Why Healthcare Is So Vulnerable to Ransomware and What We Can Do About It

It’s one of the oldest forms of attack on the web, right up there with distributed denial of service. Yet it’s still more relevant than ever today. I’m speaking, of course, about ransomware.

According to research conducted by Cybersecurity Ventures, a ransomware attack will occur every 14 seconds by the end of this year. Security firm KnowBe4, meanwhile, predicted a 300% year-over-year growth rate. With the rise of multiple new attack vectors, a rapidly growing threat surface and the criminal black market — which now offers ransomware-as-a-service — it’s a problem that’s not going away anytime soon.

This is unsurprising.

Whether as a smokescreen for a more sophisticated attack or simply a money-making scheme in and of itself, ransomware is incredibly effective. It requires little concerted effort on the part of an attacker, who simply needs to sit back and wait for panicked victims to pay up. Moreover, cryptocurrency such as bitcoin provides a safe, anonymous payment vector.

It’s a perfect storm, and nowhere is its potential for harm more evident than in healthcare.

A Ticking Time Bomb for Healthcare

Remember WannaCry? It’s still remembered as one of the most devastating ransomware attacks in history. Part of the reason is that it managed to knock out nearly the entirety of the U.K.’s National Health Service, disrupting care across the entire nation.

Ultimately, it cost the NHS £92 million, or more than $117 million, and nearly 20,000 canceled appointments. Granted, WannaCry only caused the damage it did because of the NHS’s reliance on outdated software such as Windows XP. And there were no deaths tied directly to WannaCry, in spite of the chaos it caused.

Imagine, however, if WannaCry had been specifically designed to target medical equipment rather than computer systems. Imagine if a hacker designed ransomware to shut down life-saving, internet-connected devices such as infusion pumps, insulin monitors or telemedicine terminals. Imagine if a criminal managed to infect a connected operating room at the precise moment a physician was performing life-saving surgery.

Suddenly, we’re no longer dealing with potential data loss. Lives are literally on the line.

We’ve already seen a few glimpses of the harm this could cause. In 2016, MedStar Health suffered a crippling ransomware attack. For several days, the hospital was forced to shut down its email and records databases. As a side effect of this attack, cancer patients at the hospital suffered from delays in their radiation treatments.

That’s just one example. There are many others. At the same time, ransomware has yet to be linked to direct, measurable physical harm.

Not yet, at least. I expect it will at some point. As hospitals gradually bring more of their medical equipment online and march inevitably toward a digital future, the chances of a truly life-threatening ransomware attack become ever greater.

Healthcare is, in essence, a ticking time bomb. It’s not a question of if — it’s a question of when.

Even when it doesn’t threaten the physical well-being of patients, ransomware still has the potential to cause great harm. Medical records fetch an incredibly high price on the black market. For that reason, many modern ransomware viruses are designed to exfiltrate data as they encrypt it — and as anyone who has suffered from identity theft will tell you, the results can be absolutely devastating.

The Way Forward

Unfortunately, there’s no easy fix to this problem. Addressing the innate vulnerability of care providers and other covered entities to this particular breed of cyberattack requires a comprehensive, multifaceted approach. First — and perhaps most significant — hospitals must revise their procurement process for medical equipment.

At present, device manufacturers often provide free samples to care organizations. These devices are usually brought online without proper testing, bypassing any sort of risk assessment or security testing processes. Every such device is a potential window for an attacker, a potential threat to the well-being of patients.

“In hospitals,” notes a medical professional interviewed by Scientific American, “there’s a whole underground procurement process whereby medical device vendors approach clinicians and give them lots of stuff for free that eventually makes its way onto our floors, and then a year later we get a bill for it.”

This cannot be allowed to continue. Yet this entire ecosystem itself is the result of budgetary constraints combined with a focus on efficiency. The ability of clinicians and hospital staff to provide immediate patient care is every bit as important as cybersecurity.

The two must work in perfect harmony with one another. This is often far easier said than done. As is often the case, hospital staff have a tendency to treat security processes as guidelines rather than concrete rules.

“To use an ultrasound machine, you need a password, which has to change every ninety days,” another interviewee told Scientific American. “Staff just want to use the ultrasound machine. It’s not holding a lot of patient data, so they create a shared login so that they can provide patient care.”

Password sharing is just the tip of the iceberg in terms of improper use of medical equipment. Clinicians and support staff might use personal devices on the hospital floor. They might surf the web or download personal files on medical workstations. Or they might simply open a phishing email and bring the entire hospital network to its knees.

See, that’s one of the biggest problems with ransomware. Even with strong security controls, all it takes for infection is for one person to open something they shouldn’t. It’s why phishing emails are among the top delivery mechanisms for ransomware.

In order to improve both device procurement and overall security posture, healthcare organizations must seek total buy-in for cybersecurity. They must work together with staff from across the organization for this. Only by understanding each clinician’s unique needs — only by understanding each department’s requirements for effective patient care — can health systems implement effective security solutions.

Collaboration aside, training and education are also critical. Ensure that each individual has a working understanding of the kinds of security threats their departments face. Coach them on best practices with regard to why those practices are important, and endeavor to do so in a way that resonates with them.

Healthcare organizations cannot simply throw training brochures and dry data in their faces. Cybersecurity must be engaging, interesting and exciting.

Whether hospitals do that through gamification or some other tactic is their call — just do something creative with it.

Moreover, it may be worth considering mindfulness coaching. Hospitals are high-stress, exhausting environments. It isn’t surprising that a physician might inadvertently open a phishing email after working a 70-hour week.

Mindfulness training can help with that. Ideally, it should become second nature for everyone to step back and examine every email they receive and every file they consider downloading before taking further action. As a side benefit, mindfulness meditation has been proven as an effective treatment not just for stress, but also for several other conditions that might impact physicians and care staff.

Training aside, few cybersecurity solutions can be used to make things more convenient for staff while still maintaining both data security and compliance. Endpoint management software that provides complete visibility of the devices connected to a network is a good starting point. Alternative authentication methods, such as biometric, behavioral or device-based, also help.

A physician could activate an MRI machine with a fingerprint sensor rather than having to remember a complex, ever-changing password. A nurse could gain access to patient records through voice identification or facial recognition. A clinician could activate a telemedicine terminal simply by having their smartphone nearby.

Finally, healthcare organizations can implement some basic measures to protect against malware: a robust patching process that keeps all software on the network up to date, automated backups and the ability to immediately air-gap any infected system, and a separate guest network for personal devices and consumer IoT technology.

Closing Thoughts on Healthcare Cybersecurity

Hospitals are uniquely vulnerable to ransomware attacks. In another organization, it might be financial data, proprietary technology or customer information on the line. In a healthcare setting, it’s ultimately the well-being of patients.

Whether your organization is a covered entity or a business partner, you have a duty of care to your patients. A responsibility to not just provide them with proper treatment, but to ensure they’re protected against the potentially catastrophic impact of ransomware.

That ransomware will become more prominent is inevitable. That healthcare organizations will continue to be targeted by it is undeniable. But hospitals don’t need to take things lying down.

Better device procurement. Due diligence. Air-gapped networks. Cybersecurity and mindfulness training.

These are just a few of the protective measures that hospitals can — and should — take.

Matthew Davis works as a writer for Future Hosting, a leading provider of VPS hosting. He focuses on data news, cybersecurity, and web development topics. You can usually find his hiding behind a computer screen, searching for the next breaking news in the tech industry.

Get the best insights in digital health directly to your inbox.

Related

U.S. Health IT Experts More Confident in Cybersecurity Practices, Report Finds

The Woman Behind the Facebook Health Data Breach Complaint

Giving Data Security a Human Face to Regain Patient Trust