Ransomware Attacks Show That Healthcare Must Take Cybersecurity Seriously

While healthcare providers and healthcare industry vendors cannot afford to ignore HIPAA, a new threat has emerged and is poised to become much bigger: ransomware attacks on hospitals and healthcare providers that are not seeking to breach patient information but instead render it inaccessible until the organization pays a hefty ransom.

In just the past few weeks, the following major ransomware attacks on healthcare facilities have occurred:

In February 2016, hackers used a piece of ransomware called Locky to attack Hollywood Presbyterian Medical Center in Los Angeles, rendering the organization’s computers inoperable. After a week, the hospital gave in to the hackers’ demands and paid a $17,000.00 Bitcoin ransom for the key to unlock their computers.

In early March 2016, Methodist Hospital in Henderson, Kentucky, was also attacked using Locky ransomware. Instead of paying the ransom, the organization restored the data from backups. However, the hospital was forced to declare a “state of emergency” that lasted for approximately three days.

In late March, MedStar Health, which operates 10 hospitals and over 250 outpatient clinics in the Maryland/DC area, fell victim to a ransomware attack. The organization immediately shut down its network to prevent the attack from spreading and began to gradually restore data from backups. Although MedStar’s hospitals and clinics remained open, employees were unable to access email or electronic health records, and patients were unable to make appointments online; everything had to go back to paper.

Likely, this is only the beginning. A recent study by the Health Information Trust Alliance found that 52% of U.S. hospitals’ systems were infected by malicious software.

What is ransomware?

Ransomware is malware that renders a system inoperable (in essence, holding it hostage) until a ransom fee (usually demanded in Bitcoin) is paid to the hacker, who then provides a key to unlock the system. As opposed to many other forms of cyber attacks, which usually seek to access the data on a system (such as credit card information and Social Security numbers), ransomware simply locks the data down.

Hackers usually employ social engineering techniques – such as phishing emails and free software downloads – to get ransomware onto a system. Only one workstation needs to be infected for ransomware to work; once the ransomware has infected a single workstation, it traverses the targeted organization’s network, encrypting files on both mapped and unmapped network drives. Given enough time, it may even reach an organization’s backup files – making it impossible to restore the system using backups, as Methodist Hospital and MedStar did.

Once the files are encrypted, the ransomware displays a pop-up or a webpage explaining that the files have been locked and giving instructions on how to pay to unlock them (some MedStar employees reported having seen such a pop-up before the system was shut down). The ransom is nearly always demanded in the form of Bitcoin (abbreviated as BTC), an untraceable “cryptocurrency.” Once the ransom is paid, the hacker promises, a decryption key will be provided to unlock the files.

Unfortunately, because ransomware perpetrators are criminals – and thus, untrustworthy to begin with – paying the ransom is not guaranteed to work. An organization may pay hundreds, even thousands of dollars and receive no response, or receive a key that does not work, or that does not fully work. For these reasons, as well as to deter future attacks, the FBI recommends that ransomware victims not cave in and pay. However, some organizations may panic and be unable to exercise such restraint.

Because of this, ransomware attacks can be much more lucrative for hackers than actually stealing data. Once a set of data is stolen, the hacker must procure a buyer and negotiate a price, but in a ransomware attack, the hacker already has a “buyer”: the owner of the information, who is not in a position to negotiate on price.

Why is the healthcare industry being targeted in ransomware attacks?

There are several reasons why the healthcare industry has become a prime target for ransomware attacks. First is the sensitivity and importance of healthcare data. A company that sells, say, candy or pet supplies will take a financial hit if it cannot access its customer data for a few days or a week; orders may be left unfilled or delivered late. However, no customers will be harmed or die if a box of chocolates or a dog bed isn’t delivered on time. The same cannot be said for healthcare; physicians, nurses, and other medical professionals need immediate and continuous access to patient data to prevent injuries, even deaths.

U.S. News & World Report points to another culprit: the fact that healthcare, unlike many other industries, went digital practically overnight instead of gradually and over time. Additionally, many healthcare organizations see their IT departments as a cost to be minimized, and therefore do not allocate enough money or human resources to this function:

Using Healthcare Technology for Your Aging in Place Loved Ones

The preponderance of healthcare technology in the home is growing by leaps and bounds, and especially those items made for the parents of baby boomers. With the start of boomers turning 65 on the first of this year, there is a growing aging population that knows about this technology and welcomes it for their parents who are aging in place. The older generation, the parents, however, may not be as likely to choose it, as they may feel that web and cell-based information invades their privacy or limits their independence. Other barriers to choosing technology in the home may be that the expense is cost-prohibitive.

Some of the home-based health technologies available today include complete wireless systems that will monitor the movement of an individual, provide fall detection and a panic button, and report medical issues such as temperature and blood pressure. Other devices monitor just one or two of the above separately. In addition, pill-taking reminders, symptom and patient record systems, video phones and caregiving assistance tools can be found from numerous manufacturers.

A study regarding healthcare technologies by the National Alliance for Caregiving and UnitedHealthcare was recently released at the annual Consumer Electronics show in Las Vegas this year. It showed that in a study of 1,000 family caregivers, two thirds welcome new devices that can help them with their duties. These people had all used some form of technology to help them out and provide at least five hours of unpaid service per week. The ages of the respondents was split by 47% over 50 and 53% under 50.

Here are the top three devices that 70% or more of those surveyed said would be most helpful:
– Personal Health Record Tracking – A computerized, web or cell-based system that tracks the health condition of the care recipient, including medications, current readings such as temperature and blood pressure, and manages test results and patient history.
– Caregiving Coordination System – An automated record that lets family members coordinate physician appointments and work together to organize caregiving assignments for the recipient.
– Medication Support Systems – A device that notifies the care recipient when it is time to take prescriptions and supplements and dispenses them into a handy container. The system-supported device can also notify caregivers when a dose has not been taken.

Baby boomers realize the benefits of health technologies, especially when they are not in the same city or cannot get to the care recipient on a regular basis. The survey respondents said that the advantages of the systems include saving time, making caregiving easier logistically, making the recipient feel safer, feeling more effective as a caregiver and reducing caregiving stress. While some of the elderly parents may be resistant to the health technology, over time, baby boomers will be looking to these solutions for themselves, and realize the benefits over the barriers.