Ransomware Attacks Show Healthcare Needs To Take Cybersecurity Seriously


While healthcare providers and vendors in the healthcare industry cannot afford to ignore HIPAA, a new threat has emerged and is about to get much bigger: ransomware attacks on hospitals and healthcare providers. These attacks do not seek to breach patient information; instead, they make it inaccessible until the organization pays a hefty ransom.

In the past few weeks alone, there have been the following major ransomware attacks on healthcare facilities:

  • In February 2016, hackers used ransomware called Locky to attack Hollywood Presbyterian Medical Center in Los Angeles, causing the organization’s computers to crash. After a week, the hospital gave in to the hackers’ demands and paid a ransom of $17,000.00 in Bitcoin for the key to unlock its computers.

  • In early March 2016, the Methodist Hospital in Henderson, Kentucky was also attacked with Locky ransomware. Instead of paying the ransom, the organization restored its data from backups. However, the hospital was forced to declare a “state of emergency” that lasted for approximately three days.

  • In late March, MedStar Health, which operates 10 hospitals and more than 250 outpatient clinics in the Maryland/DC area, fell victim to a ransomware attack. The organization immediately shut down its network to prevent the attack from spreading and began gradually restoring data from backups. Although MedStar hospitals and clinics remained open, employees were unable to access email or electronic health records, and patients were unable to schedule appointments online; everything had to go back to paper.

This is probably just the beginning. A recent study by the Health Information Trust Alliance found that 52% of US hospital systems were infected with malware.

What is ransomware?

Ransomware is malware that renders a system inoperable (in essence, holds it hostage) until a ransom fee (usually demanded in Bitcoin) is paid to the hacker, who then provides a key to unlock the system. Unlike many other forms of cyberattacks, which generally seek to access data on a system (such as credit card information and social security numbers), ransomware simply locks the data.

Hackers often use social engineering techniques, such as phishing emails and freeware downloads, to introduce ransomware into a system. Only one workstation needs to be infected for the ransomware to work: once it has infected a single workstation, it traverses the target organization’s network and encrypts files on mapped and unmapped network drives. Given enough time, it can even reach an organization’s backup files, making it impossible to restore the system from backups the way Methodist Hospital and MedStar did.
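The propagation pattern just described, one infected workstation rewriting large numbers of files across shared drives in a short time, is also what makes an outbreak detectable on a file server before it reaches the backups. The following is an added example, not code from the article or from any of the organizations it names: a small Python burst detector run over constructed file-server audit records. The audit-log format, the host and user names (WS-101, WS-102, jdoe, rnurse), the share path and the `.locked` extension are all invented for the example; the threshold and window are illustrative tuning values, not recommendations from the article.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Tunables (illustrative assumptions): flag a host that modifies at least
# THRESHOLD distinct files within any span of length WINDOW.
THRESHOLD = 25
WINDOW = timedelta(seconds=60)
WRITE_OPS = {"WRITE", "RENAME"}


def parse_line(line):
    """Parse one record of the constructed audit format:
    '<ISO-8601 timestamp> <host> <user> <operation> <path>'.
    The format is invented for this example; a real file-server audit
    log (e.g. Windows object-access events) needs its own parser."""
    ts, host, user, op, path = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "op": op, "path": path}


def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {host: alert} for every host whose writes/renames touch at
    least `threshold` distinct paths inside a sliding `window`.

    Each alert also reports the most common file extension among the
    files touched in that window: ransomware that rewrites thousands of
    files usually gives them one new, uniform extension, whereas ordinary
    users touch a mix of document types."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # host -> deque of (ts, path) inside window
    alerts = {}
    for ev in events:
        if ev["op"] not in WRITE_OPS:
            continue
        q = recent[ev["host"]]
        q.append((ev["ts"], ev["path"]))
        # Expire events that have fallen out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= threshold and ev["host"] not in alerts:
            exts = Counter(p.rsplit(".", 1)[-1].lower() for p in distinct)
            alerts[ev["host"]] = {
                "user": ev["user"],
                "first_seen": q[0][0].isoformat(),
                "files": len(distinct),
                "extension": exts.most_common(1)[0][0],
            }
    return alerts


def build_sample_log():
    """Constructed audit records (not real data). WS-102 does ordinary
    charting work: six documents over an hour. WS-101 rewrites 40 files
    on a mapped share in under 30 seconds, the behaviour described in
    the text; the '.locked' extension is invented for the example."""
    base = datetime(2016, 3, 28, 8, 0, 0)
    lines = []
    for i in range(6):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} WS-102 rnurse WRITE "
                     f"\\\\FS01\\charts\\visit_{i}.docx")
    for i in range(40):
        t = base + timedelta(milliseconds=700 * i)
        lines.append(f"{t.isoformat()} WS-101 jdoe WRITE "
                     f"\\\\FS01\\charts\\chart_{1000 + i}.pdf.locked")
    return lines


if __name__ == "__main__":
    for host, info in detect_bursts(build_sample_log()).items():
        print(f"ALERT {host} ({info['user']}): {info['files']} files rewritten "
              f"since {info['first_seen']}, uniform extension .{info['extension']}")
```

Run as a script, the example flags WS-101 as soon as its 25th distinct file is rewritten inside the 60-second window and leaves the nurse's normal activity on WS-102 alone. The point of the design is the sliding window per host: an alert fires while the encryption is still in progress, which is the moment a file server can be isolated from the network, as MedStar did, before the ransomware reaches mapped backup locations.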

Once the files are encrypted, the ransomware displays a pop-up window or web page explaining that the files have been locked and providing instructions on how to pay to unlock them (some MedStar employees reported seeing such a pop-up before the system was shut down). The ransom is almost always demanded in the form of Bitcoin (abbreviated as BTC), an untraceable “cryptocurrency.” Once the ransom is paid, the hacker promises, a decryption key will be provided to unlock the files.

Unfortunately, because ransomware perpetrators are criminals and therefore not trustworthy to begin with, paying the ransom is not guaranteed to work. An organization can pay hundreds, even thousands of dollars and get no response, or receive a key that does not work. For these reasons, as well as to deter future attacks, the FBI recommends that ransomware victims not give in and pay up. However, some organizations may panic and be unable to exercise such restraint.

Because of this, ransomware attacks can be much more lucrative for hackers than stealing data. Once a data set is stolen, the hacker must find a buyer and negotiate a price, but in a ransomware attack, the hacker already has a “buyer”: the owner of the data, who is in no position to negotiate the price.

Why is the healthcare industry targeted by ransomware attacks?

There are several reasons why the healthcare industry has become a prime target for ransomware attacks. First is the sensitivity and importance of healthcare data. A business that sells, say, pet treats or supplies will take a financial hit if it can’t access customer data for a few days or a week; orders may go unfilled or be delivered late. However, no customer will be harmed or killed if a box of chocolates or a dog bed is not delivered on time. The same cannot be said of healthcare; doctors, nurses, and other medical professionals need immediate and continuous access to patient data to prevent injury, even death.

US News & World Report points to another culprit: the fact that healthcare, unlike many other industries, went digital virtually overnight rather than gradually and over time. Additionally, many healthcare organizations view their IT departments as a cost to be minimized and therefore do not allocate enough money or human resources to this function:

According to statistics from the Office of the National Coordinator for Health Information Technology, while only 9.4% of hospitals used a basic electronic record system in 2008, 96.9% of them used certified electronic health record systems in 2014.

This explosive growth rate is alarming and indicates that healthcare entities may not have the organizational readiness to adopt information technology in such a short time. Many of the small to mid-sized healthcare organizations do not view IT as an integral part of healthcare, but view it as a mandate imposed by larger hospitals or the federal government. Precisely for this reason, healthcare organizations do not prioritize IT and security technologies in their investments and therefore do not allocate the necessary resources to ensure the security of their IT systems, making them especially vulnerable to attacks and privacy violations.

What can the healthcare industry do about ransomware?

First, the healthcare industry needs a major mindset shift: providers need to stop viewing information systems and information security as overhead costs to be minimized, realize that IT is a critical part of 21st century healthcare, and allocate the appropriate financial and human resources to run and secure their information systems.

The good news is that since ransomware almost always enters a system through simple social engineering techniques, such as phishing emails, it is entirely possible to prevent ransomware attacks by taking measures such as:

  • Institute a comprehensive organizational cybersecurity policy

  • Implement ongoing employee training on security awareness

  • Conduct periodic penetration tests to identify vulnerabilities