing emails and free software downloads, to get ransomware into a system. Ransomware only needs to infect one workstation to work; once it infects a single workstation, it traverses the target organization’s network, encrypting files on both mapped and unmapped network drives. Given enough time, it can even reach an organization’s backup files, making it impossible to restore the system from backups, as Methodist Hospital and MedStar did.
Once the files are encrypted, the ransomware displays a pop-up or a webpage explaining that the files are locked and giving instructions on how to pay to unlock them (some MedStar employees saw such a pop-up before the system was shut down; see below). The ransom is almost always demanded in the form of Bitcoin (BTC for short), a digital “cryptocurrency”. Once the ransom is paid, the hacker promises, a decryption key will be provided to unlock the files.
Unfortunately, because ransomware criminals are criminals, and thus untrustworthy to begin with, paying the ransom is not guaranteed to work. A company can pay hundreds, even thousands of dollars and get no response, or get a key that works only partially or not at all. For these reasons, as well as to prevent future attacks, the FBI recommends that victims of ransomware not cave in and pay. However, some organizations may be apprehensive and unable to exercise such restraint.
Because of this, ransomware attacks can be much more profitable for hackers than simply stealing data. Once a set of data is stolen, the hacker must find a buyer and negotiate a price, but in a ransomware attack, the hacker already has a “buyer”: the owner of the data, who is in no position to negotiate a price.
Why is the healthcare industry being targeted by ransomware attacks?
There are several reasons why the healthcare industry has become a prime target for ransomware attacks. First is the sensitivity and importance of healthcare data. A company that sells candy or pet supplies will take a financial hit if it can’t access its customer data for a few days or a week; orders may be incomplete or delivered late. However, a customer will not be harmed or killed if a box of chocolates or a dog bed is not delivered on time. The same cannot be said for healthcare; physicians, nurses and other medical professionals need immediate and continuous access to patient data to prevent injury, even death.
US News & World Report points to another culprit: the fact that health care, unlike many other industries, has gone digital practically overnight. Additionally, many healthcare organizations view their IT departments as a cost to be minimized, and therefore do not allocate sufficient money or human resources to this function:
According to statistics from the Office of the National Coordinator for Health Information Technology, while only 9.4 percent of hospitals used a basic electronic record system in 2008, 96.9 percent of them used a certified electronic record system in 2014.
This explosive growth rate is alarming and indicates that healthcare organizations have not been organizationally prepared to adopt information technology in such a short period of time. Many small- or medium-sized health care organizations do not view IT as an integral part of medical care but rather as a mandate forced upon them by large hospitals or the federal government. Precisely for this reason, healthcare organizations do not prioritize IT and security technology in their investments and thus do not allocate the necessary resources to ensure the security of their IT systems, which makes them particularly vulnerable to privacy breaches.
What can the healthcare industry do about ransomware?
First, the healthcare industry needs a major shift in mindset: providers must stop viewing information systems and information security merely as overhead costs to be reduced, realize that IT is a vital part of 21st century healthcare, and allocate the appropriate financial and human resources to run and secure their information systems.
The good news is, since ransomware almost always enters a system through simple social engineering techniques like phishing emails, it is entirely possible to prevent ransomware attacks by taking measures such as:
Establishing a comprehensive organizational cyber security policy
Implementing continuous employee training on security awareness
Conducting regular penetration testing to identify vulnerabilities