While healthcare providers cannot ignore HIPAA, a newer and potentially much greater threat has emerged: ransomware attacks on hospitals and healthcare providers. These attacks do not steal patient information; they render it inaccessible until the organization pays a large ransom.
In recent weeks, the following major ransomware attacks on healthcare facilities have been reported:
- In February 2016, attackers used a strain of ransomware called Locky against Hollywood Presbyterian Medical Center in Los Angeles, rendering the organization's computers unusable. About a week later, the hospital gave in to the attackers' demands and paid a ransom of roughly $17,000 in Bitcoin for the key to unlock its systems.
- In early March 2016, Methodist Hospital in Henderson, Kentucky was also hit with Locky. Rather than pay the ransom, the organization restored its data from backups, but it was forced to declare an internal "state of emergency" that lasted about three days.
- In late March, MedStar Health, which operates more than 10 hospitals and more than 250 outpatient facilities in the Maryland/DC area, was the victim of a ransomware attack. The organization immediately shut down its network to keep the infection from spreading and gradually began restoring from backups. Although MedStar's hospitals and clinics stayed open, staff could not access email or electronic health records, patients could not book appointments online, and everything had to be done on paper.
These incidents are unlikely to be isolated cases. A recent study by the Health Information Trust Alliance (HITRUST) found that 52% of U.S. hospital systems were infected with malicious software.
What is ransomware?
Ransomware is malware that renders a system unusable (in effect, the system is held hostage) until the attacker is paid a ransom, usually demanded in Bitcoin, in exchange for the key that unlocks it. Unlike many other cyberattacks, which typically aim to steal data from a system (credit card numbers, Social Security numbers), ransomware denies the victim access to its own data.
Attackers typically use social engineering techniques, such as phishing emails and free software downloads, to get ransomware onto a system. Ransomware needs only a single infected workstation to do its damage: once it is running on one machine, it works its way across the target organization's network, encrypting files on mapped network drives and on network shares that are not mapped but are still reachable. Given enough time it can reach an organization's backup files as well; if the backups are encrypted too, recovering from backups, as Methodist Hospital and MedStar did, is no longer an option. A backup that an infected workstation can write to is not a backup against ransomware, which is why at least one copy should be kept offline or otherwise unwritable from the production network.
Once the files are encrypted, the ransomware displays a pop-up or web page explaining that the files have been locked and giving instructions for paying to unlock them (some MedStar staff reported seeing such a pop-up before the systems were shut down). The ransom is almost always demanded in Bitcoin (BTC), a cryptocurrency whose transactions are pseudonymous and hard to trace back to a person. After the ransom is paid, the attacker promises to provide a decryption key that unlocks the files.
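The encryption behaviour described above (one infected workstation rewriting files across mapped and unmapped shares, backups included) leaves a footprint on the file server that can be detected while it is happening. The following Python script is an added example, not code from the original post or from any of the incidents it describes: it runs a simple burst detector over constructed file-server audit events and flags a host that rewrites many non-compressed files with ciphertext-like content within a short window, listing the shares it touched. The hostnames, share paths, the `.locky` extension on the constructed events (the extension the Locky family is known to append), the entropy threshold and the window size are all assumptions chosen for the illustration.

```python
import math
import random
from collections import Counter, defaultdict

# Formats that are high-entropy by nature (compressed or already encrypted) and
# therefore must not be counted as "encrypted by ransomware" on content alone.
COMPRESSED_EXTS = {"jpg", "jpeg", "png", "gif", "zip", "gz", "7z",
                   "pdf", "docx", "xlsx", "pptx", "mp4"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.0) -> bool:
    """Plaintext sits well below 7 bits/byte; ciphertext sits close to 8.
    The threshold is an assumption for this example."""
    return shannon_entropy(data) > threshold


def share_of(path: str) -> str:
    r"""'\\server\share\dir\file' -> '\\server\share' (UNC paths only)."""
    parts = path.split("\\")
    return "\\\\" + parts[2] + "\\" + parts[3]


def is_suspicious_write(event: dict) -> bool:
    """A write is suspicious if the file is not a compressed format and the
    bytes written look like ciphertext."""
    ext = event["path"].rsplit(".", 1)[-1].lower()
    if ext in COMPRESSED_EXTS:
        return False
    return looks_encrypted(event["sample"])


def detect_ransomware_bursts(events, window_s=60, min_files=20):
    """Alert when one host makes >= min_files suspicious writes within
    window_s seconds. Returns one alert per offending host."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_suspicious_write(ev):
            by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window_s:
                start += 1  # slide the window forward
            if end - start + 1 >= min_files:
                burst = evs[start:]  # everything from the window start onward
                alerts.append({
                    "host": host,
                    "files": len(burst),
                    "shares": sorted({share_of(e["path"]) for e in burst}),
                    "first_ts": burst[0]["ts"],
                })
                break
    return alerts


def build_sample_events():
    """Constructed file-server audit events (not real data). Each event is the
    timestamp, writing host, UNC path and a sample of the bytes written."""
    rng = random.Random(2016)
    plaintext = (b"Patient: J. Smith  DOB: 1970-01-01\nChief complaint: chest pain\n"
                 b"Assessment: stable, follow up in two weeks.\n") * 40

    def cipher_like():
        return bytes(rng.getrandbits(8) for _ in range(4096))

    events = []
    # Benign: a radiology workstation saves 30 JPEGs (high entropy, allowlisted).
    for i in range(30):
        events.append({"ts": 900 + i, "host": "ws-radiology-02",
                       "path": rf"\\fs01\imaging\ct_{i:03d}.jpg", "sample": cipher_like()})
    # Benign: a nursing workstation saves a few plaintext notes.
    for i in range(5):
        events.append({"ts": 950 + i, "host": "ws-nursing-07",
                       "path": rf"\\fs01\patients\note_{i}.txt", "sample": plaintext})
    # Malicious: the same nursing workstation, now infected, rewrites 25 files as
    # ciphertext across a mapped patient share and an unmapped backup share.
    for i in range(25):
        share = r"\\fs01\patients" if i % 2 == 0 else r"\\bk01\backups"
        events.append({"ts": 1000 + i * 1.5, "host": "ws-nursing-07",
                       "path": rf"{share}\file_{i:03d}.locky", "sample": cipher_like()})
    return events


if __name__ == "__main__":
    for alert in detect_ransomware_bursts(build_sample_events()):
        print(f"ALERT host={alert['host']} files={alert['files']} shares={alert['shares']}")
```

Run it directly to print the single alert for the infected nursing workstation. The extension allowlist is the important caveat: JPEGs, PDFs and Office documents are compressed and look like ciphertext to an entropy test, so counting them would bury a radiology department in false positives. The share list in the alert is what a responder wants first, because a host writing ciphertext to a backup share is exactly the case the text warns about.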
Unfortunately, because the perpetrators of ransomware are criminals, and therefore untrustworthy to begin with, paying the ransom is not guaranteed to work. An organization can pay hundreds or thousands of dollars and receive no response at all, or receive a key that works only partially or not at all. For these reasons, and to avoid encouraging future attacks, the FBI recommends that ransomware victims not pay. Some organizations, however, are desperate enough that they will pay anyway.
That is also why ransomware attacks can be far more profitable for attackers than data theft. After stealing a data set, the attacker must find a buyer and negotiate a price; in a ransomware attack, the attacker already has a "buyer", the owner of the data, who is in no position to negotiate.
Why is the healthcare industry a target for ransomware attacks?
There are several reasons why the healthcare industry has become a prime target for ransomware attacks. First and foremost is the sensitivity and importance of health data. A company that sells candy or pet supplies takes a financial hit if it cannot access its customer data for a day or a week: orders go unfulfilled or are delivered late. But no customer is harmed or killed because a box of chocolates or a dog bed arrives late. The same cannot be said of healthcare; physicians, nurses and other medical professionals need immediate and continuous access to patient data to prevent harm, including death.
US News & World Report points to another culprit: healthcare, unlike many other industries, was digitized almost overnight rather than gradually over time. In addition, many healthcare organizations treat their IT department as a cost center to be minimized, and therefore do not allocate enough money or staff to it:
According to statistics from the Office of the National Coordinator for Health Information Technology (ONC), 9.4% of hospitals used a basic electronic health record (EHR) system in 2008; by 2014, 96.9% used a certified EHR system.
That explosive growth rate is worrying: it suggests that healthcare organizations may not have had the organizational readiness to adopt information technology in such a short time. Many small and medium-sized healthcare organizations do not see IT as a component of medical care but treat it as a mandate imposed by large hospitals or the federal government. As a result, they do not prioritize IT and security in their investments and do not allocate the resources needed to secure their computer systems, which leaves them particularly vulnerable to breaches.
What can the healthcare industry do about ransomware?
First, the healthcare industry needs a change in mindset: providers must stop treating information systems and information security as overhead to be cut, recognize that they are a critical part of 21st-century healthcare, and allocate adequate financial and human resources to implementing and securing their information systems.
The good news is that ransomware almost always gets into a system through simple social engineering techniques, such as phishing emails, so ransomware attacks are largely preventable by taking the following measures, among others:
- Implement a comprehensive organizational cybersecurity policy
- Establish ongoing security awareness training for staff
- Conduct regular penetration tests to identify vulnerabilities