Just in the last six months, ransomware—malicious software that locks files until a ransom is paid in exchange for the key—has affected at least a dozen hospitals in North America. This includes the recent 10-hospital MedStar Health system compromised in Maryland, the largest health system successfully attacked by ransomware so far.
Of these incidents, one of the most significant targeted the Hollywood Presbyterian Medical Center (HPMC) in Los Angeles. In an attack that displaced patients and spurred panic in the medical industry, HPMC ended up paying $17,000 to hackers holding the hospital's Electronic Health Records (EHRs) hostage—the money, though, is minuscule relative to the massive inefficiency and chaos created by the process. For 10 days the hospital was held hostage, and staff at HPMC had to go analog, using pen and paper, fax and phone calls to relay information. The incident set a precedent for future healthcare-related cyber attacks: organizations are willing to pay up. And hackers are evidently taking the hint. Infections are becoming so prevalent that the Department of Homeland Security (DHS) and the Canadian Cyber Incident Response Centre (CCIRC) released a joint alert in late March.
Taking a closer look at the HPMC case and those that have followed it, we can see this is just the beginning of what will be a long string of attacks, and the monetary demands may have been just a proof of concept. It's well-known that the healthcare industry has lagged far behind cybersecurity best practices, and these ransomware attacks show just how easily attackers can cripple an institution. With organizations dropping the ball, it's now up to the citizens to take action to secure their own data.
Ransomware's Rise to Notoriety
Ransomware has been around for some time, tricking everyday users into locking themselves out of their devices and leaving them to either pay the ransom or risk losing the files forever. But why is this brand of attack gaining popularity now, and why are healthcare organizations the target du jour?
Ultimately, ransomware has a great ROI if executed effectively. It's a relatively unsophisticated attack, and hackers are able to bring in big money through quick extortion rather than making the effort of selling records on the black market. This is especially true for healthcare, in which up-to-date software and hardware—let alone proper cybersecurity measures—are painfully lacking and the stakes are potentially tragic. Put simply, it's the perfect target. Not to mention that variations in ransomware, from Samsam to Locky, provide a range of possible attacks, and Forrester predicted 2016 is the year ransomware will flood healthcare organizations, or possibly even individual medical devices.
The sensitive information found in health records is another reason attackers target healthcare organizations. It's double indemnity—if the victim organization won't pay the ransom, hackers can still make a profit, easily exfiltrating records and data to sell. On the black market, criminal hackers can demand $20 per health insurance credential and upwards of $50 per medical record. This is in stark contrast with the dollar or two they might make selling someone's credit card information. And this highly sought-after private and personal information is lasting, unlike credit card data that can be made void with one phone call—not to mention health records often contain financial information as an added bonus. With the odds in their favor to make a profit off a healthcare-related breach, hackers are more than willing to cash in.
Are Organizations Being Honest About Security?
The inevitable wave of ransomware is concerning to all industries, but there is an added element of fear for healthcare organizations, which have to consider HIPAA and FDA compliance regulations that can create even more problems in the wake of failure to protect sensitive patient data and safety.
This is likely the reason spokespeople and leadership from HPMC, and now other affected organizations, have asserted there was no evidence that medical records had been stolen (i.e. patient privacy was not compromised). From a security standpoint, it's more likely that the lack of evidence indicates records were stolen, but why would they admit otherwise? HIPAA fines only go into effect when a breach of patient privacy is proven and/or it's been determined the hospital failed to "exercise reasonable diligence to protect their systems"—using said "evidence"—and a breach does not even have to be publicly reported unless more than 500 people are affected. This lack of public accountability also allows for a lack of significant investment in tools or security measures, which non-security-minded decision makers tend to think are a waste of money.
Even with HPMC's denial of records being stolen, I'm hard pressed to believe hackers left with nothing. Despite HIPAA/HITECH regulations, healthcare trails other industries in terms of information security, claiming three of the top seven breaches in 2015. Even worse, there's no sign of improvement—healthcare accounts for 87.9 percent of breaches to date in 2016, according to an Identity Theft Resource Center report.
If hackers were able to encrypt HPMC's digital assets in order to demand a ransom, they surely had complete control of the hospital's network. If that's the case, they could have easily pilfered records and erased all traces of their steps.
What Can Patients Do?
Being aware of threats to healthcare organizations, consumers can assume their records are being compromised at any given time, if they haven't been already. Patients who acknowledge this fact will take steps to protect themselves (e.g. credit and fraud monitoring). A proactive approach from each patient is imperative considering they can personally incur significant losses as a result of cyber crimes. Victims of medical identity theft pay an average of $13,500 in out-of-pocket costs in legal expenses and financial loss.
This onus on the consumer will remain until hospitals adopt robust security systems. Knowing it is the least prepared industry in terms of security, the healthcare sector needs to take drastic steps to modernize. Implementing measures like cloud-based security solutions and constant network and application testing can help identify security gaps proactively, and advanced threat detection can raise a red flag if an attacker does make it in.
Until then, healthcare attacks will continue to be part of our daily lives.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.