No longer are cyber thieves content to steal individuals’ financial information off unencrypted hard drives or through spam or phishing schemes. Increasingly, these criminals are going after bigger targets – they are targeting corporations with ever more complex threats like SQL injections, advanced persistent threats and Zero-Day exploits. These criminals are ruthless and have begun targeting healthcare providers.
According to Robert Herjavec, ransomware attacks on hospitals may increase fivefold over the next five years. Why, you may ask, all this interest in hospitals and the healthcare industry?
- Financial gain. Medical records are far more valuable than credit card data. Medical records can sell for up to $50 each on the Dark Web compared to the meager $1 that Social Security and credit card data brings.
- Easier to hack. Banks and other financial institutions are becoming more difficult to crack for cyber thieves. These institutions have invested heavily in cybersecurity to protect their data, while healthcare’s investment in sophisticated cybersecurity is lagging.
- Medical identity theft is more difficult to detect. Consumers can purchase plans to help protect them again identity fraud and track their financial statements to detect fraud. But both patients and healthcare providers are unlikely to recognize a security breach immediately.
Large hospitals and other large healthcare organizations are not the only targets. Smaller private medical practices are also being targeted. According to Healthcare Informatics, 45 percent of all ransomware attacks in 2017 were in the healthcare field.
Regardless of the size of the organization, ransomware attacks can cause significant financial loss. Some organizations chose to pay the ransom because of the urgent need to resume patient care. However, there are more considerable economic consequences too.
- Disruption of services. During the ransomware attack, the healthcare provider cannot provide a wide array of medical services causing loss of income by interruption of the business’s operations.
- Loss of reputation. Patients often choose a medical practice, hospital or same-day surgery center based on the facility’s reputation. Loss of trust in a facility’s ability to safeguard patients’ medical records could potentially lead to business failure.
The CIO in any healthcare organization must communicate with the facility’s board of directors and management that cybersecurity is not an issue that can be tabled until next year. Clearly, everyone should develop a deep understanding of the serious consequences if their facility is attacked by ransomware. When the magnitude of potential damage is fully appreciated, cybersecurity will cease to be an expense. Cybersecurity will become an investment to protect the business from catastrophic cyber-attacks.
The healthcare industry is unique – bound by HIPAA for patient privacy and security – unlike credit cards which can be canceled and reissued – medical records uniquely belong to the patient and could be at risk for the life of the patient.
Why is the healthcare industry at increased risk for ransomware attacks?
Cybersecurity companies like Herjavec Group and Cybersecurity Ventures issued a report in 2016 that ransomware damages would be in the range of $1 billion for the year. Let’s look at some of the reasons the healthcare field is now the #1 target for ransomware.
- IoT growing in healthcare. The Internet of Things is exploding. Global healthcare entities will spend upward of $270 billion on IoT devices by 2023. Imaging devices connected to the internet are a tantalizing target. Add in equipment maintenance software that requires periodic updates, and we can begin to see the opportunities for cybersecurity breaches. The critical needs of patient care demand that imaging devices are available 24/7 with no scheduled downtime – leaving updates to patch weaknesses not always performed on a timely basis.
- Healthcare executives seem less aware of the risks than in other industries. Unfortunately, many healthcare executives seem less aware of the potential dangers from ransomware than management in different vertical industries. Hospitals, ambulatory clinics, imaging facilities and private practices are playing catchup to secure their networks.
- Insider threats. Insider threats generally come in two forms. An obvious insider threat is the disgruntled employee or former employee. Less obvious threats may come from third-party contractors or outside consultants. And lastly, lack of employee training may cause careless or inadvertent mistakes.
What types of problems does ransomware cause?
Understanding the potentially catastrophic dangers that ransomware is the first step in realizing how important cybersecurity is the healthcare field.
- Patient’s health and well-being. IoT connected devices include Wi-Fi heart pumps and smart beds in the surgical suite. If these devices become compromised through security, a fatality could result. Altering a patient’s records by changing their blood type could result in an adverse reaction after a blood transfusion.
- Hollywood Presbyterian Medical Center. The Locky strain of ransomware infected this Los Angeles hospital in 2016. The hospital paid over $16,000 in ransom. More damaging was the news that the breach put the hospital on lock-down because employees couldn’t access their computers. Their radiology and oncology departments couldn’t use their equipment.
- Hancock Health, Greenfield, Indiana. Officials paid over $55,000 to get decryption keys to regaining access to over 1,400 files. Although the hospital had backups, officials did not want to risk days or possibly weeks before they regained access to their data.
- 16 Hospitals Shut Down in the United Kingdom. In 2017, ransomware known as WannaCry creating chaos for hospital administrators, employees and patients. The ransomware even affected their telephone systems forcing employees to use their personal mobile phones. Citizens were advised to use these facilities for emergencies only.
- MedStar Network, D.C. and Maryland. The largest healthcare provider in the area, with 10 hospitals and 200 outpatient locations, was hit by a ransomware attack in the spring of 2016. Patient records were locked, and some patients had to be turned away.
- 2018 and no end in sight. Almost 50 major breaches have been reported by Healthcare IT News.
The Challenges Hospitals Face
First of all, the FBI will continue to monitor ransomware attacks through their Cyber Division. The FBI discourages hospitals and other organizations from paying ransoms – recommending a proactive approach – data backup and a business recovery plan instead.
Challenges include outdated systems and too few experienced cybersecurity personnel. The data is high value on the open market so ransomware intrusions will continue to occur.
Hospitals, rightly so, focus on patient care. But more attention and budget must be directed toward cybersecurity over the next five years. Lagging wages for IT personnel in the hospital industry are a contributing factor.
Many hospitals work on outdated platforms, and they utilize more off-the-shelf software too. Sadly, many hospitals lack the backups they need to protect themselves. Stricter adherence to back up recommendations could stem healthcare facilities from being forced to pay ransoms.
Protect your organization against ransomware attacks by acknowledging the risk, putting a plan in place and then allocating the budget for cybersecurity.