The truth about ransomware's impact on the healthcare industry

When cybercrime began making headlines in the 1980s, there was an unwritten code of ethics between hackers that healthcare was off-limits.

Today, that moral philosophy is no more, as hospitals and healthcare organizations have become the targets of crippling digital attacks. Ransomware, where hackers hold an organization's enterprise systems hostage until a payment is received, shows where cybercrime is headed, and hackers are already proving the damage that can be done to patient privacy and healthcare integrity.

Ransomware attacks in the healthcare industry are making headlines – from the Hollywood Presbyterian Medical Center in February to the May attack on Kansas Heart Hospital. In the Kansas case, the hospital paid the requested ransom to free its data, only to have the hackers demand an additional sum. Recently, congressmen Ted Lieu and Will Hurd argued to the U.S. Department of Health and Human Services that ransomware should not be "treated the same or subject to the exact same risk assessment" as a conventional breach. For the same reason, healthcare CTOs should view ransomware as a distinct class of product that criminals create, even though the most effective preventative measures are not all that different from those used against traditional cybercrime.

What are the risks?
Hackers view hospitals and other healthcare providers as "soft targets" with valuable records rich with personal, financial and employer data. The 2016 Internet Security Threat Report by Symantec confirmed this vulnerability, saying healthcare organizations are at a greater risk of cyber-attacks today than ever before. As hospitals around the globe increase their digital footprint with wearables, the Internet of Things (IoT), and EHRs, ransomware becomes more threatening to healthcare employees and patients.

Social engineering threats – which hackers often introduce in the form of email phishing or click bait – are flourishing as employees unknowingly allow hackers to bypass security architecture. This is a major avenue for cyber criminals to access information, modify code and exfiltrate data. A cloud-based architecture increases the risk from social engineering even more, as patient-controlled devices such as wearables frequently expose vulnerable access points to healthcare data.

Another risk factor is the Internet of Things (IoT), despite its promise to streamline the industry. As the number of "things" working together to deliver faster patient data and improve overall care increases, hackers have more opportunities to capture vital information and then hold it hostage. The problem with the IoT lies in trying to connect a large number of devices that have just enough intelligence to be useful but are deployed with little to no enterprise management capability. To minimize security risks as the healthcare industry moves toward true interoperability, enterprise systems need to accommodate the next generation of health IT tools as well as the "bring your own device" movement, which also introduces risk as employees access healthcare information through insecure methods. Healthcare IT leaders can combat this by being more vigilant about which personal devices are allowed to connect to their networks.

How can ransomware be prevented?
As in the case of Kansas Heart Hospital, paying the ransom may not result in an immediate return of critical data. Because of this, prevention is the best measure against an attack, and healthcare organizations can set themselves up so that they ideally never have to pay a ransom. While hackers are using unfamiliar vulnerabilities, ransomware attacks behave like any other form of malware and should be prevented with similar security techniques.

Workforce training must be a high priority, especially for larger healthcare organizations, to protect against the social engineering tactics used by modern criminals. Developing and implementing a comprehensive security training program that lays out best practices for employees can go a long way toward ensuring that human error is the least of a CTO's worries when thinking about ransomware.

In addition, IT systems should be tested for how well they stop hackers from gaining access to an organization's digital infrastructure. This can be done manually or automatically via software. If vulnerabilities are found, they need to be fixed as quickly and securely as possible. Intrusion detection software that automatically monitors for and reports malicious activity will help streamline prevention, while endpoint security solutions that set specific criteria outside devices must meet before they can connect to a network can minimize the risk created by the "bring your own device" movement. If you need to engage an IT vendor to help with this process, ask them how they manage security in their own business. Any top provider should have a security due diligence checklist that defines their policies for protecting their customer base, and should be able to translate it into plain language.

Finally, every healthcare organization should have separate disaster recovery and business continuity plans, with the business continuity plan setting the requirements for the disaster recovery plan. The C-suite, IT leaders and departmental leaders should be involved in the development of the plans to ensure coordination and that processes and technology most critical to the delivery of care are represented accurately.

How should organizations react to a ransomware attack?
Even with the above measures in place, hackers may still find a way to exploit security loopholes, and healthcare organizations should always be prepared for the "what-if" of being hit with a ransomware attack. Should this happen, sunlight is the best disinfectant: the faster the problem is exposed, the faster the necessary information can be gathered to regain control of the situation. Ransomware works by encrypting data, and that doesn't happen overnight – it can take days if not weeks. Acting fast to block an attack ensures the encryption of every piece of data can't be completed, so the integrity of some data is preserved without having to pay a ransom.
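The two preceding points (intrusion detection that reports malicious activity, and catching encryption while it is still in progress) come together in a simple host-level heuristic: a single process rewriting many files to a new extension in a short window. The following is an added illustration, not code from the article or from Xerox; the log format, process names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed (constructed) log format: "<ISO timestamp> <process> RENAME <old_path> -> <new_path>"
LINE_RE = re.compile(r"^(\S+) (\S+) RENAME (\S+) -> (\S+)$")


def parse_event(line):
    """Parse one log line; return (timestamp, process, old_path, new_path) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, proc, old, new = m.groups()
    return datetime.fromisoformat(ts), proc, old, new


def extension_changed(old, new):
    return old.rsplit(".", 1)[-1] != new.rsplit(".", 1)[-1]


def detect_mass_rename(lines, window=timedelta(seconds=60), threshold=20):
    """Return {process: time_of_first_alert} for every process that changed the
    extension of at least `threshold` files inside a sliding `window`."""
    recent = defaultdict(deque)  # per-process timestamps of extension-changing renames
    alerts = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, proc, old, new = ev
        if not extension_changed(old, new):
            continue
        q = recent[proc]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and proc not in alerts:
            alerts[proc] = ts
    return alerts


def make_sample_log():
    """Constructed sample: a backup job renaming three files normally, and an
    unknown process rewriting 25 patient records to a new extension in 25 seconds."""
    base = datetime(2016, 6, 1, 3, 0, 0)
    lines = [f"{(base + timedelta(seconds=i * 10)).isoformat()} backup.exe RENAME "
             f"/data/tmp{i}.part -> /data/tmp{i}.bak" for i in range(3)]
    lines += [f"{(base + timedelta(seconds=i)).isoformat()} unknown_proc.exe RENAME "
              f"/ehr/patient{i}.docx -> /ehr/patient{i}.locked" for i in range(25)]
    return lines
```

On the sample log only the unknown process is flagged, at the 20th rename (nineteen seconds in), which is the point at which an automated responder could suspend it before the remaining records are touched.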

Having complete and tested backups of the patient and operations data necessary to provide care will also help. This is essential to countering ransomware attackers, who may be betting on the IT department not having effective backup and recovery systems. Organizations must also be able to restore servers and network configurations safely so that control is maintained and follow-on attacks are prevented. Secure backups allow the business continuity plan to go to work so that patient care can be maintained.

Some CIOs and CTOs may try to keep a ransomware attack under cover to avoid shining light on a security weakness. However, because time is so critical in fixing an attack, it's best for an organization to be as transparent as possible and work with security vendors and trusted solution providers to mitigate the risk and gracefully navigate the situation.

What threat is ransomware to the future?
It's a reality that more and more sensitive data will be stored electronically in the healthcare industry. Healthcare combines all the vulnerable details of financial information with the personal records of an individual's identity, making the industry a prime target for attackers, and that targeting will continue to grow in the years to come.

Now and in the future, healthcare leaders and IT system architects need to take the initiative and stand against paying ransoms. Organizations need to create and implement policies that encourage immediate action in the event of an attack. Recovery plans should articulate what IT leadership will do, how departments will continue to work, and how leaders will communicate the news throughout their organization and beyond. While not every attack may be preventable, a proactive mindset toward security architecture in an increasingly connected industry can help safeguard healthcare and its precious information from being held hostage.

Ken Bradberry is the chief technology officer, Commercial Healthcare at Xerox. He has more than 20 years of experience in healthcare technology and focuses on creating and sustaining innovative health IT solutions and products. Previously, he held technical design, engineering strategy and leadership positions in support of healthcare application and infrastructure technologies.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.
