A hospital employee sits at her desk working. Suddenly the screen goes blank and a message is displayed: “You’ve been hacked,” followed by instructions regarding how to pay a “ransom.” She checks, and all of her patient files are encrypted and cannot be read. Within minutes, this message appears on all the devices connected to the hospital’s network and locks all employees out of critical files necessary to treat patients or perform any administrative services. The hospital is essentially shut down. No patient records are accessible.
In July of 2012, the Surgeons of Lake County, a practice in Libertyville, Illinois, revealed that they had been the victims of such a malicious attack on their entire organization's critical data files.1 Without these files, the physicians could not operate their business or perform patient surgeries. The files also contained the personal information of many patients, including detailed electronic health records (EHRs). They were among the early victims of ransomware in the health care community. In 2015, an estimated 1,000 instances of ransomware took place each day. The federal government reports that in the first nine months of 2016, there were approximately 4,000 daily occurrences of ransomware in the United States.2 Considering that a stunning 88 percent of all ransomware attacks were directed at the health care community between April and June of 2016 (the most recent period for which data exists), there is no more important industry to educate and protect.3
It is ultimately the board’s responsibility to ensure that their organization understands the risk and is prepared to not only prevent it, but respond if the worst-case scenario does occur.
WHAT IS RANSOMWARE, AND HOW DOES IT WORK?
Ransomware is malicious software that, once it runs on a computer (typically after a user opens a malicious attachment or link), encrypts the files on that machine and on any network drives it can reach, so that even basic use of the computer may become impossible. Many variants also spread to other machines on the same network and infect them as well. The malware then displays a ransom note demanding payment for the key needed to decrypt the files; the attacker does not need to contact the network's administrator in person, because the message is part of the malware itself. Payment is usually demanded in Bitcoin, a digital currency that is created and held electronically. Bitcoin payments are pseudonymous rather than tied to a named account, which makes the recipient difficult to identify, and because patient lives can be at risk, time is of the essence in restoring access.4
There are two primary types of ransomware:
Lockerware: This type locks users out of the computer itself, rendering it useless, and displays a message stating that the machine has been locked and how to pay. It accounted for approximately 36 percent of all ransomware in 2015.5 Because the locked computer cannot function at even a basic level, the victim cannot use it to pay the ransom online in Bitcoin; payment has to be arranged from another device.
Cryptoware: Unlike Lockerware, Cryptoware leaves the computer usable, but the data on it is encrypted and therefore inaccessible to users. This ransomware can include a timer that gives the victim only a limited amount of time to pay, although negotiating for more time may be an option.6 Because ransomware is a volume business, the attacker may be making enough money not to care about extending timers. Symantec reports that 64 percent of attacks in 2015 were of this type, and it appears to be the preferred technique of sophisticated attackers because the ransom can be paid online from the infected computer itself.5
With either type of attack, employees no longer have access to patient records, causing significant disruptions in patient care with the potential for adverse impacts. Like any other emergency situation, hospitals must be prepared to transition to paper-based "offline" care without impacting the quality of care provided. According to PC Magazine, total lockout or file encryption happens very quickly, often within three minutes of initial infection.6
THE THREAT IS REAL AND GROWING
With an estimated 1,000 variants of ransomware released each day, it is quickly becoming a major threat to the American health care system and the millions of patients it treats.5 From December 2015 to May 2016, the United States led the world with over 50 percent of the total detections of ransomware.7 In comparison, the second closest country was Italy, comprising only 13 percent of detections.7 Health care providers are 200 percent more likely to suffer data breaches than other industries.8 With medical data selling for at least 10 times the price of other data on the black market of the Dark Web, it is not surprising that these ransomware attacks continue with increasing frequency.9
Considering these statistics, it is a bit surprising that 69 percent of Americans trust hospitals and health care organizations to keep their data safe, more than any other industry including banks and government entities.9 At the same time, consumers are becoming more aware of the risk. According to the American Hospital Association's 2017 Environmental Scan, 62 percent of consumers prefer device security to ease of use.20 The cost to hospitals is significant: the Ponemon Institute estimates that unplanned downtime costs health care organizations $7,900 for every minute that data is unavailable for use.10
PRIVACY AND TRUST IMPLICATIONS
Another significant cost is the potential loss of reputation for the hospital or health system under attack. Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, a ransomware infection is a security incident. In addition, under HIPAA and the Health Information Technology for Economic and Clinical Health Act (HITECH), it is presumed to be a reportable breach: when electronic protected health information is encrypted by ransomware, an unauthorized party has taken control of the data, which HIPAA treats as an "acquisition," and the organization must notify every affected individual (and, for large breaches, regulators and the media) unless a documented risk assessment shows a low probability that the information was compromised.11 Notifying every person affected by the breach can be difficult, expensive and time consuming, and the disruption can delay care for affected patients and families.
PROTECTING YOUR ORGANIZATION
In order to best protect an organization's network from ransomware, hospitals and health systems should deploy several layers of defense (for example, email filtering, firewalls and endpoint protection) with their protective features enabled, while understanding that breaches can still happen. It only takes one employee mistaking a phishing email for a legitimate one to breach a network. Popular types of phishing emails include those that appear to contain resumes for consideration; these are often forwarded to human resources and opened there by staff who have no reason to expect an attack.12
Fake billing, shipping and invoicing emails are also used to target employees.12 To limit the damage such an email can do, and to prevent the unauthorized installation of programs, local administrative rights should be removed from every computer on which they are not essential. It should be noted, however, that much ransomware does not require administrative rights at all: it runs with the permissions of the user who opened the attachment and encrypts whatever that user can write to, so access to an ordinary user account is often enough for infection. Training staff to spot phishing attacks and suspicious emails is therefore critical to the health of a network. Fake emails and websites are often very convincing and may use details already known about the targeted individual to appear legitimate.5
The Ponemon Institute estimates that training staff yields a 50 times return on investment by preventing future attacks.10 Within the health care industry, breaches caused by human error accounted for 40 percent of the total breaches in 2016, up from 28 percent in 2015.13 It is also recommended that organizations hire a penetration tester (a "white hat hacker") to actively look for system vulnerabilities so they can be fixed before they are exploited.
Regular backups of all data on the network are highly recommended and are the most effective way to avoid paying the ransom. Backups not only prevent data loss, but also allow the system to be restored without paying, which removes the attacker's leverage and decreases the incentive to target the network again. Backups should be disconnected from the network after each backup run so that the ransomware cannot reach and encrypt them too, and restores should be tested regularly: a backup that has never been restored is not known to work.
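The following is an added example, not code from the original article or from any backup product, illustrating why a backup must be kept offline and verified before it is trusted. It creates a small set of constructed "patient record" files, takes two copies (one that stays reachable from the network and one that is kept offline), simulates an infection that scrambles every reachable file, and then shows that only the offline copy passes a hash check and can be restored. All paths, file names and contents are made up for the demonstration; the `simulate_ransomware` function is a harmless stand-in that XORs bytes and renames files, not real malware.

```python
"""Offline-backup demonstration (added example, not from the article)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large record sets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source: Path, backup_root: Path) -> Path:
    """Copy `source` into backup_root/snapshot and record a SHA-256 manifest.
    The manifest is what later proves the copy is intact instead of assuming it."""
    snapshot = backup_root / "snapshot"
    shutil.copytree(source, snapshot)  # creates backup_root as well
    manifest = {
        str(p.relative_to(snapshot)): sha256_of(p)
        for p in sorted(snapshot.rglob("*")) if p.is_file()
    }
    (backup_root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return snapshot


def verify_backup(backup_root: Path) -> List[str]:
    """Return files that are missing, rewritten or unexpected relative to the
    manifest. An empty list means the snapshot is intact."""
    snapshot = backup_root / "snapshot"
    manifest = json.loads((backup_root / "manifest.json").read_text())
    problems = []
    for rel, digest in manifest.items():
        p = snapshot / rel
        if not p.is_file() or sha256_of(p) != digest:
            problems.append(rel)
    for p in snapshot.rglob("*"):
        rel = str(p.relative_to(snapshot))
        if p.is_file() and rel not in manifest:
            problems.append(rel)
    return sorted(problems)


def restore_backup(backup_root: Path, target: Path) -> None:
    """Restore only a snapshot that passes verification: a tampered backup must
    never be allowed to overwrite production."""
    problems = verify_backup(backup_root)
    if problems:
        raise RuntimeError(f"refusing to restore, backup is not intact: {problems}")
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(backup_root / "snapshot", target)


def simulate_ransomware(directory: Path) -> None:
    """Harmless stand-in for an infection: scramble each file's bytes and add a
    '.locked' suffix. This is a constructed simulation, not real malware."""
    for p in list(directory.rglob("*")):
        if p.is_file():
            p.write_bytes(bytes(b ^ 0xA5 for b in p.read_bytes()))
            p.rename(p.with_suffix(p.suffix + ".locked"))


def demo() -> Dict[str, bool]:
    """Run the whole scenario in a temporary directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        records = root / "records"
        records.mkdir()
        # Constructed sample data standing in for patient records.
        (records / "patient_001.txt").write_text("Jane Doe, MRN 001, allergy: penicillin\n")
        (records / "patient_002.txt").write_text("John Roe, MRN 002, next visit 2017-03-01\n")

        offline = root / "offline_backup"      # disconnected after the copy is taken
        connected = root / "connected_backup"  # left reachable from the network
        take_backup(records, offline)
        take_backup(records, connected)

        # The infection reaches production and everything still on the network.
        simulate_ransomware(records)
        simulate_ransomware(connected / "snapshot")

        result = {
            "connected_backup_intact": verify_backup(connected) == [],
            "offline_backup_intact": verify_backup(offline) == [],
        }
        try:
            restore_backup(connected, records)
            result["restored_from_connected"] = True
        except RuntimeError:
            result["restored_from_connected"] = False
        restore_backup(offline, records)
        result["restored_from_offline"] = (
            (records / "patient_001.txt").read_text().startswith("Jane Doe")
        )
        return result


if __name__ == "__main__":
    print(demo())
```

The point of the manifest check is that a backup job does not know whether the files it copied were already encrypted, and a backup left on the network is encrypted along with everything else; only a copy that was disconnected and that still matches its recorded hashes is safe to restore from, which is why restores should be rehearsed before an incident rather than during one.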
THE FUTURE OF THE “INTERNET OF THINGS”
Despite firewalls, well-trained employees and other security tactics, breaches will continue. This is particularly true because of the significant increase in the “Internet of Things.” As the number of devices used increases and electronic health records become more interconnected, there are more opportunities to be hacked.
A recent report predicted that ransomware attacks against the health care industry will at least double by 2018.17 In 2015, health care record theft was up 1,100 percent over the previous year, and one in three people had their records breached that year.18 The FBI estimates that ransomware cost the American economy $1 billion in 2016.19
It’s clear that ransomware is not going away. In addition to help from law enforcement, the health care industry must be alert to new threats through the use of sophisticated network security, comprehensive employee training and the use of very regular, working backups.
Content for this article was contributed by Bob Gregg, CEO, ID Experts, www2.idexpertscorp.com.
RANSOMWARE: WHAT YOU CAN DO NOW
Hospital and health system boards can proactively reduce the risk of cybercrime and prepare for potential breaches by taking the following steps:
Sources and More Information